efi/x86: use naked RET on mixed mode call wrapper
When running with return thunks enabled under 32-bit EFI, the system
crashes with:
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle page fault for address:
000000005bc02900
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0011) - permissions violation
PGD
18f7063 P4D
18f7063 PUD
18ff063 PMD
190e063 PTE
800000005bc02063
Oops: 0011 [#1] PREEMPT SMP PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc6+ #166
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:0x5bc02900
Code: Unable to access opcode bytes at RIP 0x5bc028d6.
RSP: 0018:
ffffffffb3203e10 EFLAGS:
00010046
RAX:
0000000000000000 RBX:
0000000000000000 RCX:
0000000000000048
RDX:
000000000190dfac RSI:
0000000000001710 RDI:
000000007eae823b
RBP:
ffffffffb3203e70 R08:
0000000001970000 R09:
ffffffffb3203e28
R10:
747563657865206c R11:
6c6977203a696665 R12:
0000000000001710
R13:
0000000000000030 R14:
0000000001970000 R15:
0000000000000001
FS:
0000000000000000(0000) GS:
ffff8e013ca00000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0:
0000000080050033
CR2:
000000005bc02900 CR3:
0000000001930000 CR4:
00000000000006f0
Call Trace:
? efi_set_virtual_address_map+0x9c/0x175
efi_enter_virtual_mode+0x4a6/0x53e
start_kernel+0x67c/0x71e
x86_64_start_reservations+0x24/0x2a
x86_64_start_kernel+0xe9/0xf4
secondary_startup_64_no_verify+0xe5/0xeb
That's because it cannot jump to the return thunk from the 32-bit code.
Using a naked RET and marking it as safe allows the system to proceed
booting.
Fixes: aa3d480315ba ("x86: Use return-thunk in asm code")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: <stable@vger.kernel.org>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>