[PATCH] x86/efi: Fix graceful fault handling after FPU softirq changes

[PATCH] x86/efi: Fix graceful fault handling after FPU softirq changes

[Ivan Hu]

Since commit d02198550423 ("x86/fpu: Improve crypto performance by
making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin()
calls fpregs_lock() which uses local_bh_disable() instead of the
previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count
during the entire EFI runtime service call, causing in_interrupt() to
return true in normal task context.

The graceful page fault handler efi_crash_gracefully_on_page_fault()
uses in_interrupt() to bail out for faults in real interrupt context.
With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI
firmware page faults unhandled. This escalates to die() which also sees
in_interrupt() as true and calls panic("Fatal exception in interrupt"),
resulting in a hard system freeze. On systems with buggy firmware that
triggers page faults during EFI runtime calls (e.g., accessing unmapped
memory in GetTime()), this causes an unrecoverable hang instead of the
expected graceful EFI_ABORTED recovery.

Fix by replacing in_interrupt() with in_hardirq() || in_nmi(). This
preserves the original intent of bailing for genuine hardware interrupt
or NMI faults, while no longer falsely triggering from the FPU code
path's local_bh_disable(). This is safe because softirqs cannot run
during EFI calls (they are explicitly blocked by fpregs_lock()), so
they can never be the source of a page fault in this context.

Fixes: d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs")
Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
---
 arch/x86/platform/efi/quirks.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
index df24ffc6105d..7475405119ce 100644
--- a/arch/x86/platform/efi/quirks.c
+++ b/arch/x86/platform/efi/quirks.c
@@ -767,10 +767,10 @@ void efi_crash_gracefully_on_page_fault(unsigned long phys_addr)
 		return;
 
 	/*
-	 * If we get an interrupt/NMI while processing an EFI runtime service
+	 * If we get a hard IRQ or NMI while processing an EFI runtime service
 	 * then this is a regular OOPS, not an EFI failure.
 	 */
-	if (in_interrupt())
+	if (in_hardirq() || in_nmi())
 		return;
 
 	/*
-- 
2.43.0

Re: [PATCH] x86/efi: Fix graceful fault handling after FPU softirq changes

[Ard Biesheuvel]

On Thu, 30 Apr 2026, at 09:41, Ivan Hu wrote:
> Since commit d02198550423 ("x86/fpu: Improve crypto performance by
> making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin()
> calls fpregs_lock() which uses local_bh_disable() instead of the
> previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count
> during the entire EFI runtime service call, causing in_interrupt() to
> return true in normal task context.
>
> The graceful page fault handler efi_crash_gracefully_on_page_fault()
> uses in_interrupt() to bail out for faults in real interrupt context.
> With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI
> firmware page faults unhandled. This escalates to die() which also sees
> in_interrupt() as true and calls panic("Fatal exception in interrupt"),
> resulting in a hard system freeze. On systems with buggy firmware that
> triggers page faults during EFI runtime calls (e.g., accessing unmapped
> memory in GetTime()), this causes an unrecoverable hang instead of the
> expected graceful EFI_ABORTED recovery.
>
> Fix by replacing in_interrupt() with in_hardirq() || in_nmi(). This
> preserves the original intent of bailing for genuine hardware interrupt
> or NMI faults, while no longer falsely triggering from the FPU code
> path's local_bh_disable(). This is safe because softirqs cannot run
> during EFI calls (they are explicitly blocked by fpregs_lock()), so
> they can never be the source of a page fault in this context.
>
> Fixes: d02198550423 ("x86/fpu: Improve crypto performance by making 
> kernel-mode FPU reliably usable in softirqs")
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
> ---
>  arch/x86/platform/efi/quirks.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>

Acked-by: Ard Biesheuvel <ardb@kernel.org>

I'll take this via the EFI tree unless -tip prefers to take it.

Re: [PATCH] x86/efi: Fix graceful fault handling after FPU softirq changes

[Eric Biggers]

On Thu, Apr 30, 2026 at 03:41:07PM +0800, Ivan Hu wrote:
> Since commit d02198550423 ("x86/fpu: Improve crypto performance by
> making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin()
> calls fpregs_lock() which uses local_bh_disable() instead of the
> previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count
> during the entire EFI runtime service call, causing in_interrupt() to
> return true in normal task context.
> 
> The graceful page fault handler efi_crash_gracefully_on_page_fault()
> uses in_interrupt() to bail out for faults in real interrupt context.
> With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI
> firmware page faults unhandled. This escalates to die() which also sees
> in_interrupt() as true and calls panic("Fatal exception in interrupt"),
> resulting in a hard system freeze. On systems with buggy firmware that
> triggers page faults during EFI runtime calls (e.g., accessing unmapped
> memory in GetTime()), this causes an unrecoverable hang instead of the
> expected graceful EFI_ABORTED recovery.
> 
> Fix by replacing in_interrupt() with in_hardirq() || in_nmi(). This
> preserves the original intent of bailing for genuine hardware interrupt
> or NMI faults, while no longer falsely triggering from the FPU code
> path's local_bh_disable(). This is safe because softirqs cannot run
> during EFI calls (they are explicitly blocked by fpregs_lock()), so
> they can never be the source of a page fault in this context.
> 
> Fixes: d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs")
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>

Sorry for the trouble here.

Can you check the Sashiko review at
https://sashiko.dev/#/patchset/20260430074107.27051-1-ivan.hu%40canonical.com
?  The two things it found look legitimate.

- Eric

Re: [PATCH] x86/efi: Fix graceful fault handling after FPU softirq changes

[Ard Biesheuvel]

On Fri, 1 May 2026, at 07:52, Eric Biggers wrote:
> On Thu, Apr 30, 2026 at 03:41:07PM +0800, Ivan Hu wrote:
>> Since commit d02198550423 ("x86/fpu: Improve crypto performance by
>> making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin()
>> calls fpregs_lock() which uses local_bh_disable() instead of the
>> previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count
>> during the entire EFI runtime service call, causing in_interrupt() to
>> return true in normal task context.
>> 
>> The graceful page fault handler efi_crash_gracefully_on_page_fault()
>> uses in_interrupt() to bail out for faults in real interrupt context.
>> With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI
>> firmware page faults unhandled. This escalates to die() which also sees
>> in_interrupt() as true and calls panic("Fatal exception in interrupt"),
>> resulting in a hard system freeze. On systems with buggy firmware that
>> triggers page faults during EFI runtime calls (e.g., accessing unmapped
>> memory in GetTime()), this causes an unrecoverable hang instead of the
>> expected graceful EFI_ABORTED recovery.
>> 
>> Fix by replacing in_interrupt() with in_hardirq() || in_nmi(). This
>> preserves the original intent of bailing for genuine hardware interrupt
>> or NMI faults, while no longer falsely triggering from the FPU code
>> path's local_bh_disable(). This is safe because softirqs cannot run
>> during EFI calls (they are explicitly blocked by fpregs_lock()), so
>> they can never be the source of a page fault in this context.
>> 
>> Fixes: d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs")
>> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
>
> Sorry for the trouble here.
>
> Can you check the Sashiko review at
> https://sashiko.dev/#/patchset/20260430074107.27051-1-ivan.hu%40canonical.com
> ?  The two things it found look legitimate.
>

Ah thanks for bringing that up. Yes, those concerns seem valid (as
usual for Sashiko :-))

So we should be using !in_task() here instead, to ensure that
in_serving_softirq() is taken into account too, or we might
trigger the EFI page fault handler inadvertently.

I will send out a patch for the other issue it identified separately.