All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Aaron Tomlin" <atomlin@atomlin.com>
Cc: linux-modules@vger.kernel.org
Subject: Re: [PATCH v5 1/2] module: Extend module_blacklist parameter to built-in modules
Date: Sat, 18 Jul 2026 05:33:20 +0000	[thread overview]
Message-ID: <20260718053320.92B7B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260718051350.344772-2-atomlin@atomlin.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] A fatal modpost section mismatch warning occurs when CONFIG_MODULES=y because a non-__init function references an __init function.
- [High] An unsynchronized TOCTOU race condition in `do_one_initcall()` allows concurrent loadable module initialization to execute freed `__init` memory and access freed `__initdata`.
- [High] The temporal check `system_state < SYSTEM_FREEING_INITMEM` is vulnerable to Spectre v1 branch misprediction, leading to speculative execution of freed `__init` code and speculative reading of freed `__initdata`.
--

--- Patch [1]: [PATCH v5 1/2] module: Extend module_blacklist parameter to built-in modules ---
commit befcdb365a33b92bbd551da11437b39b818bdea2
Author: Aaron Tomlin <atomlin@atomlin.com>
Subject: module: Extend module_blacklist parameter to built-in modules

This patch extends the module_blacklist command-line parameter to apply to
built-in modules by checking an .initcall.modnames table during early boot.
It moves the blacklisting logic to init/main.c and intercepts initcalls in
do_one_initcall().

> diff --git a/init/main.c b/init/main.c
> --- a/init/main.c
> +++ b/init/main.c
[ ... ]
> @@ -1365,12 +1365,58 @@ static const char *__init get_builtin_modname(initcall_t fn)
>  {
>  	struct initcall_modname *p;
>  
>  	for (p = __start_initcall_modnames; p < __stop_initcall_modnames; p++) {
>  		if (dereference_function_descriptor(p->initcall_fn) ==
>  		    dereference_function_descriptor(fn))
>  			return p->modname;
>  	}
>  	return NULL;
>  }
>  
>  int __init_or_module do_one_initcall(initcall_t fn)
>  {
>  	int count = preempt_count();
>  	char msgbuf[64];
> +	const char *modname = NULL;
>  	int ret;
>  
> +	if (system_state < SYSTEM_FREEING_INITMEM && module_blacklist) {

[Severity: High]
Can this unsynchronized system_state check race with concurrent module loading?

If a driver or subsystem schedules an asynchronous task that triggers
request_module(), a worker thread could evaluate this system_state check as
true. Concurrently, another CPU could advance the state and execute
free_initmem(), unmapping and freeing all .init.text and .init.data pages.

If this happens, the worker thread would then call get_builtin_modname(),
executing freed .init.text instructions and scanning the freed
.initcall.modnames array.


[Severity: High]
Is this temporal check vulnerable to Spectre v1 branch misprediction?

During early boot, do_one_initcall() is heavily executed for built-in
modules, training the CPU branch predictor to predict this condition as
true. At runtime (system_state == SYSTEM_RUNNING), an unprivileged user
triggering a module load might cause the CPU to speculatively mispredict
the branch as true.

If the branch is mispredicted, the CPU would speculatively execute a direct
call to the freed .init.text section in get_builtin_modname(), potentially
creating an arbitrary speculative execution gadget if an attacker has
reallocated that memory.

> +		modname = get_builtin_modname(fn);

[Severity: High]
Does this introduce a modpost section mismatch warning when CONFIG_MODULES=y?

When module support is enabled, __init_or_module evaluates to an empty macro,
placing do_one_initcall() in the persistent .text section. Because it
directly calls get_builtin_modname(), which is annotated with __init, modpost
will statically flag this cross-section reference since it doesn't perform
control flow analysis to evaluate the runtime system_state guard.

> +		if (modname && module_is_blacklisted(modname)) {
> +			pr_info("Skipping initcall for blacklisted built-in module %s\n",
> +				modname);
> +			return 0;
> +		}
> +	}
> +
>  	if (initcall_blacklisted(fn))
>  		return -EPERM;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260718051350.344772-1-atomlin@atomlin.com?part=1

  reply	other threads:[~2026-07-18  5:33 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-18  5:13 [PATCH v5 0/2] module: Extend blacklist parameter to support built-in modules Aaron Tomlin
2026-07-18  5:13 ` [PATCH v5 1/2] module: Extend module_blacklist parameter to " Aaron Tomlin
2026-07-18  5:33   ` sashiko-bot [this message]
2026-07-18 14:26   ` Aaron Tomlin
2026-07-18  5:13 ` [PATCH v5 2/2] module: Rename module_blacklist to module_denylist Aaron Tomlin
2026-07-18  5:25   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260718053320.92B7B1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=atomlin@atomlin.com \
    --cc=linux-modules@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.