2005-06-26 01:57:52 +04:00
/*
2015-09-10 01:38:55 +03:00
* kexec . c - kexec_load system call
2005-06-26 01:57:52 +04:00
* Copyright ( C ) 2002 - 2004 Eric Biederman < ebiederm @ xmission . com >
*
* This source code is licensed under the GNU General Public License ,
* Version 2. See the file COPYING for more details .
*/
kexec: use file name as the output message prefix
kexec output message misses the prefix "kexec", when Dave Young split the
kexec code. Now, we use file name as the output message prefix.
Currently, the format of output message:
[ 140.290795] SYSC_kexec_load: hello, world
[ 140.291534] kexec: sanity_check_segment_list: hello, world
Ideally, the format of output message:
[ 30.791503] kexec: SYSC_kexec_load, Hello, world
[ 79.182752] kexec_core: sanity_check_segment_list, Hello, world
Remove the custom prefix "kexec" in output message.
Signed-off-by: Minfei Huang <mnfhuang@gmail.com>
Acked-by: Dave Young <dyoung@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-11-07 03:32:45 +03:00
# define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
2006-01-11 23:17:46 +03:00
# include <linux/capability.h>
2005-06-26 01:57:52 +04:00
# include <linux/mm.h>
# include <linux/file.h>
# include <linux/kexec.h>
2008-08-15 11:40:27 +04:00
# include <linux/mutex.h>
2005-06-26 01:57:52 +04:00
# include <linux/list.h>
# include <linux/syscalls.h>
2015-09-10 01:38:51 +03:00
# include <linux/vmalloc.h>
2015-09-10 01:38:55 +03:00
# include <linux/slab.h>
2005-06-26 01:57:52 +04:00
2015-09-10 01:38:51 +03:00
# include "kexec_internal.h"
2014-08-09 01:25:45 +04:00
static int copy_user_segment_list ( struct kimage * image ,
unsigned long nr_segments ,
struct kexec_segment __user * segments )
2005-06-26 01:57:52 +04:00
{
2014-08-09 01:25:45 +04:00
int ret ;
2005-06-26 01:57:52 +04:00
size_t segment_bytes ;
/* Read in the segments */
image - > nr_segments = nr_segments ;
segment_bytes = nr_segments * sizeof ( * segments ) ;
2014-08-09 01:25:45 +04:00
ret = copy_from_user ( image - > segment , segments , segment_bytes ) ;
if ( ret )
ret = - EFAULT ;
return ret ;
}
2014-08-09 01:25:48 +04:00
static int kimage_alloc_init ( struct kimage * * rimage , unsigned long entry ,
unsigned long nr_segments ,
struct kexec_segment __user * segments ,
unsigned long flags )
2005-06-26 01:57:52 +04:00
{
2014-08-09 01:25:48 +04:00
int ret ;
2005-06-26 01:57:52 +04:00
struct kimage * image ;
2014-08-09 01:25:48 +04:00
bool kexec_on_panic = flags & KEXEC_ON_CRASH ;
if ( kexec_on_panic ) {
/* Verify we have a valid entry point */
2016-08-03 00:06:04 +03:00
if ( ( entry < phys_to_boot_phys ( crashk_res . start ) ) | |
( entry > phys_to_boot_phys ( crashk_res . end ) ) )
2014-08-09 01:25:48 +04:00
return - EADDRNOTAVAIL ;
}
2005-06-26 01:57:52 +04:00
/* Allocate and initialize a controlling structure */
2014-08-09 01:25:45 +04:00
image = do_kimage_alloc_init ( ) ;
if ( ! image )
return - ENOMEM ;
image - > start = entry ;
2014-08-09 01:25:48 +04:00
ret = copy_user_segment_list ( image , nr_segments , segments ) ;
if ( ret )
2014-08-09 01:25:45 +04:00
goto out_free_image ;
2014-08-09 01:25:48 +04:00
if ( kexec_on_panic ) {
2016-01-21 02:00:31 +03:00
/* Enable special crash kernel control page alloc policy. */
2014-08-09 01:25:48 +04:00
image - > control_page = crashk_res . start ;
image - > type = KEXEC_TYPE_CRASH ;
}
2016-01-21 02:00:31 +03:00
ret = sanity_check_segment_list ( image ) ;
if ( ret )
goto out_free_image ;
2005-06-26 01:57:52 +04:00
/*
* Find a location for the control code buffer , and add it
* the vector of segments so that it ' s pages will also be
* counted as destination pages .
*/
2014-08-09 01:25:48 +04:00
ret = - ENOMEM ;
2005-06-26 01:57:52 +04:00
image - > control_code_page = kimage_alloc_control_pages ( image ,
2008-08-15 11:40:22 +04:00
get_order ( KEXEC_CONTROL_PAGE_SIZE ) ) ;
2005-06-26 01:57:52 +04:00
if ( ! image - > control_code_page ) {
2014-06-07 01:37:09 +04:00
pr_err ( " Could not allocate control_code_buffer \n " ) ;
2014-08-09 01:25:45 +04:00
goto out_free_image ;
2005-06-26 01:57:52 +04:00
}
2014-08-09 01:25:48 +04:00
if ( ! kexec_on_panic ) {
image - > swap_page = kimage_alloc_control_pages ( image , 0 ) ;
if ( ! image - > swap_page ) {
pr_err ( " Could not allocate swap buffer \n " ) ;
goto out_free_control_pages ;
}
2008-07-26 06:45:07 +04:00
}
2013-02-28 05:03:29 +04:00
* rimage = image ;
return 0 ;
2014-08-09 01:25:45 +04:00
out_free_control_pages :
2013-02-28 05:03:29 +04:00
kimage_free_page_list ( & image - > control_pages ) ;
2014-08-09 01:25:45 +04:00
out_free_image :
2013-02-28 05:03:29 +04:00
kfree ( image ) ;
2014-08-09 01:25:48 +04:00
return ret ;
2005-06-26 01:57:52 +04:00
}
2016-05-24 02:24:19 +03:00
static int do_kexec_load ( unsigned long entry , unsigned long nr_segments ,
struct kexec_segment __user * segments , unsigned long flags )
{
struct kimage * * dest_image , * image ;
unsigned long i ;
int ret ;
if ( flags & KEXEC_ON_CRASH ) {
dest_image = & kexec_crash_image ;
if ( kexec_crash_image )
arch_kexec_unprotect_crashkres ( ) ;
} else {
dest_image = & kexec_image ;
}
if ( nr_segments = = 0 ) {
/* Uninstall image */
kimage_free ( xchg ( dest_image , NULL ) ) ;
return 0 ;
}
if ( flags & KEXEC_ON_CRASH ) {
/*
* Loading another kernel to switch to if this one
* crashes . Free any current crash dump kernel before
* we corrupt it .
*/
kimage_free ( xchg ( & kexec_crash_image , NULL ) ) ;
}
ret = kimage_alloc_init ( & image , entry , nr_segments , segments , flags ) ;
if ( ret )
return ret ;
if ( flags & KEXEC_PRESERVE_CONTEXT )
image - > preserve_context = 1 ;
ret = machine_kexec_prepare ( image ) ;
if ( ret )
goto out ;
for ( i = 0 ; i < nr_segments ; i + + ) {
ret = kimage_load_segment ( image , & image - > segment [ i ] ) ;
if ( ret )
goto out ;
}
kimage_terminate ( image ) ;
/* Install the new kernel and uninstall the old */
image = xchg ( dest_image , image ) ;
out :
if ( ( flags & KEXEC_ON_CRASH ) & & kexec_crash_image )
arch_kexec_protect_crashkres ( ) ;
kimage_free ( image ) ;
return ret ;
}
2005-06-26 01:57:52 +04:00
/*
* Exec Kernel system call : for obvious reasons only root may call it .
*
* This call breaks up into three pieces .
* - A generic part which loads the new kernel from the current
* address space , and very carefully places the data in the
* allocated pages .
*
* - A generic part that interacts with the kernel and tells all of
* the devices to shut down . Preventing on - going dmas , and placing
* the devices in a consistent state so a later kernel can
* reinitialize them .
*
* - A machine specific part that includes the syscall number
2013-09-15 13:35:37 +04:00
* and then copies the image to it ' s final destination . And
2005-06-26 01:57:52 +04:00
* jumps into the image at entry .
*
* kexec does not sync , or unmount filesystems so if you need
* that to happen you need to do that yourself .
*/
2008-08-15 11:40:27 +04:00
2009-01-14 16:14:09 +03:00
SYSCALL_DEFINE4 ( kexec_load , unsigned long , entry , unsigned long , nr_segments ,
struct kexec_segment __user * , segments , unsigned long , flags )
2005-06-26 01:57:52 +04:00
{
int result ;
/* We only trust the superuser with rebooting the system. */
kexec: add sysctl to disable kexec_load
For general-purpose (i.e. distro) kernel builds it makes sense to build
with CONFIG_KEXEC to allow end users to choose what kind of things they
want to do with kexec. However, in the face of trying to lock down a
system with such a kernel, there needs to be a way to disable kexec_load
(much like module loading can be disabled). Without this, it is too easy
for the root user to modify kernel memory even when CONFIG_STRICT_DEVMEM
and modules_disabled are set. With this change, it is still possible to
load an image for use later, then disable kexec_load so the image (or lack
of image) can't be altered.
The intention is for using this in environments where "perfect"
enforcement is hard. Without a verified boot, along with verified
modules, and along with verified kexec, this is trying to give a system a
better chance to defend itself (or at least grow the window of
discoverability) against attack in the face of a privilege escalation.
In my mind, I consider several boot scenarios:
1) Verified boot of read-only verified root fs loading fd-based
verification of kexec images.
2) Secure boot of writable root fs loading signed kexec images.
3) Regular boot loading kexec (e.g. kcrash) image early and locking it.
4) Regular boot with no control of kexec image at all.
1 and 2 don't exist yet, but will soon once the verified kexec series has
landed. 4 is the state of things now. The gap between 2 and 4 is too
large, so this change creates scenario 3, a middle-ground above 4 when 2
and 1 are not possible for a system.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-01-24 03:55:59 +04:00
if ( ! capable ( CAP_SYS_BOOT ) | | kexec_load_disabled )
2005-06-26 01:57:52 +04:00
return - EPERM ;
/*
* Verify we have a legal set of flags
* This leaves us room for future extensions .
*/
if ( ( flags & KEXEC_FLAGS ) ! = ( flags & ~ KEXEC_ARCH_MASK ) )
return - EINVAL ;
/* Verify we are on the appropriate architecture */
if ( ( ( flags & KEXEC_ARCH_MASK ) ! = KEXEC_ARCH ) & &
( ( flags & KEXEC_ARCH_MASK ) ! = KEXEC_ARCH_DEFAULT ) )
return - EINVAL ;
/* Put an artificial cap on the number
* of segments passed to kexec_load .
*/
if ( nr_segments > KEXEC_SEGMENT_MAX )
return - EINVAL ;
/* Because we write directly to the reserved memory
* region when loading crash kernels we need a mutex here to
* prevent multiple crash kernels from attempting to load
* simultaneously , and to prevent a crash kernel from loading
* over the top of a in use crash kernel .
*
* KISS : always take the mutex .
*/
2008-08-15 11:40:27 +04:00
if ( ! mutex_trylock ( & kexec_mutex ) )
2005-06-26 01:57:52 +04:00
return - EBUSY ;
2005-06-26 01:58:28 +04:00
2016-05-24 02:24:19 +03:00
result = do_kexec_load ( entry , nr_segments , segments , flags ) ;
2005-06-26 01:57:52 +04:00
2008-08-15 11:40:27 +04:00
mutex_unlock ( & kexec_mutex ) ;
2005-06-26 01:58:28 +04:00
2005-06-26 01:57:52 +04:00
return result ;
}
# ifdef CONFIG_COMPAT
2014-03-04 20:13:42 +04:00
COMPAT_SYSCALL_DEFINE4 ( kexec_load , compat_ulong_t , entry ,
compat_ulong_t , nr_segments ,
struct compat_kexec_segment __user * , segments ,
compat_ulong_t , flags )
2005-06-26 01:57:52 +04:00
{
struct compat_kexec_segment in ;
struct kexec_segment out , __user * ksegments ;
unsigned long i , result ;
/* Don't allow clients that don't understand the native
* architecture to do anything .
*/
2005-06-26 01:58:28 +04:00
if ( ( flags & KEXEC_ARCH_MASK ) = = KEXEC_ARCH_DEFAULT )
2005-06-26 01:57:52 +04:00
return - EINVAL ;
2005-06-26 01:58:28 +04:00
if ( nr_segments > KEXEC_SEGMENT_MAX )
2005-06-26 01:57:52 +04:00
return - EINVAL ;
ksegments = compat_alloc_user_space ( nr_segments * sizeof ( out ) ) ;
2014-06-07 01:37:09 +04:00
for ( i = 0 ; i < nr_segments ; i + + ) {
2005-06-26 01:57:52 +04:00
result = copy_from_user ( & in , & segments [ i ] , sizeof ( in ) ) ;
2005-06-26 01:58:28 +04:00
if ( result )
2005-06-26 01:57:52 +04:00
return - EFAULT ;
out . buf = compat_ptr ( in . buf ) ;
out . bufsz = in . bufsz ;
out . mem = in . mem ;
out . memsz = in . memsz ;
result = copy_to_user ( & ksegments [ i ] , & out , sizeof ( out ) ) ;
2005-06-26 01:58:28 +04:00
if ( result )
2005-06-26 01:57:52 +04:00
return - EFAULT ;
}
return sys_kexec_load ( entry , nr_segments , ksegments , flags ) ;
}
# endif