From: Sai Praneeth sai.praneeth.prakhya@intel.com

mainline inclusion from mainline-v4.20-rc1 commit 3425d934fc0312f62024163736a7afe4de20c10f category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I67RIP CVE: NA

--------------------------------

Memory accesses performed by UEFI runtime services should be limited to: - reading/executing from EFI_RUNTIME_SERVICES_CODE memory regions - reading/writing from/to EFI_RUNTIME_SERVICES_DATA memory regions - reading/writing by-ref arguments - reading/writing from/to the stack.

Accesses outside these regions may cause the kernel to hang because the memory region requested by the firmware isn't mapped in efi_pgd, which causes a page fault in ring 0 and the kernel fails to handle it, leading to die(). To save kernel from hanging, add an EFI specific page fault handler which recovers from such faults by 1. If the efi runtime service is efi_reset_system(), reboot the machine through BIOS. 2. If the efi runtime service is _not_ efi_reset_system(), then freeze efi_rts_wq and schedule a new process.

The EFI page fault handler offers us two advantages: 1. Avoid potential hangs caused by buggy firmware. 2. Shout loud that the firmware is buggy and hence is not a kernel bug.

Tested-by: Bhupesh Sharma bhsharma@redhat.com Suggested-by: Matt Fleming matt@codeblueprint.co.uk Based-on-code-from: Ricardo Neri ricardo.neri@intel.com Signed-off-by: Sai Praneeth Prakhya sai.praneeth.prakhya@intel.com Reviewed-by: Thomas Gleixner tglx@linutronix.de [ardb: clarify commit log] Signed-off-by: Ard Biesheuvel ard.biesheuvel@linaro.org Signed-off-by: Ding Hui dinghui@sangfor.com.cn --- arch/x86/include/asm/efi.h | 1 + arch/x86/mm/fault.c | 9 +++ arch/x86/platform/efi/quirks.c | 78 +++++++++++++++++++++++++ drivers/firmware/efi/runtime-wrappers.c | 8 +++ include/linux/efi.h | 8 ++- 5 files changed, 103 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h index 00aa9de5abbb..eea57447ee56 100644 --- a/arch/x86/include/asm/efi.h +++ b/arch/x86/include/asm/efi.h @@ -137,6 +137,7 @@ extern void __init efi_apply_memmap_quirks(void); extern int __init efi_reuse_config(u64 tables, int nr_tables); extern void efi_delete_dummy_variable(void); extern void efi_switch_mm(struct mm_struct *mm); +extern void efi_recover_from_page_fault(unsigned long phys_addr);

struct efi_setup_data { u64 fw_vendor; diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index 52c8cbbd5a65..a9d03d3bacec 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -16,6 +16,7 @@ #include <linux/prefetch.h> /* prefetchw */ #include <linux/context_tracking.h> /* exception_enter(), ... */ #include <linux/uaccess.h> /* faulthandler_disabled() */ +#include <linux/efi.h> /* efi_recover_from_page_fault()*/ #include <linux/mm_types.h>

#include <asm/cpufeature.h> /* boot_cpu_has, ... */ @@ -25,6 +26,7 @@ #include <asm/vsyscall.h> /* emulate_vsyscall */ #include <asm/vm86.h> /* struct vm86 */ #include <asm/mmu_context.h> /* vma_pkey() */ +#include <asm/efi.h> /* efi_recover_from_page_fault()*/

#define CREATE_TRACE_POINTS #include <asm/trace/exceptions.h> @@ -805,6 +807,13 @@ no_context(struct pt_regs *regs, unsigned long error_code, if (is_errata93(regs, address)) return;

+ /* + * Buggy firmware could access regions which might page fault, try to + * recover from such faults. + */ + if (IS_ENABLED(CONFIG_EFI)) + efi_recover_from_page_fault(address); + /* * Oops. The kernel tried to access some bad page. We'll have to * terminate things with extreme prejudice: diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c index 006eb09e9587..bd4806267456 100644 --- a/arch/x86/platform/efi/quirks.c +++ b/arch/x86/platform/efi/quirks.c @@ -16,6 +16,7 @@ #include <asm/efi.h> #include <asm/uv/uv.h> #include <asm/cpu_device_id.h> +#include <asm/reboot.h>

#define EFI_MIN_RESERVE 5120

@@ -653,3 +654,80 @@ int efi_capsule_setup_info(struct capsule_info *cap_info, void *kbuff, }

#endif + +/* + * If any access by any efi runtime service causes a page fault, then, + * 1. If it's efi_reset_system(), reboot through BIOS. + * 2. If any other efi runtime service, then + * a. Return error status to the efi caller process. + * b. Disable EFI Runtime Services forever and + * c. Freeze efi_rts_wq and schedule new process. + * + * @return: Returns, if the page fault is not handled. This function + * will never return if the page fault is handled successfully. + */ +void efi_recover_from_page_fault(unsigned long phys_addr) +{ + if (!IS_ENABLED(CONFIG_X86_64)) + return; + + /* + * Make sure that an efi runtime service caused the page fault. + * "efi_mm" cannot be used to check if the page fault had occurred + * in the firmware context because efi=old_map doesn't use efi_pgd. + */ + if (efi_rts_work.efi_rts_id == NONE) + return; + + /* + * Address range 0x0000 - 0x0fff is always mapped in the efi_pgd, so + * page faulting on these addresses isn't expected. + */ + if (phys_addr >= 0x0000 && phys_addr <= 0x0fff) + return; + + /* + * Print stack trace as it might be useful to know which EFI Runtime + * Service is buggy. + */ + WARN(1, FW_BUG "Page fault caused by firmware at PA: 0x%lx\n", + phys_addr); + + /* + * Buggy efi_reset_system() is handled differently from other EFI + * Runtime Services as it doesn't use efi_rts_wq. Although, + * native_machine_emergency_restart() says that machine_real_restart() + * could fail, it's better not to compilcate this fault handler + * because this case occurs *very* rarely and hence could be improved + * on a need by basis. + */ + if (efi_rts_work.efi_rts_id == RESET_SYSTEM) { + pr_info("efi_reset_system() buggy! Reboot through BIOS\n"); + machine_real_restart(MRR_BIOS); + return; + } + + /* + * Before calling EFI Runtime Service, the kernel has switched the + * calling process to efi_mm. Hence, switch back to task_mm. + */ + arch_efi_call_virt_teardown(); + + /* Signal error status to the efi caller process */ + efi_rts_work.status = EFI_ABORTED; + complete(&efi_rts_work.efi_rts_comp); + + clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); + pr_info("Froze efi_rts_wq and disabled EFI Runtime Services\n"); + + /* + * Call schedule() in an infinite loop, so that any spurious wake ups + * will never run efi_rts_wq again. + */ + for (;;) { + set_current_state(TASK_IDLE); + schedule(); + } + + return; +} diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c index 0c3481b80578..7ac5e4fdf458 100644 --- a/drivers/firmware/efi/runtime-wrappers.c +++ b/drivers/firmware/efi/runtime-wrappers.c @@ -61,6 +61,11 @@ struct efi_runtime_work efi_rts_work; ({ \ efi_rts_work.status = EFI_ABORTED; \ \ + if (!efi_enabled(EFI_RUNTIME_SERVICES)) { \ + pr_warn_once("EFI Runtime Services are disabled!\n"); \ + goto exit; \ + } \ + \ init_completion(&efi_rts_work.efi_rts_comp); \ INIT_WORK_ONSTACK(&efi_rts_work.work, efi_call_rts); \ efi_rts_work.arg1 = _arg1; \ @@ -79,6 +84,8 @@ struct efi_runtime_work efi_rts_work; else \ pr_err("Failed to queue work to efi_rts_wq.\n"); \ \ +exit: \ + efi_rts_work.efi_rts_id = NONE; \ efi_rts_work.status; \ })

@@ -413,6 +420,7 @@ static void virt_efi_reset_system(int reset_type, "could not get exclusive access to the firmware\n"); return; } + efi_rts_work.efi_rts_id = RESET_SYSTEM; __efi_call_virt(reset_system, reset_type, status, data_size, data); up(&efi_runtime_lock); } diff --git a/include/linux/efi.h b/include/linux/efi.h index 4d0be16f04c3..e691426def2d 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1684,8 +1684,13 @@ struct linux_efi_tpm_eventlog {

extern int efi_tpm_eventlog_init(void);

-/* efi_runtime_service() function identifiers */ +/* + * efi_runtime_service() function identifiers. + * "NONE" is used by efi_recover_from_page_fault() to check if the page + * fault happened while executing an efi runtime service. + */ enum efi_rts_ids { + NONE, GET_TIME, SET_TIME, GET_WAKEUP_TIME, @@ -1695,6 +1700,7 @@ enum efi_rts_ids { SET_VARIABLE, QUERY_VARIABLE_INFO, GET_NEXT_HIGH_MONO_COUNT, + RESET_SYSTEM, UPDATE_CAPSULE, QUERY_CAPSULE_CAPS, };

From: Anders Roxell anders.roxell@linaro.org

mainline inclusion from mainline-v5.1-rc1 commit 5c418dc789a3898717ebf2caa5716ba91a7150b2 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I67RIP CVE: NA

--------------------------------

The following commit:

a893ea15d764 ("tpm: move tpm_chip definition to include/linux/tpm.h")

introduced a build error when both IMA and EFI are enabled:

In file included from ../security/integrity/ima/ima_fs.c:30: ../security/integrity/ima/ima.h:176:7: error: redeclaration of enumerator "NONE"

What happens is that both headers (ima.h and efi.h) defines the same 'NONE' constant, and it broke when they started getting included from the same file:

Rework to prefix the EFI enum with 'EFI_*'.

Signed-off-by: Anders Roxell anders.roxell@linaro.org Signed-off-by: Ard Biesheuvel ard.biesheuvel@linaro.org Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20190215165551.12220-2-ard.biesheuvel@linaro.org [ Cleaned up the changelog a bit. ] Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Ding Hui dinghui@sangfor.com.cn --- arch/x86/platform/efi/quirks.c | 4 +-- drivers/firmware/efi/runtime-wrappers.c | 48 ++++++++++++------------- include/linux/efi.h | 26 +++++++------- 3 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c index bd4806267456..b21d8ebf694c 100644 --- a/arch/x86/platform/efi/quirks.c +++ b/arch/x86/platform/efi/quirks.c @@ -676,7 +676,7 @@ void efi_recover_from_page_fault(unsigned long phys_addr) * "efi_mm" cannot be used to check if the page fault had occurred * in the firmware context because efi=old_map doesn't use efi_pgd. */ - if (efi_rts_work.efi_rts_id == NONE) + if (efi_rts_work.efi_rts_id == EFI_NONE) return;

/* @@ -701,7 +701,7 @@ void efi_recover_from_page_fault(unsigned long phys_addr) * because this case occurs *very* rarely and hence could be improved * on a need by basis. */ - if (efi_rts_work.efi_rts_id == RESET_SYSTEM) { + if (efi_rts_work.efi_rts_id == EFI_RESET_SYSTEM) { pr_info("efi_reset_system() buggy! Reboot through BIOS\n"); machine_real_restart(MRR_BIOS); return; diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c index d901951208b4..3e8b3e3b8757 100644 --- a/drivers/firmware/efi/runtime-wrappers.c +++ b/drivers/firmware/efi/runtime-wrappers.c @@ -85,7 +85,7 @@ struct efi_runtime_work efi_rts_work; pr_err("Failed to queue work to efi_rts_wq.\n"); \ \ exit: \ - efi_rts_work.efi_rts_id = NONE; \ + efi_rts_work.efi_rts_id = EFI_NONE; \ efi_rts_work.status; \ })

@@ -188,50 +188,50 @@ static void efi_call_rts(struct work_struct *work) arg5 = efi_rts_work.arg5;

switch (efi_rts_work.efi_rts_id) { - case GET_TIME: + case EFI_GET_TIME: status = efi_call_virt(get_time, (efi_time_t *)arg1, (efi_time_cap_t *)arg2); break; - case SET_TIME: + case EFI_SET_TIME: status = efi_call_virt(set_time, (efi_time_t *)arg1); break; - case GET_WAKEUP_TIME: + case EFI_GET_WAKEUP_TIME: status = efi_call_virt(get_wakeup_time, (efi_bool_t *)arg1, (efi_bool_t *)arg2, (efi_time_t *)arg3); break; - case SET_WAKEUP_TIME: + case EFI_SET_WAKEUP_TIME: status = efi_call_virt(set_wakeup_time, *(efi_bool_t *)arg1, (efi_time_t *)arg2); break; - case GET_VARIABLE: + case EFI_GET_VARIABLE: status = efi_call_virt(get_variable, (efi_char16_t *)arg1, (efi_guid_t *)arg2, (u32 *)arg3, (unsigned long *)arg4, (void *)arg5); break; - case GET_NEXT_VARIABLE: + case EFI_GET_NEXT_VARIABLE: status = efi_call_virt(get_next_variable, (unsigned long *)arg1, (efi_char16_t *)arg2, (efi_guid_t *)arg3); break; - case SET_VARIABLE: + case EFI_SET_VARIABLE: status = efi_call_virt(set_variable, (efi_char16_t *)arg1, (efi_guid_t *)arg2, *(u32 *)arg3, *(unsigned long *)arg4, (void *)arg5); break; - case QUERY_VARIABLE_INFO: + case EFI_QUERY_VARIABLE_INFO: status = efi_call_virt(query_variable_info, *(u32 *)arg1, (u64 *)arg2, (u64 *)arg3, (u64 *)arg4); break; - case GET_NEXT_HIGH_MONO_COUNT: + case EFI_GET_NEXT_HIGH_MONO_COUNT: status = efi_call_virt(get_next_high_mono_count, (u32 *)arg1); break; - case UPDATE_CAPSULE: + case EFI_UPDATE_CAPSULE: status = efi_call_virt(update_capsule, (efi_capsule_header_t **)arg1, *(unsigned long *)arg2, *(unsigned long *)arg3); break; - case QUERY_CAPSULE_CAPS: + case EFI_QUERY_CAPSULE_CAPS: status = efi_call_virt(query_capsule_caps, (efi_capsule_header_t **)arg1, *(unsigned long *)arg2, (u64 *)arg3, @@ -255,7 +255,7 @@ static efi_status_t virt_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(GET_TIME, tm, tc, NULL, NULL, NULL); + status = efi_queue_work(EFI_GET_TIME, tm, tc, NULL, NULL, NULL); up(&efi_runtime_lock); return status; } @@ -266,7 +266,7 @@ static efi_status_t virt_efi_set_time(efi_time_t *tm)

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(SET_TIME, tm, NULL, NULL, NULL, NULL); + status = efi_queue_work(EFI_SET_TIME, tm, NULL, NULL, NULL, NULL); up(&efi_runtime_lock); return status; } @@ -279,7 +279,7 @@ static efi_status_t virt_efi_get_wakeup_time(efi_bool_t *enabled,

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(GET_WAKEUP_TIME, enabled, pending, tm, NULL, + status = efi_queue_work(EFI_GET_WAKEUP_TIME, enabled, pending, tm, NULL, NULL); up(&efi_runtime_lock); return status; @@ -291,7 +291,7 @@ static efi_status_t virt_efi_set_wakeup_time(efi_bool_t enabled, efi_time_t *tm)

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(SET_WAKEUP_TIME, &enabled, tm, NULL, NULL, + status = efi_queue_work(EFI_SET_WAKEUP_TIME, &enabled, tm, NULL, NULL, NULL); up(&efi_runtime_lock); return status; @@ -307,7 +307,7 @@ static efi_status_t virt_efi_get_variable(efi_char16_t *name,

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(GET_VARIABLE, name, vendor, attr, data_size, + status = efi_queue_work(EFI_GET_VARIABLE, name, vendor, attr, data_size, data); up(&efi_runtime_lock); return status; @@ -321,7 +321,7 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(GET_NEXT_VARIABLE, name_size, name, vendor, + status = efi_queue_work(EFI_GET_NEXT_VARIABLE, name_size, name, vendor, NULL, NULL); up(&efi_runtime_lock); return status; @@ -337,7 +337,7 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(SET_VARIABLE, name, vendor, &attr, &data_size, + status = efi_queue_work(EFI_SET_VARIABLE, name, vendor, &attr, &data_size, data); up(&efi_runtime_lock); return status; @@ -372,7 +372,7 @@ static efi_status_t virt_efi_query_variable_info(u32 attr,

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(QUERY_VARIABLE_INFO, &attr, storage_space, + status = efi_queue_work(EFI_QUERY_VARIABLE_INFO, &attr, storage_space, remaining_space, max_variable_size, NULL); up(&efi_runtime_lock); return status; @@ -404,7 +404,7 @@ static efi_status_t virt_efi_get_next_high_mono_count(u32 *count)

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(GET_NEXT_HIGH_MONO_COUNT, count, NULL, NULL, + status = efi_queue_work(EFI_GET_NEXT_HIGH_MONO_COUNT, count, NULL, NULL, NULL, NULL); up(&efi_runtime_lock); return status; @@ -420,7 +420,7 @@ static void virt_efi_reset_system(int reset_type, "could not get exclusive access to the firmware\n"); return; } - efi_rts_work.efi_rts_id = RESET_SYSTEM; + efi_rts_work.efi_rts_id = EFI_RESET_SYSTEM; __efi_call_virt(reset_system, reset_type, status, data_size, data); up(&efi_runtime_lock); } @@ -436,7 +436,7 @@ static efi_status_t virt_efi_update_capsule(efi_capsule_header_t **capsules,

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(UPDATE_CAPSULE, capsules, &count, &sg_list, + status = efi_queue_work(EFI_UPDATE_CAPSULE, capsules, &count, &sg_list, NULL, NULL); up(&efi_runtime_lock); return status; @@ -454,7 +454,7 @@ static efi_status_t virt_efi_query_capsule_caps(efi_capsule_header_t **capsules,

if (down_interruptible(&efi_runtime_lock)) return EFI_ABORTED; - status = efi_queue_work(QUERY_CAPSULE_CAPS, capsules, &count, + status = efi_queue_work(EFI_QUERY_CAPSULE_CAPS, capsules, &count, max_size, reset_type, NULL); up(&efi_runtime_lock); return status; diff --git a/include/linux/efi.h b/include/linux/efi.h index e691426def2d..8fbab420b265 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1690,19 +1690,19 @@ extern int efi_tpm_eventlog_init(void); * fault happened while executing an efi runtime service. */ enum efi_rts_ids { - NONE, - GET_TIME, - SET_TIME, - GET_WAKEUP_TIME, - SET_WAKEUP_TIME, - GET_VARIABLE, - GET_NEXT_VARIABLE, - SET_VARIABLE, - QUERY_VARIABLE_INFO, - GET_NEXT_HIGH_MONO_COUNT, - RESET_SYSTEM, - UPDATE_CAPSULE, - QUERY_CAPSULE_CAPS, + EFI_NONE, + EFI_GET_TIME, + EFI_SET_TIME, + EFI_GET_WAKEUP_TIME, + EFI_SET_WAKEUP_TIME, + EFI_GET_VARIABLE, + EFI_GET_NEXT_VARIABLE, + EFI_SET_VARIABLE, + EFI_QUERY_VARIABLE_INFO, + EFI_GET_NEXT_HIGH_MONO_COUNT, + EFI_RESET_SYSTEM, + EFI_UPDATE_CAPSULE, + EFI_QUERY_CAPSULE_CAPS, };

/*

From: Ard Biesheuvel ardb@kernel.org

mainline inclusion from mainline-v6.1-rc4 commit 23715a26c8d812912a70c6ac1ce67af649b95914 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I67RIP CVE: NA

backport: - using ENTRY/ENDPROC instead of SYM_FUNC_START/END - add include to fix compile error

--------------------------------

Unlike x86, which has machinery to deal with page faults that occur during the execution of EFI runtime services, arm64 has nothing like that, and a synchronous exception raised by firmware code brings down the whole system.

With more EFI based systems appearing that were not built to run Linux (such as the Windows-on-ARM laptops based on Qualcomm SOCs), as well as the introduction of PRM (platform specific firmware routines that are callable just like EFI runtime services), we are more likely to run into issues of this sort, and it is much more likely that we can identify and work around such issues if they don't bring down the system entirely.

Since we already use a EFI runtime services call wrapper in assembler, we can quite easily add some code that captures the execution state at the point where the call is made, allowing us to revert to this state and proceed execution if the call triggered a synchronous exception.

Given that the kernel and the firmware don't share any data structures that could end up in an indeterminate state, we can happily continue running, as long as we mark the EFI runtime services as unavailable from that point on.

Signed-off-by: Ard Biesheuvel ardb@kernel.org Acked-by: Catalin Marinas catalin.marinas@arm.com

Conflicts: arch/arm64/kernel/efi-rt-wrapper.S

Signed-off-by: Ding Hui dinghui@sangfor.com.cn --- arch/arm64/include/asm/efi.h | 9 ++++++++ arch/arm64/kernel/efi-rt-wrapper.S | 35 ++++++++++++++++++++++++++++-- arch/arm64/kernel/efi.c | 26 ++++++++++++++++++++++ arch/arm64/mm/fault.c | 4 ++++ 4 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h index d3cb42fd51ec..f99e6291d7f5 100644 --- a/arch/arm64/include/asm/efi.h +++ b/arch/arm64/include/asm/efi.h @@ -11,11 +11,20 @@ #include <asm/neon.h> #include <asm/ptrace.h> #include <asm/tlbflush.h> +#include <linux/efi.h>

#ifdef CONFIG_EFI extern void efi_init(void); + +bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg); #else #define efi_init() + +static inline +bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg) +{ + return false; +} #endif

int efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md); diff --git a/arch/arm64/kernel/efi-rt-wrapper.S b/arch/arm64/kernel/efi-rt-wrapper.S index e02329e79ee1..1d4312c3a4b0 100644 --- a/arch/arm64/kernel/efi-rt-wrapper.S +++ b/arch/arm64/kernel/efi-rt-wrapper.S @@ -7,9 +7,11 @@ */

#include <linux/linkage.h> +#include <asm/assembler.h> +#include <asm/alternative.h>

ENTRY(__efi_rt_asm_wrapper) - stp x29, x30, [sp, #-32]! + stp x29, x30, [sp, #-112]! mov x29, sp

/* @@ -19,6 +21,20 @@ ENTRY(__efi_rt_asm_wrapper) */ stp x1, x18, [sp, #16]

+ /* + * Preserve all callee saved registers and record the stack pointer + * value in a per-CPU variable so we can recover from synchronous + * exceptions occurring while running the firmware routines. + */ + stp x19, x20, [sp, #32] + stp x21, x22, [sp, #48] + stp x23, x24, [sp, #64] + stp x25, x26, [sp, #80] + stp x27, x28, [sp, #96] + + adr_this_cpu x8, __efi_rt_asm_recover_sp, x9 + str x29, [x8] + /* * We are lucky enough that no EFI runtime services take more than * 5 arguments, so all are passed in registers rather than via the @@ -34,7 +50,7 @@ ENTRY(__efi_rt_asm_wrapper)

ldp x1, x2, [sp, #16] cmp x2, x18 - ldp x29, x30, [sp], #32 + ldp x29, x30, [sp], #112 b.ne 0f ret 0: @@ -48,3 +64,18 @@ ENTRY(__efi_rt_asm_wrapper) mov x18, x2 b efi_handle_corrupted_x18 // tail call ENDPROC(__efi_rt_asm_wrapper) + +ENTRY(__efi_rt_asm_recover) + ldr_this_cpu x8, __efi_rt_asm_recover_sp, x9 + mov sp, x8 + + ldp x0, x18, [sp, #16] + ldp x19, x20, [sp, #32] + ldp x21, x22, [sp, #48] + ldp x23, x24, [sp, #64] + ldp x25, x26, [sp, #80] + ldp x27, x28, [sp, #96] + ldp x29, x30, [sp], #112 + + b efi_handle_runtime_exception +ENDPROC(__efi_rt_asm_recover) diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c index 4f9acb5fbe97..5704ac434897 100644 --- a/arch/arm64/kernel/efi.c +++ b/arch/arm64/kernel/efi.c @@ -13,6 +13,7 @@

#include <linux/efi.h> #include <linux/init.h> +#include <linux/percpu.h>

#include <asm/efi.h>

@@ -132,3 +133,28 @@ asmlinkage efi_status_t efi_handle_corrupted_x18(efi_status_t s, const char *f) pr_err_ratelimited(FW_BUG "register x18 corrupted by EFI %s\n", f); return s; } + +asmlinkage DEFINE_PER_CPU(u64, __efi_rt_asm_recover_sp); + +asmlinkage efi_status_t __efi_rt_asm_recover(void); + +asmlinkage efi_status_t efi_handle_runtime_exception(const char *f) +{ + pr_err(FW_BUG "Synchronous exception occurred in EFI runtime service %s()\n", f); + clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); + return EFI_ABORTED; +} + +bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg) +{ + /* Check whether the exception occurred while running the firmware */ + if (current_work() != &efi_rts_work.work || regs->pc >= TASK_SIZE_64) + return false; + + pr_err(FW_BUG "Unable to handle %s in EFI runtime service\n", msg); + add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); + dump_stack(); + + regs->pc = (u64)__efi_rt_asm_recover; + return true; +} diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c index df456030136a..05cf6f1ebb2a 100644 --- a/arch/arm64/mm/fault.c +++ b/arch/arm64/mm/fault.c @@ -37,6 +37,7 @@ #include <asm/bug.h> #include <asm/cmpxchg.h> #include <asm/cpufeature.h> +#include <asm/efi.h> #include <asm/exception.h> #include <asm/daifflags.h> #include <asm/debug-monitors.h> @@ -332,6 +333,9 @@ static void __do_kernel_fault(unsigned long addr, unsigned int esr, msg = "paging request"; }

+ if (efi_runtime_fixup_exception(regs, msg)) + return; + die_kernel_fault(msg, addr, esr, regs); }