We should check whether the patch section currently being processed is actually a patch section for each of them (not just the first one) in the late loader verify_and_add_patch() function, just like the early loader already does in parse_container() function.
Signed-off-by: Maciej S. Szmigiero <m...@maciej.szmigiero.name> --- arch/x86/kernel/cpu/microcode/amd.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c index 0f78200f2f6c..3ad23e72c2b0 100644 --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c @@ -627,6 +627,11 @@ static int verify_and_add_patch(u8 family, u8 *fw, size_t leftover) if (leftover < SECTION_HDR_SIZE + sizeof(*mc_hdr)) return leftover; + if (*(u32 *)fw != UCODE_UCODE_TYPE) { + pr_err("invalid type field in container file section header\n"); + return -EINVAL; + } + patch_size = *(u32 *)(fw + 4); if (patch_size > PATCH_MAX_SIZE) { pr_err("patch size %u too large\n", patch_size); @@ -704,12 +709,6 @@ static enum ucode_state __load_microcode_amd(u8 family, const u8 *data, fw += offset; leftover = size - offset; - if (*(u32 *)fw != UCODE_UCODE_TYPE) { - pr_err("invalid type field in container file section header\n"); - free_equiv_cpu_table(); - return ret; - } - while (leftover) { crnt_size = verify_and_add_patch(family, fw, leftover); if (crnt_size < 0)