Message ID | 20210310083127.5784-1-lyl2019@mail.ustc.edu.cn |
---|---|
State | Accepted |
Commit | 9ceee7d0841a8f7d7644021ba7d4cc1fbc7966e3 |
Series | firmware/efi: Fix a use after bug in efi_mem_reserve_persistent |
On Wed, 10 Mar 2021 at 09:37, Lv Yunlong <lyl2019@mail.ustc.edu.cn> wrote: > > In the for loop in efi_mem_reserve_persistent(), prsv = rsv->next > use the unmapped rsv. Use the unmapped pages will cause segment > fault. > > Fixes: 18df7577adae6 ("efi/memreserve: deal with memreserve entries in unmapped memory") > Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> Queued as a fix, thanks. > --- > drivers/firmware/efi/efi.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c > index df3f9bcab581..4b7ee3fa9224 100644 > --- a/drivers/firmware/efi/efi.c > +++ b/drivers/firmware/efi/efi.c > @@ -927,7 +927,7 @@ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size) > } > > /* first try to find a slot in an existing linked list entry */ > - for (prsv = efi_memreserve_root->next; prsv; prsv = rsv->next) { > + for (prsv = efi_memreserve_root->next; prsv; ) { > rsv = memremap(prsv, sizeof(*rsv), MEMREMAP_WB); > index = atomic_fetch_add_unless(&rsv->count, 1, rsv->size); > if (index < rsv->size) { > @@ -937,6 +937,7 @@ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size) > memunmap(rsv); > return efi_mem_reserve_iomem(addr, size); > } > + prsv = rsv->next; > memunmap(rsv); > } > > -- > 2.25.1 > >
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index df3f9bcab581..4b7ee3fa9224 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -927,7 +927,7 @@ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size) } /* first try to find a slot in an existing linked list entry */ - for (prsv = efi_memreserve_root->next; prsv; prsv = rsv->next) { + for (prsv = efi_memreserve_root->next; prsv; ) { rsv = memremap(prsv, sizeof(*rsv), MEMREMAP_WB); index = atomic_fetch_add_unless(&rsv->count, 1, rsv->size); if (index < rsv->size) { @@ -937,6 +937,7 @@ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size) memunmap(rsv); return efi_mem_reserve_iomem(addr, size); } + prsv = rsv->next; memunmap(rsv); }
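Review bot: in the first hunk (@@ -927), the pointer returned by memremap() is passed straight to `atomic_fetch_add_unless(&rsv->count, 1, rsv->size)` with no NULL check, so a failed mapping is dereferenced on the next line. Since this loop is being reworked anyway, consider adding `if (!rsv) return -ENOMEM;` directly after the memremap() call, either here or as a follow-up patch.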
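Review bot: in the second hunk (@@ -937), the fix depends entirely on `prsv = rsv->next;` running before `memunmap(rsv);`, but nothing in the code records that ordering requirement. A one-line comment above the assignment saying that the next pointer must be read while the entry is still mapped would keep a later cleanup from moving it back into the for header. With the increment clause now empty, a `while (prsv)` loop may also read more naturally.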
In the for loop in efi_mem_reserve_persistent(), prsv = rsv->next
uses the unmapped rsv. Using the unmapped pages will cause a
segmentation fault.

Fixes: 18df7577adae6 ("efi/memreserve: deal with memreserve entries in unmapped memory")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>

---
 drivers/firmware/efi/efi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)