Commit fa1d3557 authored Sep 02, 2024 by Johan Hovold Committed by Gu Bowen Sep 02, 2024

efi: fix NULL-deref in init error path

stable inclusion
from stable-v5.10.164
commit 4ca71bc0e1995d15486cd7b60845602a28399cb5
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALIAT
CVE: CVE-2022-48879

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4ca71bc0e1995d15486cd7b60845602a28399cb5



--------------------------------

[ Upstream commit 703c13fe ]

In cases where runtime services are not supported or have been disabled,
the runtime services workqueue will never have been allocated.

Do not try to destroy the workqueue unconditionally in the unlikely
event that EFI initialisation fails to avoid dereferencing a NULL
pointer.

Fixes: 98086df8 ("efi: add missed destroy_workqueue when efisubsys_init fails")
Cc: stable@vger.kernel.org
Cc: Li Heng <liheng40@huawei.com>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Gu Bowen <gubowen5@huawei.com>

parent 683fc19e

drivers/firmware/efi/efi.c

+6 −3

Original line number	Diff line number	Diff line
		@@ -386,8 +386,8 @@ static int __init efisubsys_init(void)
		efi_kobj = kobject_create_and_add("efi", firmware_kobj);
		if (!efi_kobj) {
		pr_err("efi: Firmware registration failed.\n");
		destroy_workqueue(efi_rts_wq);
		return -ENOMEM;
		error = -ENOMEM;
		goto err_destroy_wq;
		}

		if (efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE \|
		@@ -430,7 +430,10 @@ static int __init efisubsys_init(void)
		generic_ops_unregister();
		err_put:
		kobject_put(efi_kobj);
		err_destroy_wq:
		if (efi_rts_wq)
		destroy_workqueue(efi_rts_wq);

		return error;
		}