This is a note to let you know that I've just added the patch titled
Revert "x86/efi: Build our own page table structures"
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
revert-x86-efi-build-our-own-page-table-structures.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Thu Dec 14 21:26:14 CET 2017
From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 14 Dec 2017 21:21:50 +0100
Subject: Revert "x86/efi: Build our own page table structures"
From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
This reverts commit 36e0f05afd4e1d09fd47936761a502aedbc50649 which is
commit 67a9108ed4313b85a9c53406d80dc1ae3f8c3e36 upstream.
Turns there was too many other issues with this patch to make it viable
for the stable tree.
Reported-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>
Cc: Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
Cc: Andy Lutomirski <luto@xxxxxxxxxx>
Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Brian Gerst <brgerst@xxxxxxxxx>
Cc: Dave Jones <davej@xxxxxxxxxxxxxxxxx>
Cc: Denys Vlasenko <dvlasenk@xxxxxxxxxx>
Cc: H. Peter Anvin <hpa@xxxxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@xxxxxxxxx>
Cc: Stephen Smalley <sds@xxxxxxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Toshi Kani <toshi.kani@xxxxxx>
Cc: linux-efi@xxxxxxxxxxxxxxx
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: "Ghannam, Yazen" <Yazen.Ghannam@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
arch/x86/include/asm/efi.h | 1
arch/x86/platform/efi/efi.c | 39 ++++++++++------
arch/x86/platform/efi/efi_32.c | 5 --
arch/x86/platform/efi/efi_64.c | 97 ++++++-----------------------------------
4 files changed, 40 insertions(+), 102 deletions(-)
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -136,7 +136,6 @@ extern void __init efi_memory_uc(u64 add
extern void __init efi_map_region(efi_memory_desc_t *md);
extern void __init efi_map_region_fixed(efi_memory_desc_t *md);
extern void efi_sync_low_kernel_mappings(void);
-extern int __init efi_alloc_page_tables(void);
extern int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages);
extern void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages);
extern void __init old_map_region(efi_memory_desc_t *md);
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -869,7 +869,7 @@ static void __init kexec_enter_virtual_m
* This function will switch the EFI runtime services to virtual mode.
* Essentially, we look through the EFI memmap and map every region that
* has the runtime attribute bit set in its memory descriptor into the
- * efi_pgd page table.
+ * ->trampoline_pgd page table using a top-down VA allocation scheme.
*
* The old method which used to update that memory descriptor with the
* virtual address obtained from ioremap() is still supported when the
@@ -879,8 +879,8 @@ static void __init kexec_enter_virtual_m
*
* The new method does a pagetable switch in a preemption-safe manner
* so that we're in a different address space when calling a runtime
- * function. For function arguments passing we do copy the PUDs of the
- * kernel page table into efi_pgd prior to each call.
+ * function. For function arguments passing we do copy the PGDs of the
+ * kernel page table into ->trampoline_pgd prior to each call.
*
* Specially for kexec boot, efi runtime maps in previous kernel should
* be passed in via setup_data. In that case runtime ranges will be mapped
@@ -895,12 +895,6 @@ static void __init __efi_enter_virtual_m
efi.systab = NULL;
- if (efi_alloc_page_tables()) {
- pr_err("Failed to allocate EFI page tables\n");
- clear_bit(EFI_RUNTIME_SERVICES, &efi.flags);
- return;
- }
-
efi_merge_regions();
new_memmap = efi_map_regions(&count, &pg_shift);
if (!new_memmap) {
@@ -960,11 +954,28 @@ static void __init __efi_enter_virtual_m
efi_runtime_mkexec();
/*
- * We mapped the descriptor array into the EFI pagetable above
- * but we're not unmapping it here because if we're running in
- * EFI mixed mode we need all of memory to be accessible when
- * we pass parameters to the EFI runtime services in the
- * thunking code.
+ * We mapped the descriptor array into the EFI pagetable above but we're
+ * not unmapping it here. Here's why:
+ *
+ * We're copying select PGDs from the kernel page table to the EFI page
+ * table and when we do so and make changes to those PGDs like unmapping
+ * stuff from them, those changes appear in the kernel page table and we
+ * go boom.
+ *
+ * From setup_real_mode():
+ *
+ * ...
+ * trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd;
+ *
+ * In this particular case, our allocation is in PGD 0 of the EFI page
+ * table but we've copied that PGD from PGD[272] of the EFI page table:
+ *
+ * pgd_index(__PAGE_OFFSET = 0xffff880000000000) = 272
+ *
+ * where the direct memory mapping in kernel space is.
+ *
+ * new_memmap's VA comes from that direct mapping and thus clearing it,
+ * it would get cleared in the kernel page table too.
*
* efi_cleanup_page_tables(__pa(new_memmap), 1 << pg_shift);
*/
--- a/arch/x86/platform/efi/efi_32.c
+++ b/arch/x86/platform/efi/efi_32.c
@@ -38,11 +38,6 @@
* say 0 - 3G.
*/
-int __init efi_alloc_page_tables(void)
-{
- return 0;
-}
-
void efi_sync_low_kernel_mappings(void) {}
void __init efi_dump_pagetable(void) {}
int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -40,7 +40,6 @@
#include <asm/fixmap.h>
#include <asm/realmode.h>
#include <asm/time.h>
-#include <asm/pgalloc.h>
/*
* We allocate runtime services regions bottom-up, starting from -4G, i.e.
@@ -122,92 +121,22 @@ void __init efi_call_phys_epilog(pgd_t *
early_code_mapping_set_exec(0);
}
-static pgd_t *efi_pgd;
-
-/*
- * We need our own copy of the higher levels of the page tables
- * because we want to avoid inserting EFI region mappings (EFI_VA_END
- * to EFI_VA_START) into the standard kernel page tables. Everything
- * else can be shared, see efi_sync_low_kernel_mappings().
- */
-int __init efi_alloc_page_tables(void)
-{
- pgd_t *pgd;
- pud_t *pud;
- gfp_t gfp_mask;
-
- if (efi_enabled(EFI_OLD_MEMMAP))
- return 0;
-
- gfp_mask = GFP_KERNEL | __GFP_NOTRACK | __GFP_REPEAT | __GFP_ZERO;
- efi_pgd = (pgd_t *)__get_free_page(gfp_mask);
- if (!efi_pgd)
- return -ENOMEM;
-
- pgd = efi_pgd + pgd_index(EFI_VA_END);
-
- pud = pud_alloc_one(NULL, 0);
- if (!pud) {
- free_page((unsigned long)efi_pgd);
- return -ENOMEM;
- }
-
- pgd_populate(NULL, pgd, pud);
-
- return 0;
-}
-
/*
* Add low kernel mappings for passing arguments to EFI functions.
*/
void efi_sync_low_kernel_mappings(void)
{
- unsigned num_entries;
- pgd_t *pgd_k, *pgd_efi;
- pud_t *pud_k, *pud_efi;
+ unsigned num_pgds;
+ pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd);
if (efi_enabled(EFI_OLD_MEMMAP))
return;
- /*
- * We can share all PGD entries apart from the one entry that
- * covers the EFI runtime mapping space.
- *
- * Make sure the EFI runtime region mappings are guaranteed to
- * only span a single PGD entry and that the entry also maps
- * other important kernel regions.
- */
- BUILD_BUG_ON(pgd_index(EFI_VA_END) != pgd_index(MODULES_END));
- BUILD_BUG_ON((EFI_VA_START & PGDIR_MASK) !=
- (EFI_VA_END & PGDIR_MASK));
-
- pgd_efi = efi_pgd + pgd_index(PAGE_OFFSET);
- pgd_k = pgd_offset_k(PAGE_OFFSET);
-
- num_entries = pgd_index(EFI_VA_END) - pgd_index(PAGE_OFFSET);
- memcpy(pgd_efi, pgd_k, sizeof(pgd_t) * num_entries);
-
- /*
- * We share all the PUD entries apart from those that map the
- * EFI regions. Copy around them.
- */
- BUILD_BUG_ON((EFI_VA_START & ~PUD_MASK) != 0);
- BUILD_BUG_ON((EFI_VA_END & ~PUD_MASK) != 0);
-
- pgd_efi = efi_pgd + pgd_index(EFI_VA_END);
- pud_efi = pud_offset(pgd_efi, 0);
-
- pgd_k = pgd_offset_k(EFI_VA_END);
- pud_k = pud_offset(pgd_k, 0);
-
- num_entries = pud_index(EFI_VA_END);
- memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries);
+ num_pgds = pgd_index(MODULES_END - 1) - pgd_index(PAGE_OFFSET);
- pud_efi = pud_offset(pgd_efi, EFI_VA_START);
- pud_k = pud_offset(pgd_k, EFI_VA_START);
-
- num_entries = PTRS_PER_PUD - pud_index(EFI_VA_START);
- memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries);
+ memcpy(pgd + pgd_index(PAGE_OFFSET),
+ init_mm.pgd + pgd_index(PAGE_OFFSET),
+ sizeof(pgd_t) * num_pgds);
}
int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
@@ -220,8 +149,8 @@ int __init efi_setup_page_tables(unsigne
if (efi_enabled(EFI_OLD_MEMMAP))
return 0;
- efi_scratch.efi_pgt = (pgd_t *)__pa(efi_pgd);
- pgd = efi_pgd;
+ efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd;
+ pgd = __va(efi_scratch.efi_pgt);
/*
* It can happen that the physical address of new_memmap lands in memory
@@ -267,14 +196,16 @@ int __init efi_setup_page_tables(unsigne
void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages)
{
- kernel_unmap_pages_in_pgd(efi_pgd, pa_memmap, num_pages);
+ pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd);
+
+ kernel_unmap_pages_in_pgd(pgd, pa_memmap, num_pages);
}
static void __init __map_region(efi_memory_desc_t *md, u64 va)
{
+ pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd);
unsigned long flags = 0;
unsigned long pfn;
- pgd_t *pgd = efi_pgd;
if (!(md->attribute & EFI_MEMORY_WB))
flags |= _PAGE_PCD;
@@ -383,7 +314,9 @@ void __init efi_runtime_mkexec(void)
void __init efi_dump_pagetable(void)
{
#ifdef CONFIG_EFI_PGT_DUMP
- ptdump_walk_pgd_level(NULL, efi_pgd);
+ pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd);
+
+ ptdump_walk_pgd_level(NULL, pgd);
#endif
}
Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are
queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch
queue-4.4/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch
queue-4.4/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch
queue-4.4/atm-horizon-fix-irq-release-error.patch
queue-4.4/x.509-reject-invalid-bit-string-for-subjectpublickey.patch
queue-4.4/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch
queue-4.4/ipvlan-fix-ipv6-outbound-device.patch
queue-4.4/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch
queue-4.4/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch
queue-4.4/asn.1-check-for-error-from-asn1_op_end__act-actions.patch
queue-4.4/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch
queue-4.4/s390-always-save-and-restore-all-registers-on-context-switch.patch
queue-4.4/alsa-seq-remove-spurious-warn_on-at-timer-check.patch
queue-4.4/revert-x86-efi-build-our-own-page-table-structures.patch
queue-4.4/more-bio_map_user_iov-leak-fixes.patch
queue-4.4/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch
queue-4.4/s390-fix-compat-system-call-table.patch
queue-4.4/netfilter-don-t-track-fragmented-packets.patch
queue-4.4/block-wake-up-all-tasks-blocked-in-get_request.patch
queue-4.4/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch
queue-4.4/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch
queue-4.4/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
queue-4.4/arm-omap2-fix-device-node-reference-counts.patch
queue-4.4/can-ti_hecc-fix-napi-poll-return-value-for-repoll.patch
queue-4.4/iommu-vt-d-fix-scatterlist-offset-handling.patch
queue-4.4/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch
queue-4.4/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch
queue-4.4/drm-extra-printk-wrapper-macros.patch
queue-4.4/mm-drop-unused-pmdp_huge_get_and_clear_notify.patch
queue-4.4/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
queue-4.4/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch
queue-4.4/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch
queue-4.4/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch
queue-4.4/axonram-fix-gendisk-handling.patch
queue-4.4/alsa-usb-audio-add-check-return-value-for-usb_string.patch
queue-4.4/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch
queue-4.4/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
queue-4.4/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch
queue-4.4/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch
queue-4.4/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch
queue-4.4/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch
queue-4.4/thp-fix-madv_dontneed-vs.-numa-balancing-race.patch
queue-4.4/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch
queue-4.4/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch
queue-4.4/sunrpc-fix-rpc_task_begin-trace-point.patch
queue-4.4/arm-kvm-survive-unknown-traps-from-guests.patch
queue-4.4/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
queue-4.4/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
queue-4.4/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch
queue-4.4/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
queue-4.4/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch
queue-4.4/thp-reduce-indentation-level-in-change_huge_pmd.patch
queue-4.4/revert-x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-numbers.patch
queue-4.4/afs-connect-up-the-cb.probeuuid.patch
queue-4.4/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch
queue-4.4/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch
queue-4.4/sit-update-frag_off-info.patch
queue-4.4/packet-fix-crash-in-fanout_demux_rollover.patch
queue-4.4/module-set-__jump_table-alignment-to-8.patch
queue-4.4/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
queue-4.4/x86-hpet-prevent-might-sleep-splat-on-resume.patch
queue-4.4/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
queue-4.4/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch
queue-4.4/efi-move-some-sysfs-files-to-be-read-only-by-root.patch
queue-4.4/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch
queue-4.4/virtio-release-virtio-index-when-fail-to-device_register.patch
queue-4.4/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch
queue-4.4/nfs-fix-a-typo-in-nfs_rename.patch
queue-4.4/can-kvaser_usb-free-buf-in-error-paths.patch
queue-4.4/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
queue-4.4/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch
queue-4.4/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch
queue-4.4/route-also-update-fnhe_genid-when-updating-a-route-cache.patch
queue-4.4/selftest-powerpc-fix-false-failures-for-skipped-tests.patch
queue-4.4/revert-x86-efi-hoist-page-table-switching-code-into-efi_call_virt.patch
queue-4.4/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
queue-4.4/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch
queue-4.4/arm-avoid-faulting-on-qemu.patch
queue-4.4/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch
queue-4.4/jump_label-invoke-jump_label_test-via-early_initcall.patch
queue-4.4/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch
queue-4.4/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch
queue-4.4/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
queue-4.4/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch
queue-4.4/irqchip-crossbar-fix-incorrect-type-of-register-size.patch
queue-4.4/ipmi-stop-timers-before-cleaning-up-the-module.patch
queue-4.4/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch
queue-4.4/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch
queue-4.4/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
queue-4.4/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch
queue-4.4/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
queue-4.4/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
queue-4.4/alsa-usb-audio-fix-out-of-bound-error.patch
queue-4.4/arm64-kvm-survive-unknown-traps-from-guests.patch
queue-4.4/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
queue-4.4/arm-bug-if-jumping-to-usermode-address-in-kernel-mode.patch
queue-4.4/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
queue-4.4/i2c-riic-fix-restart-condition.patch
queue-4.4/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
queue-4.4/usb-gadget-configs-plug-memory-leak.patch
queue-4.4/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch
queue-4.4/revert-drm-armada-fix-compile-fail.patch
queue-4.4/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
queue-4.4/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch