Re: [PATCH makedumpfile] Fix incorrect exclusion of slab pages on Linux 6.2-rc1
On 2022/12/21 11:06, HAGIO KAZUHITO(萩尾 一仁) wrote:
> From: Kazuhito Hagio
>
> * Required for kernel 6.2
>
> Kernel commit 130d4df57390 ("mm/sl[au]b: rearrange struct slab fields to
> allow larger rcu_head"), which is contained in Linux 6.2-rc1 and later,
> made the offset of slab.slabs equal to page.mapping's one. As a result,
> "makedumpfile -d 8", which should exclude user data, excludes some slab
> pages incorrectly because isAnon() returns true when slab.slabs is an
> odd number. With such dumpfiles, crash can fail to start session with
> an error like this:
>
> # crash vmlinux dumpfile
> ...
> crash: page excluded: kernel virtual address: 8fa047ac2fe8 type:
> "xa_node shift"
>
> Make isAnon() check that the page is not slab to fix this.
>
> Signed-off-by: Kazuhito Hagio

Applied.
https://github.com/makedumpfile/makedumpfile/commit/5f17bdd2128998a3eeeb4521d136a19fadb6

Thanks,
Kazu

___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
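The aliasing the commit message describes, as an added userspace model (not makedumpfile's or the kernel's code): a page whose `mapping` word is shared with `slab.slabs`, the pre-fix isAnon() that reads only the PAGE_MAPPING_ANON bit, and the corrected check that tests the slab flag first. The struct layout, the flag bit and all `model_*` names are simplifying assumptions; PAGE_MAPPING_ANON being the low bit of `mapping` is the real kernel convention.

```c
#include <stdbool.h>
#include <stdio.h>

/* Low bit of page->mapping marks an anonymous page (real kernel value). */
#define PAGE_MAPPING_ANON 0x1UL
/* Bit used for the slab flag in this model (assumed, not the kernel's PG_slab). */
#define MODEL_PG_SLAB (1UL << 0)

/* Simplified struct page: after kernel commit 130d4df57390, slab.slabs
 * sits at the same offset as page.mapping, so here they share one word. */
struct model_page {
	unsigned long flags;
	union {
		unsigned long mapping;		/* user/file page: address_space pointer with ANON bit */
		struct {
			unsigned long slabs;	/* struct slab: slab count, same word as mapping */
		} slab;
	};
};

typedef bool (*anon_check_fn)(const struct model_page *);

bool model_is_slab(const struct model_page *p)
{
	return (p->flags & MODEL_PG_SLAB) != 0;
}

/* Before the fix: only the low bit of the aliased word is consulted, so a
 * slab page with an odd slab count looks anonymous. */
bool is_anon_old(const struct model_page *p)
{
	return (p->mapping & PAGE_MAPPING_ANON) != 0;
}

/* After the fix: a slab page can never be an anonymous user page. */
bool is_anon_new(const struct model_page *p)
{
	return !model_is_slab(p) && (p->mapping & PAGE_MAPPING_ANON) != 0;
}

/* Constructed anonymous user page (fake address_space pointer). */
struct model_page make_anon_page(unsigned long address_space)
{
	struct model_page p = { 0 };
	p.mapping = address_space | PAGE_MAPPING_ANON;
	return p;
}

/* Constructed slab page with the given slab count. */
struct model_page make_slab_page(unsigned long slabs)
{
	struct model_page p = { 0 };
	p.flags = MODEL_PG_SLAB;
	p.slab.slabs = slabs;
	return p;
}

/* Dump level 8 drops user data. Count slab pages with slabs = 1..n that a
 * given isAnon() would wrongly drop from the dumpfile. */
int count_slab_pages_wrongly_excluded(anon_check_fn is_anon, unsigned long n)
{
	int wrong = 0;
	for (unsigned long slabs = 1; slabs <= n; slabs++) {
		struct model_page p = make_slab_page(slabs);
		if (is_anon(&p))
			wrong++;
	}
	return wrong;
}

/* A genuine anonymous page must still be excluded by both versions. */
bool anon_page_excluded(anon_check_fn is_anon)
{
	struct model_page p = make_anon_page(0xdead0000UL);	/* constructed value */
	return is_anon(&p);
}

int main(void)
{
	printf("old isAnon: %d of 8 slab pages wrongly excluded\n",
	       count_slab_pages_wrongly_excluded(is_anon_old, 8));
	printf("new isAnon: %d of 8 slab pages wrongly excluded\n",
	       count_slab_pages_wrongly_excluded(is_anon_new, 8));
	return 0;
}
```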
Re: [Crash-utility][PATCH V4 1/9] Add RISCV64 framework code support
On 2022/11/09 18:01, Xianting Tian wrote:
>> On the kernel side, some relevant kernel patches got ack, it seems
>> they won't change anymore.
>>
>> And the V4 looks good to me, so: Ack.
> Thanks, the Linux kernel RISC-V maintainer still hasn't applied the kernel patch,
> let's wait.

Now I see 649d6b1019a2 ("RISC-V: Add arch_crash_save_vmcoreinfo") in the mainline, so I applied the crash patchset.
https://github.com/crash-utility/crash/compare/88a4910d95d4...0d5ad129252a

Thanks,
Kazu
Re: kdump kernel randomly hang with tick_periodic call trace on bare metal system
On 12/21/22 at 12:46pm, Guilherme G. Piccoli wrote:
> On 20/12/2022 02:51, Baoquan He wrote:
> > On 12/20/22 at 01:41pm, Baoquan He wrote:
> >> On one intel bare metal system, I can randomly reproduce the kdump hang
> >> as below with tick_periodic call trace. Attach the kernel config for
> >> reference.
> >
> > Forgot mentioning this random hang is also caused by adding
> > 'nr_cpus=2' into normal kernel's cmdline, then triggering crash will get
> > kdump kernel hang as below kdump log shown.
> >
>
> The weird thing is that you seem to be using "nr_cpus=1" instead - this
> is the cmdline from the log:
>
> "nr_cpus=2 irqpoll nr_cpus=1 reset_devices cgroup_disable=memory mce=off
> numa=off udev.children-max=2 panic=10 acpi_no_memhotplug
> transparent_hugepage=never nokaslr hest_disable novmcoredd cma=0
> hugetlb_cma=0 disable_cpu_apicid=16 [...]"
>
> You seem to pass the "nr_cpus" thing twice, and I guess the kernel picks the
> last one?

From the kdump kernel boot log, yes, the nr_cpus=1 is taken. The
parse_early_param() will parse the kernel parameters one by one, then
the last one will take effect. Here, the problem is not at nr_cpus=2 or 1:
the bare metal system has 16 cpus, only 2 cpus are present; it seems to be
the 14 halted cpus that get a wrong message and behave incorrectly to
cause the issue.

>
> Also, what is "disable_cpu_apicid=16"? Could this be related?

Not really. Please check disable_cpu_apicid in
Documentation/admin-guide/kdump/kdump.rst, it's the bsp's apic id.
Re: [PATCH v5 3/3] kexec: Introduce sysctl parameters kexec_load_limit_*
Hi,

On 12/21/22 at 08:45pm, Ricardo Ribalda wrote:
> Add two parameters to specify how many times a kexec kernel can be loaded.
>
> The sysadmin can set different limits for kexec panic and kexec reboot
> kernels.
>
> The value can be modified at runtime via sysctl, but only with a value
> smaller than the current one (except -1).

This patch is not complex, and doesn't add code complexity. And from the
code comment and document, we can easily know how the new toggles can be
used. BUT I am wondering if everybody has got why they are needed, and
where or when they are needed and will be used, except stupid me.

We have had a toggle kexec_load_disabled which can be used to close the
door before already loading image. Now we want another two toggles to
guard how many times we can flip the door.

I am not familiar with kernel security policy, is it not safe to provide
details in log? If so, please ignore this mail.

In fact, my concern is that in the future, if a new user of kexec/kdump
wants to know why these two knobs are added, while can't get any helpful
information from commit message. If she/he asks me, I can only shrug.

Up to now, I don't know what real use case these two toggles are used
for, why they have to be added. And the default value of them is '-1',
how will we make use of them in distros? What's the suggested value? Or
'-1' is the suggested value, you just use them in some corner case on
some mysterious system? Just saying we want to add some new useful
stuff, that's it.

Frankly speaking, w/o special reason, this is not the way we are
supposed to add new stuff into kernel.

Thanks
Baoquan

>
> Signed-off-by: Ricardo Ribalda
> ---
> Documentation/admin-guide/sysctl/kernel.rst | 18 ++
> include/linux/kexec.h | 2 +-
> kernel/kexec.c | 4 +-
> kernel/kexec_core.c | 87 -
> kernel/kexec_file.c | 11 ++--
> 5 files changed, 114 insertions(+), 8 deletions(-)
> > diff --git a/Documentation/admin-guide/sysctl/kernel.rst > b/Documentation/admin-guide/sysctl/kernel.rst > index 97394bd9d065..a3922dffbd47 100644 > --- a/Documentation/admin-guide/sysctl/kernel.rst > +++ b/Documentation/admin-guide/sysctl/kernel.rst > @@ -461,6 +461,24 @@ allowing a system to set up (and later use) an image > without it being > altered. > Generally used together with the `modules_disabled`_ sysctl. > > +kexec_load_limit_panic > +== > + > +This parameter specifies a limit to the number of times the syscalls > +``kexec_load`` and ``kexec_file_load`` can be called with a crash > +image. It can only be set with a more restrictive value than the > +current one. > + > += = > +-1 Unlimited calls to kexec. This is the default setting. > +N Number of calls left. > += = > + > +kexec_load_limit_reboot > +== > + > +Similar functionality as ``kexec_load_limit_panic``, but for a crash > +image. > > kptr_restrict > = > diff --git a/include/linux/kexec.h b/include/linux/kexec.h > index 182e0c11b87b..791e65829f86 100644 > --- a/include/linux/kexec.h > +++ b/include/linux/kexec.h > @@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage > *image); > extern struct kimage *kexec_image; > extern struct kimage *kexec_crash_image; > > -bool kexec_load_permitted(void); > +bool kexec_load_permitted(int kexec_image_type); > > #ifndef kexec_flush_icache_page > #define kexec_flush_icache_page(page) > diff --git a/kernel/kexec.c b/kernel/kexec.c > index ce1bca874a8d..92d301f98776 100644 > --- a/kernel/kexec.c > +++ b/kernel/kexec.c 
> @@ -190,10 +190,12 @@ static int do_kexec_load(unsigned long entry, unsigned > long nr_segments, > static inline int kexec_load_check(unsigned long nr_segments, > unsigned long flags) > { > + int image_type = (flags & KEXEC_ON_CRASH) ? > + KEXEC_TYPE_CRASH : KEXEC_TYPE_DEFAULT; > int result; > > /* We only trust the superuser with rebooting the system. */ > - if (!kexec_load_permitted()) > + if (!kexec_load_permitted(image_type)) > return -EPERM; > > /* Permit LSMs and IMA to fail the kexec */ > diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c > index a1efc70f4158..951541d78ca8 100644 > --- a/kernel/kexec_core.c > +++ b/kernel/kexec_core.c > @@ -926,10 +926,64 @@ int kimage_load_segment(struct kimage *image, > return result; > } > > +struct kexec_load_limit { > + /* Mutex protects the limit count. */ > + struct mutex mutex; > + int limit; > +}; > + > +static struct kexec_load_limit load_limit_reboot = { > + .mutex = __MUTEX_INITIALIZER(load_limit_reboot.mutex), > + .limit = -1, > +}; > + > +static struct kexec_load_limit
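Review bot: the new kexec_load_limit_reboot entry in the quoted Documentation hunk describes the wrong image: "Similar functionality as ``kexec_load_limit_panic``, but for a crash image." repeats the panic entry, while this knob is the one for the normal (reboot) kexec image. Suggest "but for a normal (non-crash) kexec image" so readers of kernel.rst can tell the two apart, and consider spelling out in the panic entry that "more restrictive" means strictly lower than the current value.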
Re: [PATCH v5 0/3] kexec: Add new parameter to limit the access to kexec
On Wed, 21 Dec 2022 20:45:56 +0100 Ricardo Ribalda wrote:
> Add two parameters to specify how many times a kexec kernel can be loaded.
>
> These parameters allow hardening the system.
>
> While we are at it, fix a documentation issue and refactor some code.
>
> To: Jonathan Corbet
> To: Eric Biederman
> Cc: linux-...@vger.kernel.org
> Cc: linux-ker...@vger.kernel.org
> Cc: kexec@lists.infradead.org
> Cc: Joel Fernandes (Google)
> Cc: Sergey Senozhatsky
> Cc: Steven Rostedt
> Cc: Ross Zwisler
> To: Philipp Rudo
> To: Guilherme G. Piccoli
> Signed-off-by: Ricardo Ribalda

Reviewed-by: Steven Rostedt (Google)

-- Steve
[PATCH v5 1/3] Documentation: sysctl: Correct kexec_load_disabled
kexec_load_disabled affects both ``kexec_load`` and ``kexec_file_load`` syscalls. Make it explicit. Signed-off-by: Ricardo Ribalda --- Documentation/admin-guide/sysctl/kernel.rst | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst index 98d1b198b2b4..97394bd9d065 100644 --- a/Documentation/admin-guide/sysctl/kernel.rst +++ b/Documentation/admin-guide/sysctl/kernel.rst @@ -450,9 +450,10 @@ this allows system administrators to override the kexec_load_disabled === -A toggle indicating if the ``kexec_load`` syscall has been disabled. -This value defaults to 0 (false: ``kexec_load`` enabled), but can be -set to 1 (true: ``kexec_load`` disabled). +A toggle indicating if the syscalls ``kexec_load`` and +``kexec_file_load`` have been disabled. +This value defaults to 0 (false: ``kexec_*load`` enabled), but can be +set to 1 (true: ``kexec_*load`` disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, -- 2.39.0.314.g84b9a713c41-goog-b4-0.11.0-dev-696ae ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
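Review bot: the unchanged context line right after the hunk, "This allows a kexec image to be loaded before disabling the syscall," still uses the singular while the edited lines now name both ``kexec_load`` and ``kexec_file_load``; suggest "before disabling the syscalls" so the paragraph stays consistent. The ``kexec_*load`` shorthand in the default/true lines is also new to this file; writing out both syscall names keeps the text greppable.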
[PATCH v5 0/3] kexec: Add new parameter to limit the access to kexec
Add two parameters to specify how many times a kexec kernel can be loaded.

These parameters allow hardening the system.

While we are at it, fix a documentation issue and refactor some code.

To: Jonathan Corbet
To: Eric Biederman
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kexec@lists.infradead.org
Cc: Joel Fernandes (Google)
Cc: Sergey Senozhatsky
Cc: Steven Rostedt
Cc: Ross Zwisler
To: Philipp Rudo
To: Guilherme G. Piccoli
Signed-off-by: Ricardo Ribalda
---
Changes in v5:
- Remove maxlen from ctl_table. Thanks Steven!
- Link to v4: https://lore.kernel.org/r/20221114-disable-kexec-reset-v4-0-ab809c8d9...@chromium.org

Changes in v4 (Thanks Steven!):
- Uses sysctl instead of module_parameters
- Pass image type instead of boolean to permitted
- Fix typo on flag handling
- Return -EINVAL for values that do not change the current value.
- Link to v3: https://lore.kernel.org/r/20221114-disable-kexec-reset-v3-0-4ef4e929a...@chromium.org

Changes in v3:
- s/paramter/parameter/ Thanks Guilherme!
- s/permited/permitted/ Thanks Joel!
- Link to v2: https://lore.kernel.org/r/20221114-disable-kexec-reset-v2-0-c498313c1...@chromium.org

Changes in v2:
- Instead of kexec_reboot_disabled, add two new counters (Thanks Philipp!)
- Link to v1: https://lore.kernel.org/r/20221114-disable-kexec-reset-v1-0-fb51d20cf...@chromium.org

---
Ricardo Ribalda (3):
      Documentation: sysctl: Correct kexec_load_disabled
      kexec: Factor out kexec_load_permitted
      kexec: Introduce sysctl parameters kexec_load_limit_*

 Documentation/admin-guide/sysctl/kernel.rst | 25 +++-
 include/linux/kexec.h                       |  3 +-
 kernel/kexec.c                              |  4 +-
 kernel/kexec_core.c                         | 94 -
 kernel/kexec_file.c                         | 11 ++--
 5 files changed, 127 insertions(+), 10 deletions(-)
---
base-commit: 479174d402bcf60789106eedc4def3957c060bad
change-id: 20221114-disable-kexec-reset-19b7e117338f

Best regards,
--
Ricardo Ribalda
[PATCH v5 2/3] kexec: Factor out kexec_load_permitted
Both syscalls (kexec and kexec_file) do the same check, lets factor it out. Signed-off-by: Ricardo Ribalda --- include/linux/kexec.h | 3 ++- kernel/kexec.c| 2 +- kernel/kexec_core.c | 11 ++- kernel/kexec_file.c | 2 +- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/include/linux/kexec.h b/include/linux/kexec.h index 41a686996aaa..182e0c11b87b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -406,7 +406,8 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image); extern struct kimage *kexec_image; extern struct kimage *kexec_crash_image; -extern int kexec_load_disabled; + +bool kexec_load_permitted(void); #ifndef kexec_flush_icache_page #define kexec_flush_icache_page(page) diff --git a/kernel/kexec.c b/kernel/kexec.c index cb8e6e6f983c..ce1bca874a8d 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments, int result; /* We only trust the superuser with rebooting the system. */ - if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) + if (!kexec_load_permitted()) return -EPERM; /* Permit LSMs and IMA to fail the kexec */ diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c index ca2743f9c634..a1efc70f4158 100644 --- a/kernel/kexec_core.c +++ b/kernel/kexec_core.c @@ -928,7 +928,7 @@ int kimage_load_segment(struct kimage *image, struct kimage *kexec_image; struct kimage *kexec_crash_image; -int kexec_load_disabled; +static int kexec_load_disabled; #ifdef CONFIG_SYSCTL static struct ctl_table kexec_core_sysctls[] = { { 
@@ -952,6 +952,15 @@ static int __init kexec_core_sysctl_init(void) late_initcall(kexec_core_sysctl_init); #endif +bool kexec_load_permitted(void) +{ + /* +* Only the superuser can use the kexec syscall and if it has not +* been disabled. +*/ + return capable(CAP_SYS_BOOT) && !kexec_load_disabled; +} + /* * No panic_cpu check version of crash_kexec(). This function is called * only when panic_cpu holds the current CPU number; this is the only CPU diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 45637511e0de..29efa43ea951 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, struct kimage **dest_image, *image; /* We only trust the superuser with rebooting the system. */ - if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) + if (!kexec_load_permitted()) return -EPERM; /* Make sure we have a legal set of flags */ -- 2.39.0.314.g84b9a713c41-goog-b4-0.11.0-dev-696ae ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
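Review bot: the comment in the new kexec_load_permitted() in the kernel/kexec_core.c hunk, "Only the superuser can use the kexec syscall and if it has not been disabled.", does not parse; suggest "Only the superuser may use the kexec syscalls, and only while they have not been disabled." Making kexec_load_disabled static is right now that both former readers go through the helper, but the two call sites keep their "We only trust the superuser with rebooting the system." comment, which now duplicates the helper's own; one copy could go.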
[PATCH v5 3/3] kexec: Introduce sysctl parameters kexec_load_limit_*
Add two parameters to specify how many times a kexec kernel can be loaded. The sysadmin can set different limits for kexec panic and kexec reboot kernels. The value can be modified at runtime via sysctl, but only with a value smaller than the current one (except -1). Signed-off-by: Ricardo Ribalda --- Documentation/admin-guide/sysctl/kernel.rst | 18 ++ include/linux/kexec.h | 2 +- kernel/kexec.c | 4 +- kernel/kexec_core.c | 87 - kernel/kexec_file.c | 11 ++-- 5 files changed, 114 insertions(+), 8 deletions(-) diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst index 97394bd9d065..a3922dffbd47 100644 --- a/Documentation/admin-guide/sysctl/kernel.rst +++ b/Documentation/admin-guide/sysctl/kernel.rst @@ -461,6 +461,24 @@ allowing a system to set up (and later use) an image without it being altered. Generally used together with the `modules_disabled`_ sysctl. +kexec_load_limit_panic +== + +This parameter specifies a limit to the number of times the syscalls +``kexec_load`` and ``kexec_file_load`` can be called with a crash +image. It can only be set with a more restrictive value than the +current one. + += = +-1 Unlimited calls to kexec. This is the default setting. +N Number of calls left. += = + +kexec_load_limit_reboot +== + +Similar functionality as ``kexec_load_limit_panic``, but for a crash +image. kptr_restrict = diff --git a/include/linux/kexec.h b/include/linux/kexec.h index 182e0c11b87b..791e65829f86 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image); extern struct kimage *kexec_image; extern struct kimage *kexec_crash_image; -bool kexec_load_permitted(void); +bool kexec_load_permitted(int kexec_image_type); #ifndef kexec_flush_icache_page #define kexec_flush_icache_page(page) diff --git a/kernel/kexec.c b/kernel/kexec.c index ce1bca874a8d..92d301f98776 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c 
@@ -190,10 +190,12 @@ static int do_kexec_load(unsigned long entry, unsigned long nr_segments, static inline int kexec_load_check(unsigned long nr_segments, unsigned long flags) { + int image_type = (flags & KEXEC_ON_CRASH) ? +KEXEC_TYPE_CRASH : KEXEC_TYPE_DEFAULT; int result; /* We only trust the superuser with rebooting the system. */ - if (!kexec_load_permitted()) + if (!kexec_load_permitted(image_type)) return -EPERM; /* Permit LSMs and IMA to fail the kexec */ diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c index a1efc70f4158..951541d78ca8 100644 --- a/kernel/kexec_core.c +++ b/kernel/kexec_core.c @@ -926,10 +926,64 @@ int kimage_load_segment(struct kimage *image, return result; } +struct kexec_load_limit { + /* Mutex protects the limit count. */ + struct mutex mutex; + int limit; +}; + +static struct kexec_load_limit load_limit_reboot = { + .mutex = __MUTEX_INITIALIZER(load_limit_reboot.mutex), + .limit = -1, +}; + +static struct kexec_load_limit load_limit_panic = { + .mutex = __MUTEX_INITIALIZER(load_limit_panic.mutex), + .limit = -1, +}; + struct kimage *kexec_image; struct kimage *kexec_crash_image; static int kexec_load_disabled; + #ifdef CONFIG_SYSCTL +static int kexec_limit_handler(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) +{ + struct kexec_load_limit *limit = table->data; + int val; + struct ctl_table tmp = { + .data = , + .maxlen = sizeof(val), + .mode = table->mode, + }; + int ret; + + if (write) { + ret = proc_dointvec(, write, buffer, lenp, ppos); + if (ret) + return ret; + + if (val < 0) + return -EINVAL; + + mutex_lock(>mutex); + if (limit->limit != -1 && val >= limit->limit) + ret = -EINVAL; + else + limit->limit = val; + mutex_unlock(>mutex); + + return ret; + } + + mutex_lock(>mutex); + val = limit->limit; + mutex_unlock(>mutex); + + return proc_dointvec(, write, buffer, lenp, ppos); +} + static struct ctl_table kexec_core_sysctls[] = { { .procname = "kexec_load_disabled", 
@@ -941,6 +995,18 @@ static struct ctl_table kexec_core_sysctls[] = { .extra1 = SYSCTL_ONE, .extra2 =
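Review bot: the kexec_load_limit_reboot entry in the Documentation hunk says "but for a crash image", which is a copy of the panic entry; this knob covers the normal (reboot) kexec image, so suggest "but for a normal (non-crash) kexec image". The same hunk lists -1 as the default, while kexec_limit_handler() in the kernel/kexec_core.c hunk returns -EINVAL for any `val < 0`; the documentation should say that once a limit has been set it can never be returned to -1, since that is the property an administrator relies on.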
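Review bot: in the kernel/kexec_core.c hunk, kexec_limit_handler() rejects `val >= limit->limit` with -EINVAL, so writing the current value back is an error rather than a no-op. That is what the v4 changelog asked for, but it means a tool that re-applies the same sysctl.d value (for example `sysctl --system` run again after boot) will now fail after the first successful apply. Consider treating `val == limit->limit` as a no-op, or state the behaviour in the kernel.rst entry so deployments can plan for it.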
Re: kdump kernel randomly hang with tick_periodic call trace on bare metal system
On 20/12/2022 02:51, Baoquan He wrote:
> On 12/20/22 at 01:41pm, Baoquan He wrote:
>> On one intel bare metal system, I can randomly reproduce the kdump hang
>> as below with tick_periodic call trace. Attach the kernel config for
>> reference.
>
> Forgot mentioning this random hang is also caused by adding
> 'nr_cpus=2' into normal kernel's cmdline, then triggering crash will get
> kdump kernel hang as below kdump log shown.
>

The weird thing is that you seem to be using "nr_cpus=1" instead - this
is the cmdline from the log:

"nr_cpus=2 irqpoll nr_cpus=1 reset_devices cgroup_disable=memory mce=off
numa=off udev.children-max=2 panic=10 acpi_no_memhotplug
transparent_hugepage=never nokaslr hest_disable novmcoredd cma=0
hugetlb_cma=0 disable_cpu_apicid=16 [...]"

You seem to pass the "nr_cpus" thing twice, and I guess the kernel picks the
last one?

Also, what is "disable_cpu_apicid=16"? Could this be related?

Thanks for the report!
Cheers,

Guilherme
[ANNOUNCE] kexec-tools 2.0.26
Hi all,

I am happy to announce the release of kexec-tools 2.0.26.

This is a feature release coinciding with the release of v6.1 of the Linux Kernel.

This release can be downloaded from kernel.org:
http://kernel.org/pub/linux/utils/kernel/kexec/kexec-tools-2.0.26.tar.xz
http://kernel.org/pub/linux/utils/kernel/kexec/

It is also tagged in git:
git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git

Thanks to everyone who has contributed to kexec!

Commits since v2.0.25:
ae1bd3dde601 kexec-tools 2.0.26
ffb186b83420 kexec-tools 2.0.26-rc1
b9de05184816 m68k: pass rng seed via BI_RNG_SEED
b0381b817910 workflow: update to checkout@v3
834be38cc044 LoongArch: Remove redundant cmdline parameters when using --reuse-cmdline option
84138f41efd5 LoongArch: Add purgatory framework code
615b6757dcab LoongArch: PE format image loading support
1c8bf2dc0127 LoongArch: Add kexec/kdump support
dceb1d8926e6 config: Add LoongArch architecture support in config.guess and config.sub files
6b6187f546f0 ppc64: remove rma_top limit
bc38df5e8e24 kexec-tools 2.0.25.git
Re: [PATCH v4 3/3] kexec: Introduce sysctl parameters kexec_load_limit_*
On Wed, 21 Dec 2022 13:50:03 +0100 Ricardo Ribalda wrote: > @@ -941,6 +995,20 @@ static struct ctl_table kexec_core_sysctls[] = { > .extra1 = SYSCTL_ONE, > .extra2 = SYSCTL_ONE, > }, > + { > + .procname = "kexec_load_limit_panic", > + .data = _limit_panic, > + .maxlen = sizeof(load_limit_panic), If I understand the sysctl logic correctly, the .maxlen is the maxlen of the input to the sysctl, and not the data. Usually set to sizeof(data) because most proc_handlers write to data directly. In this case, I believe it's not even used (you override it with the struct ctl_table tmp). I guess it doesn't really matter what it's set to. Perhaps just set it to zero and leave it out? > + .mode = 0644, > + .proc_handler = kexec_limit_handler, > + }, > + { > + .procname = "kexec_load_limit_reboot", > + .data = _limit_reboot, > + .maxlen = sizeof(load_limit_reboot), Same here. -- Steve > + .mode = 0644, > + .proc_handler = kexec_limit_handler, > + }, > { } > }; > ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
[PATCH v4 0/3] kexec: Add new parameter to limit the access to kexec
Add two parameters to specify how many times a kexec kernel can be loaded.

These parameters allow hardening the system.

While we are at it, fix a documentation issue and refactor some code.

To: Jonathan Corbet
To: Eric Biederman
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kexec@lists.infradead.org
Cc: Joel Fernandes (Google)
Cc: Sergey Senozhatsky
Cc: Steven Rostedt
Cc: Ross Zwisler
To: Philipp Rudo
To: Guilherme G. Piccoli
Signed-off-by: Ricardo Ribalda
---
Changes in v4 (Thanks Steven!):
- Uses sysctl instead of module_parameters
- Pass image type instead of boolean to permitted
- Fix typo on flag handling
- Return -EINVAL for values that do not change the current value.
- Link to v3: https://lore.kernel.org/r/20221114-disable-kexec-reset-v3-0-4ef4e929a...@chromium.org

Changes in v3:
- s/paramter/parameter/ Thanks Guilherme!
- s/permited/permitted/ Thanks Joel!
- Link to v2: https://lore.kernel.org/r/20221114-disable-kexec-reset-v2-0-c498313c1...@chromium.org

Changes in v2:
- Instead of kexec_reboot_disabled, add two new counters (Thanks Philipp!)
- Link to v1: https://lore.kernel.org/r/20221114-disable-kexec-reset-v1-0-fb51d20cf...@chromium.org

---
Ricardo Ribalda (3):
      Documentation: sysctl: Correct kexec_load_disabled
      kexec: Factor out kexec_load_permitted
      kexec: Introduce sysctl parameters kexec_load_limit_*

 Documentation/admin-guide/sysctl/kernel.rst | 25 +++-
 include/linux/kexec.h                       |  3 +-
 kernel/kexec.c                              |  4 +-
 kernel/kexec_core.c                         | 96 -
 kernel/kexec_file.c                         | 11 ++--
 5 files changed, 129 insertions(+), 10 deletions(-)
---
base-commit: 479174d402bcf60789106eedc4def3957c060bad
change-id: 20221114-disable-kexec-reset-19b7e117338f

Best regards,
--
Ricardo Ribalda
[PATCH v4 2/3] kexec: Factor out kexec_load_permitted
Both syscalls (kexec and kexec_file) do the same check, lets factor it out. Signed-off-by: Ricardo Ribalda --- include/linux/kexec.h | 3 ++- kernel/kexec.c| 2 +- kernel/kexec_core.c | 11 ++- kernel/kexec_file.c | 2 +- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/include/linux/kexec.h b/include/linux/kexec.h index 41a686996aaa..182e0c11b87b 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -406,7 +406,8 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image); extern struct kimage *kexec_image; extern struct kimage *kexec_crash_image; -extern int kexec_load_disabled; + +bool kexec_load_permitted(void); #ifndef kexec_flush_icache_page #define kexec_flush_icache_page(page) diff --git a/kernel/kexec.c b/kernel/kexec.c index cb8e6e6f983c..ce1bca874a8d 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -193,7 +193,7 @@ static inline int kexec_load_check(unsigned long nr_segments, int result; /* We only trust the superuser with rebooting the system. */ - if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) + if (!kexec_load_permitted()) return -EPERM; /* Permit LSMs and IMA to fail the kexec */ diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c index ca2743f9c634..a1efc70f4158 100644 --- a/kernel/kexec_core.c +++ b/kernel/kexec_core.c @@ -928,7 +928,7 @@ int kimage_load_segment(struct kimage *image, struct kimage *kexec_image; struct kimage *kexec_crash_image; -int kexec_load_disabled; +static int kexec_load_disabled; #ifdef CONFIG_SYSCTL static struct ctl_table kexec_core_sysctls[] = { { 
@@ -952,6 +952,15 @@ static int __init kexec_core_sysctl_init(void) late_initcall(kexec_core_sysctl_init); #endif +bool kexec_load_permitted(void) +{ + /* +* Only the superuser can use the kexec syscall and if it has not +* been disabled. +*/ + return capable(CAP_SYS_BOOT) && !kexec_load_disabled; +} + /* * No panic_cpu check version of crash_kexec(). This function is called * only when panic_cpu holds the current CPU number; this is the only CPU diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 45637511e0de..29efa43ea951 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -330,7 +330,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, struct kimage **dest_image, *image; /* We only trust the superuser with rebooting the system. */ - if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) + if (!kexec_load_permitted()) return -EPERM; /* Make sure we have a legal set of flags */ -- 2.39.0.314.g84b9a713c41-goog-b4-0.11.0-dev-696ae ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
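Review bot: the comment in the new kexec_load_permitted() in the kernel/kexec_core.c hunk, "Only the superuser can use the kexec syscall and if it has not been disabled.", does not parse; suggest "Only the superuser may use the kexec syscalls, and only while they have not been disabled." With kexec_load_disabled now static, the "We only trust the superuser with rebooting the system." comment kept at both call sites duplicates the helper's own and one copy could be dropped.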
[PATCH v4 1/3] Documentation: sysctl: Correct kexec_load_disabled
kexec_load_disabled affects both ``kexec_load`` and ``kexec_file_load`` syscalls. Make it explicit. Signed-off-by: Ricardo Ribalda --- Documentation/admin-guide/sysctl/kernel.rst | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst index 98d1b198b2b4..97394bd9d065 100644 --- a/Documentation/admin-guide/sysctl/kernel.rst +++ b/Documentation/admin-guide/sysctl/kernel.rst @@ -450,9 +450,10 @@ this allows system administrators to override the kexec_load_disabled === -A toggle indicating if the ``kexec_load`` syscall has been disabled. -This value defaults to 0 (false: ``kexec_load`` enabled), but can be -set to 1 (true: ``kexec_load`` disabled). +A toggle indicating if the syscalls ``kexec_load`` and +``kexec_file_load`` have been disabled. +This value defaults to 0 (false: ``kexec_*load`` enabled), but can be +set to 1 (true: ``kexec_*load`` disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, -- 2.39.0.314.g84b9a713c41-goog-b4-0.11.0-dev-696ae ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
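Review bot: the unchanged context line right after the hunk, "This allows a kexec image to be loaded before disabling the syscall," is still singular although the edited lines now name both ``kexec_load`` and ``kexec_file_load``; suggest "before disabling the syscalls". The ``kexec_*load`` shorthand is new to this file; spelling out both names keeps the documentation greppable.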
[PATCH v4 3/3] kexec: Introduce sysctl parameters kexec_load_limit_*
Add two parameters to specify how many times a kexec kernel can be loaded. The sysadmin can set different limits for kexec panic and kexec reboot kernels. The value can be modified at runtime via sysctl, but only with a value smaller than the current one (except -1). Signed-off-by: Ricardo Ribalda --- Documentation/admin-guide/sysctl/kernel.rst | 18 ++ include/linux/kexec.h | 2 +- kernel/kexec.c | 4 +- kernel/kexec_core.c | 89 - kernel/kexec_file.c | 11 ++-- 5 files changed, 116 insertions(+), 8 deletions(-) diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst index 97394bd9d065..a3922dffbd47 100644 --- a/Documentation/admin-guide/sysctl/kernel.rst +++ b/Documentation/admin-guide/sysctl/kernel.rst @@ -461,6 +461,24 @@ allowing a system to set up (and later use) an image without it being altered. Generally used together with the `modules_disabled`_ sysctl. +kexec_load_limit_panic +== + +This parameter specifies a limit to the number of times the syscalls +``kexec_load`` and ``kexec_file_load`` can be called with a crash +image. It can only be set with a more restrictive value than the +current one. + += = +-1 Unlimited calls to kexec. This is the default setting. +N Number of calls left. += = + +kexec_load_limit_reboot +== + +Similar functionality as ``kexec_load_limit_panic``, but for a crash +image. kptr_restrict = diff --git a/include/linux/kexec.h b/include/linux/kexec.h index 182e0c11b87b..791e65829f86 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -407,7 +407,7 @@ extern int kimage_crash_copy_vmcoreinfo(struct kimage *image); extern struct kimage *kexec_image; extern struct kimage *kexec_crash_image; -bool kexec_load_permitted(void); +bool kexec_load_permitted(int kexec_image_type); #ifndef kexec_flush_icache_page #define kexec_flush_icache_page(page) diff --git a/kernel/kexec.c b/kernel/kexec.c index ce1bca874a8d..92d301f98776 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c 
@@ -190,10 +190,12 @@ static int do_kexec_load(unsigned long entry, unsigned long nr_segments, static inline int kexec_load_check(unsigned long nr_segments, unsigned long flags) { + int image_type = (flags & KEXEC_ON_CRASH) ? +KEXEC_TYPE_CRASH : KEXEC_TYPE_DEFAULT; int result; /* We only trust the superuser with rebooting the system. */ - if (!kexec_load_permitted()) + if (!kexec_load_permitted(image_type)) return -EPERM; /* Permit LSMs and IMA to fail the kexec */ diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c index a1efc70f4158..6131b1aee165 100644 --- a/kernel/kexec_core.c +++ b/kernel/kexec_core.c @@ -926,10 +926,64 @@ int kimage_load_segment(struct kimage *image, return result; } +struct kexec_load_limit { + /* Mutex protects the limit count. */ + struct mutex mutex; + int limit; +}; + +static struct kexec_load_limit load_limit_reboot = { + .mutex = __MUTEX_INITIALIZER(load_limit_reboot.mutex), + .limit = -1, +}; + +static struct kexec_load_limit load_limit_panic = { + .mutex = __MUTEX_INITIALIZER(load_limit_panic.mutex), + .limit = -1, +}; + struct kimage *kexec_image; struct kimage *kexec_crash_image; static int kexec_load_disabled; + #ifdef CONFIG_SYSCTL +static int kexec_limit_handler(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) +{ + struct kexec_load_limit *limit = table->data; + int val; + struct ctl_table tmp = { + .data = , + .maxlen = sizeof(val), + .mode = table->mode, + }; + int ret; + + if (write) { + ret = proc_dointvec(, write, buffer, lenp, ppos); + if (ret) + return ret; + + if (val < 0) + return -EINVAL; + + mutex_lock(>mutex); + if (limit->limit != -1 && val >= limit->limit) + ret = -EINVAL; + else + limit->limit = val; + mutex_unlock(>mutex); + + return ret; + } + + mutex_lock(>mutex); + val = limit->limit; + mutex_unlock(>mutex); + + return proc_dointvec(, write, buffer, lenp, ppos); +} + static struct ctl_table kexec_core_sysctls[] = { { .procname = "kexec_load_disabled", 
@@ -941,6 +995,20 @@ static struct ctl_table kexec_core_sysctls[] = { .extra1 = SYSCTL_ONE, .extra2 =
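Review bot: the kexec_load_limit_reboot entry in the Documentation hunk says "but for a crash image", a copy of the panic entry; this knob covers the normal (reboot) kexec image, so suggest "but for a normal (non-crash) kexec image". The table also lists -1 as the default while kexec_limit_handler() in the kernel/kexec_core.c hunk returns -EINVAL for any `val < 0`; the entry should state that a limit, once set, can never go back to -1, since that is the guarantee an administrator is buying.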
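Review bot: in the kernel/kexec_core.c hunk, kexec_limit_handler() returns -EINVAL for `val >= limit->limit`, so re-writing the current value is an error instead of a no-op. That matches the v4 changelog, but a tool that re-applies the same sysctl.d value later in the boot (a second `sysctl --system`, for instance) will fail after the first apply; consider accepting `val == limit->limit` as a no-op or documenting this in kernel.rst.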
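The limit semantics described in the v4 and v5 3/3 commit messages and documentation hunks, as an added userspace model (not the kernel's code): -1 means unlimited, a write is accepted only if it lowers the limit, negative writes are rejected, and each permitted load consumes one call. The per-load decrement is not in the hunks visible on this page and is this model's assumption, as are all `model_*` names and the omission of the mutex and of the CAP_SYS_BOOT / kexec_load_disabled checks.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Image types; the kernel uses KEXEC_TYPE_DEFAULT and KEXEC_TYPE_CRASH. */
enum model_image_type { MODEL_TYPE_DEFAULT = 0, MODEL_TYPE_CRASH = 1 };

struct model_load_limit {
	int limit;	/* -1: unlimited, N: calls left (the kernel guards this with a mutex) */
};

static struct model_load_limit limit_reboot = { .limit = -1 };
static struct model_load_limit limit_panic = { .limit = -1 };

/* Back to the boot-time defaults; returns 0 so callers can check it. */
int model_reset_limits(void)
{
	limit_reboot.limit = -1;
	limit_panic.limit = -1;
	return 0;
}

/* Write path of kexec_limit_handler() as shown in the hunk: negative
 * values are rejected, and a set limit may only be lowered. */
int model_limit_write(struct model_load_limit *l, int val)
{
	if (val < 0)
		return -EINVAL;			/* -1 can never be written back */
	if (l->limit != -1 && val >= l->limit)
		return -EINVAL;			/* only more restrictive values */
	l->limit = val;
	return 0;
}

/* Read path: the current value as the sysctl would report it. */
int model_limit_read(const struct model_load_limit *l)
{
	return l->limit;
}

/* Budget check for one kexec_load/kexec_file_load attempt. Consuming one
 * call per permitted load is this model's assumption (the decrement site
 * is not in the hunk on this page). */
bool model_load_permitted(enum model_image_type type)
{
	struct model_load_limit *l =
		(type == MODEL_TYPE_CRASH) ? &limit_panic : &limit_reboot;

	if (l->limit == -1)
		return true;
	if (l->limit == 0)
		return false;
	l->limit--;
	return true;
}

/* Admin scenario: stage the kdump kernel once at boot, then lock both
 * limits so no further image can be loaded. Returns how many loads are
 * still permitted afterwards (0 when the lockdown holds). */
int model_lockdown_scenario(void)
{
	int permitted = 0;

	model_reset_limits();
	(void)model_load_permitted(MODEL_TYPE_CRASH);	/* kdump image staged */
	model_limit_write(&limit_panic, 0);
	model_limit_write(&limit_reboot, 0);

	if (model_load_permitted(MODEL_TYPE_CRASH))
		permitted++;
	if (model_load_permitted(MODEL_TYPE_DEFAULT))
		permitted++;
	return permitted;
}

int main(void)
{
	printf("lockdown scenario: %d loads still permitted\n",
	       model_lockdown_scenario());
	return 0;
}
```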