2019-06-03 05:44:46 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2005-06-25 21:57:52 +00:00
|
|
|
/*
|
2015-09-09 22:38:55 +00:00
|
|
|
* kexec.c - kexec_load system call
|
2005-06-25 21:57:52 +00:00
|
|
|
* Copyright (C) 2002-2004 Eric Biederman <ebiederm@xmission.com>
|
|
|
|
|
*/
|
|
|
|
|
|
kexec: use file name as the output message prefix
kexec output message misses the prefix "kexec", when Dave Young split the
kexec code. Now, we use file name as the output message prefix.
Currently, the format of output message:
[ 140.290795] SYSC_kexec_load: hello, world
[ 140.291534] kexec: sanity_check_segment_list: hello, world
Ideally, the format of output message:
[ 30.791503] kexec: SYSC_kexec_load, Hello, world
[ 79.182752] kexec_core: sanity_check_segment_list, Hello, world
Remove the custom prefix "kexec" in output message.
Signed-off-by: Minfei Huang <mnfhuang@gmail.com>
Acked-by: Dave Young <dyoung@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-11-07 00:32:45 +00:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
|
2006-01-11 20:17:46 +00:00
|
|
|
#include <linux/capability.h>
|
2005-06-25 21:57:52 +00:00
|
|
|
#include <linux/mm.h>
|
|
|
|
|
#include <linux/file.h>
|
2018-07-13 18:05:57 +00:00
|
|
|
#include <linux/security.h>
|
2005-06-25 21:57:52 +00:00
|
|
|
#include <linux/kexec.h>
|
2008-08-15 07:40:27 +00:00
|
|
|
#include <linux/mutex.h>
|
2005-06-25 21:57:52 +00:00
|
|
|
#include <linux/list.h>
|
|
|
|
|
#include <linux/syscalls.h>
|
2015-09-09 22:38:51 +00:00
|
|
|
#include <linux/vmalloc.h>
|
2015-09-09 22:38:55 +00:00
|
|
|
#include <linux/slab.h>
|
2005-06-25 21:57:52 +00:00
|
|
|
|
2015-09-09 22:38:51 +00:00
|
|
|
#include "kexec_internal.h"
|
|
|
|
|
|
2014-08-08 21:25:48 +00:00
|
|
|
static int kimage_alloc_init(struct kimage **rimage, unsigned long entry,
|
|
|
|
|
unsigned long nr_segments,
|
2021-09-08 22:18:13 +00:00
|
|
|
struct kexec_segment *segments,
|
2014-08-08 21:25:48 +00:00
|
|
|
unsigned long flags)
|
2005-06-25 21:57:52 +00:00
|
|
|
{
|
2014-08-08 21:25:48 +00:00
|
|
|
int ret;
|
2005-06-25 21:57:52 +00:00
|
|
|
struct kimage *image;
|
2014-08-08 21:25:48 +00:00
|
|
|
bool kexec_on_panic = flags & KEXEC_ON_CRASH;
|
|
|
|
|
|
2024-01-24 05:12:44 +00:00
|
|
|
#ifdef CONFIG_CRASH_DUMP
|
2014-08-08 21:25:48 +00:00
|
|
|
if (kexec_on_panic) {
|
|
|
|
|
/* Verify we have a valid entry point */
|
2016-08-02 21:06:04 +00:00
|
|
|
if ((entry < phys_to_boot_phys(crashk_res.start)) ||
|
|
|
|
|
(entry > phys_to_boot_phys(crashk_res.end)))
|
2014-08-08 21:25:48 +00:00
|
|
|
return -EADDRNOTAVAIL;
|
|
|
|
|
}
|
2024-01-24 05:12:44 +00:00
|
|
|
#endif
|
2005-06-25 21:57:52 +00:00
|
|
|
|
|
|
|
|
/* Allocate and initialize a controlling structure */
|
2014-08-08 21:25:45 +00:00
|
|
|
image = do_kimage_alloc_init();
|
|
|
|
|
if (!image)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
image->start = entry;
|
2021-09-08 22:18:13 +00:00
|
|
|
image->nr_segments = nr_segments;
|
|
|
|
|
memcpy(image->segment, segments, nr_segments * sizeof(*segments));
|
2014-08-08 21:25:45 +00:00
|
|
|
|
2024-01-24 05:12:44 +00:00
|
|
|
#ifdef CONFIG_CRASH_DUMP
|
2014-08-08 21:25:48 +00:00
|
|
|
if (kexec_on_panic) {
|
2016-01-20 23:00:31 +00:00
|
|
|
/* Enable special crash kernel control page alloc policy. */
|
2014-08-08 21:25:48 +00:00
|
|
|
image->control_page = crashk_res.start;
|
|
|
|
|
image->type = KEXEC_TYPE_CRASH;
|
|
|
|
|
}
|
2024-01-24 05:12:44 +00:00
|
|
|
#endif
|
2014-08-08 21:25:48 +00:00
|
|
|
|
2016-01-20 23:00:31 +00:00
|
|
|
ret = sanity_check_segment_list(image);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out_free_image;
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/*
|
|
|
|
|
* Find a location for the control code buffer, and add it
|
|
|
|
|
* the vector of segments so that it's pages will also be
|
|
|
|
|
* counted as destination pages.
|
|
|
|
|
*/
|
2014-08-08 21:25:48 +00:00
|
|
|
ret = -ENOMEM;
|
2005-06-25 21:57:52 +00:00
|
|
|
image->control_code_page = kimage_alloc_control_pages(image,
|
2008-08-15 07:40:22 +00:00
|
|
|
get_order(KEXEC_CONTROL_PAGE_SIZE));
|
2005-06-25 21:57:52 +00:00
|
|
|
if (!image->control_code_page) {
|
2014-06-06 21:37:09 +00:00
|
|
|
pr_err("Could not allocate control_code_buffer\n");
|
2014-08-08 21:25:45 +00:00
|
|
|
goto out_free_image;
|
2005-06-25 21:57:52 +00:00
|
|
|
}
|
|
|
|
|
|
2014-08-08 21:25:48 +00:00
|
|
|
if (!kexec_on_panic) {
|
|
|
|
|
image->swap_page = kimage_alloc_control_pages(image, 0);
|
|
|
|
|
if (!image->swap_page) {
|
|
|
|
|
pr_err("Could not allocate swap buffer\n");
|
|
|
|
|
goto out_free_control_pages;
|
|
|
|
|
}
|
2008-07-26 02:45:07 +00:00
|
|
|
}
|
|
|
|
|
|
2013-02-28 01:03:29 +00:00
|
|
|
*rimage = image;
|
|
|
|
|
return 0;
|
2014-08-08 21:25:45 +00:00
|
|
|
out_free_control_pages:
|
2013-02-28 01:03:29 +00:00
|
|
|
kimage_free_page_list(&image->control_pages);
|
2014-08-08 21:25:45 +00:00
|
|
|
out_free_image:
|
2013-02-28 01:03:29 +00:00
|
|
|
kfree(image);
|
2014-08-08 21:25:48 +00:00
|
|
|
return ret;
|
2005-06-25 21:57:52 +00:00
|
|
|
}
|
|
|
|
|
|
2016-05-23 23:24:19 +00:00
|
|
|
static int do_kexec_load(unsigned long entry, unsigned long nr_segments,
|
2021-09-08 22:18:13 +00:00
|
|
|
struct kexec_segment *segments, unsigned long flags)
|
2016-05-23 23:24:19 +00:00
|
|
|
{
|
|
|
|
|
struct kimage **dest_image, *image;
|
|
|
|
|
unsigned long i;
|
|
|
|
|
int ret;
|
|
|
|
|
|
2021-09-08 22:18:10 +00:00
|
|
|
/*
|
|
|
|
|
* Because we write directly to the reserved memory region when loading
|
2022-06-30 22:32:58 +00:00
|
|
|
* crash kernels we need a serialization here to prevent multiple crash
|
|
|
|
|
* kernels from attempting to load simultaneously.
|
2021-09-08 22:18:10 +00:00
|
|
|
*/
|
2022-06-30 22:32:58 +00:00
|
|
|
if (!kexec_trylock())
|
2021-09-08 22:18:10 +00:00
|
|
|
return -EBUSY;
|
|
|
|
|
|
2024-01-24 05:12:44 +00:00
|
|
|
#ifdef CONFIG_CRASH_DUMP
|
2016-05-23 23:24:19 +00:00
|
|
|
if (flags & KEXEC_ON_CRASH) {
|
|
|
|
|
dest_image = &kexec_crash_image;
|
|
|
|
|
if (kexec_crash_image)
|
|
|
|
|
arch_kexec_unprotect_crashkres();
|
2024-01-24 05:12:44 +00:00
|
|
|
} else
|
|
|
|
|
#endif
|
2016-05-23 23:24:19 +00:00
|
|
|
dest_image = &kexec_image;
|
|
|
|
|
|
|
|
|
|
if (nr_segments == 0) {
|
|
|
|
|
/* Uninstall image */
|
|
|
|
|
kimage_free(xchg(dest_image, NULL));
|
2021-09-08 22:18:10 +00:00
|
|
|
ret = 0;
|
|
|
|
|
goto out_unlock;
|
2016-05-23 23:24:19 +00:00
|
|
|
}
|
|
|
|
|
if (flags & KEXEC_ON_CRASH) {
|
|
|
|
|
/*
|
|
|
|
|
* Loading another kernel to switch to if this one
|
|
|
|
|
* crashes. Free any current crash dump kernel before
|
|
|
|
|
* we corrupt it.
|
|
|
|
|
*/
|
|
|
|
|
kimage_free(xchg(&kexec_crash_image, NULL));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = kimage_alloc_init(&image, entry, nr_segments, segments, flags);
|
|
|
|
|
if (ret)
|
2021-09-08 22:18:10 +00:00
|
|
|
goto out_unlock;
|
2016-05-23 23:24:19 +00:00
|
|
|
|
|
|
|
|
if (flags & KEXEC_PRESERVE_CONTEXT)
|
|
|
|
|
image->preserve_context = 1;
|
|
|
|
|
|
crash: hotplug support for kexec_load()
The hotplug support for kexec_load() requires changes to the userspace
kexec-tools and a little extra help from the kernel.
Given a kdump capture kernel loaded via kexec_load(), and a subsequent
hotplug event, the crash hotplug handler finds the elfcorehdr and rewrites
it to reflect the hotplug change. That is the desired outcome, however,
at kernel panic time, the purgatory integrity check fails (because the
elfcorehdr changed), and the capture kernel does not boot and no vmcore is
generated.
Therefore, the userspace kexec-tools/kexec must indicate to the kernel
that the elfcorehdr can be modified (because the kexec excluded the
elfcorehdr from the digest, and sized the elfcorehdr memory buffer
appropriately).
To facilitate hotplug support with kexec_load():
- a new kexec flag KEXEC_UPATE_ELFCOREHDR indicates that it is
safe for the kernel to modify the kexec_load()'d elfcorehdr
- the /sys/kernel/crash_elfcorehdr_size node communicates the
preferred size of the elfcorehdr memory buffer
- The sysfs crash_hotplug nodes (ie.
/sys/devices/system/[cpu|memory]/crash_hotplug) dynamically
take into account kexec_file_load() vs kexec_load() and
KEXEC_UPDATE_ELFCOREHDR.
This is critical so that the udev rule processing of crash_hotplug
is all that is needed to determine if the userspace unload-then-load
of the kdump image is to be skipped, or not. The proposed udev
rule change looks like:
# The kernel updates the crash elfcorehdr for CPU and memory changes
SUBSYSTEM=="cpu", ATTRS{crash_hotplug}=="1", GOTO="kdump_reload_end"
SUBSYSTEM=="memory", ATTRS{crash_hotplug}=="1", GOTO="kdump_reload_end"
The table below indicates the behavior of kexec_load()'d kdump image
updates (with the new udev crash_hotplug rule in place):
Kernel |Kexec
-------+-----+----
Old |Old |New
| a | a
-------+-----+----
New | a | b
-------+-----+----
where kexec 'old' and 'new' delineate kexec-tools has the needed
modifications for the crash hotplug feature, and kernel 'old' and 'new'
delineate the kernel supports this crash hotplug feature.
Behavior 'a' indicates the unload-then-reload of the entire kdump image.
For the kexec 'old' column, the unload-then-reload occurs due to the
missing flag KEXEC_UPDATE_ELFCOREHDR. An 'old' kernel (with 'new' kexec)
does not present the crash_hotplug sysfs node, which leads to the
unload-then-reload of the kdump image.
Behavior 'b' indicates the desired optimized behavior of the kernel
directly modifying the elfcorehdr and avoiding the unload-then-reload of
the kdump image.
If the udev rule is not updated with crash_hotplug node check, then no
matter any combination of kernel or kexec is new or old, the kdump image
continues to be unload-then-reload on hotplug changes.
To fully support crash hotplug feature, there needs to be a rollout of
kernel, kexec-tools and udev rule changes. However, the order of the
rollout of these pieces does not matter; kexec_load()'d kdump images still
function for hotplug as-is.
Link: https://lkml.kernel.org/r/20230814214446.6659-7-eric.devolder@oracle.com
Signed-off-by: Eric DeVolder <eric.devolder@oracle.com>
Suggested-by: Hari Bathini <hbathini@linux.ibm.com>
Acked-by: Hari Bathini <hbathini@linux.ibm.com>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: Akhil Raj <lf32.dev@gmail.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov (AMD) <bp@alien8.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Thomas Weißschuh <linux@weissschuh.net>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-08-14 21:44:44 +00:00
|
|
|
#ifdef CONFIG_CRASH_HOTPLUG
|
2024-03-26 05:54:09 +00:00
|
|
|
if ((flags & KEXEC_ON_CRASH) && arch_crash_hotplug_support(image, flags))
|
|
|
|
|
image->hotplug_support = 1;
|
crash: hotplug support for kexec_load()
The hotplug support for kexec_load() requires changes to the userspace
kexec-tools and a little extra help from the kernel.
Given a kdump capture kernel loaded via kexec_load(), and a subsequent
hotplug event, the crash hotplug handler finds the elfcorehdr and rewrites
it to reflect the hotplug change. That is the desired outcome, however,
at kernel panic time, the purgatory integrity check fails (because the
elfcorehdr changed), and the capture kernel does not boot and no vmcore is
generated.
Therefore, the userspace kexec-tools/kexec must indicate to the kernel
that the elfcorehdr can be modified (because the kexec excluded the
elfcorehdr from the digest, and sized the elfcorehdr memory buffer
appropriately).
To facilitate hotplug support with kexec_load():
- a new kexec flag KEXEC_UPATE_ELFCOREHDR indicates that it is
safe for the kernel to modify the kexec_load()'d elfcorehdr
- the /sys/kernel/crash_elfcorehdr_size node communicates the
preferred size of the elfcorehdr memory buffer
- The sysfs crash_hotplug nodes (ie.
/sys/devices/system/[cpu|memory]/crash_hotplug) dynamically
take into account kexec_file_load() vs kexec_load() and
KEXEC_UPDATE_ELFCOREHDR.
This is critical so that the udev rule processing of crash_hotplug
is all that is needed to determine if the userspace unload-then-load
of the kdump image is to be skipped, or not. The proposed udev
rule change looks like:
# The kernel updates the crash elfcorehdr for CPU and memory changes
SUBSYSTEM=="cpu", ATTRS{crash_hotplug}=="1", GOTO="kdump_reload_end"
SUBSYSTEM=="memory", ATTRS{crash_hotplug}=="1", GOTO="kdump_reload_end"
The table below indicates the behavior of kexec_load()'d kdump image
updates (with the new udev crash_hotplug rule in place):
Kernel |Kexec
-------+-----+----
Old |Old |New
| a | a
-------+-----+----
New | a | b
-------+-----+----
where kexec 'old' and 'new' delineate kexec-tools has the needed
modifications for the crash hotplug feature, and kernel 'old' and 'new'
delineate the kernel supports this crash hotplug feature.
Behavior 'a' indicates the unload-then-reload of the entire kdump image.
For the kexec 'old' column, the unload-then-reload occurs due to the
missing flag KEXEC_UPDATE_ELFCOREHDR. An 'old' kernel (with 'new' kexec)
does not present the crash_hotplug sysfs node, which leads to the
unload-then-reload of the kdump image.
Behavior 'b' indicates the desired optimized behavior of the kernel
directly modifying the elfcorehdr and avoiding the unload-then-reload of
the kdump image.
If the udev rule is not updated with crash_hotplug node check, then no
matter any combination of kernel or kexec is new or old, the kdump image
continues to be unload-then-reload on hotplug changes.
To fully support crash hotplug feature, there needs to be a rollout of
kernel, kexec-tools and udev rule changes. However, the order of the
rollout of these pieces does not matter; kexec_load()'d kdump images still
function for hotplug as-is.
Link: https://lkml.kernel.org/r/20230814214446.6659-7-eric.devolder@oracle.com
Signed-off-by: Eric DeVolder <eric.devolder@oracle.com>
Suggested-by: Hari Bathini <hbathini@linux.ibm.com>
Acked-by: Hari Bathini <hbathini@linux.ibm.com>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: Akhil Raj <lf32.dev@gmail.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov (AMD) <bp@alien8.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Thomas Weißschuh <linux@weissschuh.net>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-08-14 21:44:44 +00:00
|
|
|
#endif
|
|
|
|
|
|
2016-05-23 23:24:19 +00:00
|
|
|
ret = machine_kexec_prepare(image);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
|
kdump: protect vmcoreinfo data under the crash memory
Currently vmcoreinfo data is updated at boot time subsys_initcall(), it
has the risk of being modified by some wrong code during system is
running.
As a result, vmcore dumped may contain the wrong vmcoreinfo. Later on,
when using "crash", "makedumpfile", etc utility to parse this vmcore, we
probably will get "Segmentation fault" or other unexpected errors.
E.g. 1) wrong code overwrites vmcoreinfo_data; 2) further crashes the
system; 3) trigger kdump, then we obviously will fail to recognize the
crash context correctly due to the corrupted vmcoreinfo.
Now except for vmcoreinfo, all the crash data is well
protected(including the cpu note which is fully updated in the crash
path, thus its correctness is guaranteed). Given that vmcoreinfo data
is a large chunk prepared for kdump, we better protect it as well.
To solve this, we relocate and copy vmcoreinfo_data to the crash memory
when kdump is loading via kexec syscalls. Because the whole crash
memory will be protected by existing arch_kexec_protect_crashkres()
mechanism, we naturally protect vmcoreinfo_data from write(even read)
access under kernel direct mapping after kdump is loaded.
Since kdump is usually loaded at the very early stage after boot, we can
trust the correctness of the vmcoreinfo data copied.
On the other hand, we still need to operate the vmcoreinfo safe copy
when crash happens to generate vmcoreinfo_note again, we rely on vmap()
to map out a new kernel virtual address and update to use this new one
instead in the following crash_save_vmcoreinfo().
BTW, we do not touch vmcoreinfo_note, because it will be fully updated
using the protected vmcoreinfo_data after crash which is surely correct
just like the cpu crash note.
Link: http://lkml.kernel.org/r/1493281021-20737-3-git-send-email-xlpang@redhat.com
Signed-off-by: Xunlei Pang <xlpang@redhat.com>
Tested-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Dave Young <dyoung@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Hari Bathini <hbathini@linux.vnet.ibm.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-12 21:33:21 +00:00
|
|
|
/*
|
|
|
|
|
* Some architecture(like S390) may touch the crash memory before
|
|
|
|
|
* machine_kexec_prepare(), we must copy vmcoreinfo data after it.
|
|
|
|
|
*/
|
|
|
|
|
ret = kimage_crash_copy_vmcoreinfo(image);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2016-05-23 23:24:19 +00:00
|
|
|
for (i = 0; i < nr_segments; i++) {
|
kexec: enable CMA based contiguous allocation
When booting a new kernel with kexec_file, the kernel picks a target
location that the kernel should live at, then allocates random pages,
checks whether any of those patches magically happens to coincide with a
target address range and if so, uses them for that range.
For every page allocated this way, it then creates a page list that the
relocation code - code that executes while all CPUs are off and we are
just about to jump into the new kernel - copies to their final memory
location. We can not put them there before, because chances are pretty
good that at least some page in the target range is already in use by the
currently running Linux environment. Copying is happening from a single
CPU at RAM rate, which takes around 4-50 ms per 100 MiB.
All of this is inefficient and error prone.
To successfully kexec, we need to quiesce all devices of the outgoing
kernel so they don't scribble over the new kernel's memory. We have seen
cases where that does not happen properly (*cough* GIC *cough*) and hence
the new kernel was corrupted. This started a month long journey to root
cause failing kexecs to eventually see memory corruption, because the new
kernel was corrupted severely enough that it could not emit output to tell
us about the fact that it was corrupted. By allocating memory for the
next kernel from a memory range that is guaranteed scribbling free, we can
boot the next kernel up to a point where it is at least able to detect
corruption and maybe even stop it before it becomes severe. This
increases the chance for successful kexecs.
Since kexec got introduced, Linux has gained the CMA framework which can
perform physically contiguous memory mappings, while keeping that memory
available for movable memory when it is not needed for contiguous
allocations. The default CMA allocator is for DMA allocations.
This patch adds logic to the kexec file loader to attempt to place the
target payload at a location allocated from CMA. If successful, it uses
that memory range directly instead of creating copy instructions during
the hot phase. To ensure that there is a safety net in case anything goes
wrong with the CMA allocation, it also adds a flag for user space to force
disable CMA allocations.
Using CMA allocations has two advantages:
1) Faster by 4-50 ms per 100 MiB. There is no more need to copy in the
hot phase.
2) More robust. Even if by accident some page is still in use for DMA,
the new kernel image will be safe from that access because it resides
in a memory region that is considered allocated in the old kernel and
has a chance to reinitialize that component.
Link: https://lkml.kernel.org/r/20250610085327.51817-1-graf@amazon.com
Signed-off-by: Alexander Graf <graf@amazon.com>
Acked-by: Baoquan He <bhe@redhat.com>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: Zhongkun He <hezhongkun.hzk@bytedance.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-06-10 08:53:27 +00:00
|
|
|
ret = kimage_load_segment(image, i);
|
2016-05-23 23:24:19 +00:00
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
kimage_terminate(image);
|
|
|
|
|
|
2019-12-04 15:59:15 +00:00
|
|
|
ret = machine_kexec_post_load(image);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2016-05-23 23:24:19 +00:00
|
|
|
/* Install the new kernel and uninstall the old */
|
|
|
|
|
image = xchg(dest_image, image);
|
|
|
|
|
|
|
|
|
|
out:
|
2024-01-24 05:12:44 +00:00
|
|
|
#ifdef CONFIG_CRASH_DUMP
|
2016-05-23 23:24:19 +00:00
|
|
|
if ((flags & KEXEC_ON_CRASH) && kexec_crash_image)
|
|
|
|
|
arch_kexec_protect_crashkres();
|
2024-01-24 05:12:44 +00:00
|
|
|
#endif
|
2016-05-23 23:24:19 +00:00
|
|
|
|
|
|
|
|
kimage_free(image);
|
2021-09-08 22:18:10 +00:00
|
|
|
out_unlock:
|
2022-06-30 22:32:58 +00:00
|
|
|
kexec_unlock();
|
2016-05-23 23:24:19 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/*
|
|
|
|
|
* Exec Kernel system call: for obvious reasons only root may call it.
|
|
|
|
|
*
|
|
|
|
|
* This call breaks up into three pieces.
|
|
|
|
|
* - A generic part which loads the new kernel from the current
|
|
|
|
|
* address space, and very carefully places the data in the
|
|
|
|
|
* allocated pages.
|
|
|
|
|
*
|
|
|
|
|
* - A generic part that interacts with the kernel and tells all of
|
|
|
|
|
* the devices to shut down. Preventing on-going dmas, and placing
|
|
|
|
|
* the devices in a consistent state so a later kernel can
|
|
|
|
|
* reinitialize them.
|
|
|
|
|
*
|
|
|
|
|
* - A machine specific part that includes the syscall number
|
2013-09-15 09:35:37 +00:00
|
|
|
* and then copies the image to it's final destination. And
|
2005-06-25 21:57:52 +00:00
|
|
|
* jumps into the image at entry.
|
|
|
|
|
*
|
|
|
|
|
* kexec does not sync, or unmount filesystems so if you need
|
|
|
|
|
* that to happen you need to do that yourself.
|
|
|
|
|
*/
|
2008-08-15 07:40:27 +00:00
|
|
|
|
2018-03-17 14:18:30 +00:00
|
|
|
static inline int kexec_load_check(unsigned long nr_segments,
|
|
|
|
|
unsigned long flags)
|
2005-06-25 21:57:52 +00:00
|
|
|
{
|
2023-01-04 14:38:48 +00:00
|
|
|
int image_type = (flags & KEXEC_ON_CRASH) ?
|
|
|
|
|
KEXEC_TYPE_CRASH : KEXEC_TYPE_DEFAULT;
|
2018-07-13 18:05:57 +00:00
|
|
|
int result;
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/* We only trust the superuser with rebooting the system. */
|
2023-01-04 14:38:48 +00:00
|
|
|
if (!kexec_load_permitted(image_type))
|
2005-06-25 21:57:52 +00:00
|
|
|
return -EPERM;
|
|
|
|
|
|
2018-07-13 18:05:57 +00:00
|
|
|
/* Permit LSMs and IMA to fail the kexec */
|
2020-10-02 17:38:20 +00:00
|
|
|
result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
|
2018-07-13 18:05:57 +00:00
|
|
|
if (result < 0)
|
|
|
|
|
return result;
|
|
|
|
|
|
2019-08-20 00:17:42 +00:00
|
|
|
/*
|
|
|
|
|
* kexec can be used to circumvent module loading restrictions, so
|
|
|
|
|
* prevent loading in that case
|
|
|
|
|
*/
|
|
|
|
|
result = security_locked_down(LOCKDOWN_KEXEC);
|
|
|
|
|
if (result)
|
|
|
|
|
return result;
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/*
|
|
|
|
|
* Verify we have a legal set of flags
|
|
|
|
|
* This leaves us room for future extensions.
|
|
|
|
|
*/
|
|
|
|
|
if ((flags & KEXEC_FLAGS) != (flags & ~KEXEC_ARCH_MASK))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
/* Put an artificial cap on the number
|
|
|
|
|
* of segments passed to kexec_load.
|
|
|
|
|
*/
|
|
|
|
|
if (nr_segments > KEXEC_SEGMENT_MAX)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2018-03-17 14:18:30 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
|
|
|
|
struct kexec_segment __user *, segments, unsigned long, flags)
|
|
|
|
|
{
|
2021-09-08 22:18:13 +00:00
|
|
|
struct kexec_segment *ksegments;
|
|
|
|
|
unsigned long result;
|
2018-03-17 14:18:30 +00:00
|
|
|
|
|
|
|
|
result = kexec_load_check(nr_segments, flags);
|
|
|
|
|
if (result)
|
|
|
|
|
return result;
|
|
|
|
|
|
|
|
|
|
/* Verify we are on the appropriate architecture */
|
|
|
|
|
if (((flags & KEXEC_ARCH_MASK) != KEXEC_ARCH) &&
|
|
|
|
|
((flags & KEXEC_ARCH_MASK) != KEXEC_ARCH_DEFAULT))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2023-09-20 12:36:10 +00:00
|
|
|
ksegments = memdup_array_user(segments, nr_segments, sizeof(ksegments[0]));
|
2021-09-08 22:18:13 +00:00
|
|
|
if (IS_ERR(ksegments))
|
|
|
|
|
return PTR_ERR(ksegments);
|
|
|
|
|
|
|
|
|
|
result = do_kexec_load(entry, nr_segments, ksegments, flags);
|
|
|
|
|
kfree(ksegments);
|
2005-06-25 21:57:52 +00:00
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT
|
2014-03-04 16:13:42 +00:00
|
|
|
COMPAT_SYSCALL_DEFINE4(kexec_load, compat_ulong_t, entry,
|
|
|
|
|
compat_ulong_t, nr_segments,
|
|
|
|
|
struct compat_kexec_segment __user *, segments,
|
|
|
|
|
compat_ulong_t, flags)
|
2005-06-25 21:57:52 +00:00
|
|
|
{
|
|
|
|
|
struct compat_kexec_segment in;
|
2021-09-08 22:18:13 +00:00
|
|
|
struct kexec_segment *ksegments;
|
2005-06-25 21:57:52 +00:00
|
|
|
unsigned long i, result;
|
|
|
|
|
|
2018-03-17 14:18:30 +00:00
|
|
|
result = kexec_load_check(nr_segments, flags);
|
|
|
|
|
if (result)
|
|
|
|
|
return result;
|
|
|
|
|
|
2005-06-25 21:57:52 +00:00
|
|
|
/* Don't allow clients that don't understand the native
|
|
|
|
|
* architecture to do anything.
|
|
|
|
|
*/
|
2005-06-25 21:58:28 +00:00
|
|
|
if ((flags & KEXEC_ARCH_MASK) == KEXEC_ARCH_DEFAULT)
|
2005-06-25 21:57:52 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
2021-09-08 22:18:13 +00:00
|
|
|
ksegments = kmalloc_array(nr_segments, sizeof(ksegments[0]),
|
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
if (!ksegments)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
2014-06-06 21:37:09 +00:00
|
|
|
for (i = 0; i < nr_segments; i++) {
|
2005-06-25 21:57:52 +00:00
|
|
|
result = copy_from_user(&in, &segments[i], sizeof(in));
|
2005-06-25 21:58:28 +00:00
|
|
|
if (result)
|
2021-09-08 22:18:13 +00:00
|
|
|
goto fail;
|
2005-06-25 21:57:52 +00:00
|
|
|
|
2021-09-08 22:18:13 +00:00
|
|
|
ksegments[i].buf = compat_ptr(in.buf);
|
|
|
|
|
ksegments[i].bufsz = in.bufsz;
|
|
|
|
|
ksegments[i].mem = in.mem;
|
|
|
|
|
ksegments[i].memsz = in.memsz;
|
2005-06-25 21:57:52 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-17 14:18:30 +00:00
|
|
|
result = do_kexec_load(entry, nr_segments, ksegments, flags);
|
|
|
|
|
|
2021-09-08 22:18:13 +00:00
|
|
|
fail:
|
|
|
|
|
kfree(ksegments);
|
2018-03-17 14:18:30 +00:00
|
|
|
return result;
|
2005-06-25 21:57:52 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
