From: sashiko-bot@kernel.org
To: "Aaron Tomlin" <atomlin@atomlin.com>
Cc: linux-modules@vger.kernel.org
Subject: Re: [PATCH v3] module: Extend module_blacklist parameter to built-in modules
Date: Mon, 06 Jul 2026 05:16:25 +0000 [thread overview]
Message-ID: <20260706051625.E690F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260706050337.7613-1-atomlin@atomlin.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Iterating the `.initcall.modnames` array locklessly in `initcall_get_modname()` races with `free_initmem()`, causing a Use-After-Free for concurrently loaded modules.
- [High] The built-in module blacklisting functionality is completely disabled when CONFIG_MODULES=n.
--
commit aca1118f7ac6c8d2b798e7bb31a70a4f01638aee
Author: Aaron Tomlin <atomlin@atomlin.com>
Subject: module: Extend module_blacklist parameter to built-in modules
This patch extends the module_blacklist command-line parameter to apply
to built-in modules by checking them during early boot. It introduces a
new memory section to map initcalls to module names, allowing the kernel
to skip the initcall if the module name is present in the blacklist.
> diff --git a/include/linux/module.h b/include/linux/module.h
> index 7566815fabbe8..b9b0dc419aeeb 100644
> --- a/include/linux/module.h
> +++ b/include/linux/module.h
[ ... ]
> @@ -756,6 +756,15 @@ void *dereference_module_function_descriptor(struct module *mod, void *ptr);
> int register_module_notifier(struct notifier_block *nb);
> int unregister_module_notifier(struct notifier_block *nb);
>
> +#ifdef CONFIG_MODULES
> +extern bool module_is_blacklisted(const char *module_name);
> +#else
> +static inline bool module_is_blacklisted(const char *module_name)
> +{
> + return false;
> +}
> +#endif
[Severity: High]
Does this defeat the purpose of blacklisting built-in modules on kernels
built without loadable module support?
If a kernel is built with CONFIG_MODULES=n, the command-line parsing and
state variable in kernel/module/main.c are not compiled. This stub will then
unconditionally return false, meaning the module_blacklist parameter will be
silently ignored for built-in modules on non-modular kernels.
[ ... ]
> diff --git a/init/main.c b/init/main.c
> index 96f93bb06c490..893b20ddcf658 100644
> --- a/init/main.c
> +++ b/init/main.c
[ ... ]
> @@ -1379,12 +1379,39 @@ static inline void do_trace_initcall_level(const char *level)
> }
> #endif /* !TRACEPOINTS_ENABLED */
>
> +extern struct initcall_modname __start_initcall_modnames[];
> +extern struct initcall_modname __stop_initcall_modnames[];
> +
> +static bool initmem_freed __ro_after_init = false;
> +
> +static const char *initcall_get_modname(initcall_t fn)
> +{
> + struct initcall_modname *p;
> +
> + if (initmem_freed)
> + return NULL;
> +
> + for (p = __start_initcall_modnames; p < __stop_initcall_modnames; p++) {
> + if (p->initcall_fn == fn)
> + return p->modname;
> + }
[Severity: High]
Can this race with free_initmem() and cause a use-after-free if a module
is loaded concurrently?
In kernel_init(), free_initmem() is called just before setting initmem_freed
to true:
kernel_init()
free_initmem();
initmem_freed = true;
At this point in the boot sequence, the rootfs is mounted and user-mode
helpers are enabled. If a hardware interrupt triggers request_module()
concurrently, modprobe could execute and invoke the init_module syscall.
When do_init_module() calls do_one_initcall(), it would end up in
initcall_get_modname(). Since initmem_freed is still false, it would
locklessly scan the .initcall.modnames section while it is actively being
freed by free_initmem().
[ ... ]
> @@ -1600,6 +1627,7 @@ static int __ref kernel_init(void *unused)
> kgdb_free_init_mem();
> exit_boot_config();
> free_initmem();
> + initmem_freed = true;
> mark_readonly();
>
> /*
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260706050337.7613-1-atomlin@atomlin.com?part=1
prev parent reply other threads:[~2026-07-06 5:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 5:03 [PATCH v3] module: Extend module_blacklist parameter to built-in modules Aaron Tomlin
2026-07-06 5:16 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260706051625.E690F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=atomlin@atomlin.com \
--cc=linux-modules@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox