From patchwork Thu Jun 8 16:37:27 2023
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 1792404
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [PATCH] arm64: efi: Recover from synchronous exceptions occurring in firmware
Date: Thu, 8 Jun 2023 10:37:27 -0600
Message-Id: <20230608163727.585219-2-tim.gardner@canonical.com>
In-Reply-To: <20230608163727.585219-1-tim.gardner@canonical.com>
References: <20230608163727.585219-1-tim.gardner@canonical.com>
List-Id: Kernel team discussions

From: Ard Biesheuvel

BugLink: https://bugs.launchpad.net/bugs/2023311

Unlike x86, which has machinery to deal with page faults that occur during the execution of EFI runtime services, arm64 has nothing like that, and a synchronous exception raised by firmware code brings down the whole system.

With more EFI based systems appearing that were not built to run Linux (such as the Windows-on-ARM laptops based on Qualcomm SOCs), as well as the introduction of PRM (platform specific firmware routines that are callable just like EFI runtime services), we are more likely to run into issues of this sort, and it is much more likely that we can identify and work around such issues if they don't bring down the system entirely.

Since we already use an EFI runtime services call wrapper in assembler, we can quite easily add some code that captures the execution state at the point where the call is made, allowing us to revert to this state and proceed execution if the call triggered a synchronous exception.

Given that the kernel and the firmware don't share any data structures that could end up in an indeterminate state, we can happily continue running, as long as we mark the EFI runtime services as unavailable from that point on.

Signed-off-by: Ard Biesheuvel
Acked-by: Catalin Marinas
(cherry picked from commit e8dfdf3162eb549d064b8c10b1564f7e8ee82591)
Signed-off-by: Tim Gardner
--- arch/arm64/include/asm/efi.h | 8 +++++++ arch/arm64/kernel/efi-rt-wrapper.S | 32 +++++++++++++++++++++---- arch/arm64/kernel/efi.c | 22 +++++++++++++++++ arch/arm64/mm/fault.c | 4 ++++ drivers/firmware/efi/runtime-wrappers.c | 1 + 5 files changed, 62 insertions(+), 5 deletions(-) diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h index c5d4551a1be7..d2551bcc1993 100644 --- a/arch/arm64/include/asm/efi.h +++ b/arch/arm64/include/asm/efi.h 
@@ -14,8 +14,16 @@ #ifdef CONFIG_EFI extern void efi_init(void); + +bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg); #else #define efi_init() + +static inline +bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg) +{ + return false; +} #endif int efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md); diff --git a/arch/arm64/kernel/efi-rt-wrapper.S b/arch/arm64/kernel/efi-rt-wrapper.S index 2d3c4b02393e..d872d18101d8 100644 --- a/arch/arm64/kernel/efi-rt-wrapper.S +++ b/arch/arm64/kernel/efi-rt-wrapper.S @@ -7,7 +7,7 @@ #include SYM_FUNC_START(__efi_rt_asm_wrapper) - stp x29, x30, [sp, #-32]! + stp x29, x30, [sp, #-112]! mov x29, sp /* @@ -17,11 +17,21 @@ SYM_FUNC_START(__efi_rt_asm_wrapper) */ stp x1, x18, [sp, #16] + /* + * Preserve all callee saved registers and preserve the stack pointer + * value at the base of the EFI runtime stack so we can recover from + * synchronous exceptions occurring while executing the firmware + * routines. + */ + stp x19, x20, [sp, #32] + stp x21, x22, [sp, #48] + stp x23, x24, [sp, #64] + stp x25, x26, [sp, #80] + stp x27, x28, [sp, #96] + ldr_l x16, efi_rt_stack_top mov sp, x16 -#ifdef CONFIG_SHADOW_CALL_STACK - str x18, [sp, #-16]! -#endif + stp x18, x29, [sp, #-16]! /* * We are lucky enough that no EFI runtime services take more than @@ -39,7 +49,7 @@ SYM_FUNC_START(__efi_rt_asm_wrapper) mov sp, x29 ldp x1, x2, [sp, #16] cmp x2, x18 - ldp x29, x30, [sp], #32 + ldp x29, x30, [sp], #112 b.ne 0f ret 0: @@ -57,3 +67,15 @@ SYM_FUNC_START(__efi_rt_asm_wrapper) b efi_handle_corrupted_x18 // tail call SYM_FUNC_END(__efi_rt_asm_wrapper) + +SYM_CODE_START(__efi_rt_asm_recover) + mov sp, x30 + + ldp x19, x20, [sp, #32] + ldp x21, x22, [sp, #48] + ldp x23, x24, [sp, #64] + ldp x25, x26, [sp, #80] + ldp x27, x28, [sp, #96] + ldp x29, x30, [sp], #112 + ret +SYM_CODE_END(__efi_rt_asm_recover) diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c index 386bd81ca12b..fab05de2e12d 100644 
--- a/arch/arm64/kernel/efi.c +++ b/arch/arm64/kernel/efi.c @@ -149,6 +149,28 @@ DEFINE_SPINLOCK(efi_rt_lock); asmlinkage u64 *efi_rt_stack_top __ro_after_init; +asmlinkage efi_status_t __efi_rt_asm_recover(void); + +bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg) +{ + /* Check whether the exception occurred while running the firmware */ + if (current_work() != &efi_rts_work.work || regs->pc >= TASK_SIZE_64) + return false; + + pr_err(FW_BUG "Unable to handle %s in EFI runtime service\n", msg); + add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); + clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); + + regs->regs[0] = EFI_ABORTED; + regs->regs[30] = efi_rt_stack_top[-1]; + regs->pc = (u64)__efi_rt_asm_recover; + + if (IS_ENABLED(CONFIG_SHADOW_CALL_STACK)) + regs->regs[18] = efi_rt_stack_top[-2]; + + return true; +} + /* EFI requires 8 KiB of stack space for runtime services */ static_assert(THREAD_SIZE >= SZ_8K); diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c index d035d47fb54c..58f0fed9fa2a 100644 --- a/arch/arm64/mm/fault.c +++ b/arch/arm64/mm/fault.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -397,6 +398,9 @@ static void __do_kernel_fault(unsigned long addr, unsigned long esr, msg = "paging request"; } + if (efi_runtime_fixup_exception(regs, msg)) + return; + die_kernel_fault(msg, addr, esr, regs); } diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c index 60075e0e4943..1fba4e09cdcf 100644 --- a/drivers/firmware/efi/runtime-wrappers.c +++ b/drivers/firmware/efi/runtime-wrappers.c @@ -84,6 +84,7 @@ struct efi_runtime_work efi_rts_work; else \ pr_err("Failed to queue work to efi_rts_wq.\n"); \ \ + WARN_ON_ONCE(efi_rts_work.status == EFI_ABORTED); \ exit: \ efi_rts_work.efi_rts_id = EFI_NONE; \ efi_rts_work.status; \
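
Review bot: in arch/arm64/kernel/efi-rt-wrapper.S, the now-unconditional `stp x18, x29, [sp, #-16]!` at the top of the EFI runtime stack defines a layout that efi_runtime_fixup_exception() in efi.c reads back as `efi_rt_stack_top[-2]` (x18) and `efi_rt_stack_top[-1]` (x29), but nothing at either site says so. The new comment covers only the callee-saved registers; extend it to state that these two slots are consumed by the C fixup, or give the offsets names shared by both files, so that a later change to the push order cannot silently hand the recovery path a wrong stack pointer.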
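
Review bot: __efi_rt_asm_recover in efi-rt-wrapper.S begins with `mov sp, x30`, which only works because the fixup in efi.c loads the saved frame pointer into regs->regs[30] before redirecting the PC; that contract deserves a comment on the routine, since x30 normally holds a return address. The recovery path also skips the `cmp x2, x18` check that the normal return path performs, and x18 is rewritten only under CONFIG_SHADOW_CALL_STACK, so please state why leaving a firmware-modified x18 in place is acceptable in the other configuration.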
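
Review bot: in efi_runtime_fixup_exception() in arch/arm64/kernel/efi.c, the pr_err() reports only the msg string, so the log does not say where the firmware faulted. The commit message gives identifying such firmware issues as the motivation; printing regs->pc before it is overwritten with __efi_rt_asm_recover, and passing the faulting address in from __do_kernel_fault(), would make the report actionable. A short comment on why `regs->pc >= TASK_SIZE_64` means the fault was not in firmware would also help readers of the check.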
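
Review bot: the only call to efi_runtime_fixup_exception() in this patch is the one added to __do_kernel_fault() in arch/arm64/mm/fault.c, so recovery applies to faults that reach that function, while the subject line speaks of synchronous exceptions in general. A comment above the call saying that only this path is covered, and that other exception types taken while in firmware remain fatal, would keep readers from assuming broader coverage.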
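
Review bot: in drivers/firmware/efi/runtime-wrappers.c, `WARN_ON_ONCE(efi_rts_work.status == EFI_ABORTED)` treats EFI_ABORTED as the marker for the recovery path, but EFI_ABORTED is an ordinary EFI status code, so the check cannot tell a recovered exception apart from a firmware routine that returned that status on its own. Since efi.c already logs and taints on recovery, either add a comment that the warning exists to capture the caller's backtrace and that a firmware-returned EFI_ABORTED will also trigger it, or record the recovery in a dedicated flag and test that instead.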