UEFI requires us to support nested interrupts, but provides no way for
an interrupt handler to call RestoreTPL() without implicitly
re-enabling interrupts.  In a virtual machine, it is possible for a
large burst of interrupts to arrive.  We must prevent such a burst
from leading to stack underrun, while continuing to allow nested
interrupts to occur.
This can be achieved by allowing, when provably safe to do so, an
inner interrupt handler to return from the interrupt without restoring
the TPL and with interrupts remaining disabled after IRET, with the
deferred call to RestoreTPL() then being issued from the outer
interrupt handler.  This is necessarily messy and involves direct
manipulation of the interrupt stack frame, and so should not be
implemented as open-coded logic within each interrupt handler.
Add the Nested Interrupt TPL Library (NestedInterruptTplLib) to
provide helper functions that can be used by nested interrupt handlers
in place of RaiseTPL()/RestoreTPL().
Example call tree for a timer interrupt occurring at TPL_APPLICATION
with a nested timer interrupt that makes its own call to RestoreTPL():
  outer TimerInterruptHandler()
    InterruptedTPL == TPL_APPLICATION
    ...
    IsrState->InProgressRestoreTPL = TPL_APPLICATION;
    gBS->RestoreTPL (TPL_APPLICATION);
      EnableInterrupts();
      dispatch a TPL_CALLBACK event
        gEfiCurrentTpl = TPL_CALLBACK;
        nested timer interrupt occurs
        inner TimerInterruptHandler()
          InterruptedTPL == TPL_CALLBACK
          ...
          IsrState->InProgressRestoreTPL = TPL_CALLBACK;
          gBS->RestoreTPL (TPL_CALLBACK);
            EnableInterrupts();
          DisableInterrupts();
          IsrState->InProgressRestoreTPL = TPL_APPLICATION;
          IRET re-enables interrupts
      ... finish dispatching TPL_CALLBACK events ...
      gEfiCurrentTpl = TPL_APPLICATION;
    DisableInterrupts();
    IsrState->InProgressRestoreTPL = 0;
    sees IsrState->DeferredRestoreTPL == FALSE and returns
    IRET re-enables interrupts
Example call tree for a timer interrupt occurring at TPL_APPLICATION
with a nested timer interrupt that defers its call to RestoreTPL() to
the outer instance of the interrupt handler:
  outer TimerInterruptHandler()
    InterruptedTPL == TPL_APPLICATION
    ...
    IsrState->InProgressRestoreTPL = TPL_APPLICATION;
    gBS->RestoreTPL (TPL_APPLICATION);
      EnableInterrupts();
      dispatch a TPL_CALLBACK event
      ... finish dispatching TPL_CALLBACK events ...
      gEfiCurrentTpl = TPL_APPLICATION;
      nested timer interrupt occurs
      inner TimerInterruptHandler()
        InterruptedTPL == TPL_APPLICATION;
        ...
        sees InterruptedTPL == IsrState->InProgressRestoreTPL
        IsrState->DeferredRestoreTPL = TRUE;
        DisableInterruptsOnIret();
        IRET returns without re-enabling interrupts
    DisableInterrupts();
    IsrState->InProgressRestoreTPL = 0;
    sees IsrState->DeferredRestoreTPL == TRUE and loops
    IsrState->InProgressRestoreTPL = TPL_APPLICATION;
    gBS->RestoreTPL (TPL_APPLICATION);  <-- deferred call
      EnableInterrupts();
    DisableInterrupts();
    IsrState->InProgressRestoreTPL = 0;
    sees IsrState->DeferredRestoreTPL == FALSE and returns
    IRET re-enables interrupts
Cc: Paolo Bonzini <pbonzini@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=4162
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Acked-by: Laszlo Ersek <lersek@redhat.com>
		
	
		
			
				
	
	
		
			63 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			63 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /** @file
 | |
|   Force interrupt handler to return with interrupts still disabled.
 | |
| 
 | |
|   Copyright (C) 2022, Fen Systems Ltd.
 | |
| 
 | |
|   SPDX-License-Identifier: BSD-2-Clause-Patent
 | |
| **/
 | |
| 
 | |
| #include <Library/BaseLib.h>
 | |
| #include <Library/DebugLib.h>
 | |
| 
 | |
| #include "Iret.h"
 | |
| 
 | |
| /**
 | |
|   Force interrupt handler to return with interrupts still disabled.
 | |
| 
 | |
|   @param SystemContext         A pointer to the system context when the
 | |
|                                interrupt occurred.
 | |
| **/
 | |
| VOID
 | |
| DisableInterruptsOnIret (
 | |
|   IN OUT EFI_SYSTEM_CONTEXT  SystemContext
 | |
|   )
 | |
| {
 | |
|  #if defined (MDE_CPU_X64)
 | |
| 
 | |
|   IA32_EFLAGS32  Rflags;
 | |
| 
 | |
|   //
 | |
|   // Get flags from system context.
 | |
|   //
 | |
|   Rflags.UintN = SystemContext.SystemContextX64->Rflags;
 | |
|   ASSERT (Rflags.Bits.IF);
 | |
| 
 | |
|   //
 | |
|   // Clear interrupts-enabled flag.
 | |
|   //
 | |
|   Rflags.Bits.IF                         = 0;
 | |
|   SystemContext.SystemContextX64->Rflags = Rflags.UintN;
 | |
| 
 | |
|  #elif defined (MDE_CPU_IA32)
 | |
| 
 | |
|   IA32_EFLAGS32  Eflags;
 | |
| 
 | |
|   //
 | |
|   // Get flags from system context.
 | |
|   //
 | |
|   Eflags.UintN = SystemContext.SystemContextIa32->Eflags;
 | |
|   ASSERT (Eflags.Bits.IF);
 | |
| 
 | |
|   //
 | |
|   // Clear interrupts-enabled flag.
 | |
|   //
 | |
|   Eflags.Bits.IF                          = 0;
 | |
|   SystemContext.SystemContextIa32->Eflags = Eflags.UintN;
 | |
| 
 | |
|  #else
 | |
| 
 | |
|   #error "Unsupported CPU"
 | |
| 
 | |
|  #endif
 | |
| }
 |