linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "tip-bot2 for Arvind Sankar" <tip-bot2@linutronix.de>
To: linux-tip-commits@vger.kernel.org
Cc: Arvind Sankar <nivedita@alum.mit.edu>,
	Ard Biesheuvel <ardb@kernel.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Bhupesh Sharma <bhsharma@redhat.com>,
	Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>,
	linux-efi@vger.kernel.org, Ingo Molnar <mingo@kernel.org>,
	x86 <x86@kernel.org>, LKML <linux-kernel@vger.kernel.org>
Subject: [tip: efi/urgent] efi/gop: Fix memory leak in __gop_query32/64()
Date: Sun, 08 Dec 2019 13:33:33 -0000	[thread overview]
Message-ID: <157581201369.21853.10246677238795985040.tip-bot2@tip-bot2> (raw)
In-Reply-To: <20191206165542.31469-5-ardb@kernel.org>

The following commit has been merged into the efi/urgent branch of tip:

Commit-ID:     ff397be685e410a59c34b21ce0c55d4daa466bb7
Gitweb:        https://git.kernel.org/tip/ff397be685e410a59c34b21ce0c55d4daa466bb7
Author:        Arvind Sankar <nivedita@alum.mit.edu>
AuthorDate:    Fri, 06 Dec 2019 16:55:40 
Committer:     Ingo Molnar <mingo@kernel.org>
CommitterDate: Sun, 08 Dec 2019 12:42:18 +01:00

efi/gop: Fix memory leak in __gop_query32/64()

efi_graphics_output_protocol::query_mode() returns info in
callee-allocated memory which must be freed by the caller, which
we aren't doing.

We don't actually need to call query_mode() in order to obtain the
info for the current graphics mode, which is already there in
gop->mode->info, so just access it directly in the setup_gop32/64()
functions.

Also nothing uses the size of the info structure, so don't update the
passed-in size (which is the size of the gop_handle table in bytes)
unnecessarily.

Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Bhupesh Sharma <bhsharma@redhat.com>
Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191206165542.31469-5-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 drivers/firmware/efi/libstub/gop.c | 66 +++++------------------------
 1 file changed, 12 insertions(+), 54 deletions(-)

diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c
index 69b2b01..b7bf1e9 100644
--- a/drivers/firmware/efi/libstub/gop.c
+++ b/drivers/firmware/efi/libstub/gop.c
@@ -84,30 +84,6 @@ setup_pixel_info(struct screen_info *si, u32 pixels_per_scan_line,
 }
 
 static efi_status_t
-__gop_query32(efi_system_table_t *sys_table_arg,
-	      struct efi_graphics_output_protocol_32 *gop32,
-	      struct efi_graphics_output_mode_info **info,
-	      unsigned long *size, u64 *fb_base)
-{
-	struct efi_graphics_output_protocol_mode_32 *mode;
-	efi_graphics_output_protocol_query_mode query_mode;
-	efi_status_t status;
-	unsigned long m;
-
-	m = gop32->mode;
-	mode = (struct efi_graphics_output_protocol_mode_32 *)m;
-	query_mode = (void *)(unsigned long)gop32->query_mode;
-
-	status = __efi_call_early(query_mode, (void *)gop32, mode->mode, size,
-				  info);
-	if (status != EFI_SUCCESS)
-		return status;
-
-	*fb_base = mode->frame_buffer_base;
-	return status;
-}
-
-static efi_status_t
 setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
             efi_guid_t *proto, unsigned long size, void **gop_handle)
 {
@@ -128,6 +104,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
 
 	nr_gops = size / sizeof(u32);
 	for (i = 0; i < nr_gops; i++) {
+		struct efi_graphics_output_protocol_mode_32 *mode;
 		struct efi_graphics_output_mode_info *info = NULL;
 		efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID;
 		bool conout_found = false;
@@ -145,9 +122,11 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
 		if (status == EFI_SUCCESS)
 			conout_found = true;
 
-		status = __gop_query32(sys_table_arg, gop32, &info, &size,
-				       &current_fb_base);
-		if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
+		mode = (void *)(unsigned long)gop32->mode;
+		info = (void *)(unsigned long)mode->info;
+		current_fb_base = mode->frame_buffer_base;
+
+		if ((!first_gop || conout_found) &&
 		    info->pixel_format != PIXEL_BLT_ONLY) {
 			/*
 			 * Systems that use the UEFI Console Splitter may
@@ -202,30 +181,6 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
 }
 
 static efi_status_t
-__gop_query64(efi_system_table_t *sys_table_arg,
-	      struct efi_graphics_output_protocol_64 *gop64,
-	      struct efi_graphics_output_mode_info **info,
-	      unsigned long *size, u64 *fb_base)
-{
-	struct efi_graphics_output_protocol_mode_64 *mode;
-	efi_graphics_output_protocol_query_mode query_mode;
-	efi_status_t status;
-	unsigned long m;
-
-	m = gop64->mode;
-	mode = (struct efi_graphics_output_protocol_mode_64 *)m;
-	query_mode = (void *)(unsigned long)gop64->query_mode;
-
-	status = __efi_call_early(query_mode, (void *)gop64, mode->mode, size,
-				  info);
-	if (status != EFI_SUCCESS)
-		return status;
-
-	*fb_base = mode->frame_buffer_base;
-	return status;
-}
-
-static efi_status_t
 setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
 	    efi_guid_t *proto, unsigned long size, void **gop_handle)
 {
@@ -246,6 +201,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
 
 	nr_gops = size / sizeof(u64);
 	for (i = 0; i < nr_gops; i++) {
+		struct efi_graphics_output_protocol_mode_64 *mode;
 		struct efi_graphics_output_mode_info *info = NULL;
 		efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID;
 		bool conout_found = false;
@@ -263,9 +219,11 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
 		if (status == EFI_SUCCESS)
 			conout_found = true;
 
-		status = __gop_query64(sys_table_arg, gop64, &info, &size,
-				       &current_fb_base);
-		if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
+		mode = (void *)(unsigned long)gop64->mode;
+		info = (void *)(unsigned long)mode->info;
+		current_fb_base = mode->frame_buffer_base;
+
+		if ((!first_gop || conout_found) &&
 		    info->pixel_format != PIXEL_BLT_ONLY) {
 			/*
 			 * Systems that use the UEFI Console Splitter may

  reply	other threads:[~2019-12-08 13:34 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-06 16:55 [GIT PULL 0/6] EFI fixes for v5.5 Ard Biesheuvel
2019-12-06 16:55 ` [PATCH 1/6] efi/memreserve: register reservations as 'reserved' in /proc/iomem Ard Biesheuvel
2019-12-08 13:33   ` [tip: efi/urgent] efi/memreserve: Register " tip-bot2 for Ard Biesheuvel
2019-12-06 16:55 ` [PATCH 2/6] efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs Ard Biesheuvel
2019-12-08 13:33   ` [tip: efi/urgent] " tip-bot2 for Arvind Sankar
2019-12-06 16:55 ` [PATCH 3/6] efi/gop: Return EFI_SUCCESS if a usable GOP was found Ard Biesheuvel
2019-12-08 13:33   ` [tip: efi/urgent] " tip-bot2 for Arvind Sankar
2019-12-06 16:55 ` [PATCH 4/6] efi/gop: Fix memory leak from __gop_query32/64 Ard Biesheuvel
2019-12-08 13:33   ` tip-bot2 for Arvind Sankar [this message]
2019-12-06 16:55 ` [PATCH 5/6] efi: fix type of unload field in efi_loaded_image_t Ard Biesheuvel
2019-12-08 13:33   ` [tip: efi/urgent] efi: Fix efi_loaded_image_t::unload type tip-bot2 for Arvind Sankar
2019-12-06 16:55 ` [PATCH 6/6] efi/earlycon: Remap entire framebuffer after page initialization Ard Biesheuvel
2019-12-08 13:33   ` [tip: efi/urgent] " tip-bot2 for Andy Shevchenko
2019-12-09 19:12   ` [PATCH 6/6] " Arvind Sankar
2019-12-09 19:24     ` Ard Biesheuvel
2019-12-10 20:05       ` Arvind Sankar
2019-12-11 11:26         ` Ard Biesheuvel
2019-12-11 15:55           ` Arvind Sankar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=157581201369.21853.10246677238795985040.tip-bot2@tip-bot2 \
    --to=tip-bot2@linutronix.de \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=ardb@kernel.org \
    --cc=bhsharma@redhat.com \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-tip-commits@vger.kernel.org \
    --cc=m.mizuma@jp.fujitsu.com \
    --cc=mingo@kernel.org \
    --cc=nivedita@alum.mit.edu \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).