From: Corey Minyard <corey@minyard.net> stable inclusion from stable-v6.6.140 commit 07f9bff69da84e462178d3f0ad1b32f19f13ad94 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15288 CVE: CVE-2026-46044 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- If an error occurs after the ssif kthread is created, but before the main IPMI code starts the ssif interface, the ssif kthread will not be stopped. So make sure the kthread is stopped on an error condition if it is running. Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)") Reported-by: Li Xiao <<252270051@hdu.edu.cn> Cc: stable@vger.kernel.org Reviewed-by: Li Xiao <252270051@hdu.edu.cn> Signed-off-by: Corey Minyard <corey@minyard.net> (cherry picked from commit 75c486cb1bcaa1a3ec3a6438498176a3a4998ae4) Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: drivers/char/ipmi/ipmi_ssif.c [Only context conflicts] Signed-off-by: Cai Xinchen <caixinchen1@huawei.com> --- drivers/char/ipmi/ipmi_ssif.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c index df8dd50b4cbe..124d51d845e4 100644 --- a/drivers/char/ipmi/ipmi_ssif.c +++ b/drivers/char/ipmi/ipmi_ssif.c @@ -1273,6 +1273,7 @@ static void shutdown_ssif(void *send_info) if (ssif_info->thread) { complete(&ssif_info->wake_thread); kthread_stop(ssif_info->thread); + ssif_info->thread = NULL; } } @@ -1898,6 +1899,15 @@ static int ssif_probe(struct i2c_client *client) out: if (rv) { + /* + * If ipmi_register_smi() starts the interface, it will + * call shutdown and that will free the thread and set + * it to NULL. Otherwise it must be freed here. + */ + if (ssif_info->thread) { + kthread_stop(ssif_info->thread); + ssif_info->thread = NULL; + } if (addr_info) addr_info->client = NULL; -- 2.34.1