Re: [PATCH] efi: Fix the size not consistent issue when unmapping memory map

[Randy Wright]

On Mon, Apr 16, 2018 at 06:35:22PM -0600, Randy Wright wrote:

> ... I will plan to run the same test tomorrow on
> a build of the SuSE 4.4.120-94.17 kernel, on which I had also reported
> the original bug.

I carried out the test on the older kernel today. I found the version of
arch/x86/kernel/kexec-bzimage64.c in the SuSE kernel version
4.4.120-94.17 was sufficiently different from the newer version that one
chunk of the patch under discussion was rejected.  Specifically, the
'struct kexec_buf kbuf' is not found in that older SuSE version of
kexec-bzimage64.c.   But I made the same modification to the
calculation of variable params_misc_sz in the older source, ran the same
test, and there were no longer any warnings from early_ioremap.c.

-- 
Randy WrightHewlett Packard Enterprise
Phone: (970) 898-0998   Mail: rwri...@hpe.com

Re: [PATCH] efi: Fix the size not consistent issue when unmapping memory map

[Randy Wright]

On Mon, Apr 16, 2018 at 06:35:22PM -0600, Randy Wright wrote:

> ... I will plan to run the same test tomorrow on
> a build of the SuSE 4.4.120-94.17 kernel, on which I had also reported
> the original bug.

I carried out the test on the older kernel today. I found the version of
arch/x86/kernel/kexec-bzimage64.c in the SuSE kernel version
4.4.120-94.17 was sufficiently different from the newer version that one
chunk of the patch under discussion was rejected.  Specifically, the
'struct kexec_buf kbuf' is not found in that older SuSE version of
kexec-bzimage64.c.   But I made the same modification to the
calculation of variable params_misc_sz in the older source, ran the same
test, and there were no longer any warnings from early_ioremap.c.

-- 
Randy WrightHewlett Packard Enterprise
Phone: (970) 898-0998   Mail: rwri...@hpe.com

Re: [PATCH] efi: Fix the size not consistent issue when unmapping memory map

[Randy Wright]

On Mon, Apr 16, 2018 at 02:37:38PM +0800, joeyli wrote:
> Hi Randy,
> ...
> Randy, do you want to try Dave's kexec patch on your environment? Please 
> remove
> my patch first.  
> 
> Thanks a lot!
> Joey Lee

Hi Joey, 

I tried Dave's patch to kexec-bzimage64.c on my build of the SuSE
4.12.14-15 kernel.   I ran the same test as I did with your patch: I
verified the early_ioremap.c warnings occurred with a crash triggered
from a kexec boot of the unmodified kernel. Then I applied the patch to
kexec-bzimage64.c, rebuilt, re-ran the test to crash from the kexec'ed
kernel, and verified the warnings are no longer seen.

I'm out of time today, but I will plan to run the same  test tomorrow on
a build of the SuSE 4.4.120-94.17 kernel, on which I had also reported
the original bug.

-- 
Randy WrightHewlett Packard Enterprise
Phone: (970) 898-0998   Mail: rwri...@hpe.com

Re: [PATCH] efi: Fix the size not consistent issue when unmapping memory map

[Randy Wright]

On Mon, Apr 16, 2018 at 02:37:38PM +0800, joeyli wrote:
> Hi Randy,
> ...
> Randy, do you want to try Dave's kexec patch on your environment? Please 
> remove
> my patch first.  
> 
> Thanks a lot!
> Joey Lee

Hi Joey, 

I tried Dave's patch to kexec-bzimage64.c on my build of the SuSE
4.12.14-15 kernel.   I ran the same test as I did with your patch: I
verified the early_ioremap.c warnings occurred with a crash triggered
from a kexec boot of the unmodified kernel. Then I applied the patch to
kexec-bzimage64.c, rebuilt, re-ran the test to crash from the kexec'ed
kernel, and verified the warnings are no longer seen.

I'm out of time today, but I will plan to run the same  test tomorrow on
a build of the SuSE 4.4.120-94.17 kernel, on which I had also reported
the original bug.

-- 
Randy WrightHewlett Packard Enterprise
Phone: (970) 898-0998   Mail: rwri...@hpe.com

[PATCH] Documentation/vm/pagemap.txt: correct location of page-types tool

[Randy Wright]

The page-types tool was relocated to tools/vm in the 3.4 kernel timeframe.

Signed-off-by: Randy Wright 
---
 Documentation/vm/pagemap.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Documentation/vm/pagemap.txt b/Documentation/vm/pagemap.txt
index 6fbd55e..6bfbc17 100644
--- a/Documentation/vm/pagemap.txt
+++ b/Documentation/vm/pagemap.txt
@@ -131,7 +131,8 @@ Short descriptions to the page flags:
 13. SWAPCACHE   page is mapped to swap space, ie. has an associated swap entry
 14. SWAPBACKED  page is backed by swap/RAM
 
-The page-types tool in this directory can be used to query the above flags.
+The page-types tool in the tools/vm directory can be used to query the
+above flags.
 
 Using pagemap to do something useful:
 
-- 
1.7.11.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH] Documentation/vm/pagemap.txt: correct location of page-types tool

[Randy Wright]

The page-types tool was relocated to tools/vm in the 3.4 kernel timeframe.

Signed-off-by: Randy Wright rwri...@hp.com
---
 Documentation/vm/pagemap.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Documentation/vm/pagemap.txt b/Documentation/vm/pagemap.txt
index 6fbd55e..6bfbc17 100644
--- a/Documentation/vm/pagemap.txt
+++ b/Documentation/vm/pagemap.txt
@@ -131,7 +131,8 @@ Short descriptions to the page flags:
 13. SWAPCACHE   page is mapped to swap space, ie. has an associated swap entry
 14. SWAPBACKED  page is backed by swap/RAM
 
-The page-types tool in this directory can be used to query the above flags.
+The page-types tool in the tools/vm directory can be used to query the
+above flags.
 
 Using pagemap to do something useful:
 
-- 
1.7.11.3

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH RFC] function probe_roms accessing improper addresses

[Randy Wright]

Hi Matthew,
 
You made some interesting suggestions:

> 1) Declare that any x86 hardware supported by Linux *must* support 
> probing in this address region

On the first: one way to be compliant with such a requirement would be 
to design systems that implement softfail in this particular region.   
What about a system that hardfails, but on which the resulting machine
check can be handled by the kernel machine check handler?  Would
appropriate re-ordering of the kernel initialization code to support
such systems be acceptable?

Also, let me mention a possible amendment to your first idea: what if
the mandate that probing be supported were qualified by some attribute
that could be indicated in the UEFI environment?  For example: instead
of just a hole in the UEFI memory map, what if this range was
specifically present and typed as EfiUnusableMemory?  Another idea for
UEFI systems - but one requiring a UEFI specification change - might be
adding a UEFI variable that if present, indicates any area not
explicitly included and typed in the UEFI memory map (including the
legacy adapter region) must be explicitly avoided by an OS.

> 2) Don't call probe_roms() by default, but leave it up to the graphics 
> drivers. If they can get the rom by any other means then don't call it.

One the second idea: there are a quite a lot of video drivers in the kernel
source tree.  Do you have a suggestion for how to evaluate which ones 
rely on the setup performed by probe_roms?

-- 
Randy WrightHewlett-Packard Company
Phone: (970) 898-0998   Mail: rwri...@hp.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH RFC] function probe_roms accessing improper addresses

[Randy Wright]

Hi Matthew,
 
You made some interesting suggestions:

 1) Declare that any x86 hardware supported by Linux *must* support 
 probing in this address region

On the first: one way to be compliant with such a requirement would be 
to design systems that implement softfail in this particular region.   
What about a system that hardfails, but on which the resulting machine
check can be handled by the kernel machine check handler?  Would
appropriate re-ordering of the kernel initialization code to support
such systems be acceptable?

Also, let me mention a possible amendment to your first idea: what if
the mandate that probing be supported were qualified by some attribute
that could be indicated in the UEFI environment?  For example: instead
of just a hole in the UEFI memory map, what if this range was
specifically present and typed as EfiUnusableMemory?  Another idea for
UEFI systems - but one requiring a UEFI specification change - might be
adding a UEFI variable that if present, indicates any area not
explicitly included and typed in the UEFI memory map (including the
legacy adapter region) must be explicitly avoided by an OS.

 2) Don't call probe_roms() by default, but leave it up to the graphics 
 drivers. If they can get the rom by any other means then don't call it.

One the second idea: there are a quite a lot of video drivers in the kernel
source tree.  Do you have a suggestion for how to evaluate which ones 
rely on the setup performed by probe_roms?

-- 
Randy WrightHewlett-Packard Company
Phone: (970) 898-0998   Mail: rwri...@hp.com
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH RFC] function probe_roms accessing improper addresses

[Randy Wright]

I would like to summarize progress I have made on this issue in the past
few days, and then appeal for help in evaluating the options.  Matthew
and H. Peter Anvin, I would appreciate your additional input especially.

The general idea under consideration here is to avoid access to the
legacy adapter space.  My original rfc patch applied this restriction to
all efi_enabled systems.  I am modifying this to implement this
as a quirk, and the question is how best to activate such a quirk.

Option 1: Activating via Machine Check

I investigated the idea of activating based on encountering a
machine check.  As an experiment, to avoid boot-time code sequencing
issues, I moved the probe_roms call to after the MC handler
initialization. However, I ran into prototype firmware issues.  As I had
suspected  might be the case, the  access was still treated as fatal by
platform firmware and the kernel machine check handler does not get a
chance to run.  Since I could not resolve this with resources available
to me, I had to set this approach aside.

Option 2: Activating via DMI properties

I have written and tested code implementing the following approach. With
just a bit of clean-up I could send this as a new patch RFC if it sounds
workable.

First, I added a new member to the x86_platform_ops structure:
int (*legacy_range_accessible)(phys_addr_t);
The default function provided for this operation always returns an
indication that access is permitted.  If appropriate to the  platform,
the default function pointer can be replaced at runtime with a function
that disallows access. This provides a test by which post-boot code -
such  as devmem_is_allowed - can query whether access to a particular
address should be permitted.

Because this check must occur in a relatively small window between dmi
initialization and the call to probe_roms, I added what I think could be
a generally useful early quirk check at the end of dmi_scan_machine:

   if (dmi_available)
   dmi_check_system(dmi_early_quirks);

Here, dmi_early_quirks is a typical dmi_system_id array, initially
containing an entry for my prototype system.   When matched for the
properties of interest, it calls out via the .callback entry to a new
function I named x86_mark_legacy_adapter_range_inaccessible. This
function does the following:

a. it replaces the x86_init_resources.probe_roms function pointer with
x86_init_noop; and

b. it replaces the above-mentioned legacy_range_accessible callout in
the x86_platform_ops structure with a function that disapproves of
access to the legacy adapter region.

So in this approach, I don't patch the function probe_roms itself;
rather, I entirely avoid calling it.

A specific point on which I'd like to get advice is regarding the policy
for accepting a submission based on DMI properties of an unreleased
prototype platform.  This focuses on the weak point of any "opt-in" type
of quirk: if the DMI properties of the product change over the product
lifecyle (there's always a version n+1!) then the patch must be amended.
But at that point, the modification required is simply altering text
string content in a dmi_system_id array.


Option 3: Boot command line activation

| 3. Can it be activated on demand for testing on other platforms? A
| kernel boot command line parameter could be added, for example. How does
| the community feel about adding more of those?

I am considering this option in addition to - not instead of - the
automatic activation by the dmi properties, but it remains an area on
which I want to get further input before posting a new patch rfc: is it
appropriate to include a boot command interface to activate this feature
on demand for platforms that don't match via the DMI_MATCH criteria?  If
new boot command parameters are discouraged, is there a better paradigm
for forced activation that I should investigate?

Any other feedback?

--
Randy WrightHewlett-Packard Company
Phone: (970) 898-0998   Mail: rwri...@hp.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH RFC] function probe_roms accessing improper addresses

[Randy Wright]

I would like to summarize progress I have made on this issue in the past
few days, and then appeal for help in evaluating the options.  Matthew
and H. Peter Anvin, I would appreciate your additional input especially.

The general idea under consideration here is to avoid access to the
legacy adapter space.  My original rfc patch applied this restriction to
all efi_enabled systems.  I am modifying this to implement this
as a quirk, and the question is how best to activate such a quirk.

Option 1: Activating via Machine Check

I investigated the idea of activating based on encountering a
machine check.  As an experiment, to avoid boot-time code sequencing
issues, I moved the probe_roms call to after the MC handler
initialization. However, I ran into prototype firmware issues.  As I had
suspected  might be the case, the  access was still treated as fatal by
platform firmware and the kernel machine check handler does not get a
chance to run.  Since I could not resolve this with resources available
to me, I had to set this approach aside.

Option 2: Activating via DMI properties

I have written and tested code implementing the following approach. With
just a bit of clean-up I could send this as a new patch RFC if it sounds
workable.

First, I added a new member to the x86_platform_ops structure:
int (*legacy_range_accessible)(phys_addr_t);
The default function provided for this operation always returns an
indication that access is permitted.  If appropriate to the  platform,
the default function pointer can be replaced at runtime with a function
that disallows access. This provides a test by which post-boot code -
such  as devmem_is_allowed - can query whether access to a particular
address should be permitted.

Because this check must occur in a relatively small window between dmi
initialization and the call to probe_roms, I added what I think could be
a generally useful early quirk check at the end of dmi_scan_machine:

   if (dmi_available)
   dmi_check_system(dmi_early_quirks);

Here, dmi_early_quirks is a typical dmi_system_id array, initially
containing an entry for my prototype system.   When matched for the
properties of interest, it calls out via the .callback entry to a new
function I named x86_mark_legacy_adapter_range_inaccessible. This
function does the following:

a. it replaces the x86_init_resources.probe_roms function pointer with
x86_init_noop; and

b. it replaces the above-mentioned legacy_range_accessible callout in
the x86_platform_ops structure with a function that disapproves of
access to the legacy adapter region.

So in this approach, I don't patch the function probe_roms itself;
rather, I entirely avoid calling it.

A specific point on which I'd like to get advice is regarding the policy
for accepting a submission based on DMI properties of an unreleased
prototype platform.  This focuses on the weak point of any opt-in type
of quirk: if the DMI properties of the product change over the product
lifecyle (there's always a version n+1!) then the patch must be amended.
But at that point, the modification required is simply altering text
string content in a dmi_system_id array.


Option 3: Boot command line activation

| 3. Can it be activated on demand for testing on other platforms? A
| kernel boot command line parameter could be added, for example. How does
| the community feel about adding more of those?

I am considering this option in addition to - not instead of - the
automatic activation by the dmi properties, but it remains an area on
which I want to get further input before posting a new patch rfc: is it
appropriate to include a boot command interface to activate this feature
on demand for platforms that don't match via the DMI_MATCH criteria?  If
new boot command parameters are discouraged, is there a better paradigm
for forced activation that I should investigate?

Any other feedback?

--
Randy WrightHewlett-Packard Company
Phone: (970) 898-0998   Mail: rwri...@hp.com
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH RFC] function probe_roms accessing improper addresses

[Randy Wright]

> Date: Thu, 4 Oct 2012 20:22:56 +0100
> From: Matthew Garrett 
> To: rwri...@hp.com
> Cc: linux-kernel@vger.kernel.org
> Subject: Re: [PATCH RFC] function probe_roms accessing improper addresses
>  on UEFI systems
> Message-ID: <20121004192256.ga6...@srcf.ucam.org>
> References: <201210032353.q93nrkni018...@filesys1.fc.hp.com>
> 
> On Wed, Oct 03, 2012 at 05:53:46PM -0600, Randy Wright wrote:
> 
> > The following proposed patch takes advantage of the fact that on EFI
> > systems, the memory map provides a better description of the physical
> > space than on pre-EFI legacy systems. If the efi_enabled state variable
> > indicates the kernel is running on an UEFI system, the patch will use
> > information from the UEFI memory map so as not to access addresses that
> > should avoided according to the UEFI specification.
> 
> This turns out to be awkward. Some (mostly older) EFI platforms still 
> only provide the video ROM through the 0xc window, and that's 
> sometimes needed even if the platform isn't using int10 for anything 
> (for instance, some Intel graphics machines only provide the VBT through 
> the video ROM and don't provide that via the PCI BAR). And, of course, 
> they have an EFI memory map that just shows a hole there.
> 
> So we can't distinguish between the two cases easily. The only thing I 
> can think of would be to push that policy out to the graphics drivers 
> and have them trigger a scan only if they can't get the required 
> information from any other source. I suspect that this patch as is would 
> break graphics on a reasonable number of EFI platforms.
> -- 
> Matthew Garrett | mj...@srcf.ucam.org

Hi Matthew, 

I appreciate your description of the problems with my approach, as well
as the reply from h...@zytor.com (H. Peter Anvin) in response to my mention
of this patch in another thread.  His reply contained a couple of
suggestions that initially appeal to me more than an approach requiring
a change to a set of video drivers, the size of which I don't quite
know how to scope.  In that other thread, hpa said:

| One option would be to quirk it; obviously there is some piece of
| hardware which does cause this #MC and hopefully we could use that to
| detect that specific regions should be excluded; another option would be
| to trap the #MC during ROM probing.

I definitely see the appeal of trapping the #MC and triggering a
solution from that, if it can be made to work. I've spent some time
evaluating that, and I see these issues:

1. I don't believe the kernel's MC handler is initialized early enough
to handle a machine check occurring as early as probe_roms.  Probe_roms
is called very early in boot.  I see this as the call stack:
  start_kernel->setup_arch->probe_roms
Whereas the machine check initialization for x86 appears to come later:
  start_kernel->check_bugs->identify_boot_cpu->identify_cpu->mcheck_cpu_init
At present, I do not want to tackle such a major reordering of
intialization as would be required to change this.

2. For all platforms, is the setup of chipset and cpu address decoding
robust enough to allow the OS to handle the resulting machine check and
recover?  I've worked with some platforms in the past where this was not
always the case, the result being that for some unpopulated address
ranges, the resulting machine check would not be recoverable.

Because of the above difficulties with the MC handler idea, I have
focused my thoughts more on the quirk idea that hpa mentioned. I've been
investigating some existing examples in the kernel, and trying to
understand some of the issues involved with designing a new one.

1. Can the interface be chosen to present the needed interface to all callers? 
I recognize this as a challenge if a single interface is to be used both
in early boot (e.g. probe_roms) and later runtime (e.g.
devmem_is_allowed).  Something like a new member added to the
x86_platform_ops structure?

2. How can it automatically be activated for platforms that need it? I
see quite a few quirks selected by cpu id, but that's probably not
appropriate here.  Again, activating it by hitting the #MC in probe_roms
would be cool, but I see it as involving a major reordering of
initialization code.  So I'm left thinking about something in keying off
the dmi platform strings, which fortunately are initialized thusly:
  start_kernel->setup_arch->dmi_scan_machine
convenient, as it's just before probe_roms is called.

3. Can it be activated on demand for testing on other platforms? A
kernel boot command line parameter could be added, for example. How does
the community feel about adding more of those?

What are other design issues I'm overlooking?

Are there are existing quirks that strike you as particularly
good models for this case?  

--
Randy WrightHewlett-Packard Company
Phone: (970) 898-0998  

Re: [PATCH RFC] function probe_roms accessing improper addresses

[Randy Wright]

 Date: Thu, 4 Oct 2012 20:22:56 +0100
 From: Matthew Garrett mj...@srcf.ucam.org
 To: rwri...@hp.com
 Cc: linux-kernel@vger.kernel.org
 Subject: Re: [PATCH RFC] function probe_roms accessing improper addresses
  on UEFI systems
 Message-ID: 20121004192256.ga6...@srcf.ucam.org
 References: 201210032353.q93nrkni018...@filesys1.fc.hp.com
 
 On Wed, Oct 03, 2012 at 05:53:46PM -0600, Randy Wright wrote:
 
  The following proposed patch takes advantage of the fact that on EFI
  systems, the memory map provides a better description of the physical
  space than on pre-EFI legacy systems. If the efi_enabled state variable
  indicates the kernel is running on an UEFI system, the patch will use
  information from the UEFI memory map so as not to access addresses that
  should avoided according to the UEFI specification.
 
 This turns out to be awkward. Some (mostly older) EFI platforms still 
 only provide the video ROM through the 0xc window, and that's 
 sometimes needed even if the platform isn't using int10 for anything 
 (for instance, some Intel graphics machines only provide the VBT through 
 the video ROM and don't provide that via the PCI BAR). And, of course, 
 they have an EFI memory map that just shows a hole there.
 
 So we can't distinguish between the two cases easily. The only thing I 
 can think of would be to push that policy out to the graphics drivers 
 and have them trigger a scan only if they can't get the required 
 information from any other source. I suspect that this patch as is would 
 break graphics on a reasonable number of EFI platforms.
 -- 
 Matthew Garrett | mj...@srcf.ucam.org

Hi Matthew, 

I appreciate your description of the problems with my approach, as well
as the reply from h...@zytor.com (H. Peter Anvin) in response to my mention
of this patch in another thread.  His reply contained a couple of
suggestions that initially appeal to me more than an approach requiring
a change to a set of video drivers, the size of which I don't quite
know how to scope.  In that other thread, hpa said:

| One option would be to quirk it; obviously there is some piece of
| hardware which does cause this #MC and hopefully we could use that to
| detect that specific regions should be excluded; another option would be
| to trap the #MC during ROM probing.

I definitely see the appeal of trapping the #MC and triggering a
solution from that, if it can be made to work. I've spent some time
evaluating that, and I see these issues:

1. I don't believe the kernel's MC handler is initialized early enough
to handle a machine check occurring as early as probe_roms.  Probe_roms
is called very early in boot.  I see this as the call stack:
  start_kernel-setup_arch-probe_roms
Whereas the machine check initialization for x86 appears to come later:
  start_kernel-check_bugs-identify_boot_cpu-identify_cpu-mcheck_cpu_init
At present, I do not want to tackle such a major reordering of
intialization as would be required to change this.

2. For all platforms, is the setup of chipset and cpu address decoding
robust enough to allow the OS to handle the resulting machine check and
recover?  I've worked with some platforms in the past where this was not
always the case, the result being that for some unpopulated address
ranges, the resulting machine check would not be recoverable.

Because of the above difficulties with the MC handler idea, I have
focused my thoughts more on the quirk idea that hpa mentioned. I've been
investigating some existing examples in the kernel, and trying to
understand some of the issues involved with designing a new one.

1. Can the interface be chosen to present the needed interface to all callers? 
I recognize this as a challenge if a single interface is to be used both
in early boot (e.g. probe_roms) and later runtime (e.g.
devmem_is_allowed).  Something like a new member added to the
x86_platform_ops structure?

2. How can it automatically be activated for platforms that need it? I
see quite a few quirks selected by cpu id, but that's probably not
appropriate here.  Again, activating it by hitting the #MC in probe_roms
would be cool, but I see it as involving a major reordering of
initialization code.  So I'm left thinking about something in keying off
the dmi platform strings, which fortunately are initialized thusly:
  start_kernel-setup_arch-dmi_scan_machine
convenient, as it's just before probe_roms is called.

3. Can it be activated on demand for testing on other platforms? A
kernel boot command line parameter could be added, for example. How does
the community feel about adding more of those?

What are other design issues I'm overlooking?

Are there are existing quirks that strike you as particularly
good models for this case?  

--
Randy WrightHewlett-Packard Company
Phone: (970) 898-0998   Mail: rwri...@hp.com
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http

Re: [PATCH] Fix devmem_is_allowed for below 1MB accesses for an efi machine

[Randy Wright]

On 10/02/2012 11:20 PM, Matthew Garrett wrote:

> Oh, right, got you. In that case I think we potentially need a 
> finer-grained check on EFI platforms - the EFI memory map is kind enough 
> to tell us the difference between unusable regions and io regions, and 
> we could avoid access to the unusable ones.


I wanted to mention in this context a patch RFC I posted yesterday as a
distinct thread which is visible as https://lkml.org/lkml/2012/10/3/589
with the subject: [PATCH RFC] function probe_roms accessing improper
addresses on UEFI systems.

While the mechanism is different from Tmac's patch (because probe_roms
runs early in boot, prior to resource structure initialization) the
intent of the change is the same: to prevent a machine check resulting
from access to inappropriate physical addresses.

I will monitor both this thread as well as my own recent RFC posting
since the underlying issues are common.

-- 
Randy Wright+1-970-898-0998
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH] Fix devmem_is_allowed for below 1MB accesses for an efi machine

[Randy Wright]

On 10/02/2012 11:20 PM, Matthew Garrett wrote:

 Oh, right, got you. In that case I think we potentially need a 
 finer-grained check on EFI platforms - the EFI memory map is kind enough 
 to tell us the difference between unusable regions and io regions, and 
 we could avoid access to the unusable ones.


I wanted to mention in this context a patch RFC I posted yesterday as a
distinct thread which is visible as https://lkml.org/lkml/2012/10/3/589
with the subject: [PATCH RFC] function probe_roms accessing improper
addresses on UEFI systems.

While the mechanism is different from Tmac's patch (because probe_roms
runs early in boot, prior to resource structure initialization) the
intent of the change is the same: to prevent a machine check resulting
from access to inappropriate physical addresses.

I will monitor both this thread as well as my own recent RFC posting
since the underlying issues are common.

-- 
Randy Wrightrwri...@hp.com+1-970-898-0998
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH RFC] function probe_roms accessing improper addresses on UEFI systems

[Randy Wright]

The code in function probe_roms accesses the legacy adapter space (in
the physical address range 640k-1mb) without regard to how this range is
described in the memory map. The assumption in the code is that the
result of an access to unpopulated space is a soft fail, returning -1.
This assumption is not universally true; some systems may cause a hard
error (MCE) when accessing an unpopulated physical address.

The following proposed patch takes advantage of the fact that on EFI
systems, the memory map provides a better description of the physical
space than on pre-EFI legacy systems. If the efi_enabled state variable
indicates the kernel is running on an UEFI system, the patch will use
information from the UEFI memory map so as not to access addresses that
should avoided according to the UEFI specification.

See also a discussion underway in the context of a patch to devmem_is_allowed 
  https://lkml.org/lkml/2012/10/2/458
which has the same overall goal of restricting access to 
inappropriate ranges of the EFI memory map.

Following is my proposed patch based on v3.6. I would appreciate input
on the following points.  

1. Is the implementation properly interpreting the UEFI specification by
disallowing probes of addresses for which the type is EFI_RESERVED_TYPE,
EFI_UNUSABLE_MEMORY, or otherwise unknown?

2. The patch includes some simple test cases in function test_probes
that can be customized to the testing needs of a particular target
system.  This test code is conditionally enabled based on the
pre-processor symbol DO_TEST_PROBES; if that is not defined, the body of
function test_probes() is empty.  This code can be enabled and modified
as needed to test specific addresses of interest.  Is this code useful
to include in an upstream patch?  If not, is there a more generally
useful testing strategy?

Please CC me directly with comments or questions.

Signed-off-by: Randy Wright 

---
 arch/x86/kernel/probe_roms.c |   71 ++
 1 file changed, 71 insertions(+)

diff --git a/arch/x86/kernel/probe_roms.c b/arch/x86/kernel/probe_roms.c
index d5f15c3..76c20c9 100644
--- a/arch/x86/kernel/probe_roms.c
+++ b/arch/x86/kernel/probe_roms.c
@@ -11,6 +11,7 @@
 #include 
 #include 
 #include 
+#include  /* efi_enabled, efi_mem_type */
 
 #include 
 #include 
@@ -177,11 +178,46 @@ EXPORT_SYMBOL(pci_biosrom_size);
 
 #define ROMSIGNATURE 0xaa55
 
+/*
+ * efi_paddr_valid returns 1 if the input physical address
+ * is valid in the efi memory map, 0 otherwise.
+ */
+static int __init efi_paddr_valid(phys_addr_t paddr)
+{
+   u32 type = efi_mem_type((unsigned long)paddr);
+   printk(KERN_DEBUG "efi_paddr_valid(0x%lx): type 0x%lx\n",
+   (unsigned long)paddr, (unsigned long)type);
+   if (type == EFI_RESERVED_TYPE
+   ||  type == EFI_UNUSABLE_MEMORY
+   ||  type >= EFI_MAX_MEMORY_TYPE)
+   return 0;
+   return 1;
+}
+
+/*
+ * efi_vaddr_valid translates itsinput va to a pa, then
+ * returns the result of efi_paddr_valid applied to that pa.
+ */
+
+static int __init efi_vaddr_valid(const unsigned char *vaddr)
+{
+   phys_addr_t paddr = virt_to_phys((volatile void *)vaddr);
+   return efi_paddr_valid(paddr);
+}
+
 static int __init romsignature(const unsigned char *rom)
 {
const unsigned short * const ptr = (const unsigned short *)rom;
unsigned short sig;
 
+   if (efi_enabled) {
+   int rv = efi_vaddr_valid(rom);
+   printk(KERN_DEBUG
+   "romsignature: efi_vaddr_valid(0x%llx) returned %d\n",
+(unsigned long long)rom, rv);
+   if (0 == rv)
+   return 0;
+   }
return probe_kernel_address(ptr, sig) == 0 && sig == ROMSIGNATURE;
 }
 
@@ -194,6 +230,39 @@ static int __init romchecksum(const unsigned char *rom, 
unsigned long length)
return !length && !sum;
 }
 
+/* #define DO_TEST_PROBES "include customizable test code" */
+static void __init test_probes(void)
+{
+#ifdef DO_TEST_PROBES
+   static struct {
+   phys_addr_t paddr;
+   int ptype;
+   } plist[] = {
+   {0x3e76ULL, 0}, /* RESERVED */
+   {0x009ffda9f000ULL, 1}, /* LOADER CODE  */
+   {0x0005e000ULL, 2}, /* LOADER DATA  */
+   {0x0006ULL, 3}, /* BOOT CODE (why after EBS?) */
+   {0x3640ULL, 4}, /* BOOT DATA (why after EBS?) */
+   {0x009fffc96000ULL, 5}, /* RUNTIME CODE */
+   {0x009fffcd3000ULL, 6}, /* RUNTIME DATA */
+   {0x1000ULL, 7}, /* CONVENTIONAL MEM */
+   {0x3e75f000ULL, 9}, /* ACPI RECLAIM */
+ 

[PATCH RFC] function probe_roms accessing improper addresses on UEFI systems

[Randy Wright]

The code in function probe_roms accesses the legacy adapter space (in
the physical address range 640k-1mb) without regard to how this range is
described in the memory map. The assumption in the code is that the
result of an access to unpopulated space is a soft fail, returning -1.
This assumption is not universally true; some systems may cause a hard
error (MCE) when accessing an unpopulated physical address.

The following proposed patch takes advantage of the fact that on EFI
systems, the memory map provides a better description of the physical
space than on pre-EFI legacy systems. If the efi_enabled state variable
indicates the kernel is running on an UEFI system, the patch will use
information from the UEFI memory map so as not to access addresses that
should avoided according to the UEFI specification.

See also a discussion underway in the context of a patch to devmem_is_allowed 
  https://lkml.org/lkml/2012/10/2/458
which has the same overall goal of restricting access to 
inappropriate ranges of the EFI memory map.

Following is my proposed patch based on v3.6. I would appreciate input
on the following points.  

1. Is the implementation properly interpreting the UEFI specification by
disallowing probes of addresses for which the type is EFI_RESERVED_TYPE,
EFI_UNUSABLE_MEMORY, or otherwise unknown?

2. The patch includes some simple test cases in function test_probes
that can be customized to the testing needs of a particular target
system.  This test code is conditionally enabled based on the
pre-processor symbol DO_TEST_PROBES; if that is not defined, the body of
function test_probes() is empty.  This code can be enabled and modified
as needed to test specific addresses of interest.  Is this code useful
to include in an upstream patch?  If not, is there a more generally
useful testing strategy?

Please CC me directly with comments or questions.

Signed-off-by: Randy Wright rwri...@hp.com

---
 arch/x86/kernel/probe_roms.c |   71 ++
 1 file changed, 71 insertions(+)

diff --git a/arch/x86/kernel/probe_roms.c b/arch/x86/kernel/probe_roms.c
index d5f15c3..76c20c9 100644
--- a/arch/x86/kernel/probe_roms.c
+++ b/arch/x86/kernel/probe_roms.c
@@ -11,6 +11,7 @@
 #include linux/pfn.h
 #include linux/pci.h
 #include linux/export.h
+#include linux/efi.h /* efi_enabled, efi_mem_type */
 
 #include asm/probe_roms.h
 #include asm/pci-direct.h
@@ -177,11 +178,46 @@ EXPORT_SYMBOL(pci_biosrom_size);
 
 #define ROMSIGNATURE 0xaa55
 
+/*
+ * efi_paddr_valid returns 1 if the input physical address
+ * is valid in the efi memory map, 0 otherwise.
+ */
+static int __init efi_paddr_valid(phys_addr_t paddr)
+{
+   u32 type = efi_mem_type((unsigned long)paddr);
+   printk(KERN_DEBUG efi_paddr_valid(0x%lx): type 0x%lx\n,
+   (unsigned long)paddr, (unsigned long)type);
+   if (type == EFI_RESERVED_TYPE
+   ||  type == EFI_UNUSABLE_MEMORY
+   ||  type = EFI_MAX_MEMORY_TYPE)
+   return 0;
+   return 1;
+}
+
+/*
+ * efi_vaddr_valid translates itsinput va to a pa, then
+ * returns the result of efi_paddr_valid applied to that pa.
+ */
+
+static int __init efi_vaddr_valid(const unsigned char *vaddr)
+{
+   phys_addr_t paddr = virt_to_phys((volatile void *)vaddr);
+   return efi_paddr_valid(paddr);
+}
+
 static int __init romsignature(const unsigned char *rom)
 {
const unsigned short * const ptr = (const unsigned short *)rom;
unsigned short sig;
 
+   if (efi_enabled) {
+   int rv = efi_vaddr_valid(rom);
+   printk(KERN_DEBUG
+   romsignature: efi_vaddr_valid(0x%llx) returned %d\n,
+(unsigned long long)rom, rv);
+   if (0 == rv)
+   return 0;
+   }
return probe_kernel_address(ptr, sig) == 0  sig == ROMSIGNATURE;
 }
 
@@ -194,6 +230,39 @@ static int __init romchecksum(const unsigned char *rom, 
unsigned long length)
return !length  !sum;
 }
 
+/* #define DO_TEST_PROBES include customizable test code */
+static void __init test_probes(void)
+{
+#ifdef DO_TEST_PROBES
+   static struct {
+   phys_addr_t paddr;
+   int ptype;
+   } plist[] = {
+   {0x3e76ULL, 0}, /* RESERVED */
+   {0x009ffda9f000ULL, 1}, /* LOADER CODE  */
+   {0x0005e000ULL, 2}, /* LOADER DATA  */
+   {0x0006ULL, 3}, /* BOOT CODE (why after EBS?) */
+   {0x3640ULL, 4}, /* BOOT DATA (why after EBS?) */
+   {0x009fffc96000ULL, 5}, /* RUNTIME CODE */
+   {0x009fffcd3000ULL, 6}, /* RUNTIME DATA */
+   {0x1000ULL, 7}, /* CONVENTIONAL MEM */
+   {0x3e75f000ULL, 9}, /* ACPI RECLAIM