From patchwork Fri Jan 19 00:45:44 2024
X-Patchwork-Submitter: Masahisa Kojima
X-Patchwork-Id: 763903
From: Masahisa Kojima
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, AKASHI Takahiro, Masahisa Kojima
Subject: [PATCH v3 1/3] efi_loader: avoid pointer access after calling efi_delete_handle
Date: Fri, 19 Jan 2024 09:45:44 +0900
Message-Id: <20240119004546.1084018-2-masahisa.kojima@linaro.org>
In-Reply-To: <20240119004546.1084018-1-masahisa.kojima@linaro.org>
List-Id: U-Boot discussion

efi_delete_handle() calls efi_purge_handle(), then it finally frees the EFI handle. Both diskobj and handle variables in efi_disk_remove() have the same pointer, we can not access diskobj->dp after calling efi_delete_handle().

This commit saves the struct efi_device_path pointer before calling efi_delete_handle(). This commit also fixes the missing free for volume member in struct efi_disk_obj.

This commit also removes the container_of() calls, and adds the TODO comment of missing efi_close_protocol() call for the parent EFI_BLOCK_IO_PROTOCOL.

Signed-off-by: Masahisa Kojima Reviewed-by: Ilias Apalodimas --- lib/efi_loader/efi_disk.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/lib/efi_loader/efi_disk.c b/lib/efi_loader/efi_disk.c index 013842f077..105f080125 100644 --- a/lib/efi_loader/efi_disk.c +++ b/lib/efi_loader/efi_disk.c @@ -707,7 +707,9 @@ int efi_disk_remove(void *ctx, struct event *event) struct udevice *dev = event->data.dm.dev; efi_handle_t handle; struct blk_desc *desc; + struct efi_device_path *dp = NULL; struct efi_disk_obj *diskobj = NULL; + struct efi_simple_file_system_protocol *volume = NULL; efi_status_t ret; if (dev_tag_get_ptr(dev, DM_TAG_EFI, (void **)&handle)) @@ -718,24 +720,30 @@ int efi_disk_remove(void *ctx, struct event *event) case UCLASS_BLK: desc = dev_get_uclass_plat(dev); if (desc && desc->uclass_id != UCLASS_EFI_LOADER) - diskobj = container_of(handle, struct efi_disk_obj, - header); + diskobj = (struct efi_disk_obj *)handle; break; case UCLASS_PARTITION: - diskobj = container_of(handle, struct efi_disk_obj, header); + diskobj = (struct efi_disk_obj *)handle; + + /* TODO: closing the parent EFI_BLOCK_IO_PROTOCOL is missing. */ + break; default: return 0; } + if (diskobj) { + dp = diskobj->dp; + volume = diskobj->volume; + } + ret = efi_delete_handle(handle); /* Do not delete DM device if there are still EFI drivers attached. */ if (ret != EFI_SUCCESS) return -1; - if (diskobj) - efi_free_pool(diskobj->dp); - + efi_free_pool(dp); + free(volume); dev_tag_del(dev, DM_TAG_EFI); return 0;
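
Review bot: In the first hunk (@@ -707), the new locals dp and volume are declared with nothing to say that they exist to outlive diskobj. A one-line comment at the declarations, noting that they hold copies taken before efi_delete_handle() frees the handle, would keep a later cleanup from going back to diskobj->dp. Their NULL initialisers are also what the unconditional frees at the end of the function depend on, so they should not be dropped as redundant.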
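
Review bot: In the second hunk (@@ -718), the casts "diskobj = (struct efi_disk_obj *)handle;" in the UCLASS_BLK and UCLASS_PARTITION cases match the removed container_of(handle, struct efi_disk_obj, header) only while header stays the first member of struct efi_disk_obj. A comment at the cast, or a build-time offset check, would stop a later reordering of the struct from silently turning "dp = diskobj->dp" into a read of the wrong field. At the end of the same hunk, efi_free_pool(dp) and free(volume) now also run when diskobj is NULL (the UCLASS_BLK case where desc is NULL or desc->uclass_id is UCLASS_EFI_LOADER), which the removed "if (diskobj)" guard avoided; either keep the guard or state that both calls accept NULL. The two pointers are also released through different routines, and the diff does not show how volume is allocated, so please confirm that free() is the matching deallocator.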