Linux Modules
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Aaron Tomlin" <atomlin@atomlin.com>
Cc: linux-modules@vger.kernel.org
Subject: Re: [PATCH v3] module: Extend module_blacklist parameter to built-in modules
Date: Mon, 06 Jul 2026 05:16:25 +0000	[thread overview]
Message-ID: <20260706051625.E690F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260706050337.7613-1-atomlin@atomlin.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Iterating the `.initcall.modnames` array locklessly in `initcall_get_modname()` races with `free_initmem()`, causing a Use-After-Free for concurrently loaded modules.
- [High] The built-in module blacklisting functionality is completely disabled when CONFIG_MODULES=n.
--

commit aca1118f7ac6c8d2b798e7bb31a70a4f01638aee
Author: Aaron Tomlin <atomlin@atomlin.com>
Subject: module: Extend module_blacklist parameter to built-in modules

This patch extends the module_blacklist command-line parameter to apply
to built-in modules by checking them during early boot. It introduces a
new memory section to map initcalls to module names, allowing the kernel
to skip the initcall if the module name is present in the blacklist.

> diff --git a/include/linux/module.h b/include/linux/module.h
> index 7566815fabbe8..b9b0dc419aeeb 100644
> --- a/include/linux/module.h
> +++ b/include/linux/module.h
[ ... ]
> @@ -756,6 +756,15 @@ void *dereference_module_function_descriptor(struct module *mod, void *ptr);
>  int register_module_notifier(struct notifier_block *nb);
>  int unregister_module_notifier(struct notifier_block *nb);
>  
> +#ifdef CONFIG_MODULES
> +extern bool module_is_blacklisted(const char *module_name);
> +#else
> +static inline bool module_is_blacklisted(const char *module_name)
> +{
> +	return false;
> +}
> +#endif

[Severity: High]
Does this defeat the purpose of blacklisting built-in modules on kernels
built without loadable module support?

If a kernel is built with CONFIG_MODULES=n, the command-line parsing and
state variable in kernel/module/main.c are not compiled. This stub will then
unconditionally return false, meaning the module_blacklist parameter will be
silently ignored for built-in modules on non-modular kernels.

[ ... ]
> diff --git a/init/main.c b/init/main.c
> index 96f93bb06c490..893b20ddcf658 100644
> --- a/init/main.c
> +++ b/init/main.c
[ ... ]
> @@ -1379,12 +1379,39 @@ static inline void do_trace_initcall_level(const char *level)
>  }
>  #endif /* !TRACEPOINTS_ENABLED */
>  
> +extern struct initcall_modname __start_initcall_modnames[];
> +extern struct initcall_modname __stop_initcall_modnames[];
> +
> +static bool initmem_freed __ro_after_init = false;
> +
> +static const char *initcall_get_modname(initcall_t fn)
> +{
> +	struct initcall_modname *p;
> +
> +	if (initmem_freed)
> +		return NULL;
> +
> +	for (p = __start_initcall_modnames; p < __stop_initcall_modnames; p++) {
> +		if (p->initcall_fn == fn)
> +			return p->modname;
> +	}

[Severity: High]
Can this race with free_initmem() and cause a use-after-free if a module
is loaded concurrently?

In kernel_init(), free_initmem() is called just before setting initmem_freed
to true:

kernel_init()
    free_initmem();
    initmem_freed = true;

At this point in the boot sequence, the rootfs is mounted and user-mode
helpers are enabled. If a hardware interrupt triggers request_module()
concurrently, modprobe could execute and invoke the init_module syscall. 

When do_init_module() calls do_one_initcall(), it would end up in
initcall_get_modname(). Since initmem_freed is still false, it would
locklessly scan the .initcall.modnames section while it is actively being
freed by free_initmem().

[ ... ]
> @@ -1600,6 +1627,7 @@ static int __ref kernel_init(void *unused)
>  	kgdb_free_init_mem();
>  	exit_boot_config();
>  	free_initmem();
> +	initmem_freed = true;
>  	mark_readonly();
>  
>  	/*

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260706050337.7613-1-atomlin@atomlin.com?part=1

      reply	other threads:[~2026-07-06  5:16 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-06  5:03 [PATCH v3] module: Extend module_blacklist parameter to built-in modules Aaron Tomlin
2026-07-06  5:16 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260706051625.E690F1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=atomlin@atomlin.com \
    --cc=linux-modules@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox