From: sashiko-bot@kernel.org
To: "Aaron Tomlin" <atomlin@atomlin.com>
Cc: linux-modules@vger.kernel.org
Subject: Re: [PATCH v3] module: Extend module_blacklist parameter to built-in modules
Date: Mon, 06 Jul 2026 05:16:25 +0000 [thread overview]
Message-ID: <20260706051625.E690F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260706050337.7613-1-atomlin@atomlin.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Iterating the `.initcall.modnames` array locklessly in `initcall_get_modname()` races with `free_initmem()`, causing a Use-After-Free for concurrently loaded modules.
- [High] The built-in module blacklisting functionality is completely disabled when CONFIG_MODULES=n.
--
commit aca1118f7ac6c8d2b798e7bb31a70a4f01638aee
Author: Aaron Tomlin <atomlin@atomlin.com>
Subject: module: Extend module_blacklist parameter to built-in modules
This patch extends the module_blacklist command-line parameter to apply
to built-in modules by checking them during early boot. It introduces a
new memory section to map initcalls to module names, allowing the kernel
to skip the initcall if the module name is present in the blacklist.
> diff --git a/include/linux/module.h b/include/linux/module.h
> index 7566815fabbe8..b9b0dc419aeeb 100644
> --- a/include/linux/module.h
> +++ b/include/linux/module.h
[ ... ]
> @@ -756,6 +756,15 @@ void *dereference_module_function_descriptor(struct module *mod, void *ptr);
> int register_module_notifier(struct notifier_block *nb);
> int unregister_module_notifier(struct notifier_block *nb);
>
> +#ifdef CONFIG_MODULES
> +extern bool module_is_blacklisted(const char *module_name);
> +#else
> +static inline bool module_is_blacklisted(const char *module_name)
> +{
> + return false;
> +}
> +#endif
[Severity: High]
Does this defeat the purpose of blacklisting built-in modules on kernels
built without loadable module support?
If a kernel is built with CONFIG_MODULES=n, the command-line parsing and
state variable in kernel/module/main.c are not compiled. This stub will then
unconditionally return false, meaning the module_blacklist parameter will be
silently ignored for built-in modules on non-modular kernels.
[ ... ]
> diff --git a/init/main.c b/init/main.c
> index 96f93bb06c490..893b20ddcf658 100644
> --- a/init/main.c
> +++ b/init/main.c
[ ... ]
> @@ -1379,12 +1379,39 @@ static inline void do_trace_initcall_level(const char *level)
> }
> #endif /* !TRACEPOINTS_ENABLED */
>
> +extern struct initcall_modname __start_initcall_modnames[];
> +extern struct initcall_modname __stop_initcall_modnames[];
> +
> +static bool initmem_freed __ro_after_init = false;
> +
> +static const char *initcall_get_modname(initcall_t fn)
> +{
> + struct initcall_modname *p;
> +
> + if (initmem_freed)
> + return NULL;
> +
> + for (p = __start_initcall_modnames; p < __stop_initcall_modnames; p++) {
> + if (p->initcall_fn == fn)
> + return p->modname;
> + }
[Severity: High]
Can this race with free_initmem() and cause a use-after-free if a module
is loaded concurrently?
In kernel_init(), free_initmem() is called just before setting initmem_freed
to true:
kernel_init()
free_initmem();
initmem_freed = true;
At this point in the boot sequence, the rootfs is mounted and user-mode
helpers are enabled. If a hardware interrupt triggers request_module()
concurrently, modprobe could execute and invoke the init_module syscall.
When do_init_module() calls do_one_initcall(), it would end up in
initcall_get_modname(). Since initmem_freed is still false, it would
locklessly scan the .initcall.modnames section while it is actively being
freed by free_initmem().
[ ... ]
> @@ -1600,6 +1627,7 @@ static int __ref kernel_init(void *unused)
> kgdb_free_init_mem();
> exit_boot_config();
> free_initmem();
> + initmem_freed = true;
> mark_readonly();
>
> /*
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260706050337.7613-1-atomlin@atomlin.com?part=1
next prev parent reply other threads:[~2026-07-06 5:16 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 5:03 [PATCH v3] module: Extend module_blacklist parameter to built-in modules Aaron Tomlin
2026-07-06 5:16 ` sashiko-bot [this message]
2026-07-07 19:38 ` Aaron Tomlin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260706051625.E690F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=atomlin@atomlin.com \
--cc=linux-modules@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.