
[xen staging] efi: Protect against unnecessary image unloading



commit 5d492ce33d66397f60692f3c2b1b1e0ea6a6ea2e
Author:     Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>
AuthorDate: Thu Sep 11 08:24:28 2025 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Oct 14 18:31:43 2025 +0100

    efi: Protect against unnecessary image unloading
    
    Commit 59a1d6d3ea1e introduced Shim's LoadImage protocol and unloads the
    image after loading it (for verification purposes) regardless of the
    returned status. The protocol API implies this is the correct behaviour
    but we should add a check to protect against the unlikely case this
    frees any memory in use.
    
    Signed-off-by: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
    Release-Acked-By: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
---
 xen/common/efi/boot.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index 5b84dbf26e..d7f4d0cb22 100644
--- a/xen/common/efi/boot.c
+++ b/xen/common/efi/boot.c
@@ -1062,7 +1062,7 @@ static void __init efi_verify_kernel(EFI_HANDLE 
ImageHandle)
     static EFI_GUID __initdata shim_image_guid = SHIM_IMAGE_LOADER_GUID;
     static EFI_GUID __initdata shim_lock_guid = SHIM_LOCK_PROTOCOL_GUID;
     SHIM_IMAGE_LOADER *shim_loader;
-    EFI_HANDLE loaded_kernel;
+    EFI_HANDLE loaded_kernel = NULL;
     EFI_SHIM_LOCK_PROTOCOL *shim_lock;
     EFI_STATUS status;
     bool verified = false;
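Review bot: The commit message does not explain why loaded_kernel now needs the "= NULL" initialiser, and it should. With the old declaration, any path where the load call returned without writing the handle left an indeterminate value that was then passed to UnloadImage(). A sentence in the commit message saying so would make the "frees any memory in use" concern concrete, and would explain why the later "loaded_kernel &&" test depends on this line.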
@@ -1078,11 +1078,13 @@ static void __init efi_verify_kernel(EFI_HANDLE 
ImageHandle)
             verified = true;
 
         /*
-         * Always unload the image.  We only needed LoadImage() to perform
-         * verification anyway, and in the case of a failure there may still
-         * be cleanup needing to be performed.
+         * If the kernel was loaded, unload it. We only needed LoadImage() to
+         * perform verification anyway, and in the case of a failure there may
+         * still be cleanup needing to be performed.
          */
-        shim_loader->UnloadImage(loaded_kernel);
+        if ( loaded_kernel &&
+             (!EFI_ERROR(status) || status == EFI_SECURITY_VIOLATION) )
+            shim_loader->UnloadImage(loaded_kernel);
     }
 
     /* Otherwise, fall back to SHIM_LOCK. */
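Review bot: The rewritten comment no longer matches the condition below it. It still says "in the case of a failure there may still be cleanup needing to be performed", but the new test only unloads on success or when status == EFI_SECURITY_VIOLATION, so every other failure status now skips UnloadImage(). Suggest the comment name EFI_SECURITY_VIOLATION as the one failure case where an image handle is expected to exist, and say that other errors are assumed to leave nothing to unload. It would also help to state whether the "loaded_kernel &&" test and the status test are both required or whether one is purely defensive.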
--
generated by git-patchbot for /home/xen/git/xen.git#staging