The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable@xxxxxxxxxxxxxxx>. Possible dependencies: 703c13fe3c9a ("efi: fix NULL-deref in init error path") 1fff234de2b6 ("efi: x86: Move EFI runtime map sysfs code to arch/x86") 8dfac4d8ad27 ("efi: runtime-maps: Clarify purpose and enable by default for kexec") 4059ba656ce5 ("efi: memmap: Move EFI fake memmap support into x86 arch tree") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 703c13fe3c9af557d312f5895ed6a5fda2711104 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro@xxxxxxxxxx> Date: Mon, 19 Dec 2022 10:10:04 +0100 Subject: [PATCH] efi: fix NULL-deref in init error path In cases where runtime services are not supported or have been disabled, the runtime services workqueue will never have been allocated. Do not try to destroy the workqueue unconditionally in the unlikely event that EFI initialisation fails to avoid dereferencing a NULL pointer. Fixes: 98086df8b70c ("efi: add missed destroy_workqueue when efisubsys_init fails") Cc: stable@xxxxxxxxxxxxxxx Cc: Li Heng <liheng40@xxxxxxxxxx> Signed-off-by: Johan Hovold <johan+linaro@xxxxxxxxxx> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 09716eebe8ac..a2b0cbc8741c 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -394,8 +394,8 @@ static int __init efisubsys_init(void) efi_kobj = kobject_create_and_add("efi", firmware_kobj); if (!efi_kobj) { pr_err("efi: Firmware registration failed.\n"); - destroy_workqueue(efi_rts_wq); - return -ENOMEM; + error = -ENOMEM; + goto err_destroy_wq; } if (efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE | @@ -443,7 +443,10 @@ static int __init efisubsys_init(void) err_put: kobject_put(efi_kobj); efi_kobj = NULL; - destroy_workqueue(efi_rts_wq); +err_destroy_wq: + if (efi_rts_wq) + destroy_workqueue(efi_rts_wq); + return error; }