[v6,10/43] compat_ioctl: move rtc handling into rtc-dev.c

Message ID	20191009191044.308087-10-arnd@arndb.de
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; From: Arnd Bergmann <arnd@arndb.de> To: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-kernel@vger.kernel.org, y2038@lists.linaro.org, linux-fsdevel@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Alexandre Belloni <alexandre.belloni@bootlin.com> Subject: [PATCH v6 10/43] compat_ioctl: move rtc handling into rtc-dev.c Date: Wed, 9 Oct 2019 21:10:10 +0200 Message-Id: <20191009191044.308087-10-arnd@arndb.de> In-Reply-To: <20191009190853.245077-1-arnd@arndb.de> References: <20191009190853.245077-1-arnd@arndb.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk
Series	[v6,01/43] fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP \| expand [v6,01/43] fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP [v6,02/43] FIGETBSZ: fix compat [v6,03/43] compat: itanic doesn't have one [v6,04/43] do_vfs_ioctl(): use saner types [v6,05/43] compat: move FS_IOC_RESVSP_32 handling to fs/ioctl.c [v6,06/43] compat_sys_ioctl(): make parallel to do_vfs_ioctl() [v6,07/43] ceph: fix compat_ioctl for ceph_dir_operations [v6,08/43] compat_ioctl: drop FIOQSIZE table entry [v6,09/43] compat_ioctl: add compat_ptr_ioctl() [v6,10/43] compat_ioctl: move rtc handling into rtc-dev.c [v6,11/43] compat_ioctl: move drivers to compat_ptr_ioctl [v6,12/43] compat_ioctl: move more drivers to compat_ptr_ioctl [v6,13/43] compat_ioctl: use correct compat_ptr() translation in drivers [v6,14/43] compat_ioctl: move tape handling into drivers [v6,15/43] compat_ioctl: move ATYFB_CLK handling to atyfb driver [v6,16/43] compat_ioctl: move isdn/capi ioctl translation into driver [v6,17/43] compat_ioctl: move rfcomm handlers into driver [v6,18/43] compat_ioctl: move hci_sock handlers into driver [v6,19/43] compat_ioctl: remove HCIUART handling [v6,20/43] compat_ioctl: remove HIDIO translation [v6,21/43] compat_ioctl: remove translation for sound ioctls [v6,22/43] compat_ioctl: remove IGNORE_IOCTL() [v6,23/43] compat_ioctl: remove /dev/random commands [v6,24/43] compat_ioctl: remove joystick ioctl translation [v6,25/43] compat_ioctl: remove PCI ioctl translation [v6,26/43] compat_ioctl: remove /dev/raw ioctl translation [v6,27/43] compat_ioctl: remove last RAID handling code [v6,28/43] compat_ioctl: remove unused convert_in_user macro [v6,29/43] REPLACE gfs2: add compat_ioctl support [v6,30/43] fs: compat_ioctl: move FITRIM emulation into file systems [v6,31/43] compat_ioctl: move WDIOC handling into wdt drivers [v6,32/43] compat_ioctl: reimplement SG_IO handling [v6,33/43] af_unix: add compat_ioctl support [v6,34/43] compat_ioctl: handle SIOCOUTQNSD [v6,35/43] compat_ioctl: move SIOCOUTQ out of compat_ioctl.c [v6,36/43] tty: handle compat PPP ioctls [v6,38/43] compat_ioctl: move PPPIOCSCOMPRESS to ppp_generic [v6,39/43] compat_ioctl: handle PPPIOCGIDLE for 64-bit time_t [v6,41/43] compat_ioctl: move SG_GET_REQUEST_TABLE handling [v6,42/43] pktcdvd: add compat_ioctl handler [v6,43/43] scsi: sd: enable compat ioctls for sed-opal

Arnd Bergmann Oct. 9, 2019, 7:10 p.m. UTC

We no longer need the rtc compat handling to be in common code, now that
all drivers are either moved to the rtc-class framework, or (rarely)
exist in drivers/char for architectures without compat mode (m68k,
alpha and ia64, respectively).

I checked the list of ioctl commands in drivers, and the ones that are
not already handled are all compatible, again with the one exception of
m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no
compat mode.

Since the ioctl commands are either compatible or differ in both structure
and command code between 32-bit and 64-bit, we can merge the compat
handler into the native one and just implement the two common compat
commands (RTC_IRQP_READ, RTC_IRQP_SET) there. The result is a slight
change in behavior, as a native 64-bit process will now also handle the
32-bit commands (RTC_IRQP_SET32/RTC_IRQP_SET).

The old conversion handler also deals with RTC_EPOCH_READ and
RTC_EPOCH_SET, which are not handled in rtc-dev.c but only in a single
device driver (rtc-vr41xx), so I'm adding the compat version in the same
place. I don't expect other drivers to need those commands in the future.

Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

Signed-off-by: Arnd Bergmann <arnd@arndb.de>

---
v2: merge compat handler into ioctl function to avoid the
    compat_alloc_user_space() roundtrip, based on feedback
    from Al Viro.
---
 drivers/rtc/dev.c        | 13 +++++++++-
 drivers/rtc/rtc-vr41xx.c | 10 ++++++++
 fs/compat_ioctl.c        | 53 ----------------------------------------
 3 files changed, 22 insertions(+), 54 deletions(-)

-- 
2.20.0

Alexandre Belloni Oct. 9, 2019, 7:25 p.m. UTC | #1

Hi,

If you ever have to resend, the file is now named rtc/dev.c so you could
adjust the subject.

On 09/10/2019 21:10:10+0200, Arnd Bergmann wrote:
> We no longer need the rtc compat handling to be in common code, now that

> all drivers are either moved to the rtc-class framework, or (rarely)

> exist in drivers/char for architectures without compat mode (m68k,

> alpha and ia64, respectively).

> 

> I checked the list of ioctl commands in drivers, and the ones that are

> not already handled are all compatible, again with the one exception of

> m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no

> compat mode.

> 

> Since the ioctl commands are either compatible or differ in both structure

> and command code between 32-bit and 64-bit, we can merge the compat

> handler into the native one and just implement the two common compat

> commands (RTC_IRQP_READ, RTC_IRQP_SET) there. The result is a slight

> change in behavior, as a native 64-bit process will now also handle the

> 32-bit commands (RTC_IRQP_SET32/RTC_IRQP_SET).

> 

> The old conversion handler also deals with RTC_EPOCH_READ and

> RTC_EPOCH_SET, which are not handled in rtc-dev.c but only in a single

> device driver (rtc-vr41xx), so I'm adding the compat version in the same

> place. I don't expect other drivers to need those commands in the future.

> 

> Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

> ---

> v2: merge compat handler into ioctl function to avoid the

>     compat_alloc_user_space() roundtrip, based on feedback

>     from Al Viro.

> ---

>  drivers/rtc/dev.c        | 13 +++++++++-

>  drivers/rtc/rtc-vr41xx.c | 10 ++++++++

>  fs/compat_ioctl.c        | 53 ----------------------------------------

>  3 files changed, 22 insertions(+), 54 deletions(-)

> 

> diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c

> index 84feb2565abd..1dc5063f78c9 100644

> --- a/drivers/rtc/dev.c

> +++ b/drivers/rtc/dev.c

> @@ -10,6 +10,7 @@

>  

>  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

>  

> +#include <linux/compat.h>

>  #include <linux/module.h>

>  #include <linux/rtc.h>

>  #include <linux/sched/signal.h>

> @@ -357,10 +358,19 @@ static long rtc_dev_ioctl(struct file *file,

>  		mutex_unlock(&rtc->ops_lock);

>  		return rtc_update_irq_enable(rtc, 0);

>  

> +#ifdef CONFIG_64BIT

> +#define RTC_IRQP_SET32		_IOW('p', 0x0c, __u32)

> +#define RTC_IRQP_READ32		_IOR('p', 0x0b, __u32)

> +	case RTC_IRQP_SET32:

> +		err = rtc_irq_set_freq(rtc, arg);

> +		break;

> +	case RTC_IRQP_READ32:

> +		err = put_user(rtc->irq_freq, (unsigned int __user *)uarg);

> +		break;

> +#endif

>  	case RTC_IRQP_SET:

>  		err = rtc_irq_set_freq(rtc, arg);

>  		break;

> -

>  	case RTC_IRQP_READ:

>  		err = put_user(rtc->irq_freq, (unsigned long __user *)uarg);

>  		break;

> @@ -434,6 +444,7 @@ static const struct file_operations rtc_dev_fops = {

>  	.read		= rtc_dev_read,

>  	.poll		= rtc_dev_poll,

>  	.unlocked_ioctl	= rtc_dev_ioctl,

> +	.compat_ioctl	= compat_ptr_ioctl,

>  	.open		= rtc_dev_open,

>  	.release	= rtc_dev_release,

>  	.fasync		= rtc_dev_fasync,

> diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c

> index c75230562c0d..79f27de545af 100644

> --- a/drivers/rtc/rtc-vr41xx.c

> +++ b/drivers/rtc/rtc-vr41xx.c

> @@ -4,6 +4,7 @@

>   *

>   *  Copyright (C) 2003-2008  Yoichi Yuasa <yuasa@linux-mips.org>

>   */

> +#include <linux/compat.h>

>  #include <linux/err.h>

>  #include <linux/fs.h>

>  #include <linux/init.h>

> @@ -66,6 +67,10 @@ static void __iomem *rtc2_base;

>  #define rtc2_read(offset)		readw(rtc2_base + (offset))

>  #define rtc2_write(offset, value)	writew((value), rtc2_base + (offset))

>  

> +/* 32-bit compat for ioctls that nobody else uses */

> +#define RTC_EPOCH_READ32	_IOR('p', 0x0d, __u32)

> +#define RTC_EPOCH_SET32		_IOW('p', 0x0e, __u32)

> +

>  static unsigned long epoch = 1970;	/* Jan 1 1970 00:00:00 */

>  

>  static DEFINE_SPINLOCK(rtc_lock);

> @@ -179,6 +184,11 @@ static int vr41xx_rtc_ioctl(struct device *dev, unsigned int cmd, unsigned long

>  	switch (cmd) {

>  	case RTC_EPOCH_READ:

>  		return put_user(epoch, (unsigned long __user *)arg);

> +#ifdef CONFIG_64BIT

> +	case RTC_EPOCH_READ32:

> +		return put_user(epoch, (unsigned int __user *)arg);

> +	case RTC_EPOCH_SET32:

> +#endif

>  	case RTC_EPOCH_SET:

>  		/* Doesn't support before 1900 */

>  		if (arg < 1900)

> diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c

> index cec3ec0a1727..47da220f95b1 100644

> --- a/fs/compat_ioctl.c

> +++ b/fs/compat_ioctl.c

> @@ -32,7 +32,6 @@

>  #include <linux/vt_kern.h>

>  #include <linux/raw.h>

>  #include <linux/blkdev.h>

> -#include <linux/rtc.h>

>  #include <linux/pci.h>

>  #include <linux/serial.h>

>  #include <linux/ctype.h>

> @@ -436,37 +435,6 @@ static int mt_ioctl_trans(struct file *file,

>  #define HCIUARTSETFLAGS		_IOW('U', 203, int)

>  #define HCIUARTGETFLAGS		_IOR('U', 204, int)

>  

> -#define RTC_IRQP_READ32		_IOR('p', 0x0b, compat_ulong_t)

> -#define RTC_IRQP_SET32		_IOW('p', 0x0c, compat_ulong_t)

> -#define RTC_EPOCH_READ32	_IOR('p', 0x0d, compat_ulong_t)

> -#define RTC_EPOCH_SET32		_IOW('p', 0x0e, compat_ulong_t)

> -

> -static int rtc_ioctl(struct file *file,

> -		unsigned cmd, void __user *argp)

> -{

> -	unsigned long __user *valp = compat_alloc_user_space(sizeof(*valp));

> -	int ret;

> -

> -	if (valp == NULL)

> -		return -EFAULT;

> -	switch (cmd) {

> -	case RTC_IRQP_READ32:

> -	case RTC_EPOCH_READ32:

> -		ret = do_ioctl(file, (cmd == RTC_IRQP_READ32) ?

> -					RTC_IRQP_READ : RTC_EPOCH_READ,

> -					(unsigned long)valp);

> -		if (ret)

> -			return ret;

> -		return convert_in_user(valp, (unsigned int __user *)argp);

> -	case RTC_IRQP_SET32:

> -		return do_ioctl(file, RTC_IRQP_SET, (unsigned long)argp);

> -	case RTC_EPOCH_SET32:

> -		return do_ioctl(file, RTC_EPOCH_SET, (unsigned long)argp);

> -	}

> -

> -	return -ENOIOCTLCMD;

> -}

> -

>  /*

>   * simple reversible transform to make our table more evenly

>   * distributed after sorting.

> @@ -503,21 +471,6 @@ COMPATIBLE_IOCTL(SCSI_IOCTL_GET_PCI)

>  /* Big V (don't complain on serial console) */

>  IGNORE_IOCTL(VT_OPENQRY)

>  IGNORE_IOCTL(VT_GETMODE)

> -/* Little p (/dev/rtc, /dev/envctrl, etc.) */

> -COMPATIBLE_IOCTL(RTC_AIE_ON)

> -COMPATIBLE_IOCTL(RTC_AIE_OFF)

> -COMPATIBLE_IOCTL(RTC_UIE_ON)

> -COMPATIBLE_IOCTL(RTC_UIE_OFF)

> -COMPATIBLE_IOCTL(RTC_PIE_ON)

> -COMPATIBLE_IOCTL(RTC_PIE_OFF)

> -COMPATIBLE_IOCTL(RTC_WIE_ON)

> -COMPATIBLE_IOCTL(RTC_WIE_OFF)

> -COMPATIBLE_IOCTL(RTC_ALM_SET)

> -COMPATIBLE_IOCTL(RTC_ALM_READ)

> -COMPATIBLE_IOCTL(RTC_RD_TIME)

> -COMPATIBLE_IOCTL(RTC_SET_TIME)

> -COMPATIBLE_IOCTL(RTC_WKALM_SET)

> -COMPATIBLE_IOCTL(RTC_WKALM_RD)

>  /*

>   * These two are only for the sbus rtc driver, but

>   * hwclock tries them on every rtc device first when

> @@ -897,12 +850,6 @@ static long do_ioctl_trans(unsigned int cmd,

>  	case MTIOCPOS32:

>  		return mt_ioctl_trans(file, cmd, argp);

>  #endif

> -	/* Not implemented in the native kernel */

> -	case RTC_IRQP_READ32:

> -	case RTC_IRQP_SET32:

> -	case RTC_EPOCH_READ32:

> -	case RTC_EPOCH_SET32:

> -		return rtc_ioctl(file, cmd, argp);

>  	}

>  

>  	/*

> -- 

> 2.20.0

> 


-- 
Alexandre Belloni, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Arnd Bergmann Oct. 9, 2019, 7:31 p.m. UTC | #2

On Wed, Oct 9, 2019 at 9:25 PM Alexandre Belloni
<alexandre.belloni@bootlin.com> wrote:
>

> If you ever have to resend, the file is now named rtc/dev.c so you could

> adjust the subject.


Ok, I fixed up my local copy.

      Arnd

Ben Hutchings Oct. 17, 2019, 1:42 p.m. UTC | #3

On Wed, 2019-10-09 at 21:10 +0200, Arnd Bergmann wrote:
> We no longer need the rtc compat handling to be in common code, now that

> all drivers are either moved to the rtc-class framework, or (rarely)

> exist in drivers/char for architectures without compat mode (m68k,

> alpha and ia64, respectively).

> 

> I checked the list of ioctl commands in drivers, and the ones that are

> not already handled are all compatible, again with the one exception of

> m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no

> compat mode.

>

> Since the ioctl commands are either compatible or differ in both structure

> and command code between 32-bit and 64-bit, we can merge the compat

> handler into the native one and just implement the two common compat

> commands (RTC_IRQP_READ, RTC_IRQP_SET) there.

[...]

I don't think this can work properly on s390, because some of them take
integers and some take pointers.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

Arnd Bergmann Oct. 17, 2019, 2:33 p.m. UTC | #4

On Thu, Oct 17, 2019 at 3:42 PM Ben Hutchings
<ben.hutchings@codethink.co.uk> wrote:
>

> On Wed, 2019-10-09 at 21:10 +0200, Arnd Bergmann wrote:

> > We no longer need the rtc compat handling to be in common code, now that

> > all drivers are either moved to the rtc-class framework, or (rarely)

> > exist in drivers/char for architectures without compat mode (m68k,

> > alpha and ia64, respectively).

> >

> > I checked the list of ioctl commands in drivers, and the ones that are

> > not already handled are all compatible, again with the one exception of

> > m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no

> > compat mode.

> >

> > Since the ioctl commands are either compatible or differ in both structure

> > and command code between 32-bit and 64-bit, we can merge the compat

> > handler into the native one and just implement the two common compat

> > commands (RTC_IRQP_READ, RTC_IRQP_SET) there.

> [...]

>

> I don't think this can work properly on s390, because some of them take

> integers and some take pointers.


Thanks a lot for taking a look at the patch and pointing this out!

I don't remember how I got to this, either I missed the problem or I
decided that it was ok, since it will still do the right thing:
On s390 only the highest bit is cleared in a pointer value, and we
ensure that the RTC_IRQP_SET argument is between 1 and 8192.

Passing a value of (0x80000000 + n) where n is in the valid range
would lead to the call succeeding unexpectedly on compat s390
(if it had an RTC, which it does not) which is clearly not good but
mostly harmless. I certainly had not considered this case.

However, looking at this again after your comment I found a rather
more serious bug in my new RTC_IRQP_SET handling: Any 64-bit
machine can now bypass the permission check for RTC_IRQP_SET by
calling RTC_IRQP_SET32 instead.

I'll fix it both issues by adding a rtc_compat_dev_ioctl() to handle
RTC_IRQP_SET32/RTC_IRQP_READ32:

diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c
index 1dc5063f78c9..9e4fd5088ead 100644
--- a/drivers/rtc/dev.c
+++ b/drivers/rtc/dev.c
@@ -358,16 +358,6 @@ static long rtc_dev_ioctl(struct file *file,
                mutex_unlock(&rtc->ops_lock);
                return rtc_update_irq_enable(rtc, 0);

-#ifdef CONFIG_64BIT
-#define RTC_IRQP_SET32         _IOW('p', 0x0c, __u32)
-#define RTC_IRQP_READ32                _IOR('p', 0x0b, __u32)
-       case RTC_IRQP_SET32:
-               err = rtc_irq_set_freq(rtc, arg);
-               break;
-       case RTC_IRQP_READ32:
-               err = put_user(rtc->irq_freq, (unsigned int __user *)uarg);
-               break;
-#endif
        case RTC_IRQP_SET:
                err = rtc_irq_set_freq(rtc, arg);
                break;
@@ -409,6 +399,29 @@ static long rtc_dev_ioctl(struct file *file,
        return err;
 }

+#ifdef CONFIG_COMPAT
+#define RTC_IRQP_SET32         _IOW('p', 0x0c, __u32)
+#define RTC_IRQP_READ32                _IOR('p', 0x0b, __u32)
+
+static long rtc_dev_compat_ioctl(struct file *file,
+                                unsigned int cmd, unsigned long arg)
+{
+       struct rtc_device *rtc = file->private_data;
+       void __user *uarg = compat_ptr(arg);
+
+       switch (cmd) {
+       case RTC_IRQP_READ32:
+               return put_user(rtc->irq_freq, (__u32 __user *)uarg);
+
+       case RTC_IRQP_SET32:
+               /* arg is a plain integer, not pointer */
+               return rtc_dev_ioctl(file, RTC_IRQP_SET, arg);
+       }
+
+       return rtc_dev_ioctl(file, cmd, (unsigned long)uarg);
+}
+#endif
+
 static int rtc_dev_fasync(int fd, struct file *file, int on)
 {
        struct rtc_device *rtc = file->private_data;
@@ -444,7 +457,7 @@ static const struct file_operations rtc_dev_fops = {
        .read           = rtc_dev_read,
        .poll           = rtc_dev_poll,
        .unlocked_ioctl = rtc_dev_ioctl,
-       .compat_ioctl   = compat_ptr_ioctl,
+       .compat_ioctl   = rtc_dev_compat_ioctl,
        .open           = rtc_dev_open,
        .release        = rtc_dev_release,
        .fasync         = rtc_dev_fasync,

If you and Alexandre are both happy with this version, I'll fold it into
my original patch.

      Arnd

Ben Hutchings Oct. 17, 2019, 6:19 p.m. UTC | #5

On Thu, 2019-10-17 at 16:33 +0200, Arnd Bergmann wrote:
> On Thu, Oct 17, 2019 at 3:42 PM Ben Hutchings

> <ben.hutchings@codethink.co.uk> wrote:

> > On Wed, 2019-10-09 at 21:10 +0200, Arnd Bergmann wrote:

> > > We no longer need the rtc compat handling to be in common code, now that

> > > all drivers are either moved to the rtc-class framework, or (rarely)

> > > exist in drivers/char for architectures without compat mode (m68k,

> > > alpha and ia64, respectively).

> > > 

> > > I checked the list of ioctl commands in drivers, and the ones that are

> > > not already handled are all compatible, again with the one exception of

> > > m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no

> > > compat mode.

> > > 

> > > Since the ioctl commands are either compatible or differ in both structure

> > > and command code between 32-bit and 64-bit, we can merge the compat

> > > handler into the native one and just implement the two common compat

> > > commands (RTC_IRQP_READ, RTC_IRQP_SET) there.

> > [...]

> > 

> > I don't think this can work properly on s390, because some of them take

> > integers and some take pointers.

> 

> Thanks a lot for taking a look at the patch and pointing this out!

> 

> I don't remember how I got to this, either I missed the problem or I

> decided that it was ok, since it will still do the right thing:

> On s390 only the highest bit is cleared in a pointer value, and we

> ensure that the RTC_IRQP_SET argument is between 1 and 8192.

> 

> Passing a value of (0x80000000 + n) where n is in the valid range

> would lead to the call succeeding unexpectedly on compat s390

> (if it had an RTC, which it does not) which is clearly not good but

> mostly harmless. I certainly had not considered this case.

> 

> However, looking at this again after your comment I found a rather

> more serious bug in my new RTC_IRQP_SET handling: Any 64-bit

> machine can now bypass the permission check for RTC_IRQP_SET by

> calling RTC_IRQP_SET32 instead.

> 

> I'll fix it both issues by adding a rtc_compat_dev_ioctl() to handle

> RTC_IRQP_SET32/RTC_IRQP_READ32:


Reviewed-by: Ben Hutchings <ben.hutchings@codethink.co.uk>


> diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c

> index 1dc5063f78c9..9e4fd5088ead 100644

> --- a/drivers/rtc/dev.c

> +++ b/drivers/rtc/dev.c

> @@ -358,16 +358,6 @@ static long rtc_dev_ioctl(struct file *file,

>                 mutex_unlock(&rtc->ops_lock);

>                 return rtc_update_irq_enable(rtc, 0);

> 

> -#ifdef CONFIG_64BIT

> -#define RTC_IRQP_SET32         _IOW('p', 0x0c, __u32)

> -#define RTC_IRQP_READ32                _IOR('p', 0x0b, __u32)

> -       case RTC_IRQP_SET32:

> -               err = rtc_irq_set_freq(rtc, arg);

> -               break;

> -       case RTC_IRQP_READ32:

> -               err = put_user(rtc->irq_freq, (unsigned int __user *)uarg);

> -               break;

> -#endif

>         case RTC_IRQP_SET:

>                 err = rtc_irq_set_freq(rtc, arg);

>                 break;

> @@ -409,6 +399,29 @@ static long rtc_dev_ioctl(struct file *file,

>         return err;

>  }

> 

> +#ifdef CONFIG_COMPAT

> +#define RTC_IRQP_SET32         _IOW('p', 0x0c, __u32)

> +#define RTC_IRQP_READ32                _IOR('p', 0x0b, __u32)

> +

> +static long rtc_dev_compat_ioctl(struct file *file,

> +                                unsigned int cmd, unsigned long arg)

> +{

> +       struct rtc_device *rtc = file->private_data;

> +       void __user *uarg = compat_ptr(arg);

> +

> +       switch (cmd) {

> +       case RTC_IRQP_READ32:

> +               return put_user(rtc->irq_freq, (__u32 __user *)uarg);

> +

> +       case RTC_IRQP_SET32:

> +               /* arg is a plain integer, not pointer */

> +               return rtc_dev_ioctl(file, RTC_IRQP_SET, arg);

> +       }

> +

> +       return rtc_dev_ioctl(file, cmd, (unsigned long)uarg);

> +}

> +#endif

> +

>  static int rtc_dev_fasync(int fd, struct file *file, int on)

>  {

>         struct rtc_device *rtc = file->private_data;

> @@ -444,7 +457,7 @@ static const struct file_operations rtc_dev_fops = {

>         .read           = rtc_dev_read,

>         .poll           = rtc_dev_poll,

>         .unlocked_ioctl = rtc_dev_ioctl,

> -       .compat_ioctl   = compat_ptr_ioctl,

> +       .compat_ioctl   = rtc_dev_compat_ioctl,

>         .open           = rtc_dev_open,

>         .release        = rtc_dev_release,

>         .fasync         = rtc_dev_fasync,

> 

> If you and Alexandre are both happy with this version, I'll fold it into

> my original patch.

> 

>       Arnd

> 

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

Al Viro Oct. 22, 2019, 4:30 a.m. UTC | #6

On Thu, Oct 17, 2019 at 04:33:09PM +0200, Arnd Bergmann wrote:

> However, looking at this again after your comment I found a rather

> more serious bug in my new RTC_IRQP_SET handling: Any 64-bit

> machine can now bypass the permission check for RTC_IRQP_SET by

> calling RTC_IRQP_SET32 instead.

You've lost the check on RTC_EPOCH_SET as well.

Another potential issue is drivers/input/misc/hp_sdc_rtc.c,
provided that the hardware in question might possibly exist
on hppa64 boxen - CONFIG_GSC defaults to y and it's not
32bit-only, so that thing is at least selectable on 64bit
kernels.

Arnd Bergmann Oct. 22, 2019, 12:14 p.m. UTC | #7

On Tue, Oct 22, 2019 at 6:30 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
>

> On Thu, Oct 17, 2019 at 04:33:09PM +0200, Arnd Bergmann wrote:

>

> > However, looking at this again after your comment I found a rather

> > more serious bug in my new RTC_IRQP_SET handling: Any 64-bit

> > machine can now bypass the permission check for RTC_IRQP_SET by

> > calling RTC_IRQP_SET32 instead.

>

> You've lost the check on RTC_EPOCH_SET as well.


Right, originally my plan was to keep the epoch handling local to
rtc-vr41xx.c as explained in the patch description. The driver is
specific to a particular very obsolete MIPS machine that was
apparently only ever used with 32-bit kernels.

I guess it can't hurt to treat it the same as RTC_IRQP_SET32
if you prefer. Folding in this change now and adapting the
changelog text:

--- a/drivers/rtc/dev.c
+++ b/drivers/rtc/dev.c
@@ -402,6 +402,7 @@ static long rtc_dev_ioctl(struct file *file,
 #ifdef CONFIG_COMPAT
 #define RTC_IRQP_SET32         _IOW('p', 0x0c, __u32)
 #define RTC_IRQP_READ32                _IOR('p', 0x0b, __u32)
+#define RTC_EPOCH_SET32                _IOW('p', 0x0e, __u32)

 static long rtc_dev_compat_ioctl(struct file *file,
                                 unsigned int cmd, unsigned long arg)
@@ -416,6 +417,10 @@ static long rtc_dev_compat_ioctl(struct file *file,
        case RTC_IRQP_SET32:
                /* arg is a plain integer, not pointer */
                return rtc_dev_ioctl(file, RTC_IRQP_SET, arg);
+
+       case RTC_EPOCH_SET32:
+               /* arg is a plain integer, not pointer */
+               return rtc_dev_ioctl(file, RTC_EPOCH_SET, arg);
        }

        return rtc_dev_ioctl(file, cmd, (unsigned long)uarg);
diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c
index 79f27de545af..c3671043ace7 100644
--- a/drivers/rtc/rtc-vr41xx.c
+++ b/drivers/rtc/rtc-vr41xx.c
@@ -69,7 +69,6 @@ static void __iomem *rtc2_base;

 /* 32-bit compat for ioctls that nobody else uses */
 #define RTC_EPOCH_READ32       _IOR('p', 0x0d, __u32)
-#define RTC_EPOCH_SET32                _IOW('p', 0x0e, __u32)

 static unsigned long epoch = 1970;     /* Jan 1 1970 00:00:00 */

@@ -187,7 +186,6 @@ static int vr41xx_rtc_ioctl(struct device *dev,
unsigned int cmd, unsigned long
 #ifdef CONFIG_64BIT
        case RTC_EPOCH_READ32:
                return put_user(epoch, (unsigned int __user *)arg);
-       case RTC_EPOCH_SET32:
 #endif
        case RTC_EPOCH_SET:
                /* Doesn't support before 1900 */

> Another potential issue is drivers/input/misc/hp_sdc_rtc.c,

> provided that the hardware in question might possibly exist

> on hppa64 boxen - CONFIG_GSC defaults to y and it's not

> 32bit-only, so that thing is at least selectable on 64bit

> kernels.


I decided long ago not to care: that code has never compiled after
it was originally merged into the kernel in 2005:

static int hp_sdc_rtc_ioctl(struct inode *inode, struct file *file,
                           unsigned int cmd, unsigned long arg)
{
#if 1
       return -EINVAL;
#else
      ...
    RTC_IRQP_SET, RTC_EPOCH_SET, ...
      ...
#endif
}

I don't see any chance that this code is revived. If anyone wanted to
make it work, the right approach would be to use the rtc framework
and rewrite the code first.

I could send a patch to remove the dead code though if that helps.

     Arnd

Alexandre Belloni Oct. 23, 2019, 10:29 a.m. UTC | #8

On 22/10/2019 14:14:21+0200, Arnd Bergmann wrote:
> On Tue, Oct 22, 2019 at 6:30 AM Al Viro <viro@zeniv.linux.org.uk> wrote:

> >

> > On Thu, Oct 17, 2019 at 04:33:09PM +0200, Arnd Bergmann wrote:

> >

> > > However, looking at this again after your comment I found a rather

> > > more serious bug in my new RTC_IRQP_SET handling: Any 64-bit

> > > machine can now bypass the permission check for RTC_IRQP_SET by

> > > calling RTC_IRQP_SET32 instead.

> >

> > You've lost the check on RTC_EPOCH_SET as well.

> 

> Right, originally my plan was to keep the epoch handling local to

> rtc-vr41xx.c as explained in the patch description. The driver is

> specific to a particular very obsolete MIPS machine that was

> apparently only ever used with 32-bit kernels.

> 

> I guess it can't hurt to treat it the same as RTC_IRQP_SET32

> if you prefer. Folding in this change now and adapting the

> changelog text:

> 

> --- a/drivers/rtc/dev.c

> +++ b/drivers/rtc/dev.c

> @@ -402,6 +402,7 @@ static long rtc_dev_ioctl(struct file *file,

>  #ifdef CONFIG_COMPAT

>  #define RTC_IRQP_SET32         _IOW('p', 0x0c, __u32)

>  #define RTC_IRQP_READ32                _IOR('p', 0x0b, __u32)

> +#define RTC_EPOCH_SET32                _IOW('p', 0x0e, __u32)

> 

>  static long rtc_dev_compat_ioctl(struct file *file,

>                                  unsigned int cmd, unsigned long arg)

> @@ -416,6 +417,10 @@ static long rtc_dev_compat_ioctl(struct file *file,

>         case RTC_IRQP_SET32:

>                 /* arg is a plain integer, not pointer */

>                 return rtc_dev_ioctl(file, RTC_IRQP_SET, arg);

> +

> +       case RTC_EPOCH_SET32:

> +               /* arg is a plain integer, not pointer */

> +               return rtc_dev_ioctl(file, RTC_EPOCH_SET, arg);

>         }

> 

>         return rtc_dev_ioctl(file, cmd, (unsigned long)uarg);

> diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c

> index 79f27de545af..c3671043ace7 100644

> --- a/drivers/rtc/rtc-vr41xx.c

> +++ b/drivers/rtc/rtc-vr41xx.c

> @@ -69,7 +69,6 @@ static void __iomem *rtc2_base;

> 

>  /* 32-bit compat for ioctls that nobody else uses */

>  #define RTC_EPOCH_READ32       _IOR('p', 0x0d, __u32)

> -#define RTC_EPOCH_SET32                _IOW('p', 0x0e, __u32)

> 

>  static unsigned long epoch = 1970;     /* Jan 1 1970 00:00:00 */

> 

> @@ -187,7 +186,6 @@ static int vr41xx_rtc_ioctl(struct device *dev,

> unsigned int cmd, unsigned long

>  #ifdef CONFIG_64BIT

>         case RTC_EPOCH_READ32:

>                 return put_user(epoch, (unsigned int __user *)arg);

> -       case RTC_EPOCH_SET32:

>  #endif

>         case RTC_EPOCH_SET:

>                 /* Doesn't support before 1900 */

> 

> > Another potential issue is drivers/input/misc/hp_sdc_rtc.c,

> > provided that the hardware in question might possibly exist

> > on hppa64 boxen - CONFIG_GSC defaults to y and it's not

> > 32bit-only, so that thing is at least selectable on 64bit

> > kernels.

> 

> I decided long ago not to care: that code has never compiled after

> it was originally merged into the kernel in 2005:

> 

> static int hp_sdc_rtc_ioctl(struct inode *inode, struct file *file,

>                            unsigned int cmd, unsigned long arg)

> {

> #if 1

>        return -EINVAL;

> #else

>       ...

>     RTC_IRQP_SET, RTC_EPOCH_SET, ...

>       ...

> #endif

> }

> 

> I don't see any chance that this code is revived. If anyone wanted to

> make it work, the right approach would be to use the rtc framework

> and rewrite the code first.

> 

> I could send a patch to remove the dead code though if that helps.

> 


Please do.

IIUC, this doesn't affect arch/alpha/kernel/rtc.c because alpha has
always been 64bit.


-- 
Alexandre Belloni, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Alexandre Belloni Oct. 23, 2019, 10:32 a.m. UTC | #9

On 17/10/2019 16:33:09+0200, Arnd Bergmann wrote:
> On Thu, Oct 17, 2019 at 3:42 PM Ben Hutchings

> <ben.hutchings@codethink.co.uk> wrote:

> >

> > On Wed, 2019-10-09 at 21:10 +0200, Arnd Bergmann wrote:

> > > We no longer need the rtc compat handling to be in common code, now that

> > > all drivers are either moved to the rtc-class framework, or (rarely)

> > > exist in drivers/char for architectures without compat mode (m68k,

> > > alpha and ia64, respectively).

> > >

> > > I checked the list of ioctl commands in drivers, and the ones that are

> > > not already handled are all compatible, again with the one exception of

> > > m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no

> > > compat mode.

> > >

> > > Since the ioctl commands are either compatible or differ in both structure

> > > and command code between 32-bit and 64-bit, we can merge the compat

> > > handler into the native one and just implement the two common compat

> > > commands (RTC_IRQP_READ, RTC_IRQP_SET) there.

> > [...]

> >

> > I don't think this can work properly on s390, because some of them take

> > integers and some take pointers.

> 

> Thanks a lot for taking a look at the patch and pointing this out!

> 

> I don't remember how I got to this, either I missed the problem or I

> decided that it was ok, since it will still do the right thing:

> On s390 only the highest bit is cleared in a pointer value, and we

> ensure that the RTC_IRQP_SET argument is between 1 and 8192.

> 

> Passing a value of (0x80000000 + n) where n is in the valid range

> would lead to the call succeeding unexpectedly on compat s390

> (if it had an RTC, which it does not) which is clearly not good but

> mostly harmless. I certainly had not considered this case.

> 

> However, looking at this again after your comment I found a rather

> more serious bug in my new RTC_IRQP_SET handling: Any 64-bit

> machine can now bypass the permission check for RTC_IRQP_SET by

> calling RTC_IRQP_SET32 instead.

> 

> I'll fix it both issues by adding a rtc_compat_dev_ioctl() to handle

> RTC_IRQP_SET32/RTC_IRQP_READ32:

> 

> diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c

> index 1dc5063f78c9..9e4fd5088ead 100644

> --- a/drivers/rtc/dev.c

> +++ b/drivers/rtc/dev.c

> @@ -358,16 +358,6 @@ static long rtc_dev_ioctl(struct file *file,

>                 mutex_unlock(&rtc->ops_lock);

>                 return rtc_update_irq_enable(rtc, 0);

> 

> -#ifdef CONFIG_64BIT

> -#define RTC_IRQP_SET32         _IOW('p', 0x0c, __u32)

> -#define RTC_IRQP_READ32                _IOR('p', 0x0b, __u32)

> -       case RTC_IRQP_SET32:

> -               err = rtc_irq_set_freq(rtc, arg);

> -               break;

> -       case RTC_IRQP_READ32:

> -               err = put_user(rtc->irq_freq, (unsigned int __user *)uarg);

> -               break;

> -#endif

>         case RTC_IRQP_SET:

>                 err = rtc_irq_set_freq(rtc, arg);

>                 break;

> @@ -409,6 +399,29 @@ static long rtc_dev_ioctl(struct file *file,

>         return err;

>  }

> 

> +#ifdef CONFIG_COMPAT

> +#define RTC_IRQP_SET32         _IOW('p', 0x0c, __u32)

> +#define RTC_IRQP_READ32                _IOR('p', 0x0b, __u32)

> +

> +static long rtc_dev_compat_ioctl(struct file *file,

> +                                unsigned int cmd, unsigned long arg)

> +{

> +       struct rtc_device *rtc = file->private_data;

> +       void __user *uarg = compat_ptr(arg);

> +

> +       switch (cmd) {

> +       case RTC_IRQP_READ32:

> +               return put_user(rtc->irq_freq, (__u32 __user *)uarg);

> +

> +       case RTC_IRQP_SET32:

> +               /* arg is a plain integer, not pointer */

> +               return rtc_dev_ioctl(file, RTC_IRQP_SET, arg);

> +       }

> +

> +       return rtc_dev_ioctl(file, cmd, (unsigned long)uarg);

> +}

> +#endif

> +

>  static int rtc_dev_fasync(int fd, struct file *file, int on)

>  {

>         struct rtc_device *rtc = file->private_data;

> @@ -444,7 +457,7 @@ static const struct file_operations rtc_dev_fops = {

>         .read           = rtc_dev_read,

>         .poll           = rtc_dev_poll,

>         .unlocked_ioctl = rtc_dev_ioctl,

> -       .compat_ioctl   = compat_ptr_ioctl,

> +       .compat_ioctl   = rtc_dev_compat_ioctl,

>         .open           = rtc_dev_open,

>         .release        = rtc_dev_release,

>         .fasync         = rtc_dev_fasync,

> 

> If you and Alexandre are both happy with this version, I'll fold it into

> my original patch.

> 


I'm OK with that version

-- 
Alexandre Belloni, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Arnd Bergmann Oct. 23, 2019, 2:28 p.m. UTC | #10

On Wed, Oct 23, 2019 at 12:29 PM Alexandre Belloni
<alexandre.belloni@bootlin.com> wrote:
> On 22/10/2019 14:14:21+0200, Arnd Bergmann wrote:

> > On Tue, Oct 22, 2019 at 6:30 AM Al Viro <viro@zeniv.linux.org.uk> wrote:

> >

> > I don't see any chance that this code is revived. If anyone wanted to

> > make it work, the right approach would be to use the rtc framework

> > and rewrite the code first.

> >

> > I could send a patch to remove the dead code though if that helps.

> >

>

> Please do.


Ok, done. Speaking of removing rtc drivers, should we just kill off
drivers/char/rtc.c and drivers/char/efirtc.c as well? I don't remember
why we left them in the tree, but I'm fairly sure they are not actually
needed.

      Arnd

Alexandre Belloni Oct. 23, 2019, 2:34 p.m. UTC | #11

On 23/10/2019 16:28:40+0200, Arnd Bergmann wrote:
> On Wed, Oct 23, 2019 at 12:29 PM Alexandre Belloni

> <alexandre.belloni@bootlin.com> wrote:

> > On 22/10/2019 14:14:21+0200, Arnd Bergmann wrote:

> > > On Tue, Oct 22, 2019 at 6:30 AM Al Viro <viro@zeniv.linux.org.uk> wrote:

> > >

> > > I don't see any chance that this code is revived. If anyone wanted to

> > > make it work, the right approach would be to use the rtc framework

> > > and rewrite the code first.

> > >

> > > I could send a patch to remove the dead code though if that helps.

> > >

> >

> > Please do.

> 

> Ok, done. Speaking of removing rtc drivers, should we just kill off

> drivers/char/rtc.c and drivers/char/efirtc.c as well? I don't remember

> why we left them in the tree, but I'm fairly sure they are not actually

> needed.

> 


https://lore.kernel.org/lkml/CAK8P3a0QZNY+K+V1HG056xCerz=_L2jh5UfZ+2LWkDqkw5Zznw@mail.gmail.com/

That's how we left it ;)

-- 
Alexandre Belloni, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Arnd Bergmann Oct. 23, 2019, 3:02 p.m. UTC | #12

On Wed, Oct 23, 2019 at 4:34 PM Alexandre Belloni
<alexandre.belloni@bootlin.com> wrote:
> On 23/10/2019 16:28:40+0200, Arnd Bergmann wrote:

> > Ok, done. Speaking of removing rtc drivers, should we just kill off

> > drivers/char/rtc.c and drivers/char/efirtc.c as well? I don't remember

> > why we left them in the tree, but I'm fairly sure they are not actually

> > needed.

> >

>

> https://lore.kernel.org/lkml/CAK8P3a0QZNY+K+V1HG056xCerz=_L2jh5UfZ+2LWkDqkw5Zznw@mail.gmail.com/

>

> That's how we left it ;)


Right, that is roughly what I remembered. Sending a patch to remove them
now, let's see if anyone cares.

          Arnd

[v6,10/43] compat_ioctl: move rtc handling into rtc-dev.c

Commit Message

Comments

Patch