tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

powerpc/rtas: Avoid warning on invalid token argument to sys_rtas()

rtas_token_to_function() WARNs when passed an invalid token; it's
meant to catch bugs in kernel-based users of RTAS functions. However,
user space controls the token value passed to rtas_token_to_function()
by block_rtas_call(), so user space with sufficient privilege to use
sys_rtas() can trigger the warnings at will:

unexpected failed lookup for token 2048
WARNING: CPU: 20 PID: 2247 at arch/powerpc/kernel/rtas.c:556
rtas_token_to_function+0xfc/0x110
...
NIP rtas_token_to_function+0xfc/0x110
LR rtas_token_to_function+0xf8/0x110
Call Trace:
rtas_token_to_function+0xf8/0x110 (unreliable)
sys_rtas+0x188/0x880
system_call_exception+0x268/0x530
system_call_common+0x160/0x2c4

It's desirable to continue warning on bogus tokens in
rtas_token_to_function(). Currently it is used to look up RTAS
function descriptors when tracing, where we know there has to have
been a successful descriptor lookup by different means already, and it
would be a serious inconsistency for the reverse lookup to fail.

So instead of weakening rtas_token_to_function()'s contract by
removing the warnings, introduce rtas_token_to_function_untrusted(),
which has no opinion on failed lookups. Convert block_rtas_call() and
rtas_token_to_function() to use it.

Fixes: 8252b88294d2 ("powerpc/rtas: improve function information lookups")
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231212-papr-sys_rtas-vs-lockdown-v6-1-e9eafd0c8c6c@linux.ibm.com

authored by

Nathan Lynch and committed by
Michael Ellerman 01e346ff 070b71f4

+17 -2
+17 -2
arch/powerpc/kernel/rtas.c
··· 544 544 } 545 545 arch_initcall(rtas_token_to_function_xarray_init); 546 546 547 + /* 548 + * For use by sys_rtas(), where the token value is provided by user 549 + * space and we don't want to warn on failed lookups. 550 + */ 551 + static const struct rtas_function *rtas_token_to_function_untrusted(s32 token) 552 + { 553 + return xa_load(&rtas_token_to_function_xarray, token); 554 + } 555 + 556 + /* 557 + * Reverse lookup for deriving the function descriptor from a 558 + * known-good token value in contexts where the former is not already 559 + * available. @token must be valid, e.g. derived from the result of a 560 + * prior lookup against the function table. 561 + */ 547 562 static const struct rtas_function *rtas_token_to_function(s32 token) 548 563 { 549 564 const struct rtas_function *func; ··· 566 551 if (WARN_ONCE(token < 0, "invalid token %d", token)) 567 552 return NULL; 568 553 569 - func = xa_load(&rtas_token_to_function_xarray, token); 554 + func = rtas_token_to_function_untrusted(token); 570 555 571 556 if (WARN_ONCE(!func, "unexpected failed lookup for token %d", token)) 572 557 return NULL; ··· 1736 1721 * If this token doesn't correspond to a function the kernel 1737 1722 * understands, you're not allowed to call it. 1738 1723 */ 1739 - func = rtas_token_to_function(token); 1724 + func = rtas_token_to_function_untrusted(token); 1740 1725 if (!func) 1741 1726 goto err; 1742 1727 /*