2019-05-27 06:55:01 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
*
|
|
|
|
|
* Procedures for interfacing to the RTAS on CHRP machines.
|
|
|
|
|
*
|
|
|
|
|
* Peter Bergner, IBM March 2001.
|
|
|
|
|
* Copyright (C) 2001 IBM.
|
|
|
|
|
*/
|
|
|
|
|
|
2021-08-02 20:40:32 +00:00
|
|
|
#include <linux/stdarg.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
#include <linux/spinlock.h>
|
2011-07-22 22:24:23 +00:00
|
|
|
#include <linux/export.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/init.h>
|
2006-01-11 20:17:48 +00:00
|
|
|
#include <linux/capability.h>
|
2005-11-07 05:41:59 +00:00
|
|
|
#include <linux/delay.h>
|
2013-05-07 04:34:11 +00:00
|
|
|
#include <linux/cpu.h>
|
2019-08-02 19:29:25 +00:00
|
|
|
#include <linux/sched.h>
|
2007-11-13 16:15:13 +00:00
|
|
|
#include <linux/smp.h>
|
|
|
|
|
#include <linux/completion.h>
|
|
|
|
|
#include <linux/cpumask.h>
|
2010-07-12 04:36:09 +00:00
|
|
|
#include <linux/memblock.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
2011-07-26 00:13:10 +00:00
|
|
|
#include <linux/reboot.h>
|
2022-09-26 13:16:43 +00:00
|
|
|
#include <linux/security.h>
|
2018-05-02 13:20:48 +00:00
|
|
|
#include <linux/syscalls.h>
|
2022-03-08 19:20:25 +00:00
|
|
|
#include <linux/of.h>
|
|
|
|
|
#include <linux/of_fdt.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2021-06-17 15:51:03 +00:00
|
|
|
#include <asm/interrupt.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <asm/rtas.h>
|
2006-01-31 06:17:47 +00:00
|
|
|
#include <asm/hvcall.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <asm/machdep.h>
|
2006-03-28 12:15:54 +00:00
|
|
|
#include <asm/firmware.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <asm/page.h>
|
|
|
|
|
#include <asm/param.h>
|
|
|
|
|
#include <asm/delay.h>
|
2016-12-24 19:46:01 +00:00
|
|
|
#include <linux/uaccess.h>
|
2006-01-11 00:54:09 +00:00
|
|
|
#include <asm/udbg.h>
|
2006-03-22 23:00:08 +00:00
|
|
|
#include <asm/syscalls.h>
|
2007-11-13 16:15:13 +00:00
|
|
|
#include <asm/smp.h>
|
2011-07-26 23:09:06 +00:00
|
|
|
#include <linux/atomic.h>
|
2009-06-16 16:42:50 +00:00
|
|
|
#include <asm/time.h>
|
2009-08-28 12:06:29 +00:00
|
|
|
#include <asm/mmu.h>
|
2010-12-01 12:31:26 +00:00
|
|
|
#include <asm/topology.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2015-11-24 11:26:12 +00:00
|
|
|
/* This is here deliberately so it's only used in this file */
|
|
|
|
|
void enter_rtas(unsigned long);
|
|
|
|
|
|
2021-06-17 15:51:03 +00:00
|
|
|
static inline void do_enter_rtas(unsigned long args)
|
|
|
|
|
{
|
powerpc/rtas: Keep MSR[RI] set when calling RTAS
RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big
endian mode (MSR[SF,LE] unset).
The change in MSR is done in enter_rtas() in a relatively complex way,
since the MSR value could be hardcoded.
Furthermore, a panic has been reported when hitting the watchdog interrupt
while running in RTAS, this leads to the following stack trace:
watchdog: CPU 24 Hard LOCKUP
watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
Oops: Unrecoverable System Reset, sig: 6 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
---[ end trace 3ddec07f638c34a2 ]---
This happens because MSR[RI] is unset when entering RTAS but there is no
valid reason to not set it here.
RTAS is expected to be called with MSR[RI] as specified in PAPR+ section
"7.2.1 Machine State":
R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect
its own critical regions from recursion by setting the MSR[RI] bit to
0 when in the critical regions.
Fixing this by reviewing the way MSR is compute before calling RTAS. Now a
hardcoded value meaning real mode, 32 bits big endian mode and Recoverable
Interrupt is loaded. In the case MSR[S] is set, it will remain set while
entering RTAS as only urfid can unset it (thanks Fabiano).
In addition a check is added in do_enter_rtas() to detect calls made with
MSR[RI] unset, as we are forcing it on later.
This patch has been tested on the following machines:
Power KVM Guest
P8 S822L (host Ubuntu kernel 5.11.0-49-generic)
PowerVM LPAR
P8 9119-MME (FW860.A1)
p9 9008-22L (FW950.00)
P10 9080-HEX (FW1010.00)
Suggested-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Laurent Dufour <ldufour@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220504101244.12107-1-ldufour@linux.ibm.com
2022-05-04 10:12:44 +00:00
|
|
|
unsigned long msr;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Make sure MSR[RI] is currently enabled as it will be forced later
|
|
|
|
|
* in enter_rtas.
|
|
|
|
|
*/
|
|
|
|
|
msr = mfmsr();
|
|
|
|
|
BUG_ON(!(msr & MSR_RI));
|
|
|
|
|
|
2022-03-08 13:50:37 +00:00
|
|
|
BUG_ON(!irqs_disabled());
|
|
|
|
|
|
|
|
|
|
hard_irq_disable(); /* Ensure MSR[EE] is disabled on PPC64 */
|
|
|
|
|
|
2021-06-17 15:51:03 +00:00
|
|
|
enter_rtas(args);
|
|
|
|
|
|
|
|
|
|
srr_regs_clobbered(); /* rtas uses SRRs, invalidate */
|
|
|
|
|
}
|
|
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
struct rtas_t rtas = {
|
2009-12-03 11:38:57 +00:00
|
|
|
.lock = __ARCH_SPIN_LOCK_UNLOCKED
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
DEFINE_SPINLOCK(rtas_data_buf_lock);
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_data_buf_lock);
|
|
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
char rtas_data_buf[RTAS_DATA_BUF_SIZE] __cacheline_aligned;
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_data_buf);
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
unsigned long rtas_rmo_buf;
|
|
|
|
|
|
2005-11-03 03:41:19 +00:00
|
|
|
/*
|
|
|
|
|
* If non-NULL, this gets called when the kernel terminates.
|
|
|
|
|
* This is done like this so rtas_flash can be a module.
|
|
|
|
|
*/
|
|
|
|
|
void (*rtas_flash_term_hook)(int);
|
|
|
|
|
EXPORT_SYMBOL(rtas_flash_term_hook);
|
|
|
|
|
|
2009-06-16 16:42:49 +00:00
|
|
|
/* RTAS use home made raw locking instead of spin_lock_irqsave
|
|
|
|
|
* because those can be called from within really nasty contexts
|
|
|
|
|
* such as having the timebase stopped which would lockup with
|
|
|
|
|
* normal locks and spinlock debugging enabled
|
|
|
|
|
*/
|
|
|
|
|
static unsigned long lock_rtas(void)
|
|
|
|
|
{
|
|
|
|
|
unsigned long flags;
|
|
|
|
|
|
|
|
|
|
local_irq_save(flags);
|
|
|
|
|
preempt_disable();
|
2017-10-18 11:51:09 +00:00
|
|
|
arch_spin_lock(&rtas.lock);
|
2009-06-16 16:42:49 +00:00
|
|
|
return flags;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void unlock_rtas(unsigned long flags)
|
|
|
|
|
{
|
2009-12-02 19:01:25 +00:00
|
|
|
arch_spin_unlock(&rtas.lock);
|
2009-06-16 16:42:49 +00:00
|
|
|
local_irq_restore(flags);
|
|
|
|
|
preempt_enable();
|
|
|
|
|
}
|
|
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
/*
|
|
|
|
|
* call_rtas_display_status and call_rtas_display_status_delay
|
|
|
|
|
* are designed only for very early low-level debugging, which
|
|
|
|
|
* is why the token is hard-coded to 10.
|
|
|
|
|
*/
|
2013-08-06 16:01:31 +00:00
|
|
|
static void call_rtas_display_status(unsigned char c)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
unsigned long s;
|
|
|
|
|
|
|
|
|
|
if (!rtas.base)
|
|
|
|
|
return;
|
|
|
|
|
|
2015-11-24 11:26:11 +00:00
|
|
|
s = lock_rtas();
|
|
|
|
|
rtas_call_unlocked(&rtas.args, 10, 1, 1, NULL, c);
|
2009-06-16 16:42:49 +00:00
|
|
|
unlock_rtas(s);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2006-01-11 00:54:09 +00:00
|
|
|
static void call_rtas_display_status_delay(char c)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
static int pending_newline = 0; /* did last write end with unprinted newline? */
|
|
|
|
|
static int width = 16;
|
|
|
|
|
|
|
|
|
|
if (c == '\n') {
|
|
|
|
|
while (width-- > 0)
|
|
|
|
|
call_rtas_display_status(' ');
|
|
|
|
|
width = 16;
|
2005-11-07 05:41:59 +00:00
|
|
|
mdelay(500);
|
2005-04-16 22:20:36 +00:00
|
|
|
pending_newline = 1;
|
|
|
|
|
} else {
|
|
|
|
|
if (pending_newline) {
|
|
|
|
|
call_rtas_display_status('\r');
|
|
|
|
|
call_rtas_display_status('\n');
|
|
|
|
|
}
|
|
|
|
|
pending_newline = 0;
|
|
|
|
|
if (width--) {
|
|
|
|
|
call_rtas_display_status(c);
|
|
|
|
|
udelay(10000);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-06-23 08:20:16 +00:00
|
|
|
void __init udbg_init_rtas_panel(void)
|
2006-01-11 00:54:09 +00:00
|
|
|
{
|
|
|
|
|
udbg_putc = call_rtas_display_status_delay;
|
|
|
|
|
}
|
|
|
|
|
|
2006-06-23 08:20:16 +00:00
|
|
|
#ifdef CONFIG_UDBG_RTAS_CONSOLE
|
|
|
|
|
|
|
|
|
|
/* If you think you're dying before early_init_dt_scan_rtas() does its
|
|
|
|
|
* work, you can hard code the token values for your firmware here and
|
|
|
|
|
* hardcode rtas.base/entry etc.
|
|
|
|
|
*/
|
|
|
|
|
static unsigned int rtas_putchar_token = RTAS_UNKNOWN_SERVICE;
|
|
|
|
|
static unsigned int rtas_getchar_token = RTAS_UNKNOWN_SERVICE;
|
|
|
|
|
|
|
|
|
|
static void udbg_rtascon_putc(char c)
|
|
|
|
|
{
|
|
|
|
|
int tries;
|
|
|
|
|
|
|
|
|
|
if (!rtas.base)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Add CRs before LFs */
|
|
|
|
|
if (c == '\n')
|
|
|
|
|
udbg_rtascon_putc('\r');
|
|
|
|
|
|
|
|
|
|
/* if there is more than one character to be displayed, wait a bit */
|
|
|
|
|
for (tries = 0; tries < 16; tries++) {
|
|
|
|
|
if (rtas_call(rtas_putchar_token, 1, 1, NULL, c) == 0)
|
|
|
|
|
break;
|
|
|
|
|
udelay(1000);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int udbg_rtascon_getc_poll(void)
|
|
|
|
|
{
|
|
|
|
|
int c;
|
|
|
|
|
|
|
|
|
|
if (!rtas.base)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
if (rtas_call(rtas_getchar_token, 0, 2, &c))
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
return c;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int udbg_rtascon_getc(void)
|
|
|
|
|
{
|
|
|
|
|
int c;
|
|
|
|
|
|
|
|
|
|
while ((c = udbg_rtascon_getc_poll()) == -1)
|
|
|
|
|
;
|
|
|
|
|
|
|
|
|
|
return c;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void __init udbg_init_rtas_console(void)
|
|
|
|
|
{
|
|
|
|
|
udbg_putc = udbg_rtascon_putc;
|
|
|
|
|
udbg_getc = udbg_rtascon_getc;
|
|
|
|
|
udbg_getc_poll = udbg_rtascon_getc_poll;
|
|
|
|
|
}
|
|
|
|
|
#endif /* CONFIG_UDBG_RTAS_CONSOLE */
|
|
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
void rtas_progress(char *s, unsigned short hex)
|
2005-06-22 23:43:28 +00:00
|
|
|
{
|
|
|
|
|
struct device_node *root;
|
2006-07-12 05:35:54 +00:00
|
|
|
int width;
|
2013-08-06 16:01:29 +00:00
|
|
|
const __be32 *p;
|
2005-06-22 23:43:28 +00:00
|
|
|
char *os;
|
|
|
|
|
static int display_character, set_indicator;
|
2006-07-12 05:35:54 +00:00
|
|
|
static int display_width, display_lines, form_feed;
|
2007-02-17 19:11:19 +00:00
|
|
|
static const int *row_width;
|
2005-06-22 23:43:28 +00:00
|
|
|
static DEFINE_SPINLOCK(progress_lock);
|
2005-06-23 06:09:41 +00:00
|
|
|
static int current_line;
|
2005-06-22 23:43:28 +00:00
|
|
|
static int pending_newline = 0; /* did last write end with unprinted newline? */
|
|
|
|
|
|
|
|
|
|
if (!rtas.base)
|
|
|
|
|
return;
|
|
|
|
|
|
2005-06-23 06:09:41 +00:00
|
|
|
if (display_width == 0) {
|
|
|
|
|
display_width = 0x10;
|
2007-04-24 03:50:55 +00:00
|
|
|
if ((root = of_find_node_by_path("/rtas"))) {
|
2007-04-03 12:26:41 +00:00
|
|
|
if ((p = of_get_property(root,
|
2005-06-23 06:09:41 +00:00
|
|
|
"ibm,display-line-length", NULL)))
|
2013-08-06 16:01:29 +00:00
|
|
|
display_width = be32_to_cpu(*p);
|
2007-04-03 12:26:41 +00:00
|
|
|
if ((p = of_get_property(root,
|
2005-06-23 06:09:41 +00:00
|
|
|
"ibm,form-feed", NULL)))
|
2013-08-06 16:01:29 +00:00
|
|
|
form_feed = be32_to_cpu(*p);
|
2007-04-03 12:26:41 +00:00
|
|
|
if ((p = of_get_property(root,
|
2005-06-23 06:09:41 +00:00
|
|
|
"ibm,display-number-of-lines", NULL)))
|
2013-08-06 16:01:29 +00:00
|
|
|
display_lines = be32_to_cpu(*p);
|
2007-04-03 12:26:41 +00:00
|
|
|
row_width = of_get_property(root,
|
2005-06-23 06:09:41 +00:00
|
|
|
"ibm,display-truncation-length", NULL);
|
2007-04-24 03:50:55 +00:00
|
|
|
of_node_put(root);
|
2005-06-23 06:09:41 +00:00
|
|
|
}
|
2005-06-22 23:43:28 +00:00
|
|
|
display_character = rtas_token("display-character");
|
|
|
|
|
set_indicator = rtas_token("set-indicator");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (display_character == RTAS_UNKNOWN_SERVICE) {
|
|
|
|
|
/* use hex display if available */
|
|
|
|
|
if (set_indicator != RTAS_UNKNOWN_SERVICE)
|
|
|
|
|
rtas_call(set_indicator, 3, 1, NULL, 6, 0, hex);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
spin_lock(&progress_lock);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Last write ended with newline, but we didn't print it since
|
|
|
|
|
* it would just clear the bottom line of output. Print it now
|
|
|
|
|
* instead.
|
|
|
|
|
*
|
2005-06-23 06:09:41 +00:00
|
|
|
* If no newline is pending and form feed is supported, clear the
|
|
|
|
|
* display with a form feed; otherwise, print a CR to start output
|
|
|
|
|
* at the beginning of the line.
|
2005-06-22 23:43:28 +00:00
|
|
|
*/
|
|
|
|
|
if (pending_newline) {
|
|
|
|
|
rtas_call(display_character, 1, 1, NULL, '\r');
|
|
|
|
|
rtas_call(display_character, 1, 1, NULL, '\n');
|
|
|
|
|
pending_newline = 0;
|
|
|
|
|
} else {
|
2005-06-23 06:09:41 +00:00
|
|
|
current_line = 0;
|
|
|
|
|
if (form_feed)
|
|
|
|
|
rtas_call(display_character, 1, 1, NULL,
|
|
|
|
|
(char)form_feed);
|
|
|
|
|
else
|
|
|
|
|
rtas_call(display_character, 1, 1, NULL, '\r');
|
2005-06-22 23:43:28 +00:00
|
|
|
}
|
|
|
|
|
|
2005-06-23 06:09:41 +00:00
|
|
|
if (row_width)
|
|
|
|
|
width = row_width[current_line];
|
|
|
|
|
else
|
|
|
|
|
width = display_width;
|
2005-06-22 23:43:28 +00:00
|
|
|
os = s;
|
|
|
|
|
while (*os) {
|
|
|
|
|
if (*os == '\n' || *os == '\r') {
|
|
|
|
|
/* If newline is the last character, save it
|
|
|
|
|
* until next call to avoid bumping up the
|
|
|
|
|
* display output.
|
|
|
|
|
*/
|
|
|
|
|
if (*os == '\n' && !os[1]) {
|
|
|
|
|
pending_newline = 1;
|
2005-06-23 06:09:41 +00:00
|
|
|
current_line++;
|
|
|
|
|
if (current_line > display_lines-1)
|
|
|
|
|
current_line = display_lines-1;
|
2005-06-22 23:43:28 +00:00
|
|
|
spin_unlock(&progress_lock);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* RTAS wants CR-LF, not just LF */
|
|
|
|
|
|
|
|
|
|
if (*os == '\n') {
|
|
|
|
|
rtas_call(display_character, 1, 1, NULL, '\r');
|
|
|
|
|
rtas_call(display_character, 1, 1, NULL, '\n');
|
|
|
|
|
} else {
|
|
|
|
|
/* CR might be used to re-draw a line, so we'll
|
|
|
|
|
* leave it alone and not add LF.
|
|
|
|
|
*/
|
|
|
|
|
rtas_call(display_character, 1, 1, NULL, *os);
|
|
|
|
|
}
|
|
|
|
|
|
2005-06-23 06:09:41 +00:00
|
|
|
if (row_width)
|
|
|
|
|
width = row_width[current_line];
|
|
|
|
|
else
|
|
|
|
|
width = display_width;
|
2005-06-22 23:43:28 +00:00
|
|
|
} else {
|
|
|
|
|
width--;
|
|
|
|
|
rtas_call(display_character, 1, 1, NULL, *os);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
os++;
|
|
|
|
|
|
|
|
|
|
/* if we overwrite the screen length */
|
|
|
|
|
if (width <= 0)
|
|
|
|
|
while ((*os != 0) && (*os != '\n') && (*os != '\r'))
|
|
|
|
|
os++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
spin_unlock(&progress_lock);
|
|
|
|
|
}
|
2005-11-03 03:41:19 +00:00
|
|
|
EXPORT_SYMBOL(rtas_progress); /* needed by rtas_flash module */
|
2005-06-22 23:43:28 +00:00
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
int rtas_token(const char *service)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2013-08-06 16:01:29 +00:00
|
|
|
const __be32 *tokp;
|
2005-10-26 07:05:24 +00:00
|
|
|
if (rtas.dev == NULL)
|
2005-04-16 22:20:36 +00:00
|
|
|
return RTAS_UNKNOWN_SERVICE;
|
2007-04-03 12:26:41 +00:00
|
|
|
tokp = of_get_property(rtas.dev, service, NULL);
|
2013-08-06 16:01:29 +00:00
|
|
|
return tokp ? be32_to_cpu(*tokp) : RTAS_UNKNOWN_SERVICE;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_token);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-12-07 00:50:45 +00:00
|
|
|
int rtas_service_present(const char *service)
|
|
|
|
|
{
|
|
|
|
|
return rtas_token(service) != RTAS_UNKNOWN_SERVICE;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(rtas_service_present);
|
|
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
#ifdef CONFIG_RTAS_ERROR_LOGGING
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* Return the firmware-specified size of the error log buffer
|
|
|
|
|
* for all rtas calls that require an error buffer argument.
|
|
|
|
|
* This includes 'check-exception' and 'rtas-last-error'.
|
|
|
|
|
*/
|
|
|
|
|
int rtas_get_error_log_max(void)
|
|
|
|
|
{
|
|
|
|
|
static int rtas_error_log_max;
|
|
|
|
|
if (rtas_error_log_max)
|
|
|
|
|
return rtas_error_log_max;
|
|
|
|
|
|
|
|
|
|
rtas_error_log_max = rtas_token ("rtas-error-log-max");
|
|
|
|
|
if ((rtas_error_log_max == RTAS_UNKNOWN_SERVICE) ||
|
|
|
|
|
(rtas_error_log_max > RTAS_ERROR_LOG_MAX)) {
|
2005-10-26 07:05:24 +00:00
|
|
|
printk (KERN_WARNING "RTAS: bad log buffer size %d\n",
|
|
|
|
|
rtas_error_log_max);
|
2005-04-16 22:20:36 +00:00
|
|
|
rtas_error_log_max = RTAS_ERROR_LOG_MAX;
|
|
|
|
|
}
|
|
|
|
|
return rtas_error_log_max;
|
|
|
|
|
}
|
2005-10-26 07:05:24 +00:00
|
|
|
EXPORT_SYMBOL(rtas_get_error_log_max);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
|
2008-05-08 04:27:19 +00:00
|
|
|
static char rtas_err_buf[RTAS_ERROR_LOG_MAX];
|
|
|
|
|
static int rtas_last_error_token;
|
2005-10-26 07:05:24 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/** Return a copy of the detailed error text associated with the
|
|
|
|
|
* most recent failed call to rtas. Because the error text
|
|
|
|
|
* might go stale if there are any other intervening rtas calls,
|
|
|
|
|
* this routine must be called atomically with whatever produced
|
|
|
|
|
* the error (i.e. with rtas.lock still held from the previous call).
|
|
|
|
|
*/
|
2005-10-26 07:05:24 +00:00
|
|
|
static char *__fetch_rtas_last_error(char *altbuf)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct rtas_args err_args, save_args;
|
|
|
|
|
u32 bufsz;
|
2005-10-26 07:05:24 +00:00
|
|
|
char *buf = NULL;
|
|
|
|
|
|
|
|
|
|
if (rtas_last_error_token == -1)
|
|
|
|
|
return NULL;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
bufsz = rtas_get_error_log_max();
|
|
|
|
|
|
2013-08-06 16:01:31 +00:00
|
|
|
err_args.token = cpu_to_be32(rtas_last_error_token);
|
|
|
|
|
err_args.nargs = cpu_to_be32(2);
|
|
|
|
|
err_args.nret = cpu_to_be32(1);
|
|
|
|
|
err_args.args[0] = cpu_to_be32(__pa(rtas_err_buf));
|
|
|
|
|
err_args.args[1] = cpu_to_be32(bufsz);
|
2005-04-16 22:20:36 +00:00
|
|
|
err_args.args[2] = 0;
|
|
|
|
|
|
|
|
|
|
save_args = rtas.args;
|
|
|
|
|
rtas.args = err_args;
|
|
|
|
|
|
2021-06-17 15:51:03 +00:00
|
|
|
do_enter_rtas(__pa(&rtas.args));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
err_args = rtas.args;
|
|
|
|
|
rtas.args = save_args;
|
|
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
/* Log the error in the unlikely case that there was one. */
|
|
|
|
|
if (unlikely(err_args.args[2] == 0)) {
|
|
|
|
|
if (altbuf) {
|
|
|
|
|
buf = altbuf;
|
|
|
|
|
} else {
|
|
|
|
|
buf = rtas_err_buf;
|
2015-03-30 03:10:37 +00:00
|
|
|
if (slab_is_available())
|
2005-10-26 07:05:24 +00:00
|
|
|
buf = kmalloc(RTAS_ERROR_LOG_MAX, GFP_ATOMIC);
|
|
|
|
|
}
|
|
|
|
|
if (buf)
|
|
|
|
|
memcpy(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return buf;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
#define get_errorlog_buffer() kmalloc(RTAS_ERROR_LOG_MAX, GFP_KERNEL)
|
|
|
|
|
|
|
|
|
|
#else /* CONFIG_RTAS_ERROR_LOGGING */
|
|
|
|
|
#define __fetch_rtas_last_error(x) NULL
|
|
|
|
|
#define get_errorlog_buffer() NULL
|
|
|
|
|
#endif
|
|
|
|
|
|
2015-12-16 10:01:42 +00:00
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
va_rtas_call_unlocked(struct rtas_args *args, int token, int nargs, int nret,
|
|
|
|
|
va_list list)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
args->token = cpu_to_be32(token);
|
|
|
|
|
args->nargs = cpu_to_be32(nargs);
|
|
|
|
|
args->nret = cpu_to_be32(nret);
|
|
|
|
|
args->rets = &(args->args[nargs]);
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < nargs; ++i)
|
|
|
|
|
args->args[i] = cpu_to_be32(va_arg(list, __u32));
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < nret; ++i)
|
|
|
|
|
args->rets[i] = 0;
|
|
|
|
|
|
2021-06-17 15:51:03 +00:00
|
|
|
do_enter_rtas(__pa(args));
|
2015-12-16 10:01:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void rtas_call_unlocked(struct rtas_args *args, int token, int nargs, int nret, ...)
|
|
|
|
|
{
|
|
|
|
|
va_list list;
|
|
|
|
|
|
|
|
|
|
va_start(list, nret);
|
|
|
|
|
va_rtas_call_unlocked(args, token, nargs, nret, list);
|
|
|
|
|
va_end(list);
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-26 13:16:43 +00:00
|
|
|
static int ibm_open_errinjct_token;
|
|
|
|
|
static int ibm_errinjct_token;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
int rtas_call(int token, int nargs, int nret, int *outputs, ...)
|
|
|
|
|
{
|
|
|
|
|
va_list list;
|
2005-10-26 07:05:24 +00:00
|
|
|
int i;
|
2005-04-16 22:20:36 +00:00
|
|
|
unsigned long s;
|
|
|
|
|
struct rtas_args *rtas_args;
|
2005-10-26 07:05:24 +00:00
|
|
|
char *buff_copy = NULL;
|
2005-04-16 22:20:36 +00:00
|
|
|
int ret;
|
|
|
|
|
|
2006-06-23 08:20:10 +00:00
|
|
|
if (!rtas.entry || token == RTAS_UNKNOWN_SERVICE)
|
2005-04-16 22:20:36 +00:00
|
|
|
return -1;
|
|
|
|
|
|
2022-09-26 13:16:43 +00:00
|
|
|
if (token == ibm_open_errinjct_token || token == ibm_errinjct_token) {
|
|
|
|
|
/*
|
|
|
|
|
* It would be nicer to not discard the error value
|
|
|
|
|
* from security_locked_down(), but callers expect an
|
|
|
|
|
* RTAS status, not an errno.
|
|
|
|
|
*/
|
|
|
|
|
if (security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION))
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-08 13:50:46 +00:00
|
|
|
if ((mfmsr() & (MSR_IR|MSR_DR)) != (MSR_IR|MSR_DR)) {
|
|
|
|
|
WARN_ON_ONCE(1);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2009-06-16 16:42:49 +00:00
|
|
|
s = lock_rtas();
|
2015-12-16 10:01:42 +00:00
|
|
|
|
|
|
|
|
/* We use the global rtas args buffer */
|
2005-04-16 22:20:36 +00:00
|
|
|
rtas_args = &rtas.args;
|
|
|
|
|
|
|
|
|
|
va_start(list, outputs);
|
2015-12-16 10:01:42 +00:00
|
|
|
va_rtas_call_unlocked(rtas_args, token, nargs, nret, list);
|
2005-04-16 22:20:36 +00:00
|
|
|
va_end(list);
|
|
|
|
|
|
|
|
|
|
/* A -1 return code indicates that the last command couldn't
|
|
|
|
|
be completed due to a hardware error. */
|
2013-08-06 16:01:31 +00:00
|
|
|
if (be32_to_cpu(rtas_args->rets[0]) == -1)
|
2005-10-26 07:05:24 +00:00
|
|
|
buff_copy = __fetch_rtas_last_error(NULL);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (nret > 1 && outputs != NULL)
|
|
|
|
|
for (i = 0; i < nret-1; ++i)
|
2013-08-06 16:01:31 +00:00
|
|
|
outputs[i] = be32_to_cpu(rtas_args->rets[i+1]);
|
|
|
|
|
ret = (nret > 0)? be32_to_cpu(rtas_args->rets[0]): 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-06-16 16:42:49 +00:00
|
|
|
unlock_rtas(s);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (buff_copy) {
|
|
|
|
|
log_error(buff_copy, ERR_TYPE_RTAS_LOG, 0);
|
2015-03-30 03:10:37 +00:00
|
|
|
if (slab_is_available())
|
2005-04-16 22:20:36 +00:00
|
|
|
kfree(buff_copy);
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_call);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2021-11-17 06:02:59 +00:00
|
|
|
/**
|
|
|
|
|
* rtas_busy_delay_time() - From an RTAS status value, calculate the
|
|
|
|
|
* suggested delay time in milliseconds.
|
|
|
|
|
*
|
|
|
|
|
* @status: a value returned from rtas_call() or similar APIs which return
|
|
|
|
|
* the status of a RTAS function call.
|
|
|
|
|
*
|
|
|
|
|
* Context: Any context.
|
|
|
|
|
*
|
|
|
|
|
* Return:
|
|
|
|
|
* * 100000 - If @status is 9905.
|
|
|
|
|
* * 10000 - If @status is 9904.
|
|
|
|
|
* * 1000 - If @status is 9903.
|
|
|
|
|
* * 100 - If @status is 9902.
|
|
|
|
|
* * 10 - If @status is 9901.
|
|
|
|
|
* * 1 - If @status is either 9900 or -2. This is "wrong" for -2, but
|
|
|
|
|
* some callers depend on this behavior, and the worst outcome
|
|
|
|
|
* is that they will delay for longer than necessary.
|
|
|
|
|
* * 0 - If @status is not a busy or extended delay value.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2006-06-05 21:31:48 +00:00
|
|
|
unsigned int rtas_busy_delay_time(int status)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2006-06-05 21:31:48 +00:00
|
|
|
int order;
|
|
|
|
|
unsigned int ms = 0;
|
|
|
|
|
|
|
|
|
|
if (status == RTAS_BUSY) {
|
|
|
|
|
ms = 1;
|
2015-07-22 16:56:47 +00:00
|
|
|
} else if (status >= RTAS_EXTENDED_DELAY_MIN &&
|
|
|
|
|
status <= RTAS_EXTENDED_DELAY_MAX) {
|
|
|
|
|
order = status - RTAS_EXTENDED_DELAY_MIN;
|
2006-06-05 21:31:48 +00:00
|
|
|
for (ms = 1; order > 0; order--)
|
|
|
|
|
ms *= 10;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-06-05 21:31:48 +00:00
|
|
|
return ms;
|
|
|
|
|
}
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_busy_delay_time);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
powerpc/rtas: rtas_busy_delay() improvements
Generally RTAS cannot block, and in PAPR it is required to return control
to the OS within a few tens of microseconds. In order to support operations
which may take longer to complete, many RTAS primitives can return
intermediate -2 ("busy") or 990x ("extended delay") values, which indicate
that the OS should reattempt the same call with the same arguments at some
point in the future.
Current versions of PAPR are less than clear about this, but the intended
meanings of these values in more detail are:
RTAS_BUSY (-2): RTAS has suspended a potentially long-running operation in
order to meet its latency obligation and give the OS the opportunity to
perform other work. RTAS can resume making progress as soon as the OS
reattempts the call.
RTAS_EXTENDED_DELAY_{MIN...MAX} (9900-9905): RTAS must wait for an external
event to occur or for internal contention to resolve before it can complete
the requested operation. The value encodes a non-binding hint as to roughly
how long the OS should wait before calling again, but the OS is allowed to
reattempt the call sooner or even immediately.
Linux of course must take its own CPU scheduling obligations into account
when handling these statuses; e.g. a task which receives an RTAS_BUSY
status should check whether to reschedule before it attempts the RTAS call
again to avoid starving other tasks.
rtas_busy_delay() is a helper function that "consumes" a busy or extended
delay status. Common usage:
int rc;
do {
rc = rtas_call(rtas_token("some-function"), ...);
} while (rtas_busy_delay(rc));
/* convert rc to Linux error value, etc */
If rc is a busy or extended delay status, the caller can rely on
rtas_busy_delay() to perform an appropriate sleep or reschedule and return
nonzero. Other statuses are handled normally by the caller.
The current implementation of rtas_busy_delay() both oversleeps and
overuses the CPU:
* It performs msleep() for all 990x and even when no delay is
suggested (-2), but this is understood to actually sleep for two jiffies
minimum in practice (20ms with HZ=100). 9900 (1ms) and 9901 (10ms)
appear to be the most common extended delay statuses, and the
oversleeping measurably lengthens DLPAR operations, which perform
many RTAS calls.
* It does not sleep on 990x unless need_resched() is true, causing code
like the loop above to needlessly retry, wasting CPU time.
Alter the logic to align better with the intended meanings:
* When passed RTAS_BUSY, perform cond_resched() and return without
sleeping. The caller should reattempt immediately
* Always sleep when passed an extended delay status, using usleep_range()
for precise shorter sleeps. Limit the sleep time to one second even
though there are higher architected values.
Change rtas_busy_delay()'s return type to bool to better reflect its usage,
and add kernel-doc.
rtas_busy_delay_time() is unchanged, even though it "incorrectly" returns 1
for RTAS_BUSY. There are users of that API with open-coded delay loops in
sensitive contexts that will have to be taken on an individual basis.
Brief results for addition and removal of 5GB memory on a small P9 PowerVM
partition follow. Load was generated with stress-ng --cpu N. For add,
elapsed time is greatly reduced without significant change in the number of
RTAS calls or time spent on CPU. For remove, elapsed time is modestly
reduced, with significant reductions in RTAS calls and time spent on CPU.
With no competing workload (- before, + after):
Performance counter stats for 'bash -c echo "memory add count 20" > /sys/kernel/dlpar' (10 runs):
- 1,935 probe:rtas_call # 0.003 M/sec ( +- 0.22% )
- 609.99 msec task-clock # 0.183 CPUs utilized ( +- 0.19% )
+ 1,956 probe:rtas_call # 0.003 M/sec ( +- 0.17% )
+ 618.56 msec task-clock # 0.278 CPUs utilized ( +- 0.11% )
- 3.3322 +- 0.0670 seconds time elapsed ( +- 2.01% )
+ 2.2222 +- 0.0416 seconds time elapsed ( +- 1.87% )
Performance counter stats for 'bash -c echo "memory remove count 20" > /sys/kernel/dlpar' (10 runs):
- 6,224 probe:rtas_call # 0.008 M/sec ( +- 2.57% )
- 750.36 msec task-clock # 0.190 CPUs utilized ( +- 2.01% )
+ 843 probe:rtas_call # 0.003 M/sec ( +- 0.12% )
+ 250.66 msec task-clock # 0.068 CPUs utilized ( +- 0.17% )
- 3.9394 +- 0.0890 seconds time elapsed ( +- 2.26% )
+ 3.678 +- 0.113 seconds time elapsed ( +- 3.07% )
With all CPUs 100% busy (- before, + after):
Performance counter stats for 'bash -c echo "memory add count 20" > /sys/kernel/dlpar' (10 runs):
- 2,979 probe:rtas_call # 0.003 M/sec ( +- 0.12% )
- 1,096.62 msec task-clock # 0.105 CPUs utilized ( +- 0.10% )
+ 2,981 probe:rtas_call # 0.003 M/sec ( +- 0.22% )
+ 1,095.26 msec task-clock # 0.154 CPUs utilized ( +- 0.21% )
- 10.476 +- 0.104 seconds time elapsed ( +- 1.00% )
+ 7.1124 +- 0.0865 seconds time elapsed ( +- 1.22% )
Performance counter stats for 'bash -c echo "memory remove count 20" > /sys/kernel/dlpar' (10 runs):
- 2,702 probe:rtas_call # 0.004 M/sec ( +- 4.00% )
- 722.71 msec task-clock # 0.067 CPUs utilized ( +- 2.41% )
+ 1,246 probe:rtas_call # 0.003 M/sec ( +- 0.25% )
+ 487.73 msec task-clock # 0.049 CPUs utilized ( +- 0.20% )
- 10.829 +- 0.163 seconds time elapsed ( +- 1.51% )
+ 9.9887 +- 0.0866 seconds time elapsed ( +- 0.87% )
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211117060259.957178-2-nathanl@linux.ibm.com
2021-11-17 06:02:58 +00:00
|
|
|
/**
|
|
|
|
|
* rtas_busy_delay() - helper for RTAS busy and extended delay statuses
|
|
|
|
|
*
|
|
|
|
|
* @status: a value returned from rtas_call() or similar APIs which return
|
|
|
|
|
* the status of a RTAS function call.
|
|
|
|
|
*
|
|
|
|
|
* Context: Process context. May sleep or schedule.
|
|
|
|
|
*
|
|
|
|
|
* Return:
|
|
|
|
|
* * true - @status is RTAS_BUSY or an extended delay hint. The
|
|
|
|
|
* caller may assume that the CPU has been yielded if necessary,
|
|
|
|
|
* and that an appropriate delay for @status has elapsed.
|
|
|
|
|
* Generally the caller should reattempt the RTAS call which
|
|
|
|
|
* yielded @status.
|
|
|
|
|
*
|
|
|
|
|
* * false - @status is not @RTAS_BUSY nor an extended delay hint. The
|
|
|
|
|
* caller is responsible for handling @status.
|
|
|
|
|
*/
|
|
|
|
|
bool rtas_busy_delay(int status)
|
2006-06-05 21:31:48 +00:00
|
|
|
{
|
|
|
|
|
unsigned int ms;
|
powerpc/rtas: rtas_busy_delay() improvements
Generally RTAS cannot block, and in PAPR it is required to return control
to the OS within a few tens of microseconds. In order to support operations
which may take longer to complete, many RTAS primitives can return
intermediate -2 ("busy") or 990x ("extended delay") values, which indicate
that the OS should reattempt the same call with the same arguments at some
point in the future.
Current versions of PAPR are less than clear about this, but the intended
meanings of these values in more detail are:
RTAS_BUSY (-2): RTAS has suspended a potentially long-running operation in
order to meet its latency obligation and give the OS the opportunity to
perform other work. RTAS can resume making progress as soon as the OS
reattempts the call.
RTAS_EXTENDED_DELAY_{MIN...MAX} (9900-9905): RTAS must wait for an external
event to occur or for internal contention to resolve before it can complete
the requested operation. The value encodes a non-binding hint as to roughly
how long the OS should wait before calling again, but the OS is allowed to
reattempt the call sooner or even immediately.
Linux of course must take its own CPU scheduling obligations into account
when handling these statuses; e.g. a task which receives an RTAS_BUSY
status should check whether to reschedule before it attempts the RTAS call
again to avoid starving other tasks.
rtas_busy_delay() is a helper function that "consumes" a busy or extended
delay status. Common usage:
int rc;
do {
rc = rtas_call(rtas_token("some-function"), ...);
} while (rtas_busy_delay(rc));
/* convert rc to Linux error value, etc */
If rc is a busy or extended delay status, the caller can rely on
rtas_busy_delay() to perform an appropriate sleep or reschedule and return
nonzero. Other statuses are handled normally by the caller.
The current implementation of rtas_busy_delay() both oversleeps and
overuses the CPU:
* It performs msleep() for all 990x and even when no delay is
suggested (-2), but this is understood to actually sleep for two jiffies
minimum in practice (20ms with HZ=100). 9900 (1ms) and 9901 (10ms)
appear to be the most common extended delay statuses, and the
oversleeping measurably lengthens DLPAR operations, which perform
many RTAS calls.
* It does not sleep on 990x unless need_resched() is true, causing code
like the loop above to needlessly retry, wasting CPU time.
Alter the logic to align better with the intended meanings:
* When passed RTAS_BUSY, perform cond_resched() and return without
sleeping. The caller should reattempt immediately
* Always sleep when passed an extended delay status, using usleep_range()
for precise shorter sleeps. Limit the sleep time to one second even
though there are higher architected values.
Change rtas_busy_delay()'s return type to bool to better reflect its usage,
and add kernel-doc.
rtas_busy_delay_time() is unchanged, even though it "incorrectly" returns 1
for RTAS_BUSY. There are users of that API with open-coded delay loops in
sensitive contexts that will have to be taken on an individual basis.
Brief results for addition and removal of 5GB memory on a small P9 PowerVM
partition follow. Load was generated with stress-ng --cpu N. For add,
elapsed time is greatly reduced without significant change in the number of
RTAS calls or time spent on CPU. For remove, elapsed time is modestly
reduced, with significant reductions in RTAS calls and time spent on CPU.
With no competing workload (- before, + after):
Performance counter stats for 'bash -c echo "memory add count 20" > /sys/kernel/dlpar' (10 runs):
- 1,935 probe:rtas_call # 0.003 M/sec ( +- 0.22% )
- 609.99 msec task-clock # 0.183 CPUs utilized ( +- 0.19% )
+ 1,956 probe:rtas_call # 0.003 M/sec ( +- 0.17% )
+ 618.56 msec task-clock # 0.278 CPUs utilized ( +- 0.11% )
- 3.3322 +- 0.0670 seconds time elapsed ( +- 2.01% )
+ 2.2222 +- 0.0416 seconds time elapsed ( +- 1.87% )
Performance counter stats for 'bash -c echo "memory remove count 20" > /sys/kernel/dlpar' (10 runs):
- 6,224 probe:rtas_call # 0.008 M/sec ( +- 2.57% )
- 750.36 msec task-clock # 0.190 CPUs utilized ( +- 2.01% )
+ 843 probe:rtas_call # 0.003 M/sec ( +- 0.12% )
+ 250.66 msec task-clock # 0.068 CPUs utilized ( +- 0.17% )
- 3.9394 +- 0.0890 seconds time elapsed ( +- 2.26% )
+ 3.678 +- 0.113 seconds time elapsed ( +- 3.07% )
With all CPUs 100% busy (- before, + after):
Performance counter stats for 'bash -c echo "memory add count 20" > /sys/kernel/dlpar' (10 runs):
- 2,979 probe:rtas_call # 0.003 M/sec ( +- 0.12% )
- 1,096.62 msec task-clock # 0.105 CPUs utilized ( +- 0.10% )
+ 2,981 probe:rtas_call # 0.003 M/sec ( +- 0.22% )
+ 1,095.26 msec task-clock # 0.154 CPUs utilized ( +- 0.21% )
- 10.476 +- 0.104 seconds time elapsed ( +- 1.00% )
+ 7.1124 +- 0.0865 seconds time elapsed ( +- 1.22% )
Performance counter stats for 'bash -c echo "memory remove count 20" > /sys/kernel/dlpar' (10 runs):
- 2,702 probe:rtas_call # 0.004 M/sec ( +- 4.00% )
- 722.71 msec task-clock # 0.067 CPUs utilized ( +- 2.41% )
+ 1,246 probe:rtas_call # 0.003 M/sec ( +- 0.25% )
+ 487.73 msec task-clock # 0.049 CPUs utilized ( +- 0.20% )
- 10.829 +- 0.163 seconds time elapsed ( +- 1.51% )
+ 9.9887 +- 0.0866 seconds time elapsed ( +- 0.87% )
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211117060259.957178-2-nathanl@linux.ibm.com
2021-11-17 06:02:58 +00:00
|
|
|
bool ret;
|
|
|
|
|
|
|
|
|
|
switch (status) {
|
|
|
|
|
case RTAS_EXTENDED_DELAY_MIN...RTAS_EXTENDED_DELAY_MAX:
|
|
|
|
|
ret = true;
|
|
|
|
|
ms = rtas_busy_delay_time(status);
|
|
|
|
|
/*
|
|
|
|
|
* The extended delay hint can be as high as 100 seconds.
|
|
|
|
|
* Surely any function returning such a status is either
|
|
|
|
|
* buggy or isn't going to be significantly slowed by us
|
|
|
|
|
* polling at 1HZ. Clamp the sleep time to one second.
|
|
|
|
|
*/
|
|
|
|
|
ms = clamp(ms, 1U, 1000U);
|
|
|
|
|
/*
|
|
|
|
|
* The delay hint is an order-of-magnitude suggestion, not
|
|
|
|
|
* a minimum. It is fine, possibly even advantageous, for
|
|
|
|
|
* us to pause for less time than hinted. For small values,
|
|
|
|
|
* use usleep_range() to ensure we don't sleep much longer
|
|
|
|
|
* than actually needed.
|
|
|
|
|
*
|
|
|
|
|
* See Documentation/timers/timers-howto.rst for
|
|
|
|
|
* explanation of the threshold used here. In effect we use
|
|
|
|
|
* usleep_range() for 9900 and 9901, msleep() for
|
|
|
|
|
* 9902-9905.
|
|
|
|
|
*/
|
|
|
|
|
if (ms <= 20)
|
|
|
|
|
usleep_range(ms * 100, ms * 1000);
|
|
|
|
|
else
|
|
|
|
|
msleep(ms);
|
|
|
|
|
break;
|
|
|
|
|
case RTAS_BUSY:
|
|
|
|
|
ret = true;
|
|
|
|
|
/*
|
|
|
|
|
* We should call again immediately if there's no other
|
|
|
|
|
* work to do.
|
|
|
|
|
*/
|
|
|
|
|
cond_resched();
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
ret = false;
|
|
|
|
|
/*
|
|
|
|
|
* Not a busy or extended delay status; the caller should
|
|
|
|
|
* handle @status itself. Ensure we warn on misuses in
|
|
|
|
|
* atomic context regardless.
|
|
|
|
|
*/
|
|
|
|
|
might_sleep();
|
|
|
|
|
break;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
powerpc/rtas: rtas_busy_delay() improvements
Generally RTAS cannot block, and in PAPR it is required to return control
to the OS within a few tens of microseconds. In order to support operations
which may take longer to complete, many RTAS primitives can return
intermediate -2 ("busy") or 990x ("extended delay") values, which indicate
that the OS should reattempt the same call with the same arguments at some
point in the future.
Current versions of PAPR are less than clear about this, but the intended
meanings of these values in more detail are:
RTAS_BUSY (-2): RTAS has suspended a potentially long-running operation in
order to meet its latency obligation and give the OS the opportunity to
perform other work. RTAS can resume making progress as soon as the OS
reattempts the call.
RTAS_EXTENDED_DELAY_{MIN...MAX} (9900-9905): RTAS must wait for an external
event to occur or for internal contention to resolve before it can complete
the requested operation. The value encodes a non-binding hint as to roughly
how long the OS should wait before calling again, but the OS is allowed to
reattempt the call sooner or even immediately.
Linux of course must take its own CPU scheduling obligations into account
when handling these statuses; e.g. a task which receives an RTAS_BUSY
status should check whether to reschedule before it attempts the RTAS call
again to avoid starving other tasks.
rtas_busy_delay() is a helper function that "consumes" a busy or extended
delay status. Common usage:
int rc;
do {
rc = rtas_call(rtas_token("some-function"), ...);
} while (rtas_busy_delay(rc));
/* convert rc to Linux error value, etc */
If rc is a busy or extended delay status, the caller can rely on
rtas_busy_delay() to perform an appropriate sleep or reschedule and return
nonzero. Other statuses are handled normally by the caller.
The current implementation of rtas_busy_delay() both oversleeps and
overuses the CPU:
* It performs msleep() for all 990x and even when no delay is
suggested (-2), but this is understood to actually sleep for two jiffies
minimum in practice (20ms with HZ=100). 9900 (1ms) and 9901 (10ms)
appear to be the most common extended delay statuses, and the
oversleeping measurably lengthens DLPAR operations, which perform
many RTAS calls.
* It does not sleep on 990x unless need_resched() is true, causing code
like the loop above to needlessly retry, wasting CPU time.
Alter the logic to align better with the intended meanings:
* When passed RTAS_BUSY, perform cond_resched() and return without
sleeping. The caller should reattempt immediately
* Always sleep when passed an extended delay status, using usleep_range()
for precise shorter sleeps. Limit the sleep time to one second even
though there are higher architected values.
Change rtas_busy_delay()'s return type to bool to better reflect its usage,
and add kernel-doc.
rtas_busy_delay_time() is unchanged, even though it "incorrectly" returns 1
for RTAS_BUSY. There are users of that API with open-coded delay loops in
sensitive contexts that will have to be taken on an individual basis.
Brief results for addition and removal of 5GB memory on a small P9 PowerVM
partition follow. Load was generated with stress-ng --cpu N. For add,
elapsed time is greatly reduced without significant change in the number of
RTAS calls or time spent on CPU. For remove, elapsed time is modestly
reduced, with significant reductions in RTAS calls and time spent on CPU.
With no competing workload (- before, + after):
Performance counter stats for 'bash -c echo "memory add count 20" > /sys/kernel/dlpar' (10 runs):
- 1,935 probe:rtas_call # 0.003 M/sec ( +- 0.22% )
- 609.99 msec task-clock # 0.183 CPUs utilized ( +- 0.19% )
+ 1,956 probe:rtas_call # 0.003 M/sec ( +- 0.17% )
+ 618.56 msec task-clock # 0.278 CPUs utilized ( +- 0.11% )
- 3.3322 +- 0.0670 seconds time elapsed ( +- 2.01% )
+ 2.2222 +- 0.0416 seconds time elapsed ( +- 1.87% )
Performance counter stats for 'bash -c echo "memory remove count 20" > /sys/kernel/dlpar' (10 runs):
- 6,224 probe:rtas_call # 0.008 M/sec ( +- 2.57% )
- 750.36 msec task-clock # 0.190 CPUs utilized ( +- 2.01% )
+ 843 probe:rtas_call # 0.003 M/sec ( +- 0.12% )
+ 250.66 msec task-clock # 0.068 CPUs utilized ( +- 0.17% )
- 3.9394 +- 0.0890 seconds time elapsed ( +- 2.26% )
+ 3.678 +- 0.113 seconds time elapsed ( +- 3.07% )
With all CPUs 100% busy (- before, + after):
Performance counter stats for 'bash -c echo "memory add count 20" > /sys/kernel/dlpar' (10 runs):
- 2,979 probe:rtas_call # 0.003 M/sec ( +- 0.12% )
- 1,096.62 msec task-clock # 0.105 CPUs utilized ( +- 0.10% )
+ 2,981 probe:rtas_call # 0.003 M/sec ( +- 0.22% )
+ 1,095.26 msec task-clock # 0.154 CPUs utilized ( +- 0.21% )
- 10.476 +- 0.104 seconds time elapsed ( +- 1.00% )
+ 7.1124 +- 0.0865 seconds time elapsed ( +- 1.22% )
Performance counter stats for 'bash -c echo "memory remove count 20" > /sys/kernel/dlpar' (10 runs):
- 2,702 probe:rtas_call # 0.004 M/sec ( +- 4.00% )
- 722.71 msec task-clock # 0.067 CPUs utilized ( +- 2.41% )
+ 1,246 probe:rtas_call # 0.003 M/sec ( +- 0.25% )
+ 487.73 msec task-clock # 0.049 CPUs utilized ( +- 0.20% )
- 10.829 +- 0.163 seconds time elapsed ( +- 1.51% )
+ 9.9887 +- 0.0866 seconds time elapsed ( +- 0.87% )
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211117060259.957178-2-nathanl@linux.ibm.com
2021-11-17 06:02:58 +00:00
|
|
|
return ret;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_busy_delay);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-05-08 04:27:19 +00:00
|
|
|
static int rtas_error_rc(int rtas_rc)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
switch (rtas_rc) {
|
|
|
|
|
case -1: /* Hardware Error */
|
|
|
|
|
rc = -EIO;
|
|
|
|
|
break;
|
|
|
|
|
case -3: /* Bad indicator/domain/etc */
|
|
|
|
|
rc = -EINVAL;
|
|
|
|
|
break;
|
|
|
|
|
case -9000: /* Isolation error */
|
|
|
|
|
rc = -EFAULT;
|
|
|
|
|
break;
|
|
|
|
|
case -9001: /* Outstanding TCE/PTE */
|
|
|
|
|
rc = -EEXIST;
|
|
|
|
|
break;
|
|
|
|
|
case -9002: /* No usable slot */
|
|
|
|
|
rc = -ENODEV;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
printk(KERN_ERR "%s: unexpected RTAS error %d\n",
|
2008-03-28 21:21:07 +00:00
|
|
|
__func__, rtas_rc);
|
2005-04-16 22:20:36 +00:00
|
|
|
rc = -ERANGE;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int rtas_get_power_level(int powerdomain, int *level)
|
|
|
|
|
{
|
|
|
|
|
int token = rtas_token("get-power-level");
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
if (token == RTAS_UNKNOWN_SERVICE)
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
|
|
while ((rc = rtas_call(token, 1, 2, level, powerdomain)) == RTAS_BUSY)
|
|
|
|
|
udelay(1);
|
|
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
return rtas_error_rc(rc);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_get_power_level);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
int rtas_set_power_level(int powerdomain, int level, int *setlevel)
|
|
|
|
|
{
|
|
|
|
|
int token = rtas_token("set-power-level");
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
if (token == RTAS_UNKNOWN_SERVICE)
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
2006-06-05 21:31:48 +00:00
|
|
|
do {
|
2005-04-16 22:20:36 +00:00
|
|
|
rc = rtas_call(token, 2, 2, setlevel, powerdomain, level);
|
2006-06-05 21:31:48 +00:00
|
|
|
} while (rtas_busy_delay(rc));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
return rtas_error_rc(rc);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_set_power_level);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
int rtas_get_sensor(int sensor, int index, int *state)
|
|
|
|
|
{
|
|
|
|
|
int token = rtas_token("get-sensor-state");
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
if (token == RTAS_UNKNOWN_SERVICE)
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
2006-06-05 21:31:48 +00:00
|
|
|
do {
|
2005-04-16 22:20:36 +00:00
|
|
|
rc = rtas_call(token, 2, 2, state, sensor, index);
|
2006-06-05 21:31:48 +00:00
|
|
|
} while (rtas_busy_delay(rc));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
return rtas_error_rc(rc);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_get_sensor);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2015-07-17 10:46:58 +00:00
|
|
|
int rtas_get_sensor_fast(int sensor, int index, int *state)
|
|
|
|
|
{
|
|
|
|
|
int token = rtas_token("get-sensor-state");
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
if (token == RTAS_UNKNOWN_SERVICE)
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
|
|
rc = rtas_call(token, 2, 2, state, sensor, index);
|
|
|
|
|
WARN_ON(rc == RTAS_BUSY || (rc >= RTAS_EXTENDED_DELAY_MIN &&
|
|
|
|
|
rc <= RTAS_EXTENDED_DELAY_MAX));
|
|
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
return rtas_error_rc(rc);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-11 09:14:25 +00:00
|
|
|
bool rtas_indicator_present(int token, int *maxindex)
|
|
|
|
|
{
|
|
|
|
|
int proplen, count, i;
|
|
|
|
|
const struct indicator_elem {
|
2013-08-06 16:01:29 +00:00
|
|
|
__be32 token;
|
|
|
|
|
__be32 maxindex;
|
2008-12-11 09:14:25 +00:00
|
|
|
} *indicators;
|
|
|
|
|
|
|
|
|
|
indicators = of_get_property(rtas.dev, "rtas-indicators", &proplen);
|
|
|
|
|
if (!indicators)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
count = proplen / sizeof(struct indicator_elem);
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++) {
|
2013-08-06 16:01:29 +00:00
|
|
|
if (__be32_to_cpu(indicators[i].token) != token)
|
2008-12-11 09:14:25 +00:00
|
|
|
continue;
|
|
|
|
|
if (maxindex)
|
2013-08-06 16:01:29 +00:00
|
|
|
*maxindex = __be32_to_cpu(indicators[i].maxindex);
|
2008-12-11 09:14:25 +00:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(rtas_indicator_present);
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
int rtas_set_indicator(int indicator, int index, int new_value)
|
|
|
|
|
{
|
|
|
|
|
int token = rtas_token("set-indicator");
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
if (token == RTAS_UNKNOWN_SERVICE)
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
2006-06-05 21:31:48 +00:00
|
|
|
do {
|
2005-04-16 22:20:36 +00:00
|
|
|
rc = rtas_call(token, 3, 1, NULL, indicator, index, new_value);
|
2006-06-05 21:31:48 +00:00
|
|
|
} while (rtas_busy_delay(rc));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
return rtas_error_rc(rc);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2006-06-23 08:20:11 +00:00
|
|
|
EXPORT_SYMBOL(rtas_set_indicator);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-07-27 21:29:00 +00:00
|
|
|
/*
|
|
|
|
|
* Ignoring RTAS extended delay
|
|
|
|
|
*/
|
|
|
|
|
int rtas_set_indicator_fast(int indicator, int index, int new_value)
|
|
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
int token = rtas_token("set-indicator");
|
|
|
|
|
|
|
|
|
|
if (token == RTAS_UNKNOWN_SERVICE)
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
|
|
rc = rtas_call(token, 3, 1, NULL, indicator, index, new_value);
|
|
|
|
|
|
2015-07-22 16:56:47 +00:00
|
|
|
WARN_ON(rc == RTAS_BUSY || (rc >= RTAS_EXTENDED_DELAY_MIN &&
|
|
|
|
|
rc <= RTAS_EXTENDED_DELAY_MAX));
|
2006-07-27 21:29:00 +00:00
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
return rtas_error_rc(rc);
|
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-07 21:51:36 +00:00
|
|
|
/**
|
|
|
|
|
* rtas_ibm_suspend_me() - Call ibm,suspend-me to suspend the LPAR.
|
|
|
|
|
*
|
|
|
|
|
* @fw_status: RTAS call status will be placed here if not NULL.
|
|
|
|
|
*
|
|
|
|
|
* rtas_ibm_suspend_me() should be called only on a CPU which has
|
|
|
|
|
* received H_CONTINUE from the H_JOIN hcall. All other active CPUs
|
|
|
|
|
* should be waiting to return from H_JOIN.
|
|
|
|
|
*
|
|
|
|
|
* rtas_ibm_suspend_me() may suspend execution of the OS
|
|
|
|
|
* indefinitely. Callers should take appropriate measures upon return, such as
|
|
|
|
|
* resetting watchdog facilities.
|
|
|
|
|
*
|
|
|
|
|
* Callers may choose to retry this call if @fw_status is
|
|
|
|
|
* %RTAS_THREADS_ACTIVE.
|
|
|
|
|
*
|
|
|
|
|
* Return:
|
|
|
|
|
* 0 - The partition has resumed from suspend, possibly after
|
|
|
|
|
* migration to a different host.
|
|
|
|
|
* -ECANCELED - The operation was aborted.
|
|
|
|
|
* -EAGAIN - There were other CPUs not in H_JOIN at the time of the call.
|
|
|
|
|
* -EBUSY - Some other condition prevented the suspend from succeeding.
|
|
|
|
|
* -EIO - Hardware/platform error.
|
|
|
|
|
*/
|
|
|
|
|
int rtas_ibm_suspend_me(int *fw_status)
|
|
|
|
|
{
|
|
|
|
|
int fwrc;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
fwrc = rtas_call(rtas_token("ibm,suspend-me"), 0, 1, NULL);
|
|
|
|
|
|
|
|
|
|
switch (fwrc) {
|
|
|
|
|
case 0:
|
|
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
case RTAS_SUSPEND_ABORTED:
|
|
|
|
|
ret = -ECANCELED;
|
|
|
|
|
break;
|
|
|
|
|
case RTAS_THREADS_ACTIVE:
|
|
|
|
|
ret = -EAGAIN;
|
|
|
|
|
break;
|
|
|
|
|
case RTAS_NOT_SUSPENDABLE:
|
|
|
|
|
case RTAS_OUTSTANDING_COPROC:
|
|
|
|
|
ret = -EBUSY;
|
|
|
|
|
break;
|
|
|
|
|
case -1:
|
|
|
|
|
default:
|
|
|
|
|
ret = -EIO;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (fw_status)
|
|
|
|
|
*fw_status = fwrc;
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2016-07-12 00:54:52 +00:00
|
|
|
void __noreturn rtas_restart(char *cmd)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2005-11-03 03:41:19 +00:00
|
|
|
if (rtas_flash_term_hook)
|
|
|
|
|
rtas_flash_term_hook(SYS_RESTART);
|
2005-04-16 22:20:36 +00:00
|
|
|
printk("RTAS system-reboot returned %d\n",
|
|
|
|
|
rtas_call(rtas_token("system-reboot"), 0, 1, NULL));
|
|
|
|
|
for (;;);
|
|
|
|
|
}
|
|
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
void rtas_power_off(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2005-11-03 03:41:19 +00:00
|
|
|
if (rtas_flash_term_hook)
|
|
|
|
|
rtas_flash_term_hook(SYS_POWER_OFF);
|
2005-04-16 22:20:36 +00:00
|
|
|
/* allow power on only with power button press */
|
|
|
|
|
printk("RTAS power-off returned %d\n",
|
|
|
|
|
rtas_call(rtas_token("power-off"), 2, 1, NULL, -1, -1));
|
|
|
|
|
for (;;);
|
|
|
|
|
}
|
|
|
|
|
|
2016-07-12 00:54:52 +00:00
|
|
|
void __noreturn rtas_halt(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2005-11-03 03:41:19 +00:00
|
|
|
if (rtas_flash_term_hook)
|
|
|
|
|
rtas_flash_term_hook(SYS_HALT);
|
|
|
|
|
/* allow power on only with power button press */
|
|
|
|
|
printk("RTAS power-off returned %d\n",
|
|
|
|
|
rtas_call(rtas_token("power-off"), 2, 1, NULL, -1, -1));
|
|
|
|
|
for (;;);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Must be in the RMO region, so we place it here */
|
|
|
|
|
static char rtas_os_term_buf[2048];
|
|
|
|
|
|
2007-12-02 22:30:04 +00:00
|
|
|
void rtas_os_term(char *str)
|
2007-11-20 01:28:15 +00:00
|
|
|
{
|
|
|
|
|
int status;
|
2006-08-21 16:11:32 +00:00
|
|
|
|
powerpc/pseries: Call ibm,os-term if the ibm,extended-os-term is present
We have had issues in the past with ibm,os-term initiating shutdown of a
partition. This is confusing to the user, especially if panic_timeout is
non zero.
The temporary fix was to avoid calling ibm,os-term if a panic_timeout was set
and since we set it on every boot we basically never call ibm,os-term.
An extended version of ibm,os-term has since been implemented which gives us
the behaviour we want:
"When the platform supports extended ibm,os-term behavior, the return to the
RTAS will always occur unless there is a kernel assisted dump active as
initiated by an ibm,configure-kernel-dump call."
This patch checks for the ibm,extended-os-term property and calls ibm,os-term
if it exists.
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2010-02-18 12:11:51 +00:00
|
|
|
/*
|
|
|
|
|
* Firmware with the ibm,extended-os-term property is guaranteed
|
|
|
|
|
* to always return from an ibm,os-term call. Earlier versions without
|
|
|
|
|
* this property may terminate the partition which we want to avoid
|
|
|
|
|
* since it interferes with panic_timeout.
|
|
|
|
|
*/
|
|
|
|
|
if (RTAS_UNKNOWN_SERVICE == rtas_token("ibm,os-term") ||
|
|
|
|
|
RTAS_UNKNOWN_SERVICE == rtas_token("ibm,extended-os-term"))
|
2005-04-16 22:20:36 +00:00
|
|
|
return;
|
|
|
|
|
|
2007-12-02 22:30:04 +00:00
|
|
|
snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str);
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
do {
|
|
|
|
|
status = rtas_call(rtas_token("ibm,os-term"), 1, 1, NULL,
|
|
|
|
|
__pa(rtas_os_term_buf));
|
2006-06-05 21:31:48 +00:00
|
|
|
} while (rtas_busy_delay(status));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-06-05 21:31:48 +00:00
|
|
|
if (status != 0)
|
powerpc/pseries: Call ibm,os-term if the ibm,extended-os-term is present
We have had issues in the past with ibm,os-term initiating shutdown of a
partition. This is confusing to the user, especially if panic_timeout is
non zero.
The temporary fix was to avoid calling ibm,os-term if a panic_timeout was set
and since we set it on every boot we basically never call ibm,os-term.
An extended version of ibm,os-term has since been implemented which gives us
the behaviour we want:
"When the platform supports extended ibm,os-term behavior, the return to the
RTAS will always occur unless there is a kernel assisted dump active as
initiated by an ibm,configure-kernel-dump call."
This patch checks for the ibm,extended-os-term property and calls ibm,os-term
if it exists.
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2010-02-18 12:11:51 +00:00
|
|
|
printk(KERN_EMERG "ibm,os-term call failed %d\n", status);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-07 21:51:37 +00:00
|
|
|
/**
|
|
|
|
|
* rtas_activate_firmware() - Activate a new version of firmware.
|
|
|
|
|
*
|
2021-11-16 21:58:06 +00:00
|
|
|
* Context: This function may sleep.
|
|
|
|
|
*
|
2020-12-07 21:51:37 +00:00
|
|
|
* Activate a new version of partition firmware. The OS must call this
|
|
|
|
|
* after resuming from a partition hibernation or migration in order
|
|
|
|
|
* to maintain the ability to perform live firmware updates. It's not
|
|
|
|
|
* catastrophic for this method to be absent or to fail; just log the
|
|
|
|
|
* condition in that case.
|
|
|
|
|
*/
|
|
|
|
|
void rtas_activate_firmware(void)
|
|
|
|
|
{
|
|
|
|
|
int token;
|
|
|
|
|
int fwrc;
|
|
|
|
|
|
|
|
|
|
token = rtas_token("ibm,activate-firmware");
|
|
|
|
|
if (token == RTAS_UNKNOWN_SERVICE) {
|
|
|
|
|
pr_notice("ibm,activate-firmware method unavailable\n");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
fwrc = rtas_call(token, 0, 1, NULL);
|
|
|
|
|
} while (rtas_busy_delay(fwrc));
|
|
|
|
|
|
|
|
|
|
if (fwrc)
|
|
|
|
|
pr_err("ibm,activate-firmware failed (%i)\n", fwrc);
|
|
|
|
|
}
|
|
|
|
|
|
2012-03-21 15:47:07 +00:00
|
|
|
/**
|
2021-11-16 21:58:06 +00:00
|
|
|
* get_pseries_errorlog() - Find a specific pseries error log in an RTAS
|
|
|
|
|
* extended event log.
|
2012-03-21 15:47:07 +00:00
|
|
|
* @log: RTAS error/event log
|
|
|
|
|
* @section_id: two character section identifier
|
|
|
|
|
*
|
2021-11-16 21:58:06 +00:00
|
|
|
* Return: A pointer to the specified errorlog or NULL if not found.
|
2012-03-21 15:47:07 +00:00
|
|
|
*/
|
2022-05-19 07:45:21 +00:00
|
|
|
noinstr struct pseries_errorlog *get_pseries_errorlog(struct rtas_error_log *log,
|
|
|
|
|
uint16_t section_id)
|
2012-03-21 15:47:07 +00:00
|
|
|
{
|
|
|
|
|
struct rtas_ext_event_log_v6 *ext_log =
|
|
|
|
|
(struct rtas_ext_event_log_v6 *)log->buffer;
|
|
|
|
|
struct pseries_errorlog *sect;
|
|
|
|
|
unsigned char *p, *log_end;
|
2014-04-04 07:35:13 +00:00
|
|
|
uint32_t ext_log_length = rtas_error_extended_log_length(log);
|
|
|
|
|
uint8_t log_format = rtas_ext_event_log_format(ext_log);
|
|
|
|
|
uint32_t company_id = rtas_ext_event_company_id(ext_log);
|
2012-03-21 15:47:07 +00:00
|
|
|
|
|
|
|
|
/* Check that we understand the format */
|
2014-04-04 07:35:13 +00:00
|
|
|
if (ext_log_length < sizeof(struct rtas_ext_event_log_v6) ||
|
|
|
|
|
log_format != RTAS_V6EXT_LOG_FORMAT_EVENT_LOG ||
|
|
|
|
|
company_id != RTAS_V6EXT_COMPANY_ID_IBM)
|
2012-03-21 15:47:07 +00:00
|
|
|
return NULL;
|
|
|
|
|
|
2014-04-04 07:35:13 +00:00
|
|
|
log_end = log->buffer + ext_log_length;
|
2012-03-21 15:47:07 +00:00
|
|
|
p = ext_log->vendor_log;
|
|
|
|
|
|
|
|
|
|
while (p < log_end) {
|
|
|
|
|
sect = (struct pseries_errorlog *)p;
|
2014-04-04 07:35:13 +00:00
|
|
|
if (pseries_errorlog_id(sect) == section_id)
|
2012-03-21 15:47:07 +00:00
|
|
|
return sect;
|
2014-04-04 07:35:13 +00:00
|
|
|
p += pseries_errorlog_length(sect);
|
2012-03-21 15:47:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
#ifdef CONFIG_PPC_RTAS_FILTER
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The sys_rtas syscall, as originally designed, allows root to pass
|
|
|
|
|
* arbitrary physical addresses to RTAS calls. A number of RTAS calls
|
|
|
|
|
* can be abused to write to arbitrary memory and do other things that
|
|
|
|
|
* are potentially harmful to system integrity, and thus should only
|
|
|
|
|
* be used inside the kernel and not exposed to userspace.
|
|
|
|
|
*
|
|
|
|
|
* All known legitimate users of the sys_rtas syscall will only ever
|
|
|
|
|
* pass addresses that fall within the RMO buffer, and use a known
|
|
|
|
|
* subset of RTAS calls.
|
|
|
|
|
*
|
|
|
|
|
* Accordingly, we filter RTAS requests to check that the call is
|
|
|
|
|
* permitted, and that provided pointers fall within the RMO buffer.
|
|
|
|
|
* The rtas_filters list contains an entry for each permitted call,
|
|
|
|
|
* with the indexes of the parameters which are expected to contain
|
|
|
|
|
* addresses and sizes of buffers allocated inside the RMO buffer.
|
|
|
|
|
*/
|
|
|
|
|
struct rtas_filter {
|
|
|
|
|
const char *name;
|
|
|
|
|
int token;
|
|
|
|
|
/* Indexes into the args buffer, -1 if not used */
|
|
|
|
|
int buf_idx1;
|
|
|
|
|
int size_idx1;
|
|
|
|
|
int buf_idx2;
|
|
|
|
|
int size_idx2;
|
|
|
|
|
|
|
|
|
|
int fixed_size;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct rtas_filter rtas_filters[] __ro_after_init = {
|
|
|
|
|
{ "ibm,activate-firmware", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "ibm,configure-connector", -1, 0, -1, 1, -1, 4096 }, /* Special cased */
|
|
|
|
|
{ "display-character", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "ibm,display-message", -1, 0, -1, -1, -1 },
|
|
|
|
|
{ "ibm,errinjct", -1, 2, -1, -1, -1, 1024 },
|
|
|
|
|
{ "ibm,close-errinjct", -1, -1, -1, -1, -1 },
|
2020-12-08 19:54:34 +00:00
|
|
|
{ "ibm,open-errinjct", -1, -1, -1, -1, -1 },
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
{ "ibm,get-config-addr-info2", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "ibm,get-dynamic-sensor-state", -1, 1, -1, -1, -1 },
|
|
|
|
|
{ "ibm,get-indices", -1, 2, 3, -1, -1 },
|
|
|
|
|
{ "get-power-level", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "get-sensor-state", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "ibm,get-system-parameter", -1, 1, 2, -1, -1 },
|
|
|
|
|
{ "get-time-of-day", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "ibm,get-vpd", -1, 0, -1, 1, 2 },
|
|
|
|
|
{ "ibm,lpar-perftools", -1, 2, 3, -1, -1 },
|
2022-06-14 13:49:52 +00:00
|
|
|
{ "ibm,platform-dump", -1, 4, 5, -1, -1 }, /* Special cased */
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
{ "ibm,read-slot-reset-state", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "ibm,scan-log-dump", -1, 0, 1, -1, -1 },
|
|
|
|
|
{ "ibm,set-dynamic-indicator", -1, 2, -1, -1, -1 },
|
|
|
|
|
{ "ibm,set-eeh-option", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "set-indicator", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "set-power-level", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "set-time-for-power-on", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "ibm,set-system-parameter", -1, 1, -1, -1, -1 },
|
|
|
|
|
{ "set-time-of-day", -1, -1, -1, -1, -1 },
|
powerpc/rtas: prevent suspend-related sys_rtas use on LE
While drmgr has had work in some areas to make its RTAS syscall
interactions endian-neutral, its code for performing partition
migration via the syscall has never worked on LE. While it is able to
complete ibm,suspend-me successfully, it crashes when attempting the
subsequent ibm,update-nodes call.
drmgr is the only known (or plausible) user of ibm,suspend-me,
ibm,update-nodes, and ibm,update-properties, so allow them only in
big-endian configurations.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20201207215200.1785968-2-nathanl@linux.ibm.com
2020-12-07 21:51:33 +00:00
|
|
|
#ifdef CONFIG_CPU_BIG_ENDIAN
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
{ "ibm,suspend-me", -1, -1, -1, -1, -1 },
|
|
|
|
|
{ "ibm,update-nodes", -1, 0, -1, -1, -1, 4096 },
|
|
|
|
|
{ "ibm,update-properties", -1, 0, -1, -1, -1, 4096 },
|
powerpc/rtas: prevent suspend-related sys_rtas use on LE
While drmgr has had work in some areas to make its RTAS syscall
interactions endian-neutral, its code for performing partition
migration via the syscall has never worked on LE. While it is able to
complete ibm,suspend-me successfully, it crashes when attempting the
subsequent ibm,update-nodes call.
drmgr is the only known (or plausible) user of ibm,suspend-me,
ibm,update-nodes, and ibm,update-properties, so allow them only in
big-endian configurations.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20201207215200.1785968-2-nathanl@linux.ibm.com
2020-12-07 21:51:33 +00:00
|
|
|
#endif
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
{ "ibm,physical-attestation", -1, 0, 1, -1, -1 },
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static bool in_rmo_buf(u32 base, u32 end)
|
|
|
|
|
{
|
|
|
|
|
return base >= rtas_rmo_buf &&
|
2021-04-08 14:06:30 +00:00
|
|
|
base < (rtas_rmo_buf + RTAS_USER_REGION_SIZE) &&
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
base <= end &&
|
|
|
|
|
end >= rtas_rmo_buf &&
|
2021-04-08 14:06:30 +00:00
|
|
|
end < (rtas_rmo_buf + RTAS_USER_REGION_SIZE);
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool block_rtas_call(int token, int nargs,
|
|
|
|
|
struct rtas_args *args)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < ARRAY_SIZE(rtas_filters); i++) {
|
|
|
|
|
struct rtas_filter *f = &rtas_filters[i];
|
|
|
|
|
u32 base, size, end;
|
|
|
|
|
|
|
|
|
|
if (token != f->token)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (f->buf_idx1 != -1) {
|
|
|
|
|
base = be32_to_cpu(args->args[f->buf_idx1]);
|
|
|
|
|
if (f->size_idx1 != -1)
|
|
|
|
|
size = be32_to_cpu(args->args[f->size_idx1]);
|
|
|
|
|
else if (f->fixed_size)
|
|
|
|
|
size = f->fixed_size;
|
|
|
|
|
else
|
|
|
|
|
size = 1;
|
|
|
|
|
|
|
|
|
|
end = base + size - 1;
|
2022-06-14 13:49:52 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Special case for ibm,platform-dump - NULL buffer
|
|
|
|
|
* address is used to indicate end of dump processing
|
|
|
|
|
*/
|
|
|
|
|
if (!strcmp(f->name, "ibm,platform-dump") &&
|
|
|
|
|
base == 0)
|
|
|
|
|
return false;
|
|
|
|
|
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
if (!in_rmo_buf(base, end))
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (f->buf_idx2 != -1) {
|
|
|
|
|
base = be32_to_cpu(args->args[f->buf_idx2]);
|
|
|
|
|
if (f->size_idx2 != -1)
|
|
|
|
|
size = be32_to_cpu(args->args[f->size_idx2]);
|
|
|
|
|
else if (f->fixed_size)
|
|
|
|
|
size = f->fixed_size;
|
|
|
|
|
else
|
|
|
|
|
size = 1;
|
|
|
|
|
end = base + size - 1;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Special case for ibm,configure-connector where the
|
|
|
|
|
* address can be 0
|
|
|
|
|
*/
|
|
|
|
|
if (!strcmp(f->name, "ibm,configure-connector") &&
|
|
|
|
|
base == 0)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (!in_rmo_buf(base, end))
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
pr_err_ratelimited("sys_rtas: RTAS call blocked - exploit attempt?\n");
|
|
|
|
|
pr_err_ratelimited("sys_rtas: token=0x%x, nargs=%d (called by %s)\n",
|
|
|
|
|
token, nargs, current->comm);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-08 14:06:29 +00:00
|
|
|
static void __init rtas_syscall_filter_init(void)
|
|
|
|
|
{
|
|
|
|
|
unsigned int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < ARRAY_SIZE(rtas_filters); i++)
|
|
|
|
|
rtas_filters[i].token = rtas_token(rtas_filters[i].name);
|
|
|
|
|
}
|
|
|
|
|
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
#else
|
|
|
|
|
|
|
|
|
|
static bool block_rtas_call(int token, int nargs,
|
|
|
|
|
struct rtas_args *args)
|
|
|
|
|
{
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-08 14:06:29 +00:00
|
|
|
static void __init rtas_syscall_filter_init(void)
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
#endif /* CONFIG_PPC_RTAS_FILTER */
|
|
|
|
|
|
2014-03-19 16:02:51 +00:00
|
|
|
/* We assume to be passed big endian arguments */
|
2018-05-02 13:20:48 +00:00
|
|
|
SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct rtas_args args;
|
|
|
|
|
unsigned long flags;
|
2005-10-26 07:05:24 +00:00
|
|
|
char *buff_copy, *errbuf = NULL;
|
2014-03-19 16:02:51 +00:00
|
|
|
int nargs, nret, token;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
2015-10-16 10:23:29 +00:00
|
|
|
if (!rtas.entry)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (copy_from_user(&args, uargs, 3 * sizeof(u32)) != 0)
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
2014-03-19 16:02:51 +00:00
|
|
|
nargs = be32_to_cpu(args.nargs);
|
|
|
|
|
nret = be32_to_cpu(args.nret);
|
|
|
|
|
token = be32_to_cpu(args.token);
|
|
|
|
|
|
2016-03-18 06:36:33 +00:00
|
|
|
if (nargs >= ARRAY_SIZE(args.args)
|
2014-03-19 16:02:51 +00:00
|
|
|
|| nret > ARRAY_SIZE(args.args)
|
|
|
|
|
|| nargs + nret > ARRAY_SIZE(args.args))
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
/* Copy in args. */
|
|
|
|
|
if (copy_from_user(args.args, uargs->args,
|
|
|
|
|
nargs * sizeof(rtas_arg_t)) != 0)
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
2014-03-19 16:02:51 +00:00
|
|
|
if (token == RTAS_UNKNOWN_SERVICE)
|
2006-01-14 00:39:24 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
2008-07-30 16:23:27 +00:00
|
|
|
args.rets = &args.args[nargs];
|
2014-03-19 16:02:51 +00:00
|
|
|
memset(args.rets, 0, nret * sizeof(rtas_arg_t));
|
2008-07-30 16:23:27 +00:00
|
|
|
|
powerpc/rtas: Restrict RTAS requests from userspace
A number of userspace utilities depend on making calls to RTAS to retrieve
information and update various things.
The existing API through which we expose RTAS to userspace exposes more
RTAS functionality than we actually need, through the sys_rtas syscall,
which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
want with arbitrary arguments.
Many RTAS calls take the address of a buffer as an argument, and it's up to
the caller to specify the physical address of the buffer as an argument. We
allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
access, and then expose the physical address and size of this buffer in
/proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
the RTAS call.
However, there's nothing stopping the caller from specifying whatever
address they want in the RTAS call, and it's easy to construct a series of
RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
access).
Additionally, there are some RTAS calls that do potentially dangerous
things and for which there are no legitimate userspace use cases.
In the past, this would not have been a particularly big deal as it was
assumed that root could modify all system state freely, but with Secure
Boot and lockdown we need to care about this.
We can't fundamentally change the ABI at this point, however we can address
this by implementing a filter that checks RTAS calls against a list
of permitted calls and forces the caller to use addresses within the RMO
buffer.
The list is based off the list of calls that are used by the librtas
userspace library, and has been tested with a number of existing userspace
RTAS utilities. For compatibility with any applications we are not aware of
that require other calls, the filter can be turned off at build time.
Cc: stable@vger.kernel.org
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
2020-08-20 04:45:12 +00:00
|
|
|
if (block_rtas_call(token, nargs, &args))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2022-09-26 13:16:43 +00:00
|
|
|
if (token == ibm_open_errinjct_token || token == ibm_errinjct_token) {
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
err = security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION);
|
|
|
|
|
if (err)
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2006-01-14 00:39:24 +00:00
|
|
|
/* Need to handle ibm,suspend_me call specially */
|
2021-04-08 14:06:28 +00:00
|
|
|
if (token == rtas_token("ibm,suspend-me")) {
|
2015-01-21 02:32:00 +00:00
|
|
|
|
|
|
|
|
/*
|
2015-03-27 19:47:25 +00:00
|
|
|
* rtas_ibm_suspend_me assumes the streamid handle is in cpu
|
|
|
|
|
* endian, or at least the hcall within it requires it.
|
2015-01-21 02:32:00 +00:00
|
|
|
*/
|
2015-03-27 19:47:25 +00:00
|
|
|
int rc = 0;
|
2015-01-21 02:32:00 +00:00
|
|
|
u64 handle = ((u64)be32_to_cpu(args.args[0]) << 32)
|
|
|
|
|
| be32_to_cpu(args.args[1]);
|
2020-12-07 21:51:47 +00:00
|
|
|
rc = rtas_syscall_dispatch_ibm_suspend_me(handle);
|
2015-03-27 19:47:25 +00:00
|
|
|
if (rc == -EAGAIN)
|
|
|
|
|
args.rets[0] = cpu_to_be32(RTAS_NOT_SUSPENDABLE);
|
|
|
|
|
else if (rc == -EIO)
|
|
|
|
|
args.rets[0] = cpu_to_be32(-1);
|
|
|
|
|
else if (rc)
|
2006-01-14 00:39:24 +00:00
|
|
|
return rc;
|
|
|
|
|
goto copy_return;
|
|
|
|
|
}
|
|
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
buff_copy = get_errorlog_buffer();
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-06-16 16:42:49 +00:00
|
|
|
flags = lock_rtas();
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
rtas.args = args;
|
2021-06-17 15:51:03 +00:00
|
|
|
do_enter_rtas(__pa(&rtas.args));
|
2005-04-16 22:20:36 +00:00
|
|
|
args = rtas.args;
|
|
|
|
|
|
|
|
|
|
/* A -1 return code indicates that the last command couldn't
|
|
|
|
|
be completed due to a hardware error. */
|
2014-03-19 16:02:51 +00:00
|
|
|
if (be32_to_cpu(args.rets[0]) == -1)
|
2005-10-26 07:05:24 +00:00
|
|
|
errbuf = __fetch_rtas_last_error(buff_copy);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-06-16 16:42:49 +00:00
|
|
|
unlock_rtas(flags);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (buff_copy) {
|
2005-10-26 07:05:24 +00:00
|
|
|
if (errbuf)
|
|
|
|
|
log_error(errbuf, ERR_TYPE_RTAS_LOG, 0);
|
2005-04-16 22:20:36 +00:00
|
|
|
kfree(buff_copy);
|
|
|
|
|
}
|
|
|
|
|
|
2006-01-14 00:39:24 +00:00
|
|
|
copy_return:
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Copy out args. */
|
|
|
|
|
if (copy_to_user(uargs->args + nargs,
|
|
|
|
|
args.args + nargs,
|
2014-03-19 16:02:51 +00:00
|
|
|
nret * sizeof(rtas_arg_t)) != 0)
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2014-09-17 12:15:34 +00:00
|
|
|
* Call early during boot, before mem init, to retrieve the RTAS
|
|
|
|
|
* information from the device-tree and allocate the RMO buffer for userland
|
2005-04-16 22:20:36 +00:00
|
|
|
* accesses.
|
|
|
|
|
*/
|
|
|
|
|
void __init rtas_initialize(void)
|
|
|
|
|
{
|
2005-10-26 07:05:24 +00:00
|
|
|
unsigned long rtas_region = RTAS_INSTANTIATE_MAX;
|
2017-01-23 22:49:53 +00:00
|
|
|
u32 base, size, entry;
|
|
|
|
|
int no_base, no_size, no_entry;
|
2005-10-26 07:05:24 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Get RTAS dev node and fill up our "rtas" structure with infos
|
|
|
|
|
* about it.
|
|
|
|
|
*/
|
|
|
|
|
rtas.dev = of_find_node_by_name(NULL, "rtas");
|
2005-10-26 07:05:24 +00:00
|
|
|
if (!rtas.dev)
|
|
|
|
|
return;
|
|
|
|
|
|
2017-01-23 22:49:53 +00:00
|
|
|
no_base = of_property_read_u32(rtas.dev, "linux,rtas-base", &base);
|
|
|
|
|
no_size = of_property_read_u32(rtas.dev, "rtas-size", &size);
|
|
|
|
|
if (no_base || no_size) {
|
2017-01-23 22:49:54 +00:00
|
|
|
of_node_put(rtas.dev);
|
2017-01-23 22:49:52 +00:00
|
|
|
rtas.dev = NULL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-23 22:49:53 +00:00
|
|
|
rtas.base = base;
|
|
|
|
|
rtas.size = size;
|
|
|
|
|
no_entry = of_property_read_u32(rtas.dev, "linux,rtas-entry", &entry);
|
|
|
|
|
rtas.entry = no_entry ? rtas.base : entry;
|
2017-01-23 22:49:52 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* If RTAS was found, allocate the RMO buffer for it and look for
|
|
|
|
|
* the stop-self token if any
|
|
|
|
|
*/
|
2005-10-26 07:05:24 +00:00
|
|
|
#ifdef CONFIG_PPC64
|
2021-04-08 14:06:28 +00:00
|
|
|
if (firmware_has_feature(FW_FEATURE_LPAR))
|
2010-07-06 22:39:02 +00:00
|
|
|
rtas_region = min(ppc64_rma_size, RTAS_INSTANTIATE_MAX);
|
2005-10-26 07:05:24 +00:00
|
|
|
#endif
|
2021-04-08 14:06:30 +00:00
|
|
|
rtas_rmo_buf = memblock_phys_alloc_range(RTAS_USER_REGION_SIZE, PAGE_SIZE,
|
2019-03-12 06:29:35 +00:00
|
|
|
0, rtas_region);
|
|
|
|
|
if (!rtas_rmo_buf)
|
|
|
|
|
panic("ERROR: RTAS: Failed to allocate %lx bytes below %pa\n",
|
|
|
|
|
PAGE_SIZE, &rtas_region);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-10-26 07:05:24 +00:00
|
|
|
#ifdef CONFIG_RTAS_ERROR_LOGGING
|
|
|
|
|
rtas_last_error_token = rtas_token("rtas-last-error");
|
|
|
|
|
#endif
|
2022-09-26 13:16:43 +00:00
|
|
|
ibm_open_errinjct_token = rtas_token("ibm,open-errinjct");
|
|
|
|
|
ibm_errinjct_token = rtas_token("ibm,errinjct");
|
2021-04-08 14:06:29 +00:00
|
|
|
rtas_syscall_filter_init();
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2006-06-23 08:20:13 +00:00
|
|
|
|
|
|
|
|
int __init early_init_dt_scan_rtas(unsigned long node,
|
|
|
|
|
const char *uname, int depth, void *data)
|
|
|
|
|
{
|
2014-04-02 04:49:03 +00:00
|
|
|
const u32 *basep, *entryp, *sizep;
|
2006-06-23 08:20:13 +00:00
|
|
|
|
|
|
|
|
if (depth != 1 || strcmp(uname, "rtas") != 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
basep = of_get_flat_dt_prop(node, "linux,rtas-base", NULL);
|
|
|
|
|
entryp = of_get_flat_dt_prop(node, "linux,rtas-entry", NULL);
|
|
|
|
|
sizep = of_get_flat_dt_prop(node, "rtas-size", NULL);
|
|
|
|
|
|
2022-02-04 08:56:01 +00:00
|
|
|
#ifdef CONFIG_PPC64
|
|
|
|
|
/* need this feature to decide the crashkernel offset */
|
|
|
|
|
if (of_get_flat_dt_prop(node, "ibm,hypertas-functions", NULL))
|
|
|
|
|
powerpc_firmware_features |= FW_FEATURE_LPAR;
|
|
|
|
|
#endif
|
|
|
|
|
|
2006-06-23 08:20:13 +00:00
|
|
|
if (basep && entryp && sizep) {
|
|
|
|
|
rtas.base = *basep;
|
|
|
|
|
rtas.entry = *entryp;
|
|
|
|
|
rtas.size = *sizep;
|
|
|
|
|
}
|
|
|
|
|
|
2006-06-23 08:20:16 +00:00
|
|
|
#ifdef CONFIG_UDBG_RTAS_CONSOLE
|
|
|
|
|
basep = of_get_flat_dt_prop(node, "put-term-char", NULL);
|
|
|
|
|
if (basep)
|
|
|
|
|
rtas_putchar_token = *basep;
|
|
|
|
|
|
|
|
|
|
basep = of_get_flat_dt_prop(node, "get-term-char", NULL);
|
|
|
|
|
if (basep)
|
|
|
|
|
rtas_getchar_token = *basep;
|
2006-08-17 04:12:14 +00:00
|
|
|
|
|
|
|
|
if (rtas_putchar_token != RTAS_UNKNOWN_SERVICE &&
|
|
|
|
|
rtas_getchar_token != RTAS_UNKNOWN_SERVICE)
|
|
|
|
|
udbg_init_rtas_console();
|
|
|
|
|
|
2006-06-23 08:20:16 +00:00
|
|
|
#endif
|
|
|
|
|
|
2006-06-23 08:20:13 +00:00
|
|
|
/* break now */
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2009-06-16 16:42:50 +00:00
|
|
|
|
2009-12-02 18:49:50 +00:00
|
|
|
static arch_spinlock_t timebase_lock;
|
2009-06-16 16:42:50 +00:00
|
|
|
static u64 timebase = 0;
|
|
|
|
|
|
2013-06-24 19:30:09 +00:00
|
|
|
void rtas_give_timebase(void)
|
2009-06-16 16:42:50 +00:00
|
|
|
{
|
|
|
|
|
unsigned long flags;
|
|
|
|
|
|
|
|
|
|
local_irq_save(flags);
|
|
|
|
|
hard_irq_disable();
|
2009-12-02 19:01:25 +00:00
|
|
|
arch_spin_lock(&timebase_lock);
|
2009-06-16 16:42:50 +00:00
|
|
|
rtas_call(rtas_token("freeze-time-base"), 0, 1, NULL);
|
|
|
|
|
timebase = get_tb();
|
2009-12-02 19:01:25 +00:00
|
|
|
arch_spin_unlock(&timebase_lock);
|
2009-06-16 16:42:50 +00:00
|
|
|
|
|
|
|
|
while (timebase)
|
|
|
|
|
barrier();
|
|
|
|
|
rtas_call(rtas_token("thaw-time-base"), 0, 1, NULL);
|
|
|
|
|
local_irq_restore(flags);
|
|
|
|
|
}
|
|
|
|
|
|
2013-06-24 19:30:09 +00:00
|
|
|
void rtas_take_timebase(void)
|
2009-06-16 16:42:50 +00:00
|
|
|
{
|
|
|
|
|
while (!timebase)
|
|
|
|
|
barrier();
|
2009-12-02 19:01:25 +00:00
|
|
|
arch_spin_lock(&timebase_lock);
|
2009-06-16 16:42:50 +00:00
|
|
|
set_tb(timebase >> 32, timebase & 0xffffffff);
|
|
|
|
|
timebase = 0;
|
2009-12-02 19:01:25 +00:00
|
|
|
arch_spin_unlock(&timebase_lock);
|
2009-06-16 16:42:50 +00:00
|
|
|
}
|