Merge tag 'acpi-6.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pull ACPI fixes from Rafael Wysocki:
"These fix three new issues in the ACPI APEI error injection code and
an ACPI platform firmware runtime update interface issue:

- Make ACPI APEI error injection check the version of the request
when mapping the EINJ parameter structure in the BIOS reserved
memory to prevent injecting errors based on an uninitialized
field (Tony Luck)

- Fix potential NULL dereference in __einj_error_inject() that may
occur when memory allocation fails (Charles Han)

- Remove the __exit annotation from einj_remove(), so it can be
called on errors during faux device probe (Uwe Kleine-König)

- Use a security-version-number check instead of a runtime version
check during ACPI platform firmware runtime driver updates to
prevent those updates from failing due to false-positive driver
version check failures (Chen Yu)"

* tag 'acpi-6.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
ACPI: pfr_update: Fix the driver update version check
ACPI: APEI: EINJ: Fix resource leak by remove callback in .exit.text
ACPI: APEI: EINJ: fix potential NULL dereference in __einj_error_inject()
ACPI: APEI: EINJ: Check if user asked for EINJV2 injection

Linus Torvalds 10 months ago f70e1e79 26d6ed49

+9 -11

3 changed files

expand all

drivers

acpi

apei

einj-core.c

pfr_update.c

include

uapi

linux

pfrut.h

+7 -10

drivers/acpi/apei/einj-core.c

··· 315 315 memcpy_fromio(&v5param, p, v5param_size); 316 316 acpi5 = 1; 317 317 check_vendor_extension(pa_v5, &v5param); 318 - if (available_error_type & ACPI65_EINJV2_SUPP) { 318 + if (is_v2 && available_error_type & ACPI65_EINJV2_SUPP) { 319 319 len = v5param.einjv2_struct.length; 320 320 offset = offsetof(struct einjv2_extension_struct, component_arr); 321 321 max_nr_components = (len - offset) / ··· 540 540 struct set_error_type_with_address *v5param; 541 541 542 542 v5param = kmalloc(v5param_size, GFP_KERNEL); 543 + if (!v5param) 544 + return -ENOMEM; 545 + 543 546 memcpy_fromio(v5param, einj_param, v5param_size); 544 547 v5param->type = type; 545 548 if (type & ACPI5_VENDOR_BIT) { ··· 1094 1091 return rc; 1095 1092 } 1096 1093 1097 - static void __exit einj_remove(struct faux_device *fdev) 1094 + static void einj_remove(struct faux_device *fdev) 1098 1095 { 1099 1096 struct apei_exec_context ctx; 1100 1097 ··· 1117 1114 } 1118 1115 1119 1116 static struct faux_device *einj_dev; 1120 - /* 1121 - * einj_remove() lives in .exit.text. For drivers registered via 1122 - * platform_driver_probe() this is ok because they cannot get unbound at 1123 - * runtime. So mark the driver struct with __refdata to prevent modpost 1124 - * triggering a section mismatch warning. 1125 - */ 1126 - static struct faux_device_ops einj_device_ops __refdata = { 1117 + static struct faux_device_ops einj_device_ops = { 1127 1118 .probe = einj_probe, 1128 - .remove = __exit_p(einj_remove), 1119 + .remove = einj_remove, 1129 1120 }; 1130 1121 1131 1122 static int __init einj_init(void)

+1 -1

drivers/acpi/pfr_update.c

··· 329 329 if (type == PFRU_CODE_INJECT_TYPE) 330 330 return payload_hdr->rt_ver >= cap->code_rt_version; 331 331 332 - return payload_hdr->rt_ver >= cap->drv_rt_version; 332 + return payload_hdr->svn_ver >= cap->drv_svn; 333 333 } 334 334 335 335 static void print_update_debug_info(struct pfru_updated_result *result,

include/uapi/linux/pfrut.h

··· 89 89 __u32 hw_ver; 90 90 __u32 rt_ver; 91 91 __u8 platform_id[16]; 92 + __u32 svn_ver; 92 93 }; 93 94 94 95 enum pfru_dsm_status {

Configure Feed

Configure Feed