arm64: efi: Recover from synchronous exceptions occurring in firmware

[ Upstream commit e8dfdf3162eb549d064b8c10b1564f7e8ee82591 ]

Unlike x86, which has machinery to deal with page faults that occur
during the execution of EFI runtime services, arm64 has nothing like
that, and a synchronous exception raised by firmware code brings down
the whole system.

With more EFI based systems appearing that were not built to run Linux
(such as the Windows-on-ARM laptops based on Qualcomm SOCs), as well as
the introduction of PRM (platform specific firmware routines that are
callable just like EFI runtime services), we are more likely to run into
issues of this sort, and it is much more likely that we can identify and
work around such issues if they don't bring down the system entirely.

Since we already use a EFI runtime services call wrapper in assembler,
we can quite easily add some code that captures the execution state at
the point where the call is made, allowing us to revert to this state
and proceed execution if the call triggered a synchronous exception.

Given that the kernel and the firmware don't share any data structures
that could end up in an indeterminate state, we can happily continue
running, as long as we mark the EFI runtime services as unavailable from
that point on.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Stable-dep-of: 8a9a1a18731e ("arm64: efi: Avoid workqueue to check whether EFI runtime is live")
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h
index b9f3165075c9d8ec2604186887c19ffa5c4ba859..0edaf8e385b8ecf42dab7fbd50065aea5d15da81 100644 (file)
--- a/arch/arm64/include/asm/efi.h
+++ b/arch/arm64/include/asm/efi.h
@@ -14,8 +14,16 @@
 
 #ifdef CONFIG_EFI
 extern void efi_init(void);
+
+bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg);
 #else
 #define efi_init()
+
+static inline
+bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg)
+{
+       return false;
+}
 #endif
 
 int efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md);

diff --git a/arch/arm64/kernel/efi-rt-wrapper.S b/arch/arm64/kernel/efi-rt-wrapper.S
index 2d3c4b02393e4d60b6e45763a4050df4987dcaec..d872d18101d837508d1a4dd2cef742cc7c83e241 100644 (file)
--- a/arch/arm64/kernel/efi-rt-wrapper.S
+++ b/arch/arm64/kernel/efi-rt-wrapper.S
@@ -7,7 +7,7 @@
 #include <asm/assembler.h>
 
 SYM_FUNC_START(__efi_rt_asm_wrapper)
-       stp     x29, x30, [sp, #-32]!
+       stp     x29, x30, [sp, #-112]!
        mov     x29, sp
 
        /*
@@ -17,11 +17,21 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
         */
        stp     x1, x18, [sp, #16]
 
+       /*
+        * Preserve all callee saved registers and preserve the stack pointer
+        * value at the base of the EFI runtime stack so we can recover from
+        * synchronous exceptions occurring while executing the firmware
+        * routines.
+        */
+       stp     x19, x20, [sp, #32]
+       stp     x21, x22, [sp, #48]
+       stp     x23, x24, [sp, #64]
+       stp     x25, x26, [sp, #80]
+       stp     x27, x28, [sp, #96]
+
        ldr_l   x16, efi_rt_stack_top
        mov     sp, x16
-#ifdef CONFIG_SHADOW_CALL_STACK
-       str     x18, [sp, #-16]!
-#endif
+       stp     x18, x29, [sp, #-16]!
 
        /*
         * We are lucky enough that no EFI runtime services take more than
@@ -39,7 +49,7 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
        mov     sp, x29
        ldp     x1, x2, [sp, #16]
        cmp     x2, x18
-       ldp     x29, x30, [sp], #32
+       ldp     x29, x30, [sp], #112
        b.ne    0f
        ret
 0:
@@ -57,3 +67,15 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
 
        b       efi_handle_corrupted_x18        // tail call
 SYM_FUNC_END(__efi_rt_asm_wrapper)
+
+SYM_CODE_START(__efi_rt_asm_recover)
+       mov     sp, x30
+
+       ldp     x19, x20, [sp, #32]
+       ldp     x21, x22, [sp, #48]
+       ldp     x23, x24, [sp, #64]
+       ldp     x25, x26, [sp, #80]
+       ldp     x27, x28, [sp, #96]
+       ldp     x29, x30, [sp], #112
+       ret
+SYM_CODE_END(__efi_rt_asm_recover)

diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c
index 386bd81ca12bbfb13948a450b698c77188c8b277..fab05de2e12dd5d8ad28b1a647fea66c6ac1651e 100644 (file)
--- a/arch/arm64/kernel/efi.c
+++ b/arch/arm64/kernel/efi.c
@@ -149,6 +149,28 @@ DEFINE_SPINLOCK(efi_rt_lock);
 
 asmlinkage u64 *efi_rt_stack_top __ro_after_init;
 
+asmlinkage efi_status_t __efi_rt_asm_recover(void);
+
+bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg)
+{
+        /* Check whether the exception occurred while running the firmware */
+       if (current_work() != &efi_rts_work.work || regs->pc >= TASK_SIZE_64)
+               return false;
+
+       pr_err(FW_BUG "Unable to handle %s in EFI runtime service\n", msg);
+       add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
+       clear_bit(EFI_RUNTIME_SERVICES, &efi.flags);
+
+       regs->regs[0]   = EFI_ABORTED;
+       regs->regs[30]  = efi_rt_stack_top[-1];
+       regs->pc        = (u64)__efi_rt_asm_recover;
+
+       if (IS_ENABLED(CONFIG_SHADOW_CALL_STACK))
+               regs->regs[18] = efi_rt_stack_top[-2];
+
+       return true;
+}
+
 /* EFI requires 8 KiB of stack space for runtime services */
 static_assert(THREAD_SIZE >= SZ_8K);
 

diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 74f76514a48d00732adf385a511b6b207c344951..3eb2825d08cffc7335fd64e643fbed105541a424 100644 (file)
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -30,6 +30,7 @@
 #include <asm/bug.h>
 #include <asm/cmpxchg.h>
 #include <asm/cpufeature.h>
+#include <asm/efi.h>
 #include <asm/exception.h>
 #include <asm/daifflags.h>
 #include <asm/debug-monitors.h>
@@ -397,6 +398,9 @@ static void __do_kernel_fault(unsigned long addr, unsigned long esr,
                msg = "paging request";
        }
 
+       if (efi_runtime_fixup_exception(regs, msg))
+               return;
+
        die_kernel_fault(msg, addr, esr, regs);
 }
 

diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c
index 60075e0e4943a36018f0e7efa3532c6be9c9859d..1fba4e09cdcff8f02c8daaaff8127da66bbd8942 100644 (file)
--- a/drivers/firmware/efi/runtime-wrappers.c
+++ b/drivers/firmware/efi/runtime-wrappers.c
@@ -84,6 +84,7 @@ struct efi_runtime_work efi_rts_work;
        else                                                            \
                pr_err("Failed to queue work to efi_rts_wq.\n");        \
                                                                        \
+       WARN_ON_ONCE(efi_rts_work.status == EFI_ABORTED);               \
 exit:                                                                  \
        efi_rts_work.efi_rts_id = EFI_NONE;                             \
        efi_rts_work.status;                                            \