* [PATCH] module: dups: use strscpy() to copy module name in dup request
@ 2026-06-03 16:25 Naveen Kumar Chaudhary
2026-06-03 16:36 ` sashiko-bot
0 siblings, 1 reply; 2+ messages in thread
From: Naveen Kumar Chaudhary @ 2026-06-03 16:25 UTC (permalink / raw)
To: mcgrof, petr.pavlu, da.gomez, samitolvanen
Cc: atomlin, linux-modules, linux-kernel
kmod_dup_request_exists_wait() uses memcpy() with strlen(module_name) to
copy into new_kmod_req->name, a fixed-size char[MODULE_NAME_LEN] buffer.
This does not bounds-check the copy and does not explicitly NUL-terminate.
The buffer is zeroed from kzalloc_obj() so NUL-termination happens to
work, but the pattern is fragile and lacks an explicit bounds check.
Replace with strscpy() which bounds the copy and guarantees
NUL-termination.
Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
---
kernel/module/dups.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module/dups.c b/kernel/module/dups.c
index 1d720a5311ba..33bddfb57317 100644
--- a/kernel/module/dups.c
+++ b/kernel/module/dups.c
@@ -129,7 +129,7 @@ bool kmod_dup_request_exists_wait(char *module_name, bool wait, int *dup_ret)
if (!new_kmod_req)
return false;
- memcpy(new_kmod_req->name, module_name, strlen(module_name));
+ strscpy(new_kmod_req->name, module_name, MODULE_NAME_LEN);
INIT_WORK(&new_kmod_req->complete_work, kmod_dup_request_complete);
INIT_DELAYED_WORK(&new_kmod_req->delete_work, kmod_dup_request_delete);
init_completion(&new_kmod_req->first_req_done);
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] module: dups: use strscpy() to copy module name in dup request
2026-06-03 16:25 [PATCH] module: dups: use strscpy() to copy module name in dup request Naveen Kumar Chaudhary
@ 2026-06-03 16:36 ` sashiko-bot
0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-06-03 16:36 UTC (permalink / raw)
To: Naveen Kumar Chaudhary; +Cc: linux-modules
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Missing reference counting on `kmod_req` leads to Use-After-Free (UAF).
- [High] Holding `kmod_dup_mutex` during `synchronize_rcu()` introduces severe system-wide latency spikes.
--
commit c71132da4445b6f78bb4bc00760a72ed998ebd13
Author: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
module: dups: use strscpy() to copy module name in dup request
This commit replaces a fragile memcpy() call with strscpy() when copying
the module name into a duplicate request. This ensures bounds-checking
and explicit NUL-termination for the fixed-size buffer.
> diff --git a/kernel/module/dups.c b/kernel/module/dups.c
> index 1d720a5311ba0..33bddfb573171 100644
> --- a/kernel/module/dups.c
> +++ b/kernel/module/dups.c
> @@ -129,7 +129,7 @@ bool kmod_dup_request_exists_wait(char *module_name, bool wait, int *dup_ret)
> if (!new_kmod_req)
> return false;
>
> - memcpy(new_kmod_req->name, module_name, strlen(module_name));
> + strscpy(new_kmod_req->name, module_name, MODULE_NAME_LEN);
> INIT_WORK(&new_kmod_req->complete_work, kmod_dup_request_complete);
> INIT_DELAYED_WORK(&new_kmod_req->delete_work, kmod_dup_request_delete);
[Severity: High]
This is a pre-existing issue, but does kmod_dup_request_delete() cause
severe system-wide latency spikes?
In kernel/module/dups.c:kmod_dup_request_delete(), synchronize_rcu() is
called while holding the global kmod_dup_mutex:
mutex_lock(&kmod_dup_mutex);
list_del_rcu(&kmod_req->list);
synchronize_rcu();
mutex_unlock(&kmod_dup_mutex);
Because kmod_dup_mutex is acquired by every request_module() call
system-wide, this stalls all unrelated module autoloading attempts during
the RCU grace period. Furthermore, the RCU synchronization appears
functionally useless because the only reader, kmod_dup_request_lookup(),
strictly requires kmod_dup_mutex to be held rather than relying on RCU:
list_for_each_entry_rcu(kmod_req, &dup_kmod_reqs, list,
lockdep_is_held(&kmod_dup_mutex)) {
> init_completion(&new_kmod_req->first_req_done);
[Severity: Critical]
This is a pre-existing issue, but is there a use-after-free risk for
kmod_req here?
The kmod_req structure lacks a reference count, and its lifetime is
managed by an arbitrary 60-second delayed work queued during completion:
kernel/module/dups.c:kmod_dup_request_complete() {
...
queue_delayed_work(system_dfl_wq, &kmod_req->delete_work, 60 * HZ);
...
}
If a duplicate request task sleeping in wait_for_completion_state() is
delayed for more than 60 seconds (e.g., due to a VM hypervisor pause,
cgroup freezer, or severe scheduler starvation), kmod_dup_request_delete()
will execute and kfree() the structure:
kernel/module/dups.c:kmod_dup_request_delete() {
...
kfree(kmod_req);
...
}
When the delayed task eventually resumes in kmod_dup_request_exists_wait(),
it attempts to read kmod_req->dup_ret or remove itself from the freed
waitqueue:
kernel/module/dups.c:kmod_dup_request_exists_wait() {
...
ret = wait_for_completion_state(&kmod_req->first_req_done,
TASK_KILLABLE);
if (ret) {
*dup_ret = ret;
return true;
}
/* Now the duplicate request has the same exact return value ... */
*dup_ret = kmod_req->dup_ret;
...
}
Would it be safer to use proper reference counting for kmod_req?
--
Sashiko AI review · https://sashiko.dev/#/patchset/v546667lngoo6dxwb7gqzf7liya2opdfeevrtar7iipsbkipfc@uh5fuaofcrty?part=1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-03 16:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-03 16:25 [PATCH] module: dups: use strscpy() to copy module name in dup request Naveen Kumar Chaudhary
2026-06-03 16:36 ` sashiko-bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox