Commit da8d493a authored by Johan Hovold, committed by Bjorn Andersson

firmware: qcom: uefisecapp: fix efivars registration race



Since the conversion to using the TZ allocator, the efivars service is
registered before the memory pool has been allocated, something which
can lead to a NULL-pointer dereference in case of a racing EFI variable
access.

Make sure that all resources have been set up before registering the
efivars.

Fixes: 6612103e ("firmware: qcom: qseecom: convert to using the TZ allocator")
Cc: stable@vger.kernel.org	# 6.11
Cc: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Maximilian Luz <luzmaximilian@gmail.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Link: https://lore.kernel.org/r/20250120151000.13870-1-johan+linaro@kernel.org


Signed-off-by: Bjorn Andersson <andersson@kernel.org>
parent 7f048b20
+9 −9
@@ -814,15 +814,6 @@ static int qcom_uefisecapp_probe(struct auxiliary_device *aux_dev,

	qcuefi->client = container_of(aux_dev, struct qseecom_client, aux_dev);

	auxiliary_set_drvdata(aux_dev, qcuefi);
	status = qcuefi_set_reference(qcuefi);
	if (status)
		return status;

	status = efivars_register(&qcuefi->efivars, &qcom_efivar_ops);
	if (status)
		qcuefi_set_reference(NULL);

	memset(&pool_config, 0, sizeof(pool_config));
	pool_config.initial_size = SZ_4K;
	pool_config.policy = QCOM_TZMEM_POLICY_MULTIPLIER;
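
Review bot: auxiliary_set_drvdata(aux_dev, qcuefi) leaves this position together with the qcuefi_set_reference() and efivars_register() calls, but the commit message only motivates moving the efivars registration. If the drvdata call is moved purely to keep the three calls grouped, say so in the message; otherwise it could stay here, directly after qcuefi->client is assigned, so the patch touches only the lines involved in the race.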
@@ -833,6 +824,15 @@ static int qcom_uefisecapp_probe(struct auxiliary_device *aux_dev,
	if (IS_ERR(qcuefi->mempool))
		return PTR_ERR(qcuefi->mempool);

	auxiliary_set_drvdata(aux_dev, qcuefi);
	status = qcuefi_set_reference(qcuefi);
	if (status)
		return status;

	status = efivars_register(&qcuefi->efivars, &qcom_efivar_ops);
	if (status)
		qcuefi_set_reference(NULL);

	return status;
}
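
Review bot: Both failure exits in the relocated block (the "return status" after qcuefi_set_reference() and the fall-through to "return status" after efivars_register() fails) are now reached with qcuefi->mempool already created, and neither releases it. The pool allocation call is outside this hunk, so please confirm it is device-managed; if it is not, both paths need to free the pool before returning. A one-line comment above efivars_register() saying that it must remain the last step of probe, because variable accesses can arrive as soon as it returns, would also help keep a later reorder from reintroducing the NULL-pointer dereference described in the commit message.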