diff options
author | Matt Fleming <matt.fleming@intel.com> | 2013-04-29 22:31:45 +0400 |
---|---|---|
committer | Matt Fleming <matt.fleming@intel.com> | 2013-04-30 15:07:57 +0400 |
commit | 4ee39e979c80543095601b4bd812565a0928b56d (patch) | |
tree | c303fa01458e4e5e3303febbcc18aff8287735a4 /drivers/firmware | |
parent | a614e1923d5389d01f3545ee4a90e39a04d0c90d (diff) | |
download | linux-4ee39e979c80543095601b4bd812565a0928b56d.tar.xz |
efi, pstore: Initialise 'entry' before iterating
Seiji reports hitting the following crash when erasing pstore dump
variables,
BUG: unable to handle kernel NULL pointer dereference at 0000000000000fa4
IP: [<ffffffff8142dadf>] __efivar_entry_iter+0x2f/0x120
PGD 18482a067 PUD 190724067 PMD 0
Oops: 0000 [#1] SMP
[...]
Call Trace:
[<ffffffff8143001f>] efi_pstore_erase+0xdf/0x130
[<ffffffff81200038>] ? cap_socket_create+0x8/0x10
[<ffffffff811ea491>] pstore_unlink+0x41/0x60
[<ffffffff811741ff>] vfs_unlink+0x9f/0x110
[<ffffffff8117813b>] do_unlinkat+0x18b/0x280
[<ffffffff81178472>] sys_unlinkat+0x22/0x40
[<ffffffff81542402>] system_call_fastpath+0x16/0x1b
'entry' needs to be initialised in efi_pstore_erase() when iterating
with __efivar_entry_iter(), otherwise the garbage pointer will be
dereferenced, leading to crashes like the above.
Reported-by: Seiji Aguchi <seiji.aguchi@hds.com>
Tested-by: Seiji Aguchi <seiji.aguchi@hds.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Diffstat (limited to 'drivers/firmware')
-rw-r--r-- | drivers/firmware/efi/efi-pstore.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/firmware/efi/efi-pstore.c b/drivers/firmware/efi/efi-pstore.c index 221ad1bf94de..583ee8037f4d 100644 --- a/drivers/firmware/efi/efi-pstore.c +++ b/drivers/firmware/efi/efi-pstore.c @@ -174,7 +174,7 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count, struct timespec time, struct pstore_info *psi) { struct pstore_erase_data edata; - struct efivar_entry *entry; + struct efivar_entry *entry = NULL; char name[DUMP_NAME_LEN]; efi_char16_t efi_name[DUMP_NAME_LEN]; int found, i; |