[PATCH] efivarfs: fix NULL-deref on mount when no efivars

[PATCH] efivarfs: fix NULL-deref on mount when no efivars

[Johan Hovold]

The VFS calls kill_sb() also in case mount fails in get_tree().

Add the missing check to make sure that efivars has been registered also
to kill_sb() to avoid dereferencing a NULL pointer when trying to remove
efivar entries.

Fixes: c3fd71b428b8 ("efivarfs: always register filesystem")
Reported-by: Steev Klimaszewski <steev@kali.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
---
 fs/efivarfs/super.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
index b67d431c861a..482d612b716b 100644
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -246,6 +246,9 @@ static void efivarfs_kill_sb(struct super_block *sb)
 {
 	kill_litter_super(sb);
 
+	if (!efivar_is_available())
+		return;
+
 	/* Remove all entries and destroy */
 	efivar_entry_iter(efivarfs_destroy, &efivarfs_list, NULL);
 }
-- 
2.39.1

Re: [PATCH] efivarfs: fix NULL-deref on mount when no efivars

[Ard Biesheuvel]

On Thu, 26 Jan 2023 at 12:23, Johan Hovold <johan+linaro@kernel.org> wrote:
>
> The VFS calls kill_sb() also in case mount fails in get_tree().
>
> Add the missing check to make sure that efivars has been registered also
> to kill_sb() to avoid dereferencing a NULL pointer when trying to remove
> efivar entries.
>
> Fixes: c3fd71b428b8 ("efivarfs: always register filesystem")
> Reported-by: Steev Klimaszewski <steev@kali.org>
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>

Thanks - I have squashed this with the original patch.

> ---
>  fs/efivarfs/super.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
> index b67d431c861a..482d612b716b 100644
> --- a/fs/efivarfs/super.c
> +++ b/fs/efivarfs/super.c
> @@ -246,6 +246,9 @@ static void efivarfs_kill_sb(struct super_block *sb)
>  {
>         kill_litter_super(sb);
>
> +       if (!efivar_is_available())
> +               return;
> +
>         /* Remove all entries and destroy */
>         efivar_entry_iter(efivarfs_destroy, &efivarfs_list, NULL);
>  }
> --
> 2.39.1
>

Re: [PATCH] efivarfs: fix NULL-deref on mount when no efivars

[Johan Hovold]

On Thu, Jan 26, 2023 at 09:32:27PM +0100, Ard Biesheuvel wrote:
> On Thu, 26 Jan 2023 at 12:23, Johan Hovold <johan+linaro@kernel.org> wrote:
> >
> > The VFS calls kill_sb() also in case mount fails in get_tree().
> >
> > Add the missing check to make sure that efivars has been registered also
> > to kill_sb() to avoid dereferencing a NULL pointer when trying to remove
> > efivar entries.
> >
> > Fixes: c3fd71b428b8 ("efivarfs: always register filesystem")
> > Reported-by: Steev Klimaszewski <steev@kali.org>
> > Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> 
> Thanks - I have squashed this with the original patch.

Thanks, Ard. And sorry about not catching this before posting.

Johan

Re: [PATCH] efivarfs: fix NULL-deref on mount when no efivars

[Ard Biesheuvel]

On Fri, 27 Jan 2023 at 09:28, Johan Hovold <johan@kernel.org> wrote:
>
> On Thu, Jan 26, 2023 at 09:32:27PM +0100, Ard Biesheuvel wrote:
> > On Thu, 26 Jan 2023 at 12:23, Johan Hovold <johan+linaro@kernel.org> wrote:
> > >
> > > The VFS calls kill_sb() also in case mount fails in get_tree().
> > >
> > > Add the missing check to make sure that efivars has been registered also
> > > to kill_sb() to avoid dereferencing a NULL pointer when trying to remove
> > > efivar entries.
> > >
> > > Fixes: c3fd71b428b8 ("efivarfs: always register filesystem")
> > > Reported-by: Steev Klimaszewski <steev@kali.org>
> > > Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> >
> > Thanks - I have squashed this with the original patch.
>
> Thanks, Ard. And sorry about not catching this before posting.
>

No worries.

Re: [PATCH] efivarfs: fix NULL-deref on mount when no efivars

[kernel test robot]

Hi Johan,

I love your patch! Yet something to improve:

[auto build test ERROR on v6.2-rc5]
[also build test ERROR on linus/master]
[cannot apply to efi/next next-20230223]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Johan-Hovold/efivarfs-fix-NULL-deref-on-mount-when-no-efivars/20230128-094525
patch link:    https://lore.kernel.org/r/20230126112129.4602-1-johan%2Blinaro%40kernel.org
patch subject: [PATCH] efivarfs: fix NULL-deref on mount when no efivars
config: x86_64-randconfig-a011 (https://download.01.org/0day-ci/archive/20230223/202302231642.tyrVwZMY-lkp@intel.com/config)
compiler: gcc-11 (Debian 11.3.0-8) 11.3.0
reproduce (this is a W=1 build):
        # https://github.com/intel-lab-lkp/linux/commit/da57163cc9d947884520240ec71c2806f48b8a64
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Johan-Hovold/efivarfs-fix-NULL-deref-on-mount-when-no-efivars/20230128-094525
        git checkout da57163cc9d947884520240ec71c2806f48b8a64
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        make W=1 O=build_dir ARCH=x86_64 olddefconfig
        make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash fs/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202302231642.tyrVwZMY-lkp@intel.com/

All errors (new ones prefixed by >>):

   fs/efivarfs/super.c: In function 'efivarfs_kill_sb':
>> fs/efivarfs/super.c:246:14: error: implicit declaration of function 'efivar_is_available'; did you mean 'slab_is_available'? [-Werror=implicit-function-declaration]
     246 |         if (!efivar_is_available())
         |              ^~~~~~~~~~~~~~~~~~~
         |              slab_is_available
   cc1: some warnings being treated as errors


vim +246 fs/efivarfs/super.c

   241	
   242	static void efivarfs_kill_sb(struct super_block *sb)
   243	{
   244		kill_litter_super(sb);
   245	
 > 246		if (!efivar_is_available())
   247			return;
   248	
   249		/* Remove all entries and destroy */
   250		efivar_entry_iter(efivarfs_destroy, &efivarfs_list, NULL);
   251	}
   252	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests

Re: [PATCH] efivarfs: fix NULL-deref on mount when no efivars

[kernel test robot]

Hi Johan,

I love your patch! Yet something to improve:

[auto build test ERROR on v6.2-rc5]
[also build test ERROR on linus/master]
[cannot apply to efi/next next-20230223]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Johan-Hovold/efivarfs-fix-NULL-deref-on-mount-when-no-efivars/20230128-094525
patch link:    https://lore.kernel.org/r/20230126112129.4602-1-johan%2Blinaro%40kernel.org
patch subject: [PATCH] efivarfs: fix NULL-deref on mount when no efivars
config: i386-randconfig-a015 (https://download.01.org/0day-ci/archive/20230223/202302231733.iymwHTPf-lkp@intel.com/config)
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/da57163cc9d947884520240ec71c2806f48b8a64
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Johan-Hovold/efivarfs-fix-NULL-deref-on-mount-when-no-efivars/20230128-094525
        git checkout da57163cc9d947884520240ec71c2806f48b8a64
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 SHELL=/bin/bash fs/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202302231733.iymwHTPf-lkp@intel.com/

All errors (new ones prefixed by >>):

>> fs/efivarfs/super.c:246:7: error: implicit declaration of function 'efivar_is_available' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
           if (!efivar_is_available())
                ^
   fs/efivarfs/super.c:246:7: note: did you mean 'slab_is_available'?
   include/linux/slab.h:171:6: note: 'slab_is_available' declared here
   bool slab_is_available(void);
        ^
   1 error generated.


vim +/efivar_is_available +246 fs/efivarfs/super.c

   241	
   242	static void efivarfs_kill_sb(struct super_block *sb)
   243	{
   244		kill_litter_super(sb);
   245	
 > 246		if (!efivar_is_available())
   247			return;
   248	
   249		/* Remove all entries and destroy */
   250		efivar_entry_iter(efivarfs_destroy, &efivarfs_list, NULL);
   251	}
   252	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests

Re: [PATCH] efivarfs: fix NULL-deref on mount when no efivars

[Johan Hovold]

On Thu, Feb 23, 2023 at 05:03:54PM +0800, kernel test robot wrote:
> Hi Johan,
> 
> I love your patch! Yet something to improve:
> 
> [auto build test ERROR on v6.2-rc5]
> [also build test ERROR on linus/master]
> [cannot apply to efi/next next-20230223]

I have no idea what your robot is trying to do here, but this patch has
been folded into 301de9a20553 ("efivarfs: always register filesystem")
and is already in linux-next building just fine.

> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
> 
> url:    https://github.com/intel-lab-lkp/linux/commits/Johan-Hovold/efivarfs-fix-NULL-deref-on-mount-when-no-efivars/20230128-094525
> patch link:    https://lore.kernel.org/r/20230126112129.4602-1-johan%2Blinaro%40kernel.org
> patch subject: [PATCH] efivarfs: fix NULL-deref on mount when no efivars
> config: x86_64-randconfig-a011 (https://download.01.org/0day-ci/archive/20230223/202302231642.tyrVwZMY-lkp@intel.com/config)
> compiler: gcc-11 (Debian 11.3.0-8) 11.3.0
> reproduce (this is a W=1 build):
>         # https://github.com/intel-lab-lkp/linux/commit/da57163cc9d947884520240ec71c2806f48b8a64
>         git remote add linux-review https://github.com/intel-lab-lkp/linux
>         git fetch --no-tags linux-review Johan-Hovold/efivarfs-fix-NULL-deref-on-mount-when-no-efivars/20230128-094525
>         git checkout da57163cc9d947884520240ec71c2806f48b8a64
>         # save the config file
>         mkdir build_dir && cp config build_dir/.config
>         make W=1 O=build_dir ARCH=x86_64 olddefconfig
>         make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash fs/
> 
> If you fix the issue, kindly add following tag where applicable
> | Reported-by: kernel test robot <lkp@intel.com>
> | Link: https://lore.kernel.org/oe-kbuild-all/202302231642.tyrVwZMY-lkp@intel.com/
> 
> All errors (new ones prefixed by >>):
> 
>    fs/efivarfs/super.c: In function 'efivarfs_kill_sb':
> >> fs/efivarfs/super.c:246:14: error: implicit declaration of function 'efivar_is_available'; did you mean 'slab_is_available'? [-Werror=implicit-function-declaration]
>      246 |         if (!efivar_is_available())
>          |              ^~~~~~~~~~~~~~~~~~~
>          |              slab_is_available
>    cc1: some warnings being treated as errors
> 
> 
> vim +246 fs/efivarfs/super.c
> 
>    241	
>    242	static void efivarfs_kill_sb(struct super_block *sb)
>    243	{
>    244		kill_litter_super(sb);
>    245	
>  > 246		if (!efivar_is_available())
>    247			return;
>    248	
>    249		/* Remove all entries and destroy */
>    250		efivar_entry_iter(efivarfs_destroy, &efivarfs_list, NULL);
>    251	}
>    252	

Johan