2019-06-03 05:44:46 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2005-06-25 21:57:52 +00:00
|
|
|
/*
|
2015-09-09 22:38:55 +00:00
|
|
|
* kexec.c - kexec_load system call
|
2005-06-25 21:57:52 +00:00
|
|
|
* Copyright (C) 2002-2004 Eric Biederman <ebiederm@xmission.com>
|
|
|
|
|
*/
|
|
|
|
|
|
kexec: use file name as the output message prefix
kexec output message misses the prefix "kexec", when Dave Young split the
kexec code. Now, we use file name as the output message prefix.
Currently, the format of output message:
[ 140.290795] SYSC_kexec_load: hello, world
[ 140.291534] kexec: sanity_check_segment_list: hello, world
Ideally, the format of output message:
[ 30.791503] kexec: SYSC_kexec_load, Hello, world
[ 79.182752] kexec_core: sanity_check_segment_list, Hello, world
Remove the custom prefix "kexec" in output message.
Signed-off-by: Minfei Huang <mnfhuang@gmail.com>
Acked-by: Dave Young <dyoung@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-11-07 00:32:45 +00:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
|
2006-01-11 20:17:46 +00:00
|
|
|
#include <linux/capability.h>
|
2005-06-25 21:57:52 +00:00
|
|
|
#include <linux/mm.h>
|
|
|
|
|
#include <linux/file.h>
|
2018-07-13 18:05:57 +00:00
|
|
|
#include <linux/security.h>
|
2005-06-25 21:57:52 +00:00
|
|
|
#include <linux/kexec.h>
|
2008-08-15 07:40:27 +00:00
|
|
|
#include <linux/mutex.h>
|
2005-06-25 21:57:52 +00:00
|
|
|
#include <linux/list.h>
|
|
|
|
|
#include <linux/syscalls.h>
|
2015-09-09 22:38:51 +00:00
|
|
|
#include <linux/vmalloc.h>
|
2015-09-09 22:38:55 +00:00
|
|
|
#include <linux/slab.h>
|
2005-06-25 21:57:52 +00:00
|
|
|
|
2015-09-09 22:38:51 +00:00
|
|
|
#include "kexec_internal.h"
|
|
|
|
|
|
2014-08-08 21:25:48 +00:00
|
|
|
static int kimage_alloc_init(struct kimage **rimage, unsigned long entry,
|
|
|
|
|
unsigned long nr_segments,
|
2021-11-29 16:38:42 +00:00
|
|
|
struct kexec_segment *segments,
|
2014-08-08 21:25:48 +00:00
|
|
|
unsigned long flags)
|
2005-06-25 21:57:52 +00:00
|
|
|
{
|
2014-08-08 21:25:48 +00:00
|
|
|
int ret;
|
2005-06-25 21:57:52 +00:00
|
|
|
struct kimage *image;
|
2014-08-08 21:25:48 +00:00
|
|
|
bool kexec_on_panic = flags & KEXEC_ON_CRASH;
|
|
|
|
|
|
2024-10-31 05:40:53 +00:00
|
|
|
#ifdef CONFIG_CRASH_DUMP
|
2014-08-08 21:25:48 +00:00
|
|
|
if (kexec_on_panic) {
|
|
|
|
|
/* Verify we have a valid entry point */
|
2016-08-02 21:06:04 +00:00
|
|
|
if ((entry < phys_to_boot_phys(crashk_res.start)) ||
|
|
|
|
|
(entry > phys_to_boot_phys(crashk_res.end)))
|
2014-08-08 21:25:48 +00:00
|
|
|
return -EADDRNOTAVAIL;
|
|
|
|
|
}
|
2024-10-31 05:40:53 +00:00
|
|
|
#endif
|
2005-06-25 21:57:52 +00:00
|
|
|
|
|
|
|
|
/* Allocate and initialize a controlling structure */
|
2014-08-08 21:25:45 +00:00
|
|
|
image = do_kimage_alloc_init();
|
|
|
|
|
if (!image)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
image->start = entry;
|
2021-11-29 16:38:42 +00:00
|
|
|
image->nr_segments = nr_segments;
|
|
|
|
|
memcpy(image->segment, segments, nr_segments * sizeof(*segments));
|
2014-08-08 21:25:45 +00:00
|
|
|
|
2024-10-31 05:40:53 +00:00
|
|
|
#ifdef CONFIG_CRASH_DUMP
|
2014-08-08 21:25:48 +00:00
|
|
|
if (kexec_on_panic) {
|
2016-01-20 23:00:31 +00:00
|
|
|
/* Enable special crash kernel control page alloc policy. */
|
2014-08-08 21:25:48 +00:00
|
|
|
image->control_page = crashk_res.start;
|
|
|
|
|
image->type = KEXEC_TYPE_CRASH;
|
|
|
|
|
}
|
2024-10-31 05:40:53 +00:00
|
|
|
#endif
|
2014-08-08 21:25:48 +00:00
|
|
|
|
2016-01-20 23:00:31 +00:00
|
|
|
ret = sanity_check_segment_list(image);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out_free_image;
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/*
|
|
|
|
|
* Find a location for the control code buffer, and add it
|
|
|
|
|
* the vector of segments so that it's pages will also be
|
|
|
|
|
* counted as destination pages.
|
|
|
|
|
*/
|
2014-08-08 21:25:48 +00:00
|
|
|
ret = -ENOMEM;
|
2005-06-25 21:57:52 +00:00
|
|
|
image->control_code_page = kimage_alloc_control_pages(image,
|
2008-08-15 07:40:22 +00:00
|
|
|
get_order(KEXEC_CONTROL_PAGE_SIZE));
|
2005-06-25 21:57:52 +00:00
|
|
|
if (!image->control_code_page) {
|
2014-06-06 21:37:09 +00:00
|
|
|
pr_err("Could not allocate control_code_buffer\n");
|
2014-08-08 21:25:45 +00:00
|
|
|
goto out_free_image;
|
2005-06-25 21:57:52 +00:00
|
|
|
}
|
|
|
|
|
|
2014-08-08 21:25:48 +00:00
|
|
|
if (!kexec_on_panic) {
|
|
|
|
|
image->swap_page = kimage_alloc_control_pages(image, 0);
|
|
|
|
|
if (!image->swap_page) {
|
|
|
|
|
pr_err("Could not allocate swap buffer\n");
|
|
|
|
|
goto out_free_control_pages;
|
|
|
|
|
}
|
2008-07-26 02:45:07 +00:00
|
|
|
}
|
|
|
|
|
|
2013-02-28 01:03:29 +00:00
|
|
|
*rimage = image;
|
|
|
|
|
return 0;
|
2014-08-08 21:25:45 +00:00
|
|
|
out_free_control_pages:
|
2013-02-28 01:03:29 +00:00
|
|
|
kimage_free_page_list(&image->control_pages);
|
2014-08-08 21:25:45 +00:00
|
|
|
out_free_image:
|
2013-02-28 01:03:29 +00:00
|
|
|
kfree(image);
|
2014-08-08 21:25:48 +00:00
|
|
|
return ret;
|
2005-06-25 21:57:52 +00:00
|
|
|
}
|
|
|
|
|
|
2016-05-23 23:24:19 +00:00
|
|
|
static int do_kexec_load(unsigned long entry, unsigned long nr_segments,
|
2021-11-29 16:38:42 +00:00
|
|
|
struct kexec_segment *segments, unsigned long flags)
|
2016-05-23 23:24:19 +00:00
|
|
|
{
|
|
|
|
|
struct kimage **dest_image, *image;
|
|
|
|
|
unsigned long i;
|
|
|
|
|
int ret;
|
|
|
|
|
|
2021-11-29 16:38:41 +00:00
|
|
|
/*
|
|
|
|
|
* Because we write directly to the reserved memory region when loading
|
2023-02-02 18:05:46 +00:00
|
|
|
* crash kernels we need a serialization here to prevent multiple crash
|
|
|
|
|
* kernels from attempting to load simultaneously.
|
2021-11-29 16:38:41 +00:00
|
|
|
*/
|
2023-02-02 18:05:46 +00:00
|
|
|
if (!kexec_trylock())
|
2021-11-29 16:38:41 +00:00
|
|
|
return -EBUSY;
|
|
|
|
|
|
2024-10-31 05:40:53 +00:00
|
|
|
#ifdef CONFIG_CRASH_DUMP
|
2016-05-23 23:24:19 +00:00
|
|
|
if (flags & KEXEC_ON_CRASH) {
|
|
|
|
|
dest_image = &kexec_crash_image;
|
|
|
|
|
if (kexec_crash_image)
|
|
|
|
|
arch_kexec_unprotect_crashkres();
|
2024-10-31 05:40:53 +00:00
|
|
|
} else
|
|
|
|
|
#endif
|
2016-05-23 23:24:19 +00:00
|
|
|
dest_image = &kexec_image;
|
|
|
|
|
|
|
|
|
|
if (nr_segments == 0) {
|
|
|
|
|
/* Uninstall image */
|
|
|
|
|
kimage_free(xchg(dest_image, NULL));
|
2021-11-29 16:38:41 +00:00
|
|
|
ret = 0;
|
|
|
|
|
goto out_unlock;
|
2016-05-23 23:24:19 +00:00
|
|
|
}
|
|
|
|
|
if (flags & KEXEC_ON_CRASH) {
|
|
|
|
|
/*
|
|
|
|
|
* Loading another kernel to switch to if this one
|
|
|
|
|
* crashes. Free any current crash dump kernel before
|
|
|
|
|
* we corrupt it.
|
|
|
|
|
*/
|
|
|
|
|
kimage_free(xchg(&kexec_crash_image, NULL));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = kimage_alloc_init(&image, entry, nr_segments, segments, flags);
|
|
|
|
|
if (ret)
|
2021-11-29 16:38:41 +00:00
|
|
|
goto out_unlock;
|
2016-05-23 23:24:19 +00:00
|
|
|
|
|
|
|
|
if (flags & KEXEC_PRESERVE_CONTEXT)
|
|
|
|
|
image->preserve_context = 1;
|
|
|
|
|
|
crash: hotplug support for kexec_load()
JIRA: https://issues.redhat.com/browse/RHEL-58641
Upstream Status: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Conflicts: There's conflict in last hunk of include/linux/kexec.h
because commit cbc2fe9d9cb2 ("kexec_file: add kexec_file
flag to control debug printing") has been back ported, and
in 1st hunk of kernel/ksysfs.c because of fuzz.
Meanwhile move definition of kexec_dprintk down for easier
latter back porting.
commit a72bbec70da285a7e09e53fb13c2da7da2032da9
Author: Eric DeVolder <eric.devolder@oracle.com>
Date: Mon Aug 14 17:44:44 2023 -0400
crash: hotplug support for kexec_load()
The hotplug support for kexec_load() requires changes to the userspace
kexec-tools and a little extra help from the kernel.
Given a kdump capture kernel loaded via kexec_load(), and a subsequent
hotplug event, the crash hotplug handler finds the elfcorehdr and rewrites
it to reflect the hotplug change. That is the desired outcome, however,
at kernel panic time, the purgatory integrity check fails (because the
elfcorehdr changed), and the capture kernel does not boot and no vmcore is
generated.
Therefore, the userspace kexec-tools/kexec must indicate to the kernel
that the elfcorehdr can be modified (because the kexec excluded the
elfcorehdr from the digest, and sized the elfcorehdr memory buffer
appropriately).
To facilitate hotplug support with kexec_load():
- a new kexec flag KEXEC_UPATE_ELFCOREHDR indicates that it is
safe for the kernel to modify the kexec_load()'d elfcorehdr
- the /sys/kernel/crash_elfcorehdr_size node communicates the
preferred size of the elfcorehdr memory buffer
- The sysfs crash_hotplug nodes (ie.
/sys/devices/system/[cpu|memory]/crash_hotplug) dynamically
take into account kexec_file_load() vs kexec_load() and
KEXEC_UPDATE_ELFCOREHDR.
This is critical so that the udev rule processing of crash_hotplug
is all that is needed to determine if the userspace unload-then-load
of the kdump image is to be skipped, or not. The proposed udev
rule change looks like:
# The kernel updates the crash elfcorehdr for CPU and memory changes
SUBSYSTEM=="cpu", ATTRS{crash_hotplug}=="1", GOTO="kdump_reload_end"
SUBSYSTEM=="memory", ATTRS{crash_hotplug}=="1", GOTO="kdump_reload_end"
The table below indicates the behavior of kexec_load()'d kdump image
updates (with the new udev crash_hotplug rule in place):
Kernel |Kexec
-------+-----+----
Old |Old |New
| a | a
-------+-----+----
New | a | b
-------+-----+----
where kexec 'old' and 'new' delineate kexec-tools has the needed
modifications for the crash hotplug feature, and kernel 'old' and 'new'
delineate the kernel supports this crash hotplug feature.
Behavior 'a' indicates the unload-then-reload of the entire kdump image.
For the kexec 'old' column, the unload-then-reload occurs due to the
missing flag KEXEC_UPDATE_ELFCOREHDR. An 'old' kernel (with 'new' kexec)
does not present the crash_hotplug sysfs node, which leads to the
unload-then-reload of the kdump image.
Behavior 'b' indicates the desired optimized behavior of the kernel
directly modifying the elfcorehdr and avoiding the unload-then-reload of
the kdump image.
If the udev rule is not updated with crash_hotplug node check, then no
matter any combination of kernel or kexec is new or old, the kdump image
continues to be unload-then-reload on hotplug changes.
To fully support crash hotplug feature, there needs to be a rollout of
kernel, kexec-tools and udev rule changes. However, the order of the
rollout of these pieces does not matter; kexec_load()'d kdump images still
function for hotplug as-is.
Link: https://lkml.kernel.org/r/20230814214446.6659-7-eric.devolder@oracle.com
Signed-off-by: Eric DeVolder <eric.devolder@oracle.com>
Suggested-by: Hari Bathini <hbathini@linux.ibm.com>
Acked-by: Hari Bathini <hbathini@linux.ibm.com>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: Akhil Raj <lf32.dev@gmail.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov (AMD) <bp@alien8.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Thomas Weißschuh <linux@weissschuh.net>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Baoquan He <bhe@redhat.com>
2024-10-29 11:13:19 +00:00
|
|
|
#ifdef CONFIG_CRASH_HOTPLUG
|
2024-11-04 02:51:12 +00:00
|
|
|
if ((flags & KEXEC_ON_CRASH) && arch_crash_hotplug_support(image, flags))
|
|
|
|
|
image->hotplug_support = 1;
|
crash: hotplug support for kexec_load()
JIRA: https://issues.redhat.com/browse/RHEL-58641
Upstream Status: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Conflicts: There's conflict in last hunk of include/linux/kexec.h
because commit cbc2fe9d9cb2 ("kexec_file: add kexec_file
flag to control debug printing") has been back ported, and
in 1st hunk of kernel/ksysfs.c because of fuzz.
Meanwhile move definition of kexec_dprintk down for easier
latter back porting.
commit a72bbec70da285a7e09e53fb13c2da7da2032da9
Author: Eric DeVolder <eric.devolder@oracle.com>
Date: Mon Aug 14 17:44:44 2023 -0400
crash: hotplug support for kexec_load()
The hotplug support for kexec_load() requires changes to the userspace
kexec-tools and a little extra help from the kernel.
Given a kdump capture kernel loaded via kexec_load(), and a subsequent
hotplug event, the crash hotplug handler finds the elfcorehdr and rewrites
it to reflect the hotplug change. That is the desired outcome, however,
at kernel panic time, the purgatory integrity check fails (because the
elfcorehdr changed), and the capture kernel does not boot and no vmcore is
generated.
Therefore, the userspace kexec-tools/kexec must indicate to the kernel
that the elfcorehdr can be modified (because the kexec excluded the
elfcorehdr from the digest, and sized the elfcorehdr memory buffer
appropriately).
To facilitate hotplug support with kexec_load():
- a new kexec flag KEXEC_UPATE_ELFCOREHDR indicates that it is
safe for the kernel to modify the kexec_load()'d elfcorehdr
- the /sys/kernel/crash_elfcorehdr_size node communicates the
preferred size of the elfcorehdr memory buffer
- The sysfs crash_hotplug nodes (ie.
/sys/devices/system/[cpu|memory]/crash_hotplug) dynamically
take into account kexec_file_load() vs kexec_load() and
KEXEC_UPDATE_ELFCOREHDR.
This is critical so that the udev rule processing of crash_hotplug
is all that is needed to determine if the userspace unload-then-load
of the kdump image is to be skipped, or not. The proposed udev
rule change looks like:
# The kernel updates the crash elfcorehdr for CPU and memory changes
SUBSYSTEM=="cpu", ATTRS{crash_hotplug}=="1", GOTO="kdump_reload_end"
SUBSYSTEM=="memory", ATTRS{crash_hotplug}=="1", GOTO="kdump_reload_end"
The table below indicates the behavior of kexec_load()'d kdump image
updates (with the new udev crash_hotplug rule in place):
Kernel |Kexec
-------+-----+----
Old |Old |New
| a | a
-------+-----+----
New | a | b
-------+-----+----
where kexec 'old' and 'new' delineate kexec-tools has the needed
modifications for the crash hotplug feature, and kernel 'old' and 'new'
delineate the kernel supports this crash hotplug feature.
Behavior 'a' indicates the unload-then-reload of the entire kdump image.
For the kexec 'old' column, the unload-then-reload occurs due to the
missing flag KEXEC_UPDATE_ELFCOREHDR. An 'old' kernel (with 'new' kexec)
does not present the crash_hotplug sysfs node, which leads to the
unload-then-reload of the kdump image.
Behavior 'b' indicates the desired optimized behavior of the kernel
directly modifying the elfcorehdr and avoiding the unload-then-reload of
the kdump image.
If the udev rule is not updated with crash_hotplug node check, then no
matter any combination of kernel or kexec is new or old, the kdump image
continues to be unload-then-reload on hotplug changes.
To fully support crash hotplug feature, there needs to be a rollout of
kernel, kexec-tools and udev rule changes. However, the order of the
rollout of these pieces does not matter; kexec_load()'d kdump images still
function for hotplug as-is.
Link: https://lkml.kernel.org/r/20230814214446.6659-7-eric.devolder@oracle.com
Signed-off-by: Eric DeVolder <eric.devolder@oracle.com>
Suggested-by: Hari Bathini <hbathini@linux.ibm.com>
Acked-by: Hari Bathini <hbathini@linux.ibm.com>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: Akhil Raj <lf32.dev@gmail.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov (AMD) <bp@alien8.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Thomas Weißschuh <linux@weissschuh.net>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Baoquan He <bhe@redhat.com>
2024-10-29 11:13:19 +00:00
|
|
|
#endif
|
|
|
|
|
|
2016-05-23 23:24:19 +00:00
|
|
|
ret = machine_kexec_prepare(image);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
|
kdump: protect vmcoreinfo data under the crash memory
Currently vmcoreinfo data is updated at boot time subsys_initcall(), it
has the risk of being modified by some wrong code during system is
running.
As a result, vmcore dumped may contain the wrong vmcoreinfo. Later on,
when using "crash", "makedumpfile", etc utility to parse this vmcore, we
probably will get "Segmentation fault" or other unexpected errors.
E.g. 1) wrong code overwrites vmcoreinfo_data; 2) further crashes the
system; 3) trigger kdump, then we obviously will fail to recognize the
crash context correctly due to the corrupted vmcoreinfo.
Now except for vmcoreinfo, all the crash data is well
protected(including the cpu note which is fully updated in the crash
path, thus its correctness is guaranteed). Given that vmcoreinfo data
is a large chunk prepared for kdump, we better protect it as well.
To solve this, we relocate and copy vmcoreinfo_data to the crash memory
when kdump is loading via kexec syscalls. Because the whole crash
memory will be protected by existing arch_kexec_protect_crashkres()
mechanism, we naturally protect vmcoreinfo_data from write(even read)
access under kernel direct mapping after kdump is loaded.
Since kdump is usually loaded at the very early stage after boot, we can
trust the correctness of the vmcoreinfo data copied.
On the other hand, we still need to operate the vmcoreinfo safe copy
when crash happens to generate vmcoreinfo_note again, we rely on vmap()
to map out a new kernel virtual address and update to use this new one
instead in the following crash_save_vmcoreinfo().
BTW, we do not touch vmcoreinfo_note, because it will be fully updated
using the protected vmcoreinfo_data after crash which is surely correct
just like the cpu crash note.
Link: http://lkml.kernel.org/r/1493281021-20737-3-git-send-email-xlpang@redhat.com
Signed-off-by: Xunlei Pang <xlpang@redhat.com>
Tested-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Dave Young <dyoung@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Hari Bathini <hbathini@linux.vnet.ibm.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-12 21:33:21 +00:00
|
|
|
/*
|
|
|
|
|
* Some architecture(like S390) may touch the crash memory before
|
|
|
|
|
* machine_kexec_prepare(), we must copy vmcoreinfo data after it.
|
|
|
|
|
*/
|
|
|
|
|
ret = kimage_crash_copy_vmcoreinfo(image);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2016-05-23 23:24:19 +00:00
|
|
|
for (i = 0; i < nr_segments; i++) {
|
|
|
|
|
ret = kimage_load_segment(image, &image->segment[i]);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
kimage_terminate(image);
|
|
|
|
|
|
2019-12-04 15:59:15 +00:00
|
|
|
ret = machine_kexec_post_load(image);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2016-05-23 23:24:19 +00:00
|
|
|
/* Install the new kernel and uninstall the old */
|
|
|
|
|
image = xchg(dest_image, image);
|
|
|
|
|
|
|
|
|
|
out:
|
2024-10-31 05:40:53 +00:00
|
|
|
#ifdef CONFIG_CRASH_DUMP
|
2016-05-23 23:24:19 +00:00
|
|
|
if ((flags & KEXEC_ON_CRASH) && kexec_crash_image)
|
|
|
|
|
arch_kexec_protect_crashkres();
|
2024-10-31 05:40:53 +00:00
|
|
|
#endif
|
2016-05-23 23:24:19 +00:00
|
|
|
|
|
|
|
|
kimage_free(image);
|
2021-11-29 16:38:41 +00:00
|
|
|
out_unlock:
|
2023-02-02 18:05:46 +00:00
|
|
|
kexec_unlock();
|
2016-05-23 23:24:19 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/*
|
|
|
|
|
* Exec Kernel system call: for obvious reasons only root may call it.
|
|
|
|
|
*
|
|
|
|
|
* This call breaks up into three pieces.
|
|
|
|
|
* - A generic part which loads the new kernel from the current
|
|
|
|
|
* address space, and very carefully places the data in the
|
|
|
|
|
* allocated pages.
|
|
|
|
|
*
|
|
|
|
|
* - A generic part that interacts with the kernel and tells all of
|
|
|
|
|
* the devices to shut down. Preventing on-going dmas, and placing
|
|
|
|
|
* the devices in a consistent state so a later kernel can
|
|
|
|
|
* reinitialize them.
|
|
|
|
|
*
|
|
|
|
|
* - A machine specific part that includes the syscall number
|
2013-09-15 09:35:37 +00:00
|
|
|
* and then copies the image to it's final destination. And
|
2005-06-25 21:57:52 +00:00
|
|
|
* jumps into the image at entry.
|
|
|
|
|
*
|
|
|
|
|
* kexec does not sync, or unmount filesystems so if you need
|
|
|
|
|
* that to happen you need to do that yourself.
|
|
|
|
|
*/
|
2008-08-15 07:40:27 +00:00
|
|
|
|
2018-03-17 14:18:30 +00:00
|
|
|
static inline int kexec_load_check(unsigned long nr_segments,
|
|
|
|
|
unsigned long flags)
|
2005-06-25 21:57:52 +00:00
|
|
|
{
|
2024-04-15 03:16:00 +00:00
|
|
|
int image_type = (flags & KEXEC_ON_CRASH) ?
|
|
|
|
|
KEXEC_TYPE_CRASH : KEXEC_TYPE_DEFAULT;
|
2018-07-13 18:05:57 +00:00
|
|
|
int result;
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/* We only trust the superuser with rebooting the system. */
|
2024-04-15 03:16:00 +00:00
|
|
|
if (!kexec_load_permitted(image_type))
|
2005-06-25 21:57:52 +00:00
|
|
|
return -EPERM;
|
|
|
|
|
|
2018-07-13 18:05:57 +00:00
|
|
|
/* Permit LSMs and IMA to fail the kexec */
|
2020-10-02 17:38:20 +00:00
|
|
|
result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
|
2018-07-13 18:05:57 +00:00
|
|
|
if (result < 0)
|
|
|
|
|
return result;
|
|
|
|
|
|
2019-08-20 00:17:42 +00:00
|
|
|
/*
|
|
|
|
|
* kexec can be used to circumvent module loading restrictions, so
|
|
|
|
|
* prevent loading in that case
|
|
|
|
|
*/
|
|
|
|
|
result = security_locked_down(LOCKDOWN_KEXEC);
|
|
|
|
|
if (result)
|
|
|
|
|
return result;
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/*
|
|
|
|
|
* Verify we have a legal set of flags
|
|
|
|
|
* This leaves us room for future extensions.
|
|
|
|
|
*/
|
|
|
|
|
if ((flags & KEXEC_FLAGS) != (flags & ~KEXEC_ARCH_MASK))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
/* Put an artificial cap on the number
|
|
|
|
|
* of segments passed to kexec_load.
|
|
|
|
|
*/
|
|
|
|
|
if (nr_segments > KEXEC_SEGMENT_MAX)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2018-03-17 14:18:30 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
|
|
|
|
struct kexec_segment __user *, segments, unsigned long, flags)
|
|
|
|
|
{
|
2021-11-29 16:38:42 +00:00
|
|
|
struct kexec_segment *ksegments;
|
|
|
|
|
unsigned long result;
|
2018-03-17 14:18:30 +00:00
|
|
|
|
|
|
|
|
result = kexec_load_check(nr_segments, flags);
|
|
|
|
|
if (result)
|
|
|
|
|
return result;
|
|
|
|
|
|
|
|
|
|
/* Verify we are on the appropriate architecture */
|
|
|
|
|
if (((flags & KEXEC_ARCH_MASK) != KEXEC_ARCH) &&
|
|
|
|
|
((flags & KEXEC_ARCH_MASK) != KEXEC_ARCH_DEFAULT))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2024-10-30 03:17:36 +00:00
|
|
|
ksegments = memdup_array_user(segments, nr_segments, sizeof(ksegments[0]));
|
2021-11-29 16:38:42 +00:00
|
|
|
if (IS_ERR(ksegments))
|
|
|
|
|
return PTR_ERR(ksegments);
|
|
|
|
|
|
|
|
|
|
result = do_kexec_load(entry, nr_segments, ksegments, flags);
|
|
|
|
|
kfree(ksegments);
|
2005-06-25 21:57:52 +00:00
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT
|
2014-03-04 16:13:42 +00:00
|
|
|
COMPAT_SYSCALL_DEFINE4(kexec_load, compat_ulong_t, entry,
|
|
|
|
|
compat_ulong_t, nr_segments,
|
|
|
|
|
struct compat_kexec_segment __user *, segments,
|
|
|
|
|
compat_ulong_t, flags)
|
2005-06-25 21:57:52 +00:00
|
|
|
{
|
|
|
|
|
struct compat_kexec_segment in;
|
2021-11-29 16:38:42 +00:00
|
|
|
struct kexec_segment *ksegments;
|
2005-06-25 21:57:52 +00:00
|
|
|
unsigned long i, result;
|
|
|
|
|
|
2018-03-17 14:18:30 +00:00
|
|
|
result = kexec_load_check(nr_segments, flags);
|
|
|
|
|
if (result)
|
|
|
|
|
return result;
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/* Don't allow clients that don't understand the native
|
|
|
|
|
* architecture to do anything.
|
|
|
|
|
*/
|
2005-06-25 21:58:28 +00:00
|
|
|
if ((flags & KEXEC_ARCH_MASK) == KEXEC_ARCH_DEFAULT)
|
2005-06-25 21:57:52 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
2021-11-29 16:38:42 +00:00
|
|
|
ksegments = kmalloc_array(nr_segments, sizeof(ksegments[0]),
|
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
if (!ksegments)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
2014-06-06 21:37:09 +00:00
|
|
|
for (i = 0; i < nr_segments; i++) {
|
2005-06-25 21:57:52 +00:00
|
|
|
result = copy_from_user(&in, &segments[i], sizeof(in));
|
2005-06-25 21:58:28 +00:00
|
|
|
if (result)
|
2021-11-29 16:38:42 +00:00
|
|
|
goto fail;
|
2005-06-25 21:57:52 +00:00
|
|
|
|
2021-11-29 16:38:42 +00:00
|
|
|
ksegments[i].buf = compat_ptr(in.buf);
|
|
|
|
|
ksegments[i].bufsz = in.bufsz;
|
|
|
|
|
ksegments[i].mem = in.mem;
|
|
|
|
|
ksegments[i].memsz = in.memsz;
|
2005-06-25 21:57:52 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-17 14:18:30 +00:00
|
|
|
result = do_kexec_load(entry, nr_segments, ksegments, flags);
|
|
|
|
|
|
2021-11-29 16:38:42 +00:00
|
|
|
fail:
|
|
|
|
|
kfree(ksegments);
|
2018-03-17 14:18:30 +00:00
|
|
|
return result;
|
2005-06-25 21:57:52 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
