x86/efi: Fix graceful fault handling after FPU softirq changes
Summary
| CVE | CVE-2026-46290 |
|---|
| State | PUBLISHED |
|---|
| Assigner | Linux |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2026-06-08 17:16:47 UTC |
|---|
| Updated | 2026-06-08 17:16:47 UTC |
|---|
| Description | In the Linux kernel, the following vulnerability has been resolved:
x86/efi: Fix graceful fault handling after FPU softirq changes
Since commit d02198550423 ("x86/fpu: Improve crypto performance by
making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin()
calls fpregs_lock() which uses local_bh_disable() instead of the
previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count
during the entire EFI runtime service call, causing in_interrupt() to
return true in normal task context.
The graceful page fault handler efi_crash_gracefully_on_page_fault()
uses in_interrupt() to bail out for faults in real interrupt context.
With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI
firmware page faults unhandled. This escalates to die() which also sees
in_interrupt() as true and calls panic("Fatal exception in interrupt"),
resulting in a hard system freeze. On systems with buggy firmware that
triggers page faults during EFI runtime calls (e.g., accessing unmapped
memory in GetTime()), this causes an unrecoverable hang instead of the
expected graceful EFI_ABORTED recovery.
Fix by replacing in_interrupt() with !in_task(). This preserves the
original intent of bailing for interrupts or NMI faults, while no longer
falsely triggering from the FPU code path's local_bh_disable().
[ardb: Sashiko spotted that using 'in_hardirq() || in_nmi()' leaves a
window where a softirq may be taken before fpregs_lock() is
called, but after efi_rts_work.efi_rts_id has been assigned,
and any page faults occurring in that window will then be
misidentified as having been caused by the firmware. Instead,
use !in_task(), which incorporates in_serving_softirq(). ] |
|---|
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|
| CNA |
Linux |
Linux |
affected d02198550423a0b695e7a24ec77153209ad45b09 22b365ba1af3d8c6036b8e5112fffe80998b85a0 git |
Not specified |
| CNA |
Linux |
Linux |
affected d02198550423a0b695e7a24ec77153209ad45b09 db155b86d1523e85941f61efd7d7ffb594cc9a29 git |
Not specified |
| CNA |
Linux |
Linux |
affected d02198550423a0b695e7a24ec77153209ad45b09 088f65e206087bf903743bd18417261d7a4c9644 git |
Not specified |
| CNA |
Linux |
Linux |
affected 6.15 |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.15 semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.18.30 6.18.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.0.7 7.0.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.1-rc3 * original_commit_for_fix |
Not specified |
References
| Reference | Source | Link | Tags |
|---|
| git.kernel.org/stable/c/088f65e206087bf903743bd18417261d7a4c9644 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/db155b86d1523e85941f61efd7d7ffb594cc9a29 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/22b365ba1af3d8c6036b8e5112fffe80998b85a0 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.
