
Merge tag 'efi-fixes-for-v6.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi

Pull EFI fixes from Ard Biesheuvel:

- Assorted fixes for the OP-TEE based pseudo-EFI variable store

- Fix for an OOB access when looking up the same non-existing efivarfs
entry multiple times in parallel

* tag 'efi-fixes-for-v6.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
efi: stmm: Drop unneeded null pointer check
efi: stmm: Drop unused EFI error from setup_mm_hdr arguments
efi: stmm: Do not return EFI_OUT_OF_RESOURCES on internal errors
efi: stmm: Fix incorrect buffer allocation method

+31 -34
+27 -34
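--- a/drivers/firmware/efi/stmm/tee_stmm_efi.c
+++ b/drivers/firmware/efi/stmm/tee_stmm_efi.c
@@ -143,6 +143,10 @@
 return var_hdr->ret_status;
 }
 
+#define COMM_BUF_SIZE(__payload_size) (MM_COMMUNICATE_HEADER_SIZE + \
+MM_VARIABLE_COMMUNICATE_SIZE + \
+(__payload_size))
+
 /**
 * setup_mm_hdr() - Allocate a buffer for StandAloneMM and initialize the
 * header data.
@@ -150,11 +154,9 @@
 * @dptr: pointer address to store allocated buffer
 * @payload_size: payload size
 * @func: standAloneMM function number
-* @ret: EFI return code
 * Return: pointer to corresponding StandAloneMM function buffer or NULL
 */
-static void *setup_mm_hdr(u8 **dptr, size_t payload_size, size_t func,
-efi_status_t *ret)
+static void *setup_mm_hdr(u8 **dptr, size_t payload_size, size_t func)
 {
 const efi_guid_t mm_var_guid = EFI_MM_VARIABLE_GUID;
 struct efi_mm_communicate_header *mm_hdr;
@@ -169,17 +171,13 @@
 if (max_buffer_size &&
 max_buffer_size < (MM_COMMUNICATE_HEADER_SIZE +
 MM_VARIABLE_COMMUNICATE_SIZE + payload_size)) {
-*ret = EFI_INVALID_PARAMETER;
 return NULL;
 }
 
-comm_buf = kzalloc(MM_COMMUNICATE_HEADER_SIZE +
-MM_VARIABLE_COMMUNICATE_SIZE + payload_size,
-GFP_KERNEL);
-if (!comm_buf) {
-*ret = EFI_OUT_OF_RESOURCES;
+comm_buf = alloc_pages_exact(COMM_BUF_SIZE(payload_size),
+GFP_KERNEL | __GFP_ZERO);
+if (!comm_buf)
 return NULL;
-}
 
 mm_hdr = (struct efi_mm_communicate_header *)comm_buf;
 memcpy(&mm_hdr->header_guid, &mm_var_guid, sizeof(mm_hdr->header_guid));
@@ -187,9 +185,7 @@
 
 var_hdr = (struct smm_variable_communicate_header *)mm_hdr->data;
 var_hdr->function = func;
-if (dptr)
-*dptr = comm_buf;
-*ret = EFI_SUCCESS;
+*dptr = comm_buf;
 
 return var_hdr->data;
 }
@@ -212,10 +208,9 @@
 
 payload_size = sizeof(*var_payload);
 var_payload = setup_mm_hdr(&comm_buf, payload_size,
-SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE,
-&ret);
+SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE);
 if (!var_payload)
-return EFI_OUT_OF_RESOURCES;
+return EFI_DEVICE_ERROR;
 
 ret = mm_communicate(comm_buf, payload_size);
 if (ret != EFI_SUCCESS)
@@ -239,7 +234,7 @@
 */
 *size -= 2;
 out:
-kfree(comm_buf);
+free_pages_exact(comm_buf, COMM_BUF_SIZE(payload_size));
 return ret;
 }
 
@@ -259,9 +254,9 @@
 
 smm_property = setup_mm_hdr(
 &comm_buf, payload_size,
-SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET, &ret);
+SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET);
 if (!smm_property)
-return EFI_OUT_OF_RESOURCES;
+return EFI_DEVICE_ERROR;
 
 memcpy(&smm_property->guid, vendor, sizeof(smm_property->guid));
 smm_property->name_size = name_size;
@@ -282,7 +277,7 @@
 memcpy(var_property, &smm_property->property, sizeof(*var_property));
 
 out:
-kfree(comm_buf);
+free_pages_exact(comm_buf, COMM_BUF_SIZE(payload_size));
 return ret;
 }
 
@@ -315,9 +310,9 @@
 
 payload_size = MM_VARIABLE_ACCESS_HEADER_SIZE + name_size + tmp_dsize;
 var_acc = setup_mm_hdr(&comm_buf, payload_size,
-SMM_VARIABLE_FUNCTION_GET_VARIABLE, &ret);
+SMM_VARIABLE_FUNCTION_GET_VARIABLE);
 if (!var_acc)
-return EFI_OUT_OF_RESOURCES;
+return EFI_DEVICE_ERROR;
 
 /* Fill in contents */
 memcpy(&var_acc->guid, vendor, sizeof(var_acc->guid));
@@ -347,7 +342,7 @@
 memcpy(data, (u8 *)var_acc->name + var_acc->name_size,
 var_acc->data_size);
 out:
-kfree(comm_buf);
+free_pages_exact(comm_buf, COMM_BUF_SIZE(payload_size));
 return ret;
 }
 
@@ -380,10 +375,9 @@
 
 payload_size = MM_VARIABLE_GET_NEXT_HEADER_SIZE + out_name_size;
 var_getnext = setup_mm_hdr(&comm_buf, payload_size,
-SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME,
-&ret);
+SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME);
 if (!var_getnext)
-return EFI_OUT_OF_RESOURCES;
+return EFI_DEVICE_ERROR;
 
 /* Fill in contents */
 memcpy(&var_getnext->guid, guid, sizeof(var_getnext->guid));
@@ -404,7 +398,7 @@
 memcpy(name, var_getnext->name, var_getnext->name_size);
 
 out:
-kfree(comm_buf);
+free_pages_exact(comm_buf, COMM_BUF_SIZE(payload_size));
 return ret;
 }
 
@@ -437,9 +431,9 @@
 * the properties, if the allocation fails
 */
 var_acc = setup_mm_hdr(&comm_buf, payload_size,
-SMM_VARIABLE_FUNCTION_SET_VARIABLE, &ret);
+SMM_VARIABLE_FUNCTION_SET_VARIABLE);
 if (!var_acc)
-return EFI_OUT_OF_RESOURCES;
+return EFI_DEVICE_ERROR;
 
 /*
 * The API has the ability to override RO flags. If no RO check was
@@ -467,7 +461,7 @@
 ret = mm_communicate(comm_buf, payload_size);
 dev_dbg(pvt_data.dev, "Set Variable %s %d %lx\n", __FILE__, __LINE__, ret);
 out:
-kfree(comm_buf);
+free_pages_exact(comm_buf, COMM_BUF_SIZE(payload_size));
 return ret;
 }
 
@@ -492,10 +486,9 @@
 
 payload_size = sizeof(*mm_query_info);
 mm_query_info = setup_mm_hdr(&comm_buf, payload_size,
-SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO,
-&ret);
+SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO);
 if (!mm_query_info)
-return EFI_OUT_OF_RESOURCES;
+return EFI_DEVICE_ERROR;
 
 mm_query_info->attr = attributes;
 ret = mm_communicate(comm_buf, payload_size);
@@ -507,7 +500,7 @@
 *max_variable_size = mm_query_info->max_variable_size;
 
 out:
-kfree(comm_buf);
+free_pages_exact(comm_buf, COMM_BUF_SIZE(payload_size));
 return ret;
 }
 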
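Review bot: Each of the six `out:` labels now has to pass free_pages_exact() the same byte count that setup_mm_hdr() gave alloc_pages_exact(), yet that count is recomputed from `payload_size` at every site rather than recorded once. Nothing in the visible lines reassigns `payload_size` between the two calls, but the function bodies continue outside these hunks, so a later edit that adjusts it would release the wrong number of pages; a comment on the macro such as `/* alloc_pages_exact() and free_pages_exact() must see the same payload_size */` would pin the contract down. The bound check kept in setup_mm_hdr() still spells the sum out by hand and could read `max_buffer_size < COMM_BUF_SIZE(payload_size)` so the checked size and the allocated size cannot drift apart. The old kfree() also tolerated a NULL buffer, which these hunks do not show the page-allocator call doing, so it is worth confirming that no path reaches `out:` before setup_mm_hdr() has succeeded.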
+4
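--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -152,6 +152,10 @@
 {
 int guid = len - EFI_VARIABLE_GUID_LEN;
 
+/* Parallel lookups may produce a temporary invalid filename */
+if (guid <= 0)
+return 1;
+
 if (name->len != len)
 return 1;
 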
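Review bot: The added comment says why the name can be invalid but not what the early return protects. Going by the commit title the concern is an out-of-bounds read in efivarfs_d_compare, presumably where `guid` is used as an offset into the name further down, outside this hunk. Something like `/* A racing lookup can pass a name no longer than the GUID suffix; reject it before guid is used as an offset. */` would tell the next reader which access the guard covers. `guid` is a signed int derived from `len`, whose declaration is not visible here; if `len` is unsigned, the negative case depends on the conversion back to int, and testing `if (len <= EFI_VARIABLE_GUID_LEN)` directly would state the condition without relying on that.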