xref: /linux/drivers/firmware/efi/unaccepted_memory.c (revision eb01fe7abbe2d0b38824d2a93fdb4cc3eaf2ccc1)
1 // SPDX-License-Identifier: GPL-2.0-only
2 
3 #include <linux/efi.h>
4 #include <linux/memblock.h>
5 #include <linux/spinlock.h>
6 #include <linux/crash_dump.h>
7 #include <asm/unaccepted_memory.h>
8 
9 /* Protects unaccepted memory bitmap and accepting_list */
10 static DEFINE_SPINLOCK(unaccepted_memory_lock);
11 
12 struct accept_range {
13 	struct list_head list;
14 	unsigned long start;
15 	unsigned long end;
16 };
17 
18 static LIST_HEAD(accepting_list);
19 
20 /*
21  * accept_memory() -- Consult bitmap and accept the memory if needed.
22  *
23  * Only memory that is explicitly marked as unaccepted in the bitmap requires
24  * an action. All the remaining memory is implicitly accepted and doesn't need
25  * acceptance.
26  *
27  * No need to accept:
28  *  - anything if the system has no unaccepted table;
29  *  - memory that is below phys_base;
30  *  - memory that is above the memory that addressable by the bitmap;
31  */
32 void accept_memory(phys_addr_t start, phys_addr_t end)
33 {
34 	struct efi_unaccepted_memory *unaccepted;
35 	unsigned long range_start, range_end;
36 	struct accept_range range, *entry;
37 	unsigned long flags;
38 	u64 unit_size;
39 
40 	unaccepted = efi_get_unaccepted_table();
41 	if (!unaccepted)
42 		return;
43 
44 	unit_size = unaccepted->unit_size;
45 
46 	/*
47 	 * Only care for the part of the range that is represented
48 	 * in the bitmap.
49 	 */
50 	if (start < unaccepted->phys_base)
51 		start = unaccepted->phys_base;
52 	if (end < unaccepted->phys_base)
53 		return;
54 
55 	/* Translate to offsets from the beginning of the bitmap */
56 	start -= unaccepted->phys_base;
57 	end -= unaccepted->phys_base;
58 
59 	/*
60 	 * load_unaligned_zeropad() can lead to unwanted loads across page
61 	 * boundaries. The unwanted loads are typically harmless. But, they
62 	 * might be made to totally unrelated or even unmapped memory.
63 	 * load_unaligned_zeropad() relies on exception fixup (#PF, #GP and now
64 	 * #VE) to recover from these unwanted loads.
65 	 *
66 	 * But, this approach does not work for unaccepted memory. For TDX, a
67 	 * load from unaccepted memory will not lead to a recoverable exception
68 	 * within the guest. The guest will exit to the VMM where the only
69 	 * recourse is to terminate the guest.
70 	 *
71 	 * There are two parts to fix this issue and comprehensively avoid
72 	 * access to unaccepted memory. Together these ensure that an extra
73 	 * "guard" page is accepted in addition to the memory that needs to be
74 	 * used:
75 	 *
76 	 * 1. Implicitly extend the range_contains_unaccepted_memory(start, end)
77 	 *    checks up to end+unit_size if 'end' is aligned on a unit_size
78 	 *    boundary.
79 	 *
80 	 * 2. Implicitly extend accept_memory(start, end) to end+unit_size if
81 	 *    'end' is aligned on a unit_size boundary. (immediately following
82 	 *    this comment)
83 	 */
84 	if (!(end % unit_size))
85 		end += unit_size;
86 
87 	/* Make sure not to overrun the bitmap */
88 	if (end > unaccepted->size * unit_size * BITS_PER_BYTE)
89 		end = unaccepted->size * unit_size * BITS_PER_BYTE;
90 
91 	range.start = start / unit_size;
92 	range.end = DIV_ROUND_UP(end, unit_size);
93 retry:
94 	spin_lock_irqsave(&unaccepted_memory_lock, flags);
95 
96 	/*
97 	 * Check if anybody works on accepting the same range of the memory.
98 	 *
99 	 * The check is done with unit_size granularity. It is crucial to catch
100 	 * all accept requests to the same unit_size block, even if they don't
101 	 * overlap on physical address level.
102 	 */
103 	list_for_each_entry(entry, &accepting_list, list) {
104 		if (entry->end <= range.start)
105 			continue;
106 		if (entry->start >= range.end)
107 			continue;
108 
109 		/*
110 		 * Somebody else accepting the range. Or at least part of it.
111 		 *
112 		 * Drop the lock and retry until it is complete.
113 		 */
114 		spin_unlock_irqrestore(&unaccepted_memory_lock, flags);
115 		goto retry;
116 	}
117 
118 	/*
119 	 * Register that the range is about to be accepted.
120 	 * Make sure nobody else will accept it.
121 	 */
122 	list_add(&range.list, &accepting_list);
123 
124 	range_start = range.start;
125 	for_each_set_bitrange_from(range_start, range_end, unaccepted->bitmap,
126 				   range.end) {
127 		unsigned long phys_start, phys_end;
128 		unsigned long len = range_end - range_start;
129 
130 		phys_start = range_start * unit_size + unaccepted->phys_base;
131 		phys_end = range_end * unit_size + unaccepted->phys_base;
132 
133 		/*
134 		 * Keep interrupts disabled until the accept operation is
135 		 * complete in order to prevent deadlocks.
136 		 *
137 		 * Enabling interrupts before calling arch_accept_memory()
138 		 * creates an opportunity for an interrupt handler to request
139 		 * acceptance for the same memory. The handler will continuously
140 		 * spin with interrupts disabled, preventing other task from
141 		 * making progress with the acceptance process.
142 		 */
143 		spin_unlock(&unaccepted_memory_lock);
144 
145 		arch_accept_memory(phys_start, phys_end);
146 
147 		spin_lock(&unaccepted_memory_lock);
148 		bitmap_clear(unaccepted->bitmap, range_start, len);
149 	}
150 
151 	list_del(&range.list);
152 	spin_unlock_irqrestore(&unaccepted_memory_lock, flags);
153 }
154 
155 bool range_contains_unaccepted_memory(phys_addr_t start, phys_addr_t end)
156 {
157 	struct efi_unaccepted_memory *unaccepted;
158 	unsigned long flags;
159 	bool ret = false;
160 	u64 unit_size;
161 
162 	unaccepted = efi_get_unaccepted_table();
163 	if (!unaccepted)
164 		return false;
165 
166 	unit_size = unaccepted->unit_size;
167 
168 	/*
169 	 * Only care for the part of the range that is represented
170 	 * in the bitmap.
171 	 */
172 	if (start < unaccepted->phys_base)
173 		start = unaccepted->phys_base;
174 	if (end < unaccepted->phys_base)
175 		return false;
176 
177 	/* Translate to offsets from the beginning of the bitmap */
178 	start -= unaccepted->phys_base;
179 	end -= unaccepted->phys_base;
180 
181 	/*
182 	 * Also consider the unaccepted state of the *next* page. See fix #1 in
183 	 * the comment on load_unaligned_zeropad() in accept_memory().
184 	 */
185 	if (!(end % unit_size))
186 		end += unit_size;
187 
188 	/* Make sure not to overrun the bitmap */
189 	if (end > unaccepted->size * unit_size * BITS_PER_BYTE)
190 		end = unaccepted->size * unit_size * BITS_PER_BYTE;
191 
192 	spin_lock_irqsave(&unaccepted_memory_lock, flags);
193 	while (start < end) {
194 		if (test_bit(start / unit_size, unaccepted->bitmap)) {
195 			ret = true;
196 			break;
197 		}
198 
199 		start += unit_size;
200 	}
201 	spin_unlock_irqrestore(&unaccepted_memory_lock, flags);
202 
203 	return ret;
204 }
205 
206 #ifdef CONFIG_PROC_VMCORE
207 static bool unaccepted_memory_vmcore_pfn_is_ram(struct vmcore_cb *cb,
208 						unsigned long pfn)
209 {
210 	return !pfn_is_unaccepted_memory(pfn);
211 }
212 
213 static struct vmcore_cb vmcore_cb = {
214 	.pfn_is_ram = unaccepted_memory_vmcore_pfn_is_ram,
215 };
216 
217 static int __init unaccepted_memory_init_kdump(void)
218 {
219 	register_vmcore_cb(&vmcore_cb);
220 	return 0;
221 }
222 core_initcall(unaccepted_memory_init_kdump);
223 #endif /* CONFIG_PROC_VMCORE */
224