From patchwork Thu Aug 11 23:03:58 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thiago Jung Bauermann X-Patchwork-Id: 73825 Delivered-To: patch@linaro.org Received: by 10.140.29.52 with SMTP id a49csp346960qga; Thu, 11 Aug 2016 16:04:54 -0700 (PDT) X-Received: by 10.98.131.8 with SMTP id h8mr21644763pfe.124.1470956694675; Thu, 11 Aug 2016 16:04:54 -0700 (PDT) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b64si5361568pfc.170.2016.08.11.16.04.52; Thu, 11 Aug 2016 16:04:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752423AbcHKXEh (ORCPT + 27 others); Thu, 11 Aug 2016 19:04:37 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:16923 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752282AbcHKXEe (ORCPT ); Thu, 11 Aug 2016 19:04:34 -0400 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.11/8.16.0.11) with SMTP id u7BN4GeW047698 for ; Thu, 11 Aug 2016 19:04:33 -0400 Received: from e24smtp04.br.ibm.com (e24smtp04.br.ibm.com [32.104.18.25]) by mx0a-001b2d01.pphosted.com with ESMTP id 24qm9vfawj-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Thu, 11 Aug 2016 19:04:33 -0400 Received: from localhost by e24smtp04.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 11 Aug 2016 20:04:30 -0300 Received: from d24dlp02.br.ibm.com (9.18.248.206) by e24smtp04.br.ibm.com (10.172.0.140) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 11 Aug 2016 20:04:27 -0300 X-IBM-Helo: d24dlp02.br.ibm.com X-IBM-MailFrom: bauerman@linux.vnet.ibm.com X-IBM-RcptTo: linux-kernel@vger.kernel.org Received: from d24relay01.br.ibm.com (d24relay01.br.ibm.com [9.8.31.16]) by d24dlp02.br.ibm.com (Postfix) with ESMTP id 0C1C81DC0054 for ; Thu, 11 Aug 2016 19:04:18 -0400 (EDT) Received: from d24av04.br.ibm.com (d24av04.br.ibm.com [9.8.31.97]) by d24relay01.br.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id u7BN4RQA5013518 for ; Thu, 11 Aug 2016 20:04:27 -0300 Received: from d24av04.br.ibm.com (localhost [127.0.0.1]) by d24av04.br.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id u7BN4PlH019260 for ; Thu, 11 Aug 2016 20:04:26 -0300 Received: from hactar.ibm.com (mwramos.br.ibm.com [9.18.201.183] (may be forged)) by d24av04.br.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id u7BN4KWL019189; Thu, 11 Aug 2016 20:04:24 -0300 From: Thiago Jung Bauermann To: kexec@lists.infradead.org Cc: linuxppc-dev@lists.ozlabs.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, AKASHI Takahiro , Eric Biederman , Dave Young , Vivek Goyal , Baoquan He , David Laight , Michael Ellerman , Benjamin Herrenschmidt , Stewart Smith , Arnd Bergmann , Mark Rutland , Russell King - ARM Linux , Andrew Morton , Thiago Jung Bauermann Subject: [PATCH v2 2/2] kexec: extend kexec_file_load system call Date: Thu, 11 Aug 2016 20:03:58 -0300 X-Mailer: git-send-email 1.9.1 In-Reply-To: <1470956638-3589-1-git-send-email-bauerman@linux.vnet.ibm.com> References: <1470956638-3589-1-git-send-email-bauerman@linux.vnet.ibm.com> X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 16081123-0028-0000-0000-00000132086B X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 16081123-0029-0000-0000-000013E6F5D6 Message-Id: <1470956638-3589-3-git-send-email-bauerman@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-08-11_14:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=38 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1608110297 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: AKASHI Takahiro Device tree blob must be passed to a second kernel on DTB-capable archs, like powerpc and arm64, but the current kernel interface lacks this support. This patch extends kexec_file_load system call by adding an extra argument to this syscall so that an arbitrary number of file descriptors can be handed out from user space to the kernel. long sys_kexec_file_load(int kernel_fd, int initrd_fd, unsigned long cmdline_len, const char __user *cmdline_ptr, unsigned long flags, const struct kexec_fdset __user *ufdset); If KEXEC_FILE_EXTRA_FDS is set to the "flags" argument, the "ufdset" argument points to the following struct buffer: struct kexec_fdset { int nr_fds; struct kexec_file_fd fds[0]; } Signed-off-by: AKASHI Takahiro Signed-off-by: Thiago Jung Bauermann --- include/linux/fs.h | 1 + include/linux/kexec.h | 7 ++-- include/linux/syscalls.h | 4 ++- include/uapi/linux/kexec.h | 22 ++++++++++++ kernel/kexec_file.c | 83 ++++++++++++++++++++++++++++++++++++++++++---- 5 files changed, 108 insertions(+), 9 deletions(-) -- 1.9.1 diff --git a/include/linux/fs.h b/include/linux/fs.h index 3523bf62f328..847d9c31f428 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2656,6 +2656,7 @@ extern int do_pipe_flags(int *, int); id(MODULE, kernel-module) \ id(KEXEC_IMAGE, kexec-image) \ id(KEXEC_INITRAMFS, kexec-initramfs) \ + id(KEXEC_PARTIAL_DTB, kexec-partial-dtb) \ id(POLICY, security-policy) \ id(MAX_ID, ) diff --git a/include/linux/kexec.h b/include/linux/kexec.h index 4f85d284ed0b..29202935055d 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -148,7 +148,10 @@ struct kexec_file_ops { kexec_verify_sig_t *verify_sig; #endif }; -#endif + +int __weak arch_kexec_verify_buffer(enum kexec_file_type type, const void *buf, + unsigned long size); +#endif /* CONFIG_KEXEC_FILE */ struct kimage { kimage_entry_t head; @@ -280,7 +283,7 @@ extern int kexec_load_disabled; /* List of defined/legal kexec file flags */ #define KEXEC_FILE_FLAGS (KEXEC_FILE_UNLOAD | KEXEC_FILE_ON_CRASH | \ - KEXEC_FILE_NO_INITRAMFS) + KEXEC_FILE_NO_INITRAMFS | KEXEC_FILE_EXTRA_FDS) #define VMCOREINFO_BYTES (4096) #define VMCOREINFO_NOTE_NAME "VMCOREINFO" diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index d02239022bd0..fc072bdb74e3 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -66,6 +66,7 @@ struct perf_event_attr; struct file_handle; struct sigaltstack; union bpf_attr; +struct kexec_fdset; #include #include @@ -321,7 +322,8 @@ asmlinkage long sys_kexec_load(unsigned long entry, unsigned long nr_segments, asmlinkage long sys_kexec_file_load(int kernel_fd, int initrd_fd, unsigned long cmdline_len, const char __user *cmdline_ptr, - unsigned long flags); + unsigned long flags, + const struct kexec_fdset __user *ufdset); asmlinkage long sys_exit(int error_code); asmlinkage long sys_exit_group(int error_code); diff --git a/include/uapi/linux/kexec.h b/include/uapi/linux/kexec.h index aae5ebf2022b..6279be79efba 100644 --- a/include/uapi/linux/kexec.h +++ b/include/uapi/linux/kexec.h @@ -23,6 +23,28 @@ #define KEXEC_FILE_UNLOAD 0x00000001 #define KEXEC_FILE_ON_CRASH 0x00000002 #define KEXEC_FILE_NO_INITRAMFS 0x00000004 +#define KEXEC_FILE_EXTRA_FDS 0x00000008 + +enum kexec_file_type { + KEXEC_FILE_TYPE_KERNEL, + KEXEC_FILE_TYPE_INITRAMFS, + + /* + * Device Tree Blob containing just the nodes and properties that + * the kexec_file_load caller wants to add or modify. + */ + KEXEC_FILE_TYPE_PARTIAL_DTB, +}; + +struct kexec_file_fd { + enum kexec_file_type type; + int fd; +}; + +struct kexec_fdset { + int nr_fds; + struct kexec_file_fd fds[0]; +}; /* These values match the ELF architecture values. * Unless there is a good reason that should continue to be the case. diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 113af2f219b9..d6803dd884e2 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -25,6 +25,9 @@ #include #include "kexec_internal.h" +#define MAX_FDSET_SIZE (sizeof(struct kexec_fdset) + \ + KEXEC_SEGMENT_MAX * sizeof(struct kexec_file_fd)) + /* * Declare these symbols weak so that if architecture provides a purgatory, * these will be overridden. @@ -116,6 +119,22 @@ void kimage_file_post_load_cleanup(struct kimage *image) image->image_loader_data = NULL; } +/** + * arch_kexec_verify_buffer() - check that the given kexec file is valid + * + * Device trees in particular can contain properties that may make the kernel + * execute code that it wasn't supposed to (e.g., use the wrong entry point + * when calling firmware functions). Because of this, the kernel needs to + * verify that it is safe to use the device tree blob passed from userspace. + * + * Return: 0 on success, negative errno on error. + */ +int __weak arch_kexec_verify_buffer(enum kexec_file_type type, const void *buf, + unsigned long size) +{ + return -EINVAL; +} + /* * In file mode list of segments is prepared by kernel. Copy relevant * data from user space, do error checking, prepare segment list @@ -123,7 +142,8 @@ void kimage_file_post_load_cleanup(struct kimage *image) static int kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, - unsigned long cmdline_len, unsigned flags) + unsigned long cmdline_len, unsigned long flags, + const struct kexec_fdset __user *ufdset) { int ret = 0; void *ldata; @@ -160,6 +180,55 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, image->initrd_buf_len = size; } + if (flags & KEXEC_FILE_EXTRA_FDS) { + int nr_fds, i; + size_t fdset_size; + char fdset_buf[MAX_FDSET_SIZE]; + struct kexec_fdset *fdset = (struct kexec_fdset *) fdset_buf; + + ret = copy_from_user(&nr_fds, ufdset, sizeof(int)); + if (ret) { + ret = -EFAULT; + goto out; + } + + if (nr_fds > KEXEC_SEGMENT_MAX) { + ret = -E2BIG; + goto out; + } + + fdset_size = sizeof(struct kexec_fdset) + + nr_fds * sizeof(struct kexec_file_fd); + + ret = copy_from_user(fdset, ufdset, fdset_size); + if (ret) { + ret = -EFAULT; + goto out; + } + + for (i = 0; i < fdset->nr_fds; i++) { + if (fdset->fds[i].type == KEXEC_FILE_TYPE_PARTIAL_DTB) { + ret = kernel_read_file_from_fd(fdset->fds[i].fd, + &image->dtb_buf, &size, INT_MAX, + READING_KEXEC_PARTIAL_DTB); + if (ret) + goto out; + image->dtb_buf_len = size; + + ret = arch_kexec_verify_buffer(KEXEC_FILE_TYPE_PARTIAL_DTB, + image->dtb_buf, + image->dtb_buf_len); + if (ret) + goto out; + } else { + pr_debug("unknown file type %d failed.\n", + fdset->fds[i].type); + ret = -EINVAL; + goto out; + } + } + } + if (cmdline_len) { image->cmdline_buf = kzalloc(cmdline_len, GFP_KERNEL); if (!image->cmdline_buf) { @@ -202,7 +271,8 @@ out: static int kimage_file_alloc_init(struct kimage **rimage, int kernel_fd, int initrd_fd, const char __user *cmdline_ptr, - unsigned long cmdline_len, unsigned long flags) + unsigned long cmdline_len, unsigned long flags, + const struct kexec_fdset __user *ufdset) { int ret; struct kimage *image; @@ -221,7 +291,8 @@ kimage_file_alloc_init(struct kimage **rimage, int kernel_fd, } ret = kimage_file_prepare_segments(image, kernel_fd, initrd_fd, - cmdline_ptr, cmdline_len, flags); + cmdline_ptr, cmdline_len, flags, + ufdset); if (ret) goto out_free_image; @@ -256,9 +327,9 @@ out_free_image: return ret; } -SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, +SYSCALL_DEFINE6(kexec_file_load, int, kernel_fd, int, initrd_fd, unsigned long, cmdline_len, const char __user *, cmdline_ptr, - unsigned long, flags) + unsigned long, flags, const struct kexec_fdset __user *, ufdset) { int ret = 0, i; struct kimage **dest_image, *image; @@ -295,7 +366,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, kimage_free(xchg(&kexec_crash_image, NULL)); ret = kimage_file_alloc_init(&image, kernel_fd, initrd_fd, cmdline_ptr, - cmdline_len, flags); + cmdline_len, flags, ufdset); if (ret) goto out;