linux/drivers
Sai Praneeth e85c6907b2 x86/efi-bgrt: Fix kernel panic when mapping BGRT data
commit 50a0cb5652 upstream.

Starting with commit 35eb8b81edd4 ("x86/efi: Build our own page
table structures"), efi regions have a separate page directory called
"efi_pgd". In order to access any efi region we have to first shift %cr3
to this page table. In the bgrt code we are trying to copy the bgrt_header
and image, but these regions fall under "EFI_BOOT_SERVICES_DATA",
and to access these regions we have to shift %cr3 to efi_pgd; not
doing so will cause a page fault as shown below.

[    0.251599] Last level dTLB entries: 4KB 64, 2MB 0, 4MB 0, 1GB 4
[    0.259126] Freeing SMP alternatives memory: 32K (ffffffff8230e000 - ffffffff82316000)
[    0.271803] BUG: unable to handle kernel paging request at fffffffefce35002
[    0.279740] IP: [<ffffffff821bca49>] efi_bgrt_init+0x144/0x1fd
[    0.286383] PGD 300f067 PUD 0
[    0.289879] Oops: 0000 [#1] SMP
[    0.293566] Modules linked in:
[    0.297039] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.0-rc1-eywa-eywa-built-in-47041+ #2
[    0.306619] Hardware name: Intel Corporation Skylake Client platform/Skylake Y LPDDR3 RVP3, BIOS SKLSE2R1.R00.B104.B01.1511110114 11/11/2015
[    0.320925] task: ffffffff820134c0 ti: ffffffff82000000 task.ti: ffffffff82000000
[    0.329420] RIP: 0010:[<ffffffff821bca49>]  [<ffffffff821bca49>] efi_bgrt_init+0x144/0x1fd
[    0.338821] RSP: 0000:ffffffff82003f18  EFLAGS: 00010246
[    0.344852] RAX: fffffffefce35000 RBX: fffffffefce35000 RCX: fffffffefce2b000
[    0.352952] RDX: 000000008a82b000 RSI: ffffffff8235bb80 RDI: 000000008a835000
[    0.361050] RBP: ffffffff82003f30 R08: 000000008a865000 R09: ffffffffff202850
[    0.369149] R10: ffffffff811ad62f R11: 0000000000000000 R12: 0000000000000000
[    0.377248] R13: ffff88016dbaea40 R14: ffffffff822622c0 R15: ffffffff82003fb0
[    0.385348] FS:  0000000000000000(0000) GS:ffff88016d800000(0000) knlGS:0000000000000000
[    0.394533] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    0.401054] CR2: fffffffefce35002 CR3: 000000000300c000 CR4: 00000000003406f0
[    0.409153] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    0.417252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    0.425350] Stack:
[    0.427638]  ffffffffffffffff ffffffff82256900 ffff88016dbaea40 ffffffff82003f40
[    0.436086]  ffffffff821bbce0 ffffffff82003f88 ffffffff8219c0c2 0000000000000000
[    0.444533]  ffffffff8219ba4a ffffffff822622c0 0000000000083000 00000000ffffffff
[    0.452978] Call Trace:
[    0.455763]  [<ffffffff821bbce0>] efi_late_init+0x9/0xb
[    0.461697]  [<ffffffff8219c0c2>] start_kernel+0x463/0x47f
[    0.467928]  [<ffffffff8219ba4a>] ? set_init_arg+0x55/0x55
[    0.474159]  [<ffffffff8219b120>] ? early_idt_handler_array+0x120/0x120
[    0.481669]  [<ffffffff8219b5ee>] x86_64_start_reservations+0x2a/0x2c
[    0.488982]  [<ffffffff8219b72d>] x86_64_start_kernel+0x13d/0x14c
[    0.495897] Code: 00 41 b4 01 48 8b 78 28 e8 09 36 01 00 48 85 c0 48 89 c3 75 13 48 c7 c7 f8 ac d3 81 31 c0 e8 d7 3b fb fe e9 b5 00 00 00 45 84 e4 <44> 8b 6b 02 74 0d be 06 00 00 00 48 89 df e8 ae 34 0$
[    0.518151] RIP  [<ffffffff821bca49>] efi_bgrt_init+0x144/0x1fd
[    0.524888]  RSP <ffffffff82003f18>
[    0.528851] CR2: fffffffefce35002
[    0.532615] ---[ end trace 7b06521e6ebf2aea ]---
[    0.537852] Kernel panic - not syncing: Attempted to kill the idle task!

As said above, one way to fix this bug is to shift %cr3 to efi_pgd, but we
are not doing it that way because it leaks inner details of how we switch
to EFI page tables into a new call site and it also adds duplicate code.
Instead, we remove the call to efi_lookup_mapped_addr() and always
perform early_mem*() instead of early_io*() because we want to remap RAM
regions and not I/O regions. We also delete efi_lookup_mapped_addr()
because we are no longer using it.

Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
Reported-by: Wendy Wang <wendy.wang@intel.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: Josh Triplett <josh@joshtriplett.org>
Cc: Ricardo Neri <ricardo.neri@intel.com>
Cc: Ravi Shankar <ravi.v.shankar@intel.com>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Cc: "Ghannam, Yazen" <Yazen.Ghannam@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-05 11:22:50 +01:00
accessibility
acpi ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal 2017-08-30 10:19:29 +02:00
amba
android ANDROID: binder: fix proc->tsk check. 2017-08-30 10:19:26 +02:00
ata ata: fixes kernel crash while tracing ata_eh_link_autopsy event 2017-11-30 08:37:21 +00:00
atm
auxdisplay
base PM / OPP: Add missing of_node_put(np) 2017-11-30 08:37:25 +00:00
bcma bcma: use (get|put)_device when probing/removing device driver 2017-03-12 06:37:30 +01:00
block xen-blkback: don't leak stack data via response ring 2017-11-21 09:21:17 +01:00
bluetooth Bluetooth: btusb: fix QCA Rome suspend/resume 2017-11-21 09:21:18 +01:00
bus bus: mbus: fix window size calculation for 4GB windows 2017-10-27 10:23:17 +02:00
cdrom
char ipmi: fix unsigned long underflow 2017-11-24 08:32:25 +01:00
clk clk: ti: dra7-atl-clock: fix child-node lookups 2017-11-30 08:37:23 +00:00
clocksource clockevents/drivers/cs5535: Improve resilience to spurious interrupts 2017-10-27 10:23:17 +02:00
connector
cpufreq cpufreq: CPPC: add ACPI_PROCESSOR dependency 2017-10-21 17:09:06 +02:00
cpuidle
crypto crypto: vmx - disable preemption to enable vsx in aes_ctr.c 2017-11-15 17:13:10 +01:00
dca
devfreq
dio
dma dmaengine: zx: set DMA_CYCLIC cap_mask bit 2017-11-30 08:37:26 +00:00
dma-buf
edac
eisa
extcon extcon: palmas: Check the parent instance to prevent the NULL 2017-11-21 09:21:18 +01:00
firewire
firmware x86/efi-bgrt: Fix kernel panic when mapping BGRT data 2017-12-05 11:22:50 +01:00
fmc
fpga
gpio
gpu drm: Apply range restriction after color adjustment when allocation 2017-11-30 08:37:27 +00:00
hid HID: usbhid: fix out-of-bounds bug 2017-10-18 09:20:41 +02:00
hsi
hv Drivers: hv: fcopy: restore correct transfer length 2017-10-12 11:27:33 +02:00
hwmon hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes 2017-10-08 10:14:17 +02:00
hwspinlock
hwtracing stm class: Fix a use-after-free 2017-10-12 11:27:33 +02:00
i2c i2c: riic: correctly finish transfers 2017-11-08 10:06:29 +01:00
ide
idle
iio iio: light: fix improper return value 2017-11-30 08:37:27 +00:00
infiniband IB/srp: Avoid that a cable pull can trigger a kernel crash 2017-11-30 08:37:23 +00:00
input Input: ims-psu - check if CDC union descriptor is sane 2017-11-18 11:11:05 +01:00
iommu iommu/arm-smmu-v3: Clear prior settings when updating STEs 2017-11-15 17:13:09 +01:00
ipack
irqchip irqchip/crossbar: Fix incorrect type of local variables 2017-10-21 17:09:04 +02:00
isdn isdn/i4l: fetch the ppp_write buffer in one shot 2017-10-21 17:09:02 +02:00
leds leds: ktd2692: avoid harmless maybe-uninitialized warning 2017-05-14 13:32:55 +02:00
lguest
lightnvm
macintosh
mailbox mailbox: handle empty message in tx_tick 2017-08-06 19:19:41 -07:00
mcb
md bcache: check ca->alloc_thread initialized before wake up it 2017-11-30 08:37:20 +00:00
media media: v4l2-ctrl: Fix flags field on Control events 2017-11-30 08:37:25 +00:00
memory
memstick
message
mfd mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped 2017-11-08 10:06:29 +01:00
misc mei: return error on notification request to a disconnected client 2017-11-08 10:06:30 +01:00
mmc mmc: s3cmci: include linux/interrupt.h for tasklet_struct 2017-11-08 10:06:28 +01:00
mtd mtd: bcm47xxpart: don't fail because of bit-flips 2017-07-05 14:37:18 +02:00
net ath10k: set CTS protection VDEV param only if VDEV is up 2017-11-30 08:37:26 +00:00
nfc nfc: fdp: fix NULL pointer dereference 2017-08-06 19:19:40 -07:00
ntb ntb_transport: fix bug calculating num_qps_mw 2017-08-30 10:19:29 +02:00
nubus
nvdimm libnvdimm, namespace: make 'resource' attribute only readable by root 2017-11-30 08:37:23 +00:00
nvme nvme: Fix memory order on async queue deletion 2017-11-24 08:32:25 +01:00
nvmem nvmem: imx-ocotp: Fix wrong register size 2017-08-06 19:19:46 -07:00
of of: device: Export of_device_{get_modalias, uvent_modalias} to modules 2017-07-27 15:06:09 -07:00
oprofile
parisc parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo 2017-08-24 17:02:35 -07:00
parport parisc, parport_gsc: Fixes for printk continuation lines 2017-06-17 06:39:37 +02:00
pci PCI: Apply _HPX settings only to relevant devices 2017-11-30 08:37:26 +00:00
pcmcia
perf
phy phy: qcom-usb-hs: Add depends on EXTCON 2017-05-14 13:32:57 +02:00
pinctrl pinctrl: samsung: Remove bogus irq_[un]mask from resource management 2017-08-16 13:40:30 -07:00
platform platform/x86: hp-wmi: Do not shadow error values 2017-11-15 17:13:11 +01:00
pnp
power power: supply: bq24190_charger: Handle fault before status on interrupt 2017-05-14 13:32:54 +02:00
powercap
pps
ps3
ptp
pwm pwm: pca9685: Fix period change with same duty cycle 2017-03-15 09:57:14 +08:00
rapidio
ras
regulator regulator: fan53555: fix I2C device ids 2017-11-02 09:40:50 +01:00
remoteproc
reset
rpmsg
rtc rtc: tegra: Implement clock handling 2017-04-21 09:30:07 +02:00
s390 s390/qeth: issue STARTLAN as first IPA command 2017-11-15 17:13:11 +01:00
sbus
scsi scsi: lpfc: Clear the VendorVersion in the PLOGI/PLOGI ACC payload 2017-11-21 09:21:20 +01:00
sfi
sh
sn
soc
spi spi: SPI_FSL_DSPI should depend on HAS_DMA 2017-11-30 08:37:27 +00:00
spmi spmi: Include OF based modalias in device uevent 2017-07-27 15:06:10 -07:00
ssb
staging staging: iio: cdc: fix improper return value 2017-11-30 08:37:27 +00:00
target target: Fix QUEUE_FULL + SCSI task attribute handling 2017-11-30 08:37:22 +00:00
tc
thermal thermal: cpu_cooling: Avoid accessing potentially freed structures 2017-07-27 15:06:02 -07:00
thunderbolt
tty serial: omap: Fix EFR write on RTS deassertion 2017-11-24 08:32:24 +01:00
uio
usb USB: serial: garmin_gps: fix memory leak on probe errors 2017-11-21 09:21:23 +01:00
uwb uwb: ensure that endpoint is interrupt 2017-10-12 11:27:35 +02:00
vfio vfio-pci: Handle error from pci_iomap 2017-08-06 19:19:46 -07:00
vhost fix a page leak in vhost_scsi_iov_to_sgl() error recovery 2017-11-30 08:37:22 +00:00
video backlight: adp5520: Fix error handling in adp5520_bl_probe() 2017-11-21 09:21:21 +01:00
virt
virtio virtio_balloon: init 1st buffer in stats vq 2017-03-31 09:49:53 +02:00
vlynq
vme vme: Fix wrong pointer utilization in ca91cx42_slave_get 2017-01-19 20:17:21 +01:00
w1 w1: ds2490: USB transfer buffers need to be DMAable 2017-03-12 06:37:29 +01:00
watchdog watchdog: kempld: fix gcc-4.3 build 2017-10-21 17:09:04 +02:00
xen xen: xenbus driver must not accept invalid transaction ids 2017-11-30 08:37:28 +00:00
zorro
Kconfig
Makefile usb: Make sure usb/phy/of gets built-in 2017-05-20 14:26:59 +02:00