Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

firmware: qcom: uefisecapp: fix efivars registration race

Since the conversion to using the TZ allocator, the efivars service is
registered before the memory pool has been allocated, something which
can lead to a NULL-pointer dereference in case of a racing EFI variable
access.

Make sure that all resources have been set up before registering the
efivars.

Fixes: 6612103ec35a ("firmware: qcom: qseecom: convert to using the TZ allocator")
Cc: stable@vger.kernel.org # 6.11
Cc: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Maximilian Luz <luzmaximilian@gmail.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Link: https://lore.kernel.org/r/20250120151000.13870-1-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
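The ordering bug the commit describes, as an added userspace model that is not kernel code and not part of this commit: an object is published to a global reference (standing in for qcuefi_set_reference()) and registered (standing in for efivars_register()) before its memory pool exists, and a "racing" EFI variable access that runs during registration finds the pool pointer NULL. The race is collapsed into a synchronous callback so the outcome is deterministic; the struct, field and function names below are assumptions made for the model, not the driver's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the driver object: only the field the race is about. */
struct mempool { size_t size; };
struct qcuefi_model { struct mempool *mempool; };

/* Global reference; assigning it stands in for qcuefi_set_reference(). */
static struct qcuefi_model *qcuefi_ref;

/* The "EFI variable access" path. In the kernel this runs concurrently
 * once efivars are registered; here it is called synchronously. */
static int variable_access(void)
{
	struct qcuefi_model *q = qcuefi_ref;

	if (!q)
		return -1;		/* nothing registered yet */
	if (!q->mempool)
		return -2;		/* the NULL-pointer dereference in the report */
	return (int)q->mempool->size;	/* would allocate from the pool here */
}

/* Stand-in for efivars_register(): registration makes the object reachable,
 * so a racing access is modelled as firing right inside it. */
static int efivars_register_model(void)
{
	return variable_access();
}

/* Stand-in for devm_qcom_tzmem_pool_new() (hypothetical size). */
static struct mempool *pool_new(void)
{
	struct mempool *p = malloc(sizeof(*p));

	if (p)
		p->size = 4096;
	return p;
}

/* Probe order before the fix: publish and register, then allocate the pool. */
static int probe_before(struct qcuefi_model *q)
{
	int status;

	memset(q, 0, sizeof(*q));
	qcuefi_ref = q;
	status = efivars_register_model();	/* racing access sees mempool == NULL */
	q->mempool = pool_new();
	return status;
}

/* Probe order after the fix: allocate every resource, then publish. */
static int probe_after(struct qcuefi_model *q)
{
	memset(q, 0, sizeof(*q));
	q->mempool = pool_new();
	if (!q->mempool)
		return -3;
	qcuefi_ref = q;
	return efivars_register_model();	/* racing access finds the pool */
}

/* Undo publication and free the pool so each probe runs from a clean state. */
static void teardown(struct qcuefi_model *q)
{
	qcuefi_ref = NULL;
	free(q->mempool);
	q->mempool = NULL;
}

int main(void)
{
	struct qcuefi_model q;
	int before, after;

	before = probe_before(&q);
	teardown(&q);
	after = probe_after(&q);
	teardown(&q);
	printf("before fix: %d (access hit NULL pool)\n", before);
	printf("after fix:  %d (access got the pool size)\n", after);
	return 0;
}
```

The model only checks ordering, not memory visibility: in the real driver the registration is what lets another CPU reach the object, so any resource a variable access touches must be set up before qcuefi_set_reference() and efivars_register(), which is exactly the invariant the commit restores.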

Authored by Johan Hovold and committed by Bjorn Andersson
da8d493a 7f048b20

+9 -9
drivers/firmware/qcom/qcom_qseecom_uefisecapp.c
··· 814 814 815 815 qcuefi->client = container_of(aux_dev, struct qseecom_client, aux_dev); 816 816 817 - auxiliary_set_drvdata(aux_dev, qcuefi); 818 - status = qcuefi_set_reference(qcuefi); 819 - if (status) 820 - return status; 821 - 822 - status = efivars_register(&qcuefi->efivars, &qcom_efivar_ops); 823 - if (status) 824 - qcuefi_set_reference(NULL); 825 - 826 817 memset(&pool_config, 0, sizeof(pool_config)); 827 818 pool_config.initial_size = SZ_4K; 828 819 pool_config.policy = QCOM_TZMEM_POLICY_MULTIPLIER; ··· 823 832 qcuefi->mempool = devm_qcom_tzmem_pool_new(&aux_dev->dev, &pool_config); 824 833 if (IS_ERR(qcuefi->mempool)) 825 834 return PTR_ERR(qcuefi->mempool); 835 + 836 + auxiliary_set_drvdata(aux_dev, qcuefi); 837 + status = qcuefi_set_reference(qcuefi); 838 + if (status) 839 + return status; 840 + 841 + status = efivars_register(&qcuefi->efivars, &qcom_efivar_ops); 842 + if (status) 843 + qcuefi_set_reference(NULL); 826 844 827 845 return status; 828 846 }
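Review bot: the reordering closes the window, but nothing in the hunk marks it as load-bearing; a one-line comment above the moved `auxiliary_set_drvdata(aux_dev, qcuefi);` saying that qcuefi_set_reference() and efivars_register() publish qcuefi to concurrent EFI variable accesses and must therefore stay the last steps of probe would stop a future resource added after devm_qcom_tzmem_pool_new() from reopening the same NULL-pointer window. The error handling itself looks right: the pool is devm-managed, so the `return status` after `qcuefi_set_reference(NULL)` can rely on devres to release it and needs no explicit unwind.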