Linux Modules
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Aaron Tomlin" <atomlin@atomlin.com>
Cc: linux-modules@vger.kernel.org
Subject: Re: [PATCH v5 1/2] module: Extend module_blacklist parameter to built-in modules
Date: Sat, 18 Jul 2026 05:33:20 +0000	[thread overview]
Message-ID: <20260718053320.92B7B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260718051350.344772-2-atomlin@atomlin.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] A fatal modpost section mismatch warning occurs when CONFIG_MODULES=y because a non-__init function references an __init function.
- [High] An unsynchronized TOCTOU race condition in `do_one_initcall()` allows concurrent loadable module initialization to execute freed `__init` memory and access freed `__initdata`.
- [High] The temporal check `system_state < SYSTEM_FREEING_INITMEM` is vulnerable to Spectre v1 branch misprediction, leading to speculative execution of freed `__init` code and speculative reading of freed `__initdata`.
--

--- Patch [1]: [PATCH v5 1/2] module: Extend module_blacklist parameter to built-in modules ---
commit befcdb365a33b92bbd551da11437b39b818bdea2
Author: Aaron Tomlin <atomlin@atomlin.com>
Subject: module: Extend module_blacklist parameter to built-in modules

This patch extends the module_blacklist command-line parameter to apply to
built-in modules by checking an .initcall.modnames table during early boot.
It moves the blacklisting logic to init/main.c and intercepts initcalls in
do_one_initcall().

> diff --git a/init/main.c b/init/main.c
> --- a/init/main.c
> +++ b/init/main.c
[ ... ]
> @@ -1365,12 +1365,58 @@ static const char *__init get_builtin_modname(initcall_t fn)
>  {
>  	struct initcall_modname *p;
>  
>  	for (p = __start_initcall_modnames; p < __stop_initcall_modnames; p++) {
>  		if (dereference_function_descriptor(p->initcall_fn) ==
>  		    dereference_function_descriptor(fn))
>  			return p->modname;
>  	}
>  	return NULL;
>  }
>  
>  int __init_or_module do_one_initcall(initcall_t fn)
>  {
>  	int count = preempt_count();
>  	char msgbuf[64];
> +	const char *modname = NULL;
>  	int ret;
>  
> +	if (system_state < SYSTEM_FREEING_INITMEM && module_blacklist) {

[Severity: High]
Can this unsynchronized system_state check race with concurrent module loading?

If a driver or subsystem schedules an asynchronous task that triggers
request_module(), a worker thread could evaluate this system_state check as
true. Concurrently, another CPU could advance the state and execute
free_initmem(), unmapping and freeing all .init.text and .init.data pages.

If this happens, the worker thread would then call get_builtin_modname(),
executing freed .init.text instructions and scanning the freed
.initcall.modnames array.


[Severity: High]
Is this temporal check vulnerable to Spectre v1 branch misprediction?

During early boot, do_one_initcall() is heavily executed for built-in
modules, training the CPU branch predictor to predict this condition as
true. At runtime (system_state == SYSTEM_RUNNING), an unprivileged user
triggering a module load might cause the CPU to speculatively mispredict
the branch as true.

If the branch is mispredicted, the CPU would speculatively execute a direct
call to the freed .init.text section in get_builtin_modname(), potentially
creating an arbitrary speculative execution gadget if an attacker has
reallocated that memory.

> +		modname = get_builtin_modname(fn);

[Severity: High]
Does this introduce a modpost section mismatch warning when CONFIG_MODULES=y?

When module support is enabled, __init_or_module evaluates to an empty macro,
placing do_one_initcall() in the persistent .text section. Because it
directly calls get_builtin_modname(), which is annotated with __init, modpost
will statically flag this cross-section reference since it doesn't perform
control flow analysis to evaluate the runtime system_state guard.

> +		if (modname && module_is_blacklisted(modname)) {
> +			pr_info("Skipping initcall for blacklisted built-in module %s\n",
> +				modname);
> +			return 0;
> +		}
> +	}
> +
>  	if (initcall_blacklisted(fn))
>  		return -EPERM;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260718051350.344772-1-atomlin@atomlin.com?part=1

  reply	other threads:[~2026-07-18  5:33 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-18  5:13 [PATCH v5 0/2] module: Extend blacklist parameter to support built-in modules Aaron Tomlin
2026-07-18  5:13 ` [PATCH v5 1/2] module: Extend module_blacklist parameter to " Aaron Tomlin
2026-07-18  5:33   ` sashiko-bot [this message]
2026-07-18 14:26   ` Aaron Tomlin
2026-07-18  5:13 ` [PATCH v5 2/2] module: Rename module_blacklist to module_denylist Aaron Tomlin
2026-07-18  5:25   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260718053320.92B7B1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=atomlin@atomlin.com \
    --cc=linux-modules@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox