From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Arvind Sankar <nivedita@alum.mit.edu>,
Ard Biesheuvel <ardb@kernel.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Bhupesh Sharma <bhsharma@redhat.com>,
Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>,
linux-efi@vger.kernel.org, Ingo Molnar <mingo@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 61/91] efi/gop: Fix memory leak in __gop_query32/64()
Date: Sat, 11 Jan 2020 10:49:54 +0100 [thread overview]
Message-ID: <20200111094907.683095742@linuxfoundation.org> (raw)
In-Reply-To: <20200111094844.748507863@linuxfoundation.org>
From: Arvind Sankar <nivedita@alum.mit.edu>
[ Upstream commit ff397be685e410a59c34b21ce0c55d4daa466bb7 ]
efi_graphics_output_protocol::query_mode() returns info in
callee-allocated memory which must be freed by the caller, which
we aren't doing.
We don't actually need to call query_mode() in order to obtain the
info for the current graphics mode, which is already there in
gop->mode->info, so just access it directly in the setup_gop32/64()
functions.
Also nothing uses the size of the info structure, so don't update the
passed-in size (which is the size of the gop_handle table in bytes)
unnecessarily.
Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Bhupesh Sharma <bhsharma@redhat.com>
Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191206165542.31469-5-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/libstub/gop.c | 66 ++++++------------------------
1 file changed, 12 insertions(+), 54 deletions(-)
diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c
index 81ffda5d1e48..fd8053f9556e 100644
--- a/drivers/firmware/efi/libstub/gop.c
+++ b/drivers/firmware/efi/libstub/gop.c
@@ -85,30 +85,6 @@ setup_pixel_info(struct screen_info *si, u32 pixels_per_scan_line,
}
}
-static efi_status_t
-__gop_query32(efi_system_table_t *sys_table_arg,
- struct efi_graphics_output_protocol_32 *gop32,
- struct efi_graphics_output_mode_info **info,
- unsigned long *size, u64 *fb_base)
-{
- struct efi_graphics_output_protocol_mode_32 *mode;
- efi_graphics_output_protocol_query_mode query_mode;
- efi_status_t status;
- unsigned long m;
-
- m = gop32->mode;
- mode = (struct efi_graphics_output_protocol_mode_32 *)m;
- query_mode = (void *)(unsigned long)gop32->query_mode;
-
- status = __efi_call_early(query_mode, (void *)gop32, mode->mode, size,
- info);
- if (status != EFI_SUCCESS)
- return status;
-
- *fb_base = mode->frame_buffer_base;
- return status;
-}
-
static efi_status_t
setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
efi_guid_t *proto, unsigned long size, void **gop_handle)
@@ -130,6 +106,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
nr_gops = size / sizeof(u32);
for (i = 0; i < nr_gops; i++) {
+ struct efi_graphics_output_protocol_mode_32 *mode;
struct efi_graphics_output_mode_info *info = NULL;
efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID;
bool conout_found = false;
@@ -147,9 +124,11 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
if (status == EFI_SUCCESS)
conout_found = true;
- status = __gop_query32(sys_table_arg, gop32, &info, &size,
- ¤t_fb_base);
- if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
+ mode = (void *)(unsigned long)gop32->mode;
+ info = (void *)(unsigned long)mode->info;
+ current_fb_base = mode->frame_buffer_base;
+
+ if ((!first_gop || conout_found) &&
info->pixel_format != PIXEL_BLT_ONLY) {
/*
* Systems that use the UEFI Console Splitter may
@@ -203,30 +182,6 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
return EFI_SUCCESS;
}
-static efi_status_t
-__gop_query64(efi_system_table_t *sys_table_arg,
- struct efi_graphics_output_protocol_64 *gop64,
- struct efi_graphics_output_mode_info **info,
- unsigned long *size, u64 *fb_base)
-{
- struct efi_graphics_output_protocol_mode_64 *mode;
- efi_graphics_output_protocol_query_mode query_mode;
- efi_status_t status;
- unsigned long m;
-
- m = gop64->mode;
- mode = (struct efi_graphics_output_protocol_mode_64 *)m;
- query_mode = (void *)(unsigned long)gop64->query_mode;
-
- status = __efi_call_early(query_mode, (void *)gop64, mode->mode, size,
- info);
- if (status != EFI_SUCCESS)
- return status;
-
- *fb_base = mode->frame_buffer_base;
- return status;
-}
-
static efi_status_t
setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
efi_guid_t *proto, unsigned long size, void **gop_handle)
@@ -248,6 +203,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
nr_gops = size / sizeof(u64);
for (i = 0; i < nr_gops; i++) {
+ struct efi_graphics_output_protocol_mode_64 *mode;
struct efi_graphics_output_mode_info *info = NULL;
efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID;
bool conout_found = false;
@@ -265,9 +221,11 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
if (status == EFI_SUCCESS)
conout_found = true;
- status = __gop_query64(sys_table_arg, gop64, &info, &size,
- ¤t_fb_base);
- if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
+ mode = (void *)(unsigned long)gop64->mode;
+ info = (void *)(unsigned long)mode->info;
+ current_fb_base = mode->frame_buffer_base;
+
+ if ((!first_gop || conout_found) &&
info->pixel_format != PIXEL_BLT_ONLY) {
/*
* Systems that use the UEFI Console Splitter may
--
2.20.1
next prev parent reply other threads:[~2020-01-11 10:03 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-11 9:48 [PATCH 4.9 00/91] 4.9.209-stable review Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 01/91] PM / devfreq: Dont fail devfreq_dev_release if not in list Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 02/91] RDMA/cma: add missed unregister_pernet_subsys in init failure Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 03/91] scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 04/91] scsi: qla2xxx: Dont call qlt_async_event twice Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 05/91] scsi: iscsi: qla4xxx: fix double free in probe Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 06/91] scsi: libsas: stop discovering if oob mode is disconnected Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 07/91] usb: gadget: fix wrong endpoint desc Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 08/91] md: raid1: check rdev before reference in raid1_sync_request func Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 09/91] s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 10/91] s390/cpum_sf: Avoid SBD overflow condition in irq handler Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 11/91] IB/mlx4: Follow mirror sequence of device add during device removal Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 12/91] xen-blkback: prevent premature module unload Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 13/91] xen/balloon: fix ballooned page accounting without hotplug enabled Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 14/91] PM / hibernate: memory_bm_find_bit(): Tighten node optimisation Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 15/91] xfs: fix mount failure crash on invalid iclog memory access Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 16/91] taskstats: fix data-race Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 17/91] drm: limit to INT_MAX in create_blob ioctl Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 18/91] Revert "perf report: Add warning when libunwind not compiled in" Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 19/91] ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 20/91] MIPS: Avoid VDSO ABI breakage due to global register variable Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 21/91] mm/zsmalloc.c: fix the migrated zspage statistics Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 22/91] memcg: account security cred as well to kmemcg Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 23/91] locks: print unsigned ino in /proc/locks Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 24/91] dmaengine: Fix access to uninitialized dma_slave_caps Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 25/91] compat_ioctl: block: handle Persistent Reservations Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 26/91] ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 27/91] ata: ahci_brcm: Allow optional reset controller to be used Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 28/91] ata: ahci_brcm: Fix AHCI resources management Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 29/91] gpiolib: fix up emulated open drain outputs Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 30/91] tracing: Have the histogram compare functions convert to u64 first Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 31/91] ALSA: cs4236: fix error return comparison of an unsigned integer Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 32/91] ftrace: Avoid potential division by zero in function profiler Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 33/91] arm64: Revert support for execute-only user mappings Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 34/91] PM / devfreq: Check NULL governor in available_governors_show Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 35/91] nfsd4: fix up replay_matches_cache() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 36/91] xfs: dont check for AG deadlock for realtime files in bunmapi Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 37/91] Bluetooth: btusb: fix PM leak in error case of setup Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 38/91] Bluetooth: delete a stray unlock Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 39/91] Bluetooth: Fix memory leak in hci_connect_le_scan Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 40/91] media: flexcop-usb: ensure -EIO is returned on error condition Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 41/91] regulator: ab8500: Remove AB8505 USB regulator Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 42/91] media: usb: fix memory leak in af9005_identify_state Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 43/91] tty: serial: msm_serial: Fix lockup for sysrq and oops Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 44/91] fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 45/91] drm/mst: Fix MST sideband up-reply failure handling Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 46/91] powerpc/pseries/hvconsole: Fix stack overread via udbg Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 47/91] coresight: tmc-etf: Do not call smp_processor_id from preemptible Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 48/91] coresight: etb10: " Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 49/91] rxrpc: Fix possible NULL pointer access in ICMP handling Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 50/91] ath9k_htc: Modify byte order for an error message Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 51/91] ath9k_htc: Discard undersized packets Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 52/91] net: add annotations on hh->hh_len lockless accesses Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 53/91] s390/smp: fix physical to logical CPU map for SMT Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 54/91] xen/blkback: Avoid unmapping unmapped grant pages Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 55/91] locking/x86: Remove the unused atomic_inc_short() methd Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 56/91] pstore/ram: Write new dumps to start of recycled zones Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 57/91] locking/spinlock/debug: Fix various data races Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 58/91] netfilter: ctnetlink: netns exit must wait for callbacks Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 59/91] efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 60/91] efi/gop: Return EFI_SUCCESS if a usable GOP was found Greg Kroah-Hartman
2020-01-11 9:49 ` Greg Kroah-Hartman [this message]
2020-01-11 9:49 ` [PATCH 4.9 62/91] ARM: vexpress: Set-up shared OPP table instead of individual for each CPU Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 63/91] netfilter: uapi: Avoid undefined left-shift in xt_sctp.h Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 64/91] spi: spi-cavium-thunderx: Add missing pci_release_regions() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 65/91] ARM: dts: am437x-gp/epos-evm: fix panel compatible Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 66/91] samples: bpf: Replace symbol compare of trace_event Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 67/91] powerpc: Ensure that swiotlb buffer is allocated from low memory Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 68/91] bnx2x: Do not handle requests from VFs after parity Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 69/91] bnx2x: Fix logic to get total no. of PFs per engine Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 70/91] net: usb: lan78xx: Fix error message format specifier Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 71/91] rfkill: Fix incorrect check to avoid NULL pointer dereference Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 72/91] ASoC: wm8962: fix lambda value Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 73/91] regulator: rn5t618: fix module aliases Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 74/91] kconfig: dont crash on NULL expressions in expr_eq() Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 75/91] perf/x86/intel: Fix PT PMI handling Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 76/91] net: stmmac: RX buffer size must be 16 byte aligned Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 77/91] block: fix memleak when __blk_rq_map_user_iov() is failed Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 78/91] parisc: Fix compiler warnings in debug_core.c Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 79/91] llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 80/91] macvlan: do not assume mac_header is set in macvlan_broadcast() Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 81/91] net: stmmac: dwmac-sunxi: Allow all RGMII modes Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 82/91] net: usb: lan78xx: fix possible skb leak Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 83/91] pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 84/91] sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 85/91] tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 86/91] vxlan: fix tos value before xmit Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 87/91] vlan: vlan_changelink() should propagate errors Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 88/91] net: sch_prio: When ungrafting, replace with FIFO Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 89/91] vlan: fix memory leak in vlan_dev_set_egress_priority Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 90/91] USB: core: fix check for duplicate endpoints Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 91/91] USB: serial: option: add Telit ME910G1 0x110a composition Greg Kroah-Hartman
2020-01-11 15:44 ` [PATCH 4.9 00/91] 4.9.209-stable review Guenter Roeck
2020-01-11 17:51 ` Greg Kroah-Hartman
2020-01-11 20:09 ` Guenter Roeck
2020-01-12 4:55 ` Naresh Kamboju
2020-01-13 15:47 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200111094907.683095742@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=ardb@kernel.org \
--cc=bhsharma@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=m.mizuma@jp.fujitsu.com \
--cc=mingo@kernel.org \
--cc=nivedita@alum.mit.edu \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).