[PATCH 0/2] Restrict module namespace to in-tree modules and rename macro

[PATCH 0/2] Restrict module namespace to in-tree modules and rename macro

[Vlastimil Babka]

Christian asked [1] for EXPORT_SYMBOL_FOR_MODULES() without the _GPL_
part to avoid controversy converting selected existing EXPORT_SYMBOL().
Christoph argued [2] that the _FOR_MODULES() export is intended for
in-tree modules and thus GPL is implied anyway and can be simply dropped
from the export macro name. Peter agreed [3] about the intention for
in-tree modules only, although nothing currently enforces it.

It seems straightforward to add this enforcement, so patch 1 does that.
Patch 2 then drops the _GPL_ from the name and so we're left with
EXPORT_SYMBOL_FOR_MODULES() restricted to in-tree modules only.

Current -next has some new instances of EXPORT_SYMBOL_GPL_FOR_MODULES()
in drivers/tty/serial/8250/8250_rsa.c by commit b20d6576cdb3 ("serial:
8250: export RSA functions"). Hopefully it's resolvable by a merge
commit fixup and we don't need to provide a temporary alias.

[1] https://lore.kernel.org/all/20250623-warmwasser-giftig-ff656fce89ad@brauner/
[2] https://lore.kernel.org/all/aFleJN_fE-RbSoFD@infradead.org/
[3] https://lore.kernel.org/all/20250623142836.GT1613200@noisy.programming.kicks-ass.net/

Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
---
Vlastimil Babka (2):
      module: Restrict module namespace access to in-tree modules
      module: Rename EXPORT_SYMBOL_GPL_FOR_MODULES to EXPORT_SYMBOL_FOR_MODULES

 Documentation/core-api/symbol-namespaces.rst | 11 ++++++-----
 fs/anon_inodes.c                             |  2 +-
 include/linux/export.h                       |  2 +-
 kernel/module/main.c                         |  3 ++-
 scripts/mod/modpost.c                        |  6 +++++-
 5 files changed, 15 insertions(+), 9 deletions(-)
---
base-commit: d7b8f8e20813f0179d8ef519541a3527e7661d3a
change-id: 20250708-export_modules-12908fa41006

Best regards,
-- 
Vlastimil Babka <vbabka@suse.cz>

[PATCH 1/2] module: Restrict module namespace access to in-tree modules

[Vlastimil Babka]

The module namespace support has been introduced to allow restricting
exports to specific modules only, and intended for in-tree modules such
as kvm. Make this intention explicit by disallowing out of tree modules
both for the module loader and modpost.

Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
---
 Documentation/core-api/symbol-namespaces.rst | 5 +++--
 kernel/module/main.c                         | 3 ++-
 scripts/mod/modpost.c                        | 6 +++++-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst
index 32fc73dc5529e8844c2ce2580987155bcd13cd09..dc228ac738a5cdc49cc736c29170ca96df6a28dc 100644
--- a/Documentation/core-api/symbol-namespaces.rst
+++ b/Documentation/core-api/symbol-namespaces.rst
@@ -83,13 +83,14 @@ Symbols exported using this macro are put into a module namespace. This
 namespace cannot be imported.
 
 The macro takes a comma separated list of module names, allowing only those
-modules to access this symbol. Simple tail-globs are supported.
+modules to access this symbol. The access is restricted to in-tree modules.
+Simple tail-globs are supported.
 
 For example::
 
   EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
 
-will limit usage of this symbol to modules whoes name matches the given
+will limit usage of this symbol to in-tree modules whoes name matches the given
 patterns.
 
 How to use Symbols exported in Namespaces
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 413ac6ea37021bc8ae260f624ca2745ed85333fc..ec7d8daa0347e3b65713396d6b6d14c2cb0270d3 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -1157,7 +1157,8 @@ static int verify_namespace_is_imported(const struct load_info *info,
 	namespace = kernel_symbol_namespace(sym);
 	if (namespace && namespace[0]) {
 
-		if (verify_module_namespace(namespace, mod->name))
+		if (get_modinfo(info, "intree") &&
+		    verify_module_namespace(namespace, mod->name))
 			return 0;
 
 		for_each_modinfo_entry(imported_namespace, info, "import_ns") {
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 5ca7c268294ebb65acb0ba52a671eddca9279c61..d78be9834ed75f4b6ddb9af02a300a9bcc9234cc 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -1695,7 +1695,8 @@ void buf_write(struct buffer *buf, const char *s, int len)
  * @modname: module name
  *
  * If @namespace is prefixed with "module:" to indicate it is a module namespace
- * then test if @modname matches any of the comma separated patterns.
+ * then test if @modname matches any of the comma separated patterns. Access to
+ * module namespaces is restricted to in-tree modules only.
  *
  * The patterns only support tail-glob.
  */
@@ -1706,6 +1707,9 @@ static bool verify_module_namespace(const char *namespace, const char *modname)
 	const char *sep;
 	bool glob;
 
+	if (external_module)
+		return false;
+
 	if (!strstarts(namespace, prefix))
 		return false;
 

-- 
2.50.0

[PATCH 2/2] module: Rename EXPORT_SYMBOL_GPL_FOR_MODULES to EXPORT_SYMBOL_FOR_MODULES

[Vlastimil Babka]

With module namespace access restricted to in-tree modules, the GPL
requirement becomes implied. Drop it from the name of the export helper.

Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
---
 Documentation/core-api/symbol-namespaces.rst | 6 +++---
 fs/anon_inodes.c                             | 2 +-
 include/linux/export.h                       | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst
index dc228ac738a5cdc49cc736c29170ca96df6a28dc..aafbc0469cd6a4b76225e0e96a86025de512008e 100644
--- a/Documentation/core-api/symbol-namespaces.rst
+++ b/Documentation/core-api/symbol-namespaces.rst
@@ -76,8 +76,8 @@ A second option to define the default namespace is directly in the compilation
 within the corresponding compilation unit before the #include for
 <linux/export.h>. Typically it's placed before the first #include statement.
 
-Using the EXPORT_SYMBOL_GPL_FOR_MODULES() macro
------------------------------------------------
+Using the EXPORT_SYMBOL_FOR_MODULES() macro
+-------------------------------------------
 
 Symbols exported using this macro are put into a module namespace. This
 namespace cannot be imported.
@@ -88,7 +88,7 @@ Simple tail-globs are supported.
 
 For example::
 
-  EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
+  EXPORT_SYMBOL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
 
 will limit usage of this symbol to in-tree modules whoes name matches the given
 patterns.
diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index 1d847a939f29a41356af3f12e5f61372ec2fb550..180a458fc4f74249d674ec3c6e01277df1d9e743 100644
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -129,7 +129,7 @@ struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *n
 	}
 	return inode;
 }
-EXPORT_SYMBOL_GPL_FOR_MODULES(anon_inode_make_secure_inode, "kvm");
+EXPORT_SYMBOL_FOR_MODULES(anon_inode_make_secure_inode, "kvm");
 
 static struct file *__anon_inode_getfile(const char *name,
 					 const struct file_operations *fops,
diff --git a/include/linux/export.h b/include/linux/export.h
index f35d03b4113b19798036d2993d67eb932ad8ce6f..a686fd0ba406509da5f397e3a415d05c5a051c0d 100644
--- a/include/linux/export.h
+++ b/include/linux/export.h
@@ -91,6 +91,6 @@
 #define EXPORT_SYMBOL_NS(sym, ns)	__EXPORT_SYMBOL(sym, "", ns)
 #define EXPORT_SYMBOL_NS_GPL(sym, ns)	__EXPORT_SYMBOL(sym, "GPL", ns)
 
-#define EXPORT_SYMBOL_GPL_FOR_MODULES(sym, mods) __EXPORT_SYMBOL(sym, "GPL", "module:" mods)
+#define EXPORT_SYMBOL_FOR_MODULES(sym, mods) __EXPORT_SYMBOL(sym, "GPL", "module:" mods)
 
 #endif /* _LINUX_EXPORT_H */

-- 
2.50.0

Re: [PATCH 0/2] Restrict module namespace to in-tree modules and rename macro

[Christian Brauner]

On Tue, Jul 08, 2025 at 09:28:56AM +0200, Vlastimil Babka wrote:
> Christian asked [1] for EXPORT_SYMBOL_FOR_MODULES() without the _GPL_
> part to avoid controversy converting selected existing EXPORT_SYMBOL().
> Christoph argued [2] that the _FOR_MODULES() export is intended for
> in-tree modules and thus GPL is implied anyway and can be simply dropped
> from the export macro name. Peter agreed [3] about the intention for
> in-tree modules only, although nothing currently enforces it.
> 
> It seems straightforward to add this enforcement, so patch 1 does that.
> Patch 2 then drops the _GPL_ from the name and so we're left with
> EXPORT_SYMBOL_FOR_MODULES() restricted to in-tree modules only.
> 
> Current -next has some new instances of EXPORT_SYMBOL_GPL_FOR_MODULES()
> in drivers/tty/serial/8250/8250_rsa.c by commit b20d6576cdb3 ("serial:
> 8250: export RSA functions"). Hopefully it's resolvable by a merge
> commit fixup and we don't need to provide a temporary alias.
> 
> [1] https://lore.kernel.org/all/20250623-warmwasser-giftig-ff656fce89ad@brauner/
> [2] https://lore.kernel.org/all/aFleJN_fE-RbSoFD@infradead.org/
> [3] https://lore.kernel.org/all/20250623142836.GT1613200@noisy.programming.kicks-ass.net/
> 
> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> ---

Love this. It'd be great to get this in as a bugfix,
Acked-by: Christian Brauner <brauner@kernel.org>

Re: [PATCH 0/2] Restrict module namespace to in-tree modules and rename macro

[David Hildenbrand]

On 08.07.25 09:40, Christian Brauner wrote:
> On Tue, Jul 08, 2025 at 09:28:56AM +0200, Vlastimil Babka wrote:
>> Christian asked [1] for EXPORT_SYMBOL_FOR_MODULES() without the _GPL_
>> part to avoid controversy converting selected existing EXPORT_SYMBOL().
>> Christoph argued [2] that the _FOR_MODULES() export is intended for
>> in-tree modules and thus GPL is implied anyway and can be simply dropped
>> from the export macro name. Peter agreed [3] about the intention for
>> in-tree modules only, although nothing currently enforces it.
>>
>> It seems straightforward to add this enforcement, so patch 1 does that.
>> Patch 2 then drops the _GPL_ from the name and so we're left with
>> EXPORT_SYMBOL_FOR_MODULES() restricted to in-tree modules only.
>>
>> Current -next has some new instances of EXPORT_SYMBOL_GPL_FOR_MODULES()
>> in drivers/tty/serial/8250/8250_rsa.c by commit b20d6576cdb3 ("serial:
>> 8250: export RSA functions"). Hopefully it's resolvable by a merge
>> commit fixup and we don't need to provide a temporary alias.
>>
>> [1] https://lore.kernel.org/all/20250623-warmwasser-giftig-ff656fce89ad@brauner/
>> [2] https://lore.kernel.org/all/aFleJN_fE-RbSoFD@infradead.org/
>> [3] https://lore.kernel.org/all/20250623142836.GT1613200@noisy.programming.kicks-ass.net/
>>
>> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
>> ---
> 
> Love this. It'd be great to get this in as a bugfix,
> Acked-by: Christian Brauner <brauner@kernel.org>

Yes, looks like the right thing to do

Acked-by: David Hildenbrand <david@redhat.com>

-- 
Cheers,

David / dhildenb

Re: [PATCH 0/2] Restrict module namespace to in-tree modules and rename macro

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 2235 bytes --]

Hi Vlastimil,

On Tue, 08 Jul 2025 09:28:56 +0200 Vlastimil Babka <vbabka@suse.cz> wrote:
>
> Christian asked [1] for EXPORT_SYMBOL_FOR_MODULES() without the _GPL_
> part to avoid controversy converting selected existing EXPORT_SYMBOL().
> Christoph argued [2] that the _FOR_MODULES() export is intended for
> in-tree modules and thus GPL is implied anyway and can be simply dropped
> from the export macro name. Peter agreed [3] about the intention for
> in-tree modules only, although nothing currently enforces it.
> 
> It seems straightforward to add this enforcement, so patch 1 does that.
> Patch 2 then drops the _GPL_ from the name and so we're left with
> EXPORT_SYMBOL_FOR_MODULES() restricted to in-tree modules only.
> 
> Current -next has some new instances of EXPORT_SYMBOL_GPL_FOR_MODULES()
> in drivers/tty/serial/8250/8250_rsa.c by commit b20d6576cdb3 ("serial:
> 8250: export RSA functions"). Hopefully it's resolvable by a merge
> commit fixup and we don't need to provide a temporary alias.

Thanks for the heads up and it seems easy enough.  You probably should
have cc'd Greg KH (the maintainer for the tty tree), though (done now).

> 
> [1] https://lore.kernel.org/all/20250623-warmwasser-giftig-ff656fce89ad@brauner/
> [2] https://lore.kernel.org/all/aFleJN_fE-RbSoFD@infradead.org/
> [3] https://lore.kernel.org/all/20250623142836.GT1613200@noisy.programming.kicks-ass.net/
> 
> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> ---
> Vlastimil Babka (2):
>       module: Restrict module namespace access to in-tree modules
>       module: Rename EXPORT_SYMBOL_GPL_FOR_MODULES to EXPORT_SYMBOL_FOR_MODULES
> 
>  Documentation/core-api/symbol-namespaces.rst | 11 ++++++-----
>  fs/anon_inodes.c                             |  2 +-
>  include/linux/export.h                       |  2 +-
>  kernel/module/main.c                         |  3 ++-
>  scripts/mod/modpost.c                        |  6 +++++-
>  5 files changed, 15 insertions(+), 9 deletions(-)
> ---
> base-commit: d7b8f8e20813f0179d8ef519541a3527e7661d3a
> change-id: 20250708-export_modules-12908fa41006
> 
> Best regards,
> -- 
> Vlastimil Babka <vbabka@suse.cz>

-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH 1/2] module: Restrict module namespace access to in-tree modules

[Shivank Garg]

On 7/8/2025 12:58 PM, Vlastimil Babka wrote:
> The module namespace support has been introduced to allow restricting
> exports to specific modules only, and intended for in-tree modules such
> as kvm. Make this intention explicit by disallowing out of tree modules
> both for the module loader and modpost.
> 
> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> ---
>  Documentation/core-api/symbol-namespaces.rst | 5 +++--
>  kernel/module/main.c                         | 3 ++-
>  scripts/mod/modpost.c                        | 6 +++++-
>  3 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst
> index 32fc73dc5529e8844c2ce2580987155bcd13cd09..dc228ac738a5cdc49cc736c29170ca96df6a28dc 100644
> --- a/Documentation/core-api/symbol-namespaces.rst
> +++ b/Documentation/core-api/symbol-namespaces.rst
> @@ -83,13 +83,14 @@ Symbols exported using this macro are put into a module namespace. This
>  namespace cannot be imported.
>  
>  The macro takes a comma separated list of module names, allowing only those
> -modules to access this symbol. Simple tail-globs are supported.
> +modules to access this symbol. The access is restricted to in-tree modules.
> +Simple tail-globs are supported.
>  
>  For example::
>  
>    EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
>  
> -will limit usage of this symbol to modules whoes name matches the given
> +will limit usage of this symbol to in-tree modules whoes name matches the given
>  patterns.
>  
>  How to use Symbols exported in Namespaces
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index 413ac6ea37021bc8ae260f624ca2745ed85333fc..ec7d8daa0347e3b65713396d6b6d14c2cb0270d3 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -1157,7 +1157,8 @@ static int verify_namespace_is_imported(const struct load_info *info,
>  	namespace = kernel_symbol_namespace(sym);
>  	if (namespace && namespace[0]) {
>  
> -		if (verify_module_namespace(namespace, mod->name))
> +		if (get_modinfo(info, "intree") &&
> +		    verify_module_namespace(namespace, mod->name))
>  			return 0;
>  
>  		for_each_modinfo_entry(imported_namespace, info, "import_ns") {
> diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
> index 5ca7c268294ebb65acb0ba52a671eddca9279c61..d78be9834ed75f4b6ddb9af02a300a9bcc9234cc 100644
> --- a/scripts/mod/modpost.c
> +++ b/scripts/mod/modpost.c
> @@ -1695,7 +1695,8 @@ void buf_write(struct buffer *buf, const char *s, int len)
>   * @modname: module name
>   *
>   * If @namespace is prefixed with "module:" to indicate it is a module namespace
> - * then test if @modname matches any of the comma separated patterns.
> + * then test if @modname matches any of the comma separated patterns. Access to
> + * module namespaces is restricted to in-tree modules only.
>   *
>   * The patterns only support tail-glob.
>   */
> @@ -1706,6 +1707,9 @@ static bool verify_module_namespace(const char *namespace, const char *modname)
>  	const char *sep;
>  	bool glob;
>  
> +	if (external_module)
> +		return false;
> +
>  	if (!strstarts(namespace, prefix))
>  		return false;
>  
> 

Reviewed-by: Shivank Garg <shivankg@amd.com>

Thanks,
Shivank

Re: [PATCH 2/2] module: Rename EXPORT_SYMBOL_GPL_FOR_MODULES to EXPORT_SYMBOL_FOR_MODULES

[Shivank Garg]

On 7/8/2025 12:58 PM, Vlastimil Babka wrote:
> With module namespace access restricted to in-tree modules, the GPL
> requirement becomes implied. Drop it from the name of the export helper.
> 
> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> ---
>  Documentation/core-api/symbol-namespaces.rst | 6 +++---
>  fs/anon_inodes.c                             | 2 +-
>  include/linux/export.h                       | 2 +-
>  3 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst
> index dc228ac738a5cdc49cc736c29170ca96df6a28dc..aafbc0469cd6a4b76225e0e96a86025de512008e 100644
> --- a/Documentation/core-api/symbol-namespaces.rst
> +++ b/Documentation/core-api/symbol-namespaces.rst
> @@ -76,8 +76,8 @@ A second option to define the default namespace is directly in the compilation
>  within the corresponding compilation unit before the #include for
>  <linux/export.h>. Typically it's placed before the first #include statement.
>  
> -Using the EXPORT_SYMBOL_GPL_FOR_MODULES() macro
> ------------------------------------------------
> +Using the EXPORT_SYMBOL_FOR_MODULES() macro
> +-------------------------------------------
>  
>  Symbols exported using this macro are put into a module namespace. This
>  namespace cannot be imported.
> @@ -88,7 +88,7 @@ Simple tail-globs are supported.
>  
>  For example::
>  
> -  EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
> +  EXPORT_SYMBOL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
>  
>  will limit usage of this symbol to in-tree modules whoes name matches the given
>  patterns.
> diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
> index 1d847a939f29a41356af3f12e5f61372ec2fb550..180a458fc4f74249d674ec3c6e01277df1d9e743 100644
> --- a/fs/anon_inodes.c
> +++ b/fs/anon_inodes.c
> @@ -129,7 +129,7 @@ struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *n
>  	}
>  	return inode;
>  }
> -EXPORT_SYMBOL_GPL_FOR_MODULES(anon_inode_make_secure_inode, "kvm");
> +EXPORT_SYMBOL_FOR_MODULES(anon_inode_make_secure_inode, "kvm");
>  
>  static struct file *__anon_inode_getfile(const char *name,
>  					 const struct file_operations *fops,
> diff --git a/include/linux/export.h b/include/linux/export.h
> index f35d03b4113b19798036d2993d67eb932ad8ce6f..a686fd0ba406509da5f397e3a415d05c5a051c0d 100644
> --- a/include/linux/export.h
> +++ b/include/linux/export.h
> @@ -91,6 +91,6 @@
>  #define EXPORT_SYMBOL_NS(sym, ns)	__EXPORT_SYMBOL(sym, "", ns)
>  #define EXPORT_SYMBOL_NS_GPL(sym, ns)	__EXPORT_SYMBOL(sym, "GPL", ns)
>  
> -#define EXPORT_SYMBOL_GPL_FOR_MODULES(sym, mods) __EXPORT_SYMBOL(sym, "GPL", "module:" mods)
> +#define EXPORT_SYMBOL_FOR_MODULES(sym, mods) __EXPORT_SYMBOL(sym, "GPL", "module:" mods)
>  
>  #endif /* _LINUX_EXPORT_H */
> 

LGTM!

Reviewed-by: Shivank Garg <shivankg@amd.com>

Thanks,
Shivank

Re: [PATCH 1/2] module: Restrict module namespace access to in-tree modules

[Masahiro Yamada]

On Tue, Jul 8, 2025 at 4:29 PM Vlastimil Babka <vbabka@suse.cz> wrote:
>
> The module namespace support has been introduced to allow restricting
> exports to specific modules only, and intended for in-tree modules such
> as kvm. Make this intention explicit by disallowing out of tree modules
> both for the module loader and modpost.
>
> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>



In my understanding, an external module with the same name
can override the internal one.

This change disallows such a use-case.



-- 
Best Regards
Masahiro Yamada

Re: [PATCH 1/2] module: Restrict module namespace access to in-tree modules

[Petr Pavlu]

On 7/8/25 9:28 AM, Vlastimil Babka wrote:
> The module namespace support has been introduced to allow restricting
> exports to specific modules only, and intended for in-tree modules such
> as kvm. Make this intention explicit by disallowing out of tree modules
> both for the module loader and modpost.
> 
> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> ---
> [...]
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index 413ac6ea37021bc8ae260f624ca2745ed85333fc..ec7d8daa0347e3b65713396d6b6d14c2cb0270d3 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -1157,7 +1157,8 @@ static int verify_namespace_is_imported(const struct load_info *info,
>  	namespace = kernel_symbol_namespace(sym);
>  	if (namespace && namespace[0]) {
>  
> -		if (verify_module_namespace(namespace, mod->name))
> +		if (get_modinfo(info, "intree") &&
> +		    verify_module_namespace(namespace, mod->name))
>  			return 0;
>  
>  		for_each_modinfo_entry(imported_namespace, info, "import_ns") {

I'd rather avoid another walk of the modinfo data in
verify_namespace_is_imported(). I suggest checking whether mod->taints
has TAINT_OOT_MODULE set instead, which should provide the same
information. The symbol resolution already relies on the taint flags, so
this is consistent with the rest of the code.

-- 
Thanks,
Petr

Re: [PATCH 1/2] module: Restrict module namespace access to in-tree modules

[Vlastimil Babka]

On 7/8/25 14:41, Masahiro Yamada wrote:
> On Tue, Jul 8, 2025 at 4:29 PM Vlastimil Babka <vbabka@suse.cz> wrote:
>>
>> The module namespace support has been introduced to allow restricting
>> exports to specific modules only, and intended for in-tree modules such
>> as kvm. Make this intention explicit by disallowing out of tree modules
>> both for the module loader and modpost.
>>
>> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> 
> 
> 
> In my understanding, an external module with the same name
> can override the internal one.
> 
> This change disallows such a use-case.

Hmm I'm not familiar with this, but for such cases to be legitimate we can
assume the external module has to be derived from the internal one and not
something completely unrelated impersonating the internal one? So in that
case just patch 2 alone would be sufficient and not break any legitimate use
cases?

Re: [PATCH 1/2] module: Restrict module namespace access to in-tree modules

[Masahiro Yamada]

On Wed, Jul 9, 2025 at 12:08 AM Vlastimil Babka <vbabka@suse.cz> wrote:
>
> On 7/8/25 14:41, Masahiro Yamada wrote:
> > On Tue, Jul 8, 2025 at 4:29 PM Vlastimil Babka <vbabka@suse.cz> wrote:
> >>
> >> The module namespace support has been introduced to allow restricting
> >> exports to specific modules only, and intended for in-tree modules such
> >> as kvm. Make this intention explicit by disallowing out of tree modules
> >> both for the module loader and modpost.
> >>
> >> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> >
> >
> >
> > In my understanding, an external module with the same name
> > can override the internal one.
> >
> > This change disallows such a use-case.
>
> Hmm I'm not familiar with this, but for such cases to be legitimate we can
> assume the external module has to be derived from the internal one and not
> something completely unrelated impersonating the internal one? So in that
> case just patch 2 alone would be sufficient and not break any legitimate use
> cases?
>

IIRC, nvdimm uses this feature for testing.


In-tree drivers:
  drivers/nvdimm/Makefile

Out-of-tree drivers:
  tools/testing/nvdimm/Makefile
  tools/testing/nvdimm/Kbuild




-- 
Best Regards
Masahiro Yamada

Re: [PATCH 1/2] module: Restrict module namespace access to in-tree modules

[Nicolas Schier]

On Tue, Jul 08, 2025 at 09:28:57AM +0200 Vlastimil Babka wrote:
> The module namespace support has been introduced to allow restricting
> exports to specific modules only, and intended for in-tree modules such
> as kvm. Make this intention explicit by disallowing out of tree modules
> both for the module loader and modpost.
> 
> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> ---
>  Documentation/core-api/symbol-namespaces.rst | 5 +++--
>  kernel/module/main.c                         | 3 ++-
>  scripts/mod/modpost.c                        | 6 +++++-
>  3 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst
> index 32fc73dc5529e8844c2ce2580987155bcd13cd09..dc228ac738a5cdc49cc736c29170ca96df6a28dc 100644
> --- a/Documentation/core-api/symbol-namespaces.rst
> +++ b/Documentation/core-api/symbol-namespaces.rst
> @@ -83,13 +83,14 @@ Symbols exported using this macro are put into a module namespace. This
>  namespace cannot be imported.
>  
>  The macro takes a comma separated list of module names, allowing only those
> -modules to access this symbol. Simple tail-globs are supported.
> +modules to access this symbol. The access is restricted to in-tree modules.
> +Simple tail-globs are supported.
>  
>  For example::
>  
>    EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
>  
> -will limit usage of this symbol to modules whoes name matches the given
> +will limit usage of this symbol to in-tree modules whoes name matches the given

If you keep touching this line, might you fix the typo?

s/whoes/whose/

Kind regards,
Nicolas

Re: [PATCH 0/2] Restrict module namespace to in-tree modules and rename macro

[David Laight]

On Tue, 8 Jul 2025 09:40:37 +0200
Christian Brauner <brauner@kernel.org> wrote:

> On Tue, Jul 08, 2025 at 09:28:56AM +0200, Vlastimil Babka wrote:
> > Christian asked [1] for EXPORT_SYMBOL_FOR_MODULES() without the _GPL_
> > part to avoid controversy converting selected existing EXPORT_SYMBOL().
> > Christoph argued [2] that the _FOR_MODULES() export is intended for
> > in-tree modules and thus GPL is implied anyway and can be simply dropped
> > from the export macro name. Peter agreed [3] about the intention for
> > in-tree modules only, although nothing currently enforces it.
> > 
> > It seems straightforward to add this enforcement, so patch 1 does that.
> > Patch 2 then drops the _GPL_ from the name and so we're left with
> > EXPORT_SYMBOL_FOR_MODULES() restricted to in-tree modules only.

Bikeshedding somewhat, isn't that a silly name.
All EXPORT_SYMBOL are 'for modules'.
Wouldn't something like EXPORT_SYMBOL_IN_TREE be more descriptive.

	David

> > 
> > Current -next has some new instances of EXPORT_SYMBOL_GPL_FOR_MODULES()
> > in drivers/tty/serial/8250/8250_rsa.c by commit b20d6576cdb3 ("serial:
> > 8250: export RSA functions"). Hopefully it's resolvable by a merge
> > commit fixup and we don't need to provide a temporary alias.
> > 
> > [1] https://lore.kernel.org/all/20250623-warmwasser-giftig-ff656fce89ad@brauner/
> > [2] https://lore.kernel.org/all/aFleJN_fE-RbSoFD@infradead.org/
> > [3] https://lore.kernel.org/all/20250623142836.GT1613200@noisy.programming.kicks-ass.net/
> > 
> > Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> > ---  
> 
> Love this. It'd be great to get this in as a bugfix,
> Acked-by: Christian Brauner <brauner@kernel.org>
>