| Message ID | 20191009191044.308087-10-arnd@arndb.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | compat_ioctl: remove most of fs/compat_ioctl.c | expand |
Hi, If you ever have to resend, the file is now named rtc/dev.c so you could adjust the subject. On 09/10/2019 21:10:10+0200, Arnd Bergmann wrote: > We no longer need the rtc compat handling to be in common code, now that > all drivers are either moved to the rtc-class framework, or (rarely) > exist in drivers/char for architectures without compat mode (m68k, > alpha and ia64, respectively). > > I checked the list of ioctl commands in drivers, and the ones that are > not already handled are all compatible, again with the one exception of > m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no > compat mode. > > Since the ioctl commands are either compatible or differ in both structure > and command code between 32-bit and 64-bit, we can merge the compat > handler into the native one and just implement the two common compat > commands (RTC_IRQP_READ, RTC_IRQP_SET) there. The result is a slight > change in behavior, as a native 64-bit process will now also handle the > 32-bit commands (RTC_IRQP_SET32/RTC_IRQP_SET). > > The old conversion handler also deals with RTC_EPOCH_READ and > RTC_EPOCH_SET, which are not handled in rtc-dev.c but only in a single > device driver (rtc-vr41xx), so I'm adding the compat version in the same > place. I don't expect other drivers to need those commands in the future. > > Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com> > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- > v2: merge compat handler into ioctl function to avoid the > compat_alloc_user_space() roundtrip, based on feedback > from Al Viro. > --- > drivers/rtc/dev.c | 13 +++++++++- > drivers/rtc/rtc-vr41xx.c | 10 ++++++++ > fs/compat_ioctl.c | 53 ---------------------------------------- > 3 files changed, 22 insertions(+), 54 deletions(-) > > diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c > index 84feb2565abd..1dc5063f78c9 100644 > --- a/drivers/rtc/dev.c > +++ b/drivers/rtc/dev.c > @@ -10,6 +10,7 @@ > > #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > +#include <linux/compat.h> > #include <linux/module.h> > #include <linux/rtc.h> > #include <linux/sched/signal.h> > @@ -357,10 +358,19 @@ static long rtc_dev_ioctl(struct file *file, > mutex_unlock(&rtc->ops_lock); > return rtc_update_irq_enable(rtc, 0); > > +#ifdef CONFIG_64BIT > +#define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) > +#define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) > + case RTC_IRQP_SET32: > + err = rtc_irq_set_freq(rtc, arg); > + break; > + case RTC_IRQP_READ32: > + err = put_user(rtc->irq_freq, (unsigned int __user *)uarg); > + break; > +#endif > case RTC_IRQP_SET: > err = rtc_irq_set_freq(rtc, arg); > break; > - > case RTC_IRQP_READ: > err = put_user(rtc->irq_freq, (unsigned long __user *)uarg); > break; > @@ -434,6 +444,7 @@ static const struct file_operations rtc_dev_fops = { > .read = rtc_dev_read, > .poll = rtc_dev_poll, > .unlocked_ioctl = rtc_dev_ioctl, > + .compat_ioctl = compat_ptr_ioctl, > .open = rtc_dev_open, > .release = rtc_dev_release, > .fasync = rtc_dev_fasync, > diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c > index c75230562c0d..79f27de545af 100644 > --- a/drivers/rtc/rtc-vr41xx.c > +++ b/drivers/rtc/rtc-vr41xx.c > @@ -4,6 +4,7 @@ > * > * Copyright (C) 2003-2008 Yoichi Yuasa <yuasa@linux-mips.org> > */ > +#include <linux/compat.h> > #include <linux/err.h> > #include <linux/fs.h> > #include <linux/init.h> > @@ -66,6 +67,10 @@ static void __iomem *rtc2_base; > #define rtc2_read(offset) readw(rtc2_base + (offset)) > #define rtc2_write(offset, value) writew((value), rtc2_base + (offset)) > > +/* 32-bit compat for ioctls that nobody else uses */ > +#define RTC_EPOCH_READ32 _IOR('p', 0x0d, __u32) > +#define RTC_EPOCH_SET32 _IOW('p', 0x0e, __u32) > + > static unsigned long epoch = 1970; /* Jan 1 1970 00:00:00 */ > > static DEFINE_SPINLOCK(rtc_lock); > @@ -179,6 +184,11 @@ static int vr41xx_rtc_ioctl(struct device *dev, unsigned int cmd, unsigned long > switch (cmd) { > case RTC_EPOCH_READ: > return put_user(epoch, (unsigned long __user *)arg); > +#ifdef CONFIG_64BIT > + case RTC_EPOCH_READ32: > + return put_user(epoch, (unsigned int __user *)arg); > + case RTC_EPOCH_SET32: > +#endif > case RTC_EPOCH_SET: > /* Doesn't support before 1900 */ > if (arg < 1900) > diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c > index cec3ec0a1727..47da220f95b1 100644 > --- a/fs/compat_ioctl.c > +++ b/fs/compat_ioctl.c > @@ -32,7 +32,6 @@ > #include <linux/vt_kern.h> > #include <linux/raw.h> > #include <linux/blkdev.h> > -#include <linux/rtc.h> > #include <linux/pci.h> > #include <linux/serial.h> > #include <linux/ctype.h> > @@ -436,37 +435,6 @@ static int mt_ioctl_trans(struct file *file, > #define HCIUARTSETFLAGS _IOW('U', 203, int) > #define HCIUARTGETFLAGS _IOR('U', 204, int) > > -#define RTC_IRQP_READ32 _IOR('p', 0x0b, compat_ulong_t) > -#define RTC_IRQP_SET32 _IOW('p', 0x0c, compat_ulong_t) > -#define RTC_EPOCH_READ32 _IOR('p', 0x0d, compat_ulong_t) > -#define RTC_EPOCH_SET32 _IOW('p', 0x0e, compat_ulong_t) > - > -static int rtc_ioctl(struct file *file, > - unsigned cmd, void __user *argp) > -{ > - unsigned long __user *valp = compat_alloc_user_space(sizeof(*valp)); > - int ret; > - > - if (valp == NULL) > - return -EFAULT; > - switch (cmd) { > - case RTC_IRQP_READ32: > - case RTC_EPOCH_READ32: > - ret = do_ioctl(file, (cmd == RTC_IRQP_READ32) ? > - RTC_IRQP_READ : RTC_EPOCH_READ, > - (unsigned long)valp); > - if (ret) > - return ret; > - return convert_in_user(valp, (unsigned int __user *)argp); > - case RTC_IRQP_SET32: > - return do_ioctl(file, RTC_IRQP_SET, (unsigned long)argp); > - case RTC_EPOCH_SET32: > - return do_ioctl(file, RTC_EPOCH_SET, (unsigned long)argp); > - } > - > - return -ENOIOCTLCMD; > -} > - > /* > * simple reversible transform to make our table more evenly > * distributed after sorting. > @@ -503,21 +471,6 @@ COMPATIBLE_IOCTL(SCSI_IOCTL_GET_PCI) > /* Big V (don't complain on serial console) */ > IGNORE_IOCTL(VT_OPENQRY) > IGNORE_IOCTL(VT_GETMODE) > -/* Little p (/dev/rtc, /dev/envctrl, etc.) */ > -COMPATIBLE_IOCTL(RTC_AIE_ON) > -COMPATIBLE_IOCTL(RTC_AIE_OFF) > -COMPATIBLE_IOCTL(RTC_UIE_ON) > -COMPATIBLE_IOCTL(RTC_UIE_OFF) > -COMPATIBLE_IOCTL(RTC_PIE_ON) > -COMPATIBLE_IOCTL(RTC_PIE_OFF) > -COMPATIBLE_IOCTL(RTC_WIE_ON) > -COMPATIBLE_IOCTL(RTC_WIE_OFF) > -COMPATIBLE_IOCTL(RTC_ALM_SET) > -COMPATIBLE_IOCTL(RTC_ALM_READ) > -COMPATIBLE_IOCTL(RTC_RD_TIME) > -COMPATIBLE_IOCTL(RTC_SET_TIME) > -COMPATIBLE_IOCTL(RTC_WKALM_SET) > -COMPATIBLE_IOCTL(RTC_WKALM_RD) > /* > * These two are only for the sbus rtc driver, but > * hwclock tries them on every rtc device first when > @@ -897,12 +850,6 @@ static long do_ioctl_trans(unsigned int cmd, > case MTIOCPOS32: > return mt_ioctl_trans(file, cmd, argp); > #endif > - /* Not implemented in the native kernel */ > - case RTC_IRQP_READ32: > - case RTC_IRQP_SET32: > - case RTC_EPOCH_READ32: > - case RTC_EPOCH_SET32: > - return rtc_ioctl(file, cmd, argp); > } > > /* > -- > 2.20.0 >
On Wed, Oct 9, 2019 at 9:25 PM Alexandre Belloni <alexandre.belloni@bootlin.com> wrote: > > If you ever have to resend, the file is now named rtc/dev.c so you could > adjust the subject. Ok, I fixed up my local copy. Arnd
On Wed, 2019-10-09 at 21:10 +0200, Arnd Bergmann wrote: > We no longer need the rtc compat handling to be in common code, now that > all drivers are either moved to the rtc-class framework, or (rarely) > exist in drivers/char for architectures without compat mode (m68k, > alpha and ia64, respectively). > > I checked the list of ioctl commands in drivers, and the ones that are > not already handled are all compatible, again with the one exception of > m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no > compat mode. > > Since the ioctl commands are either compatible or differ in both structure > and command code between 32-bit and 64-bit, we can merge the compat > handler into the native one and just implement the two common compat > commands (RTC_IRQP_READ, RTC_IRQP_SET) there. [...] I don't think this can work properly on s390, because some of them take integers and some take pointers. Ben.
On Thu, Oct 17, 2019 at 3:42 PM Ben Hutchings <ben.hutchings@codethink.co.uk> wrote: > > On Wed, 2019-10-09 at 21:10 +0200, Arnd Bergmann wrote: > > We no longer need the rtc compat handling to be in common code, now that > > all drivers are either moved to the rtc-class framework, or (rarely) > > exist in drivers/char for architectures without compat mode (m68k, > > alpha and ia64, respectively). > > > > I checked the list of ioctl commands in drivers, and the ones that are > > not already handled are all compatible, again with the one exception of > > m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no > > compat mode. > > > > Since the ioctl commands are either compatible or differ in both structure > > and command code between 32-bit and 64-bit, we can merge the compat > > handler into the native one and just implement the two common compat > > commands (RTC_IRQP_READ, RTC_IRQP_SET) there. > [...] > > I don't think this can work properly on s390, because some of them take > integers and some take pointers. Thanks a lot for taking a look at the patch and pointing this out! I don't remember how I got to this, either I missed the problem or I decided that it was ok, since it will still do the right thing: On s390 only the highest bit is cleared in a pointer value, and we ensure that the RTC_IRQP_SET argument is between 1 and 8192. Passing a value of (0x80000000 + n) where n is in the valid range would lead to the call succeeding unexpectedly on compat s390 (if it had an RTC, which it does not) which is clearly not good but mostly harmless. I certainly had not considered this case. However, looking at this again after your comment I found a rather more serious bug in my new RTC_IRQP_SET handling: Any 64-bit machine can now bypass the permission check for RTC_IRQP_SET by calling RTC_IRQP_SET32 instead. I'll fix it both issues by adding a rtc_compat_dev_ioctl() to handle RTC_IRQP_SET32/RTC_IRQP_READ32: diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c index 1dc5063f78c9..9e4fd5088ead 100644 --- a/drivers/rtc/dev.c +++ b/drivers/rtc/dev.c @@ -358,16 +358,6 @@ static long rtc_dev_ioctl(struct file *file, mutex_unlock(&rtc->ops_lock); return rtc_update_irq_enable(rtc, 0); -#ifdef CONFIG_64BIT -#define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) -#define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) - case RTC_IRQP_SET32: - err = rtc_irq_set_freq(rtc, arg); - break; - case RTC_IRQP_READ32: - err = put_user(rtc->irq_freq, (unsigned int __user *)uarg); - break; -#endif case RTC_IRQP_SET: err = rtc_irq_set_freq(rtc, arg); break; @@ -409,6 +399,29 @@ static long rtc_dev_ioctl(struct file *file, return err; } +#ifdef CONFIG_COMPAT +#define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) +#define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) + +static long rtc_dev_compat_ioctl(struct file *file, + unsigned int cmd, unsigned long arg) +{ + struct rtc_device *rtc = file->private_data; + void __user *uarg = compat_ptr(arg); + + switch (cmd) { + case RTC_IRQP_READ32: + return put_user(rtc->irq_freq, (__u32 __user *)uarg); + + case RTC_IRQP_SET32: + /* arg is a plain integer, not pointer */ + return rtc_dev_ioctl(file, RTC_IRQP_SET, arg); + } + + return rtc_dev_ioctl(file, cmd, (unsigned long)uarg); +} +#endif + static int rtc_dev_fasync(int fd, struct file *file, int on) { struct rtc_device *rtc = file->private_data; @@ -444,7 +457,7 @@ static const struct file_operations rtc_dev_fops = { .read = rtc_dev_read, .poll = rtc_dev_poll, .unlocked_ioctl = rtc_dev_ioctl, - .compat_ioctl = compat_ptr_ioctl, + .compat_ioctl = rtc_dev_compat_ioctl, .open = rtc_dev_open, .release = rtc_dev_release, .fasync = rtc_dev_fasync, If you and Alexandre are both happy with this version, I'll fold it into my original patch. Arnd
On Thu, 2019-10-17 at 16:33 +0200, Arnd Bergmann wrote: > On Thu, Oct 17, 2019 at 3:42 PM Ben Hutchings > <ben.hutchings@codethink.co.uk> wrote: > > On Wed, 2019-10-09 at 21:10 +0200, Arnd Bergmann wrote: > > > We no longer need the rtc compat handling to be in common code, now that > > > all drivers are either moved to the rtc-class framework, or (rarely) > > > exist in drivers/char for architectures without compat mode (m68k, > > > alpha and ia64, respectively). > > > > > > I checked the list of ioctl commands in drivers, and the ones that are > > > not already handled are all compatible, again with the one exception of > > > m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no > > > compat mode. > > > > > > Since the ioctl commands are either compatible or differ in both structure > > > and command code between 32-bit and 64-bit, we can merge the compat > > > handler into the native one and just implement the two common compat > > > commands (RTC_IRQP_READ, RTC_IRQP_SET) there. > > [...] > > > > I don't think this can work properly on s390, because some of them take > > integers and some take pointers. > > Thanks a lot for taking a look at the patch and pointing this out! > > I don't remember how I got to this, either I missed the problem or I > decided that it was ok, since it will still do the right thing: > On s390 only the highest bit is cleared in a pointer value, and we > ensure that the RTC_IRQP_SET argument is between 1 and 8192. > > Passing a value of (0x80000000 + n) where n is in the valid range > would lead to the call succeeding unexpectedly on compat s390 > (if it had an RTC, which it does not) which is clearly not good but > mostly harmless. I certainly had not considered this case. > > However, looking at this again after your comment I found a rather > more serious bug in my new RTC_IRQP_SET handling: Any 64-bit > machine can now bypass the permission check for RTC_IRQP_SET by > calling RTC_IRQP_SET32 instead. > > I'll fix it both issues by adding a rtc_compat_dev_ioctl() to handle > RTC_IRQP_SET32/RTC_IRQP_READ32: Reviewed-by: Ben Hutchings <ben.hutchings@codethink.co.uk> > diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c > index 1dc5063f78c9..9e4fd5088ead 100644 > --- a/drivers/rtc/dev.c > +++ b/drivers/rtc/dev.c > @@ -358,16 +358,6 @@ static long rtc_dev_ioctl(struct file *file, > mutex_unlock(&rtc->ops_lock); > return rtc_update_irq_enable(rtc, 0); > > -#ifdef CONFIG_64BIT > -#define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) > -#define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) > - case RTC_IRQP_SET32: > - err = rtc_irq_set_freq(rtc, arg); > - break; > - case RTC_IRQP_READ32: > - err = put_user(rtc->irq_freq, (unsigned int __user *)uarg); > - break; > -#endif > case RTC_IRQP_SET: > err = rtc_irq_set_freq(rtc, arg); > break; > @@ -409,6 +399,29 @@ static long rtc_dev_ioctl(struct file *file, > return err; > } > > +#ifdef CONFIG_COMPAT > +#define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) > +#define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) > + > +static long rtc_dev_compat_ioctl(struct file *file, > + unsigned int cmd, unsigned long arg) > +{ > + struct rtc_device *rtc = file->private_data; > + void __user *uarg = compat_ptr(arg); > + > + switch (cmd) { > + case RTC_IRQP_READ32: > + return put_user(rtc->irq_freq, (__u32 __user *)uarg); > + > + case RTC_IRQP_SET32: > + /* arg is a plain integer, not pointer */ > + return rtc_dev_ioctl(file, RTC_IRQP_SET, arg); > + } > + > + return rtc_dev_ioctl(file, cmd, (unsigned long)uarg); > +} > +#endif > + > static int rtc_dev_fasync(int fd, struct file *file, int on) > { > struct rtc_device *rtc = file->private_data; > @@ -444,7 +457,7 @@ static const struct file_operations rtc_dev_fops = { > .read = rtc_dev_read, > .poll = rtc_dev_poll, > .unlocked_ioctl = rtc_dev_ioctl, > - .compat_ioctl = compat_ptr_ioctl, > + .compat_ioctl = rtc_dev_compat_ioctl, > .open = rtc_dev_open, > .release = rtc_dev_release, > .fasync = rtc_dev_fasync, > > If you and Alexandre are both happy with this version, I'll fold it into > my original patch. > > Arnd >
On Thu, Oct 17, 2019 at 04:33:09PM +0200, Arnd Bergmann wrote: > However, looking at this again after your comment I found a rather > more serious bug in my new RTC_IRQP_SET handling: Any 64-bit > machine can now bypass the permission check for RTC_IRQP_SET by > calling RTC_IRQP_SET32 instead. You've lost the check on RTC_EPOCH_SET as well. Another potential issue is drivers/input/misc/hp_sdc_rtc.c, provided that the hardware in question might possibly exist on hppa64 boxen - CONFIG_GSC defaults to y and it's not 32bit-only, so that thing is at least selectable on 64bit kernels.
On Tue, Oct 22, 2019 at 6:30 AM Al Viro <viro@zeniv.linux.org.uk> wrote: > > On Thu, Oct 17, 2019 at 04:33:09PM +0200, Arnd Bergmann wrote: > > > However, looking at this again after your comment I found a rather > > more serious bug in my new RTC_IRQP_SET handling: Any 64-bit > > machine can now bypass the permission check for RTC_IRQP_SET by > > calling RTC_IRQP_SET32 instead. > > You've lost the check on RTC_EPOCH_SET as well. Right, originally my plan was to keep the epoch handling local to rtc-vr41xx.c as explained in the patch description. The driver is specific to a particular very obsolete MIPS machine that was apparently only ever used with 32-bit kernels. I guess it can't hurt to treat it the same as RTC_IRQP_SET32 if you prefer. Folding in this change now and adapting the changelog text: --- a/drivers/rtc/dev.c +++ b/drivers/rtc/dev.c @@ -402,6 +402,7 @@ static long rtc_dev_ioctl(struct file *file, #ifdef CONFIG_COMPAT #define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) #define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) +#define RTC_EPOCH_SET32 _IOW('p', 0x0e, __u32) static long rtc_dev_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) @@ -416,6 +417,10 @@ static long rtc_dev_compat_ioctl(struct file *file, case RTC_IRQP_SET32: /* arg is a plain integer, not pointer */ return rtc_dev_ioctl(file, RTC_IRQP_SET, arg); + + case RTC_EPOCH_SET32: + /* arg is a plain integer, not pointer */ + return rtc_dev_ioctl(file, RTC_EPOCH_SET, arg); } return rtc_dev_ioctl(file, cmd, (unsigned long)uarg); diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c index 79f27de545af..c3671043ace7 100644 --- a/drivers/rtc/rtc-vr41xx.c +++ b/drivers/rtc/rtc-vr41xx.c @@ -69,7 +69,6 @@ static void __iomem *rtc2_base; /* 32-bit compat for ioctls that nobody else uses */ #define RTC_EPOCH_READ32 _IOR('p', 0x0d, __u32) -#define RTC_EPOCH_SET32 _IOW('p', 0x0e, __u32) static unsigned long epoch = 1970; /* Jan 1 1970 00:00:00 */ @@ -187,7 +186,6 @@ static int vr41xx_rtc_ioctl(struct device *dev, unsigned int cmd, unsigned long #ifdef CONFIG_64BIT case RTC_EPOCH_READ32: return put_user(epoch, (unsigned int __user *)arg); - case RTC_EPOCH_SET32: #endif case RTC_EPOCH_SET: /* Doesn't support before 1900 */ > Another potential issue is drivers/input/misc/hp_sdc_rtc.c, > provided that the hardware in question might possibly exist > on hppa64 boxen - CONFIG_GSC defaults to y and it's not > 32bit-only, so that thing is at least selectable on 64bit > kernels. I decided long ago not to care: that code has never compiled after it was originally merged into the kernel in 2005: static int hp_sdc_rtc_ioctl(struct inode *inode, struct file *file, unsigned int cmd, unsigned long arg) { #if 1 return -EINVAL; #else ... RTC_IRQP_SET, RTC_EPOCH_SET, ... ... #endif } I don't see any chance that this code is revived. If anyone wanted to make it work, the right approach would be to use the rtc framework and rewrite the code first. I could send a patch to remove the dead code though if that helps. Arnd
On 22/10/2019 14:14:21+0200, Arnd Bergmann wrote: > On Tue, Oct 22, 2019 at 6:30 AM Al Viro <viro@zeniv.linux.org.uk> wrote: > > > > On Thu, Oct 17, 2019 at 04:33:09PM +0200, Arnd Bergmann wrote: > > > > > However, looking at this again after your comment I found a rather > > > more serious bug in my new RTC_IRQP_SET handling: Any 64-bit > > > machine can now bypass the permission check for RTC_IRQP_SET by > > > calling RTC_IRQP_SET32 instead. > > > > You've lost the check on RTC_EPOCH_SET as well. > > Right, originally my plan was to keep the epoch handling local to > rtc-vr41xx.c as explained in the patch description. The driver is > specific to a particular very obsolete MIPS machine that was > apparently only ever used with 32-bit kernels. > > I guess it can't hurt to treat it the same as RTC_IRQP_SET32 > if you prefer. Folding in this change now and adapting the > changelog text: > > --- a/drivers/rtc/dev.c > +++ b/drivers/rtc/dev.c > @@ -402,6 +402,7 @@ static long rtc_dev_ioctl(struct file *file, > #ifdef CONFIG_COMPAT > #define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) > #define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) > +#define RTC_EPOCH_SET32 _IOW('p', 0x0e, __u32) > > static long rtc_dev_compat_ioctl(struct file *file, > unsigned int cmd, unsigned long arg) > @@ -416,6 +417,10 @@ static long rtc_dev_compat_ioctl(struct file *file, > case RTC_IRQP_SET32: > /* arg is a plain integer, not pointer */ > return rtc_dev_ioctl(file, RTC_IRQP_SET, arg); > + > + case RTC_EPOCH_SET32: > + /* arg is a plain integer, not pointer */ > + return rtc_dev_ioctl(file, RTC_EPOCH_SET, arg); > } > > return rtc_dev_ioctl(file, cmd, (unsigned long)uarg); > diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c > index 79f27de545af..c3671043ace7 100644 > --- a/drivers/rtc/rtc-vr41xx.c > +++ b/drivers/rtc/rtc-vr41xx.c > @@ -69,7 +69,6 @@ static void __iomem *rtc2_base; > > /* 32-bit compat for ioctls that nobody else uses */ > #define RTC_EPOCH_READ32 _IOR('p', 0x0d, __u32) > -#define RTC_EPOCH_SET32 _IOW('p', 0x0e, __u32) > > static unsigned long epoch = 1970; /* Jan 1 1970 00:00:00 */ > > @@ -187,7 +186,6 @@ static int vr41xx_rtc_ioctl(struct device *dev, > unsigned int cmd, unsigned long > #ifdef CONFIG_64BIT > case RTC_EPOCH_READ32: > return put_user(epoch, (unsigned int __user *)arg); > - case RTC_EPOCH_SET32: > #endif > case RTC_EPOCH_SET: > /* Doesn't support before 1900 */ > > > Another potential issue is drivers/input/misc/hp_sdc_rtc.c, > > provided that the hardware in question might possibly exist > > on hppa64 boxen - CONFIG_GSC defaults to y and it's not > > 32bit-only, so that thing is at least selectable on 64bit > > kernels. > > I decided long ago not to care: that code has never compiled after > it was originally merged into the kernel in 2005: > > static int hp_sdc_rtc_ioctl(struct inode *inode, struct file *file, > unsigned int cmd, unsigned long arg) > { > #if 1 > return -EINVAL; > #else > ... > RTC_IRQP_SET, RTC_EPOCH_SET, ... > ... > #endif > } > > I don't see any chance that this code is revived. If anyone wanted to > make it work, the right approach would be to use the rtc framework > and rewrite the code first. > > I could send a patch to remove the dead code though if that helps. > Please do. IIUC, this doesn't affect arch/alpha/kernel/rtc.c because alpha has always been 64bit.
On 17/10/2019 16:33:09+0200, Arnd Bergmann wrote: > On Thu, Oct 17, 2019 at 3:42 PM Ben Hutchings > <ben.hutchings@codethink.co.uk> wrote: > > > > On Wed, 2019-10-09 at 21:10 +0200, Arnd Bergmann wrote: > > > We no longer need the rtc compat handling to be in common code, now that > > > all drivers are either moved to the rtc-class framework, or (rarely) > > > exist in drivers/char for architectures without compat mode (m68k, > > > alpha and ia64, respectively). > > > > > > I checked the list of ioctl commands in drivers, and the ones that are > > > not already handled are all compatible, again with the one exception of > > > m68k driver, which implements RTC_PLL_GET and RTC_PLL_SET, but has no > > > compat mode. > > > > > > Since the ioctl commands are either compatible or differ in both structure > > > and command code between 32-bit and 64-bit, we can merge the compat > > > handler into the native one and just implement the two common compat > > > commands (RTC_IRQP_READ, RTC_IRQP_SET) there. > > [...] > > > > I don't think this can work properly on s390, because some of them take > > integers and some take pointers. > > Thanks a lot for taking a look at the patch and pointing this out! > > I don't remember how I got to this, either I missed the problem or I > decided that it was ok, since it will still do the right thing: > On s390 only the highest bit is cleared in a pointer value, and we > ensure that the RTC_IRQP_SET argument is between 1 and 8192. > > Passing a value of (0x80000000 + n) where n is in the valid range > would lead to the call succeeding unexpectedly on compat s390 > (if it had an RTC, which it does not) which is clearly not good but > mostly harmless. I certainly had not considered this case. > > However, looking at this again after your comment I found a rather > more serious bug in my new RTC_IRQP_SET handling: Any 64-bit > machine can now bypass the permission check for RTC_IRQP_SET by > calling RTC_IRQP_SET32 instead. > > I'll fix it both issues by adding a rtc_compat_dev_ioctl() to handle > RTC_IRQP_SET32/RTC_IRQP_READ32: > > diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c > index 1dc5063f78c9..9e4fd5088ead 100644 > --- a/drivers/rtc/dev.c > +++ b/drivers/rtc/dev.c > @@ -358,16 +358,6 @@ static long rtc_dev_ioctl(struct file *file, > mutex_unlock(&rtc->ops_lock); > return rtc_update_irq_enable(rtc, 0); > > -#ifdef CONFIG_64BIT > -#define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) > -#define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) > - case RTC_IRQP_SET32: > - err = rtc_irq_set_freq(rtc, arg); > - break; > - case RTC_IRQP_READ32: > - err = put_user(rtc->irq_freq, (unsigned int __user *)uarg); > - break; > -#endif > case RTC_IRQP_SET: > err = rtc_irq_set_freq(rtc, arg); > break; > @@ -409,6 +399,29 @@ static long rtc_dev_ioctl(struct file *file, > return err; > } > > +#ifdef CONFIG_COMPAT > +#define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) > +#define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) > + > +static long rtc_dev_compat_ioctl(struct file *file, > + unsigned int cmd, unsigned long arg) > +{ > + struct rtc_device *rtc = file->private_data; > + void __user *uarg = compat_ptr(arg); > + > + switch (cmd) { > + case RTC_IRQP_READ32: > + return put_user(rtc->irq_freq, (__u32 __user *)uarg); > + > + case RTC_IRQP_SET32: > + /* arg is a plain integer, not pointer */ > + return rtc_dev_ioctl(file, RTC_IRQP_SET, arg); > + } > + > + return rtc_dev_ioctl(file, cmd, (unsigned long)uarg); > +} > +#endif > + > static int rtc_dev_fasync(int fd, struct file *file, int on) > { > struct rtc_device *rtc = file->private_data; > @@ -444,7 +457,7 @@ static const struct file_operations rtc_dev_fops = { > .read = rtc_dev_read, > .poll = rtc_dev_poll, > .unlocked_ioctl = rtc_dev_ioctl, > - .compat_ioctl = compat_ptr_ioctl, > + .compat_ioctl = rtc_dev_compat_ioctl, > .open = rtc_dev_open, > .release = rtc_dev_release, > .fasync = rtc_dev_fasync, > > If you and Alexandre are both happy with this version, I'll fold it into > my original patch. > I'm OK with that version
On Wed, Oct 23, 2019 at 12:29 PM Alexandre Belloni <alexandre.belloni@bootlin.com> wrote: > On 22/10/2019 14:14:21+0200, Arnd Bergmann wrote: > > On Tue, Oct 22, 2019 at 6:30 AM Al Viro <viro@zeniv.linux.org.uk> wrote: > > > > I don't see any chance that this code is revived. If anyone wanted to > > make it work, the right approach would be to use the rtc framework > > and rewrite the code first. > > > > I could send a patch to remove the dead code though if that helps. > > > > Please do. Ok, done. Speaking of removing rtc drivers, should we just kill off drivers/char/rtc.c and drivers/char/efirtc.c as well? I don't remember why we left them in the tree, but I'm fairly sure they are not actually needed. Arnd
On 23/10/2019 16:28:40+0200, Arnd Bergmann wrote: > On Wed, Oct 23, 2019 at 12:29 PM Alexandre Belloni > <alexandre.belloni@bootlin.com> wrote: > > On 22/10/2019 14:14:21+0200, Arnd Bergmann wrote: > > > On Tue, Oct 22, 2019 at 6:30 AM Al Viro <viro@zeniv.linux.org.uk> wrote: > > > > > > I don't see any chance that this code is revived. If anyone wanted to > > > make it work, the right approach would be to use the rtc framework > > > and rewrite the code first. > > > > > > I could send a patch to remove the dead code though if that helps. > > > > > > > Please do. > > Ok, done. Speaking of removing rtc drivers, should we just kill off > drivers/char/rtc.c and drivers/char/efirtc.c as well? I don't remember > why we left them in the tree, but I'm fairly sure they are not actually > needed. > https://lore.kernel.org/lkml/CAK8P3a0QZNY+K+V1HG056xCerz=_L2jh5UfZ+2LWkDqkw5Zznw@mail.gmail.com/ That's how we left it ;)
On Wed, Oct 23, 2019 at 4:34 PM Alexandre Belloni <alexandre.belloni@bootlin.com> wrote: > On 23/10/2019 16:28:40+0200, Arnd Bergmann wrote: > > Ok, done. Speaking of removing rtc drivers, should we just kill off > > drivers/char/rtc.c and drivers/char/efirtc.c as well? I don't remember > > why we left them in the tree, but I'm fairly sure they are not actually > > needed. > > > > https://lore.kernel.org/lkml/CAK8P3a0QZNY+K+V1HG056xCerz=_L2jh5UfZ+2LWkDqkw5Zznw@mail.gmail.com/ > > That's how we left it ;) Right, that is roughly what I remembered. Sending a patch to remove them now, let's see if anyone cares. Arnd
diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c index 84feb2565abd..1dc5063f78c9 100644 --- a/drivers/rtc/dev.c +++ b/drivers/rtc/dev.c @@ -10,6 +10,7 @@ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt +#include <linux/compat.h> #include <linux/module.h> #include <linux/rtc.h> #include <linux/sched/signal.h> @@ -357,10 +358,19 @@ static long rtc_dev_ioctl(struct file *file, mutex_unlock(&rtc->ops_lock); return rtc_update_irq_enable(rtc, 0); +#ifdef CONFIG_64BIT +#define RTC_IRQP_SET32 _IOW('p', 0x0c, __u32) +#define RTC_IRQP_READ32 _IOR('p', 0x0b, __u32) + case RTC_IRQP_SET32: + err = rtc_irq_set_freq(rtc, arg); + break; + case RTC_IRQP_READ32: + err = put_user(rtc->irq_freq, (unsigned int __user *)uarg); + break; +#endif case RTC_IRQP_SET: err = rtc_irq_set_freq(rtc, arg); break; - case RTC_IRQP_READ: err = put_user(rtc->irq_freq, (unsigned long __user *)uarg); break; @@ -434,6 +444,7 @@ static const struct file_operations rtc_dev_fops = { .read = rtc_dev_read, .poll = rtc_dev_poll, .unlocked_ioctl = rtc_dev_ioctl, + .compat_ioctl = compat_ptr_ioctl, .open = rtc_dev_open, .release = rtc_dev_release, .fasync = rtc_dev_fasync, diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c index c75230562c0d..79f27de545af 100644 --- a/drivers/rtc/rtc-vr41xx.c +++ b/drivers/rtc/rtc-vr41xx.c @@ -4,6 +4,7 @@ * * Copyright (C) 2003-2008 Yoichi Yuasa <yuasa@linux-mips.org> */ +#include <linux/compat.h> #include <linux/err.h> #include <linux/fs.h> #include <linux/init.h> @@ -66,6 +67,10 @@ static void __iomem *rtc2_base; #define rtc2_read(offset) readw(rtc2_base + (offset)) #define rtc2_write(offset, value) writew((value), rtc2_base + (offset)) +/* 32-bit compat for ioctls that nobody else uses */ +#define RTC_EPOCH_READ32 _IOR('p', 0x0d, __u32) +#define RTC_EPOCH_SET32 _IOW('p', 0x0e, __u32) + static unsigned long epoch = 1970; /* Jan 1 1970 00:00:00 */ static DEFINE_SPINLOCK(rtc_lock); @@ -179,6 +184,11 @@ static int vr41xx_rtc_ioctl(struct device *dev, unsigned int cmd, unsigned long switch (cmd) { case RTC_EPOCH_READ: return put_user(epoch, (unsigned long __user *)arg); +#ifdef CONFIG_64BIT + case RTC_EPOCH_READ32: + return put_user(epoch, (unsigned int __user *)arg); + case RTC_EPOCH_SET32: +#endif case RTC_EPOCH_SET: /* Doesn't support before 1900 */ if (arg < 1900) diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c index cec3ec0a1727..47da220f95b1 100644 --- a/fs/compat_ioctl.c +++ b/fs/compat_ioctl.c @@ -32,7 +32,6 @@ #include <linux/vt_kern.h> #include <linux/raw.h> #include <linux/blkdev.h> -#include <linux/rtc.h> #include <linux/pci.h> #include <linux/serial.h> #include <linux/ctype.h> @@ -436,37 +435,6 @@ static int mt_ioctl_trans(struct file *file, #define HCIUARTSETFLAGS _IOW('U', 203, int) #define HCIUARTGETFLAGS _IOR('U', 204, int) -#define RTC_IRQP_READ32 _IOR('p', 0x0b, compat_ulong_t) -#define RTC_IRQP_SET32 _IOW('p', 0x0c, compat_ulong_t) -#define RTC_EPOCH_READ32 _IOR('p', 0x0d, compat_ulong_t) -#define RTC_EPOCH_SET32 _IOW('p', 0x0e, compat_ulong_t) - -static int rtc_ioctl(struct file *file, - unsigned cmd, void __user *argp) -{ - unsigned long __user *valp = compat_alloc_user_space(sizeof(*valp)); - int ret; - - if (valp == NULL) - return -EFAULT; - switch (cmd) { - case RTC_IRQP_READ32: - case RTC_EPOCH_READ32: - ret = do_ioctl(file, (cmd == RTC_IRQP_READ32) ? - RTC_IRQP_READ : RTC_EPOCH_READ, - (unsigned long)valp); - if (ret) - return ret; - return convert_in_user(valp, (unsigned int __user *)argp); - case RTC_IRQP_SET32: - return do_ioctl(file, RTC_IRQP_SET, (unsigned long)argp); - case RTC_EPOCH_SET32: - return do_ioctl(file, RTC_EPOCH_SET, (unsigned long)argp); - } - - return -ENOIOCTLCMD; -} - /* * simple reversible transform to make our table more evenly * distributed after sorting. @@ -503,21 +471,6 @@ COMPATIBLE_IOCTL(SCSI_IOCTL_GET_PCI) /* Big V (don't complain on serial console) */ IGNORE_IOCTL(VT_OPENQRY) IGNORE_IOCTL(VT_GETMODE) -/* Little p (/dev/rtc, /dev/envctrl, etc.) */ -COMPATIBLE_IOCTL(RTC_AIE_ON) -COMPATIBLE_IOCTL(RTC_AIE_OFF) -COMPATIBLE_IOCTL(RTC_UIE_ON) -COMPATIBLE_IOCTL(RTC_UIE_OFF) -COMPATIBLE_IOCTL(RTC_PIE_ON) -COMPATIBLE_IOCTL(RTC_PIE_OFF) -COMPATIBLE_IOCTL(RTC_WIE_ON) -COMPATIBLE_IOCTL(RTC_WIE_OFF) -COMPATIBLE_IOCTL(RTC_ALM_SET) -COMPATIBLE_IOCTL(RTC_ALM_READ) -COMPATIBLE_IOCTL(RTC_RD_TIME) -COMPATIBLE_IOCTL(RTC_SET_TIME) -COMPATIBLE_IOCTL(RTC_WKALM_SET) -COMPATIBLE_IOCTL(RTC_WKALM_RD) /* * These two are only for the sbus rtc driver, but * hwclock tries them on every rtc device first when @@ -897,12 +850,6 @@ static long do_ioctl_trans(unsigned int cmd, case MTIOCPOS32: return mt_ioctl_trans(file, cmd, argp); #endif - /* Not implemented in the native kernel */ - case RTC_IRQP_READ32: - case RTC_IRQP_SET32: - case RTC_EPOCH_READ32: - case RTC_EPOCH_SET32: - return rtc_ioctl(file, cmd, argp); } /*