[PATCH V2] x86/efi: Add missing 1:1 mappings to support buggy firmware

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Sai Praneeth <sai.praneeth.prakhya@xxxxxxxxx>

There are some machines with buggy firmware that access EFI regions in
1:1 mode (or physical mode) rather than virtual mode even after kernel
being booted. On these machines, if we invoke an EFI runtime service
(that does these buggy accesses) then it causes a page fault and hence
results in kernel hang. The page fault happens because the requested
region doesn't have appropriate page attributes set or the mapping for
the region might be missing. This issue was introduced by commit
67a9108ed431 ("x86/efi: Build our own page table structures"). Before
this commit, 1:1 mappings for EFI regions were in swapper_pgd and were
not needed to be synced, but this commit introduced efi_pgd which missed
these mappings.

Below is the edited version of the page fault output that I noticed:

BUG: unable to handle kernel paging request at 0000000018847980
IP: [<fffffffef6981ec3>] 0xfffffffef6981ec3
PGD 4324d3063 PUD 4324e4063 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: efi_runtime(O) chipsec(O) igb e1000e [last unloaded:
efi_runtime]
CPU: 5 PID: 2308 Comm: fwts Tainted: G   W  O    4.7.0-yocto-standard #1
Hardware name: Gigabyte Technology Co., Ltd. Z87X-UD5H/Z87X-UD5H-CF,
BIOS F9 03/18/2014
task: ffff88041974d900 ti: ffff880418844000 task.ti: ffff880418844000
RIP: 0010:[<fffffffef6981ec3>]  [<fffffffef6981ec3>] 0xfffffffef6981ec3
RSP: 0018:ffff880418847868  EFLAGS: 00010297
RAX: 00000000000000e0 RBX: 0000000000000000 RCX: ffff880418847a50
RDX: 0000000018847980 RSI: ffff880418847a10 RDI: 0000000000000020
RBP: 0000000000000001 R08: ffff880418847a68 R09: 0000000000000000
R10: ffff880418847a70 R11: 0000000000000008 R12: ffff88042005c130
R13: 0000000000000010 R14: ffff880418847e30 R15: 0000000000000000
FS:  00007fb94251e700(0000) GS:ffff880432b40000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000018847980 CR3: 00000004324d1000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
[<ffffffff810abf01>] ? __lock_acquire+0x121/0x1480
[<ffffffff810ac57f>] ? __lock_acquire+0x79f/0x1480
[<ffffffff810599a8>] ? efi_call+0x58/0x90
[<ffffffff81748e4b>] ? virt_efi_set_variable+0x7b/0x190
[<ffffffffa0065e63>] ? efi_runtime_ioctl+0xe43/0x108c [efi_runtime]
[<ffffffff810893b4>] ? __might_sleep+0x44/0x80
[<ffffffff811e07de>] ? do_vfs_ioctl+0x8e/0x660
[<ffffffff8133dd4e>] ? security_file_ioctl+0x3e/0x60
[<ffffffff811e0e24>] ? SyS_ioctl+0x74/0x80
[<ffffffff81a20de5>] ? entry_SYSCALL_64_fastpath+0x18/0xa8

I have looked at EFI Memory map for the faulted address and found that
it belongs to memory region of type "Conventional Memory". So, this
firmware bug is not same as accessing EFI_BOOT_SERVICES_* regions after
boot, but firmware accessing *illegal regions* in *1:1 mode*.

Below shown are the efi_pgd dumps before and after the bad commit.
efi_dump_pagetable() is called before calling efi_merge_regions() in
__efi_enter_virtual_mode() and this kernel is booted on qemu to obtain
page table dumps.

EFI_PGT_DUMP before commit:
---------------------------
[0.007041] ---[ User Space ]---
[0.007427] 0x0000000000000000-0x0000000000200000 2M    RW     GLB NX pte
[0.008609] 0x0000000000200000-0x0000000000800000 6M    RW PSE GLB NX pmd
[0.010069] 0x0000000000800000-0x0000000000808000 32K                 pte
[0.011068] 0x0000000000808000-0x0000000000810000 32K   RW     GLB NX pte
[0.012325] 0x0000000000810000-0x0000000000900000 960K                pte
[0.013071] 0x0000000000900000-0x0000000000a00000 1M    RW     GLB NX pte
[0.014579] 0x0000000000a00000-0x000000007e800000 2014M RW PSE GLB NX pmd
[0.015593] 0x000000007e800000-0x000000007e9b6000 1752K RW     GLB NX pte
[0.016600] 0x000000007e9b6000-0x000000007e9fe000 288K                pte
[0.018003] 0x000000007e9fe000-0x000000007ea00000 8K    RW     GLB NX pte
[0.019165] 0x000000007ea00000-0x000000007ec00000 2M    RW PSE GLB NX pmd
[0.020331] 0x000000007ec00000-0x000000007eda9000 1700K RW     GLB NX pte
[0.021483] 0x000000007eda9000-0x000000007ee14000 428K                pte
[0.022500] 0x000000007ee14000-0x000000007f000000 1968K RW     GLB NX pte
[0.023596] 0x000000007f000000-0x000000007fe00000 14M   RW PSE GLB NX pmd
[0.025004] 0x000000007fe00000-0x000000007fe94000 592K  RW     GLB NX pte
[0.026220] 0x000000007fe94000-0x000000007fef8000 400K                pte
[0.027069] 0x000000007fef8000-0x000000007ffd0000 864K  RW     GLB NX pte
[0.028420] 0x000000007ffd0000-0x000000007fff0000 128K                pte
[0.029551] 0x000000007fff0000-0x0000000080000000 64K   RW     GLB NX pte
[0.030601] 0x0000000080000000-0x0000008000000000 510G                pud
[0.031499] 0x0000008000000000-0xffff800000000000 17179737600G        pgd
[0.032152] ---[ Kernel Space ]---

EFI_PGT_DUMP after commit:
--------------------------
[0.005620] ---[ User Space ]---
[0.005838] 0x0000000000000000-0xffff800000000000 16777088T           pgd
[0.005873] ---[ Kernel Space ]---

While not having these mappings isn't a bug but we need these mappings
to support machines with buggy firmware.

Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@xxxxxxxxx>
Cc: Lee, Chun-Yi <jlee@xxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Ricardo Neri <ricardo.neri@xxxxxxxxx>
Cc: Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>
Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
Cc: Ravi Shankar <ravi.v.shankar@xxxxxxxxx>
Cc: Fenghua Yu <fenghua.yu@xxxxxxxxx>
---
 arch/x86/platform/efi/efi_64.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
index de9652bd19d4..8d2fd6568b91 100644
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -139,6 +139,7 @@ int __init efi_alloc_page_tables(void)
 	pgd_t *pgd;
 	pud_t *pud;
 	gfp_t gfp_mask;
+	unsigned num_pgds;
 
 	if (efi_enabled(EFI_OLD_MEMMAP))
 		return 0;
@@ -158,6 +159,13 @@ int __init efi_alloc_page_tables(void)
 
 	pgd_populate(NULL, pgd, pud);
 
+	/*
+	 * Sync 1:1 mappings to support buggy firmware which haven't updated
+	 * their addresses even after kernel has booted.
+	 */
+	num_pgds = pgd_index(VMALLOC_START) - pgd_index(PAGE_OFFSET);
+	memcpy(efi_pgd, pgd_offset_k(PAGE_OFFSET), sizeof(pgd_t) * num_pgds);
+
 	return 0;
 }
 
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux