From: sashiko-bot@kernel.org
To: "Aaron Tomlin" <atomlin@atomlin.com>
Cc: linux-modules@vger.kernel.org
Subject: Re: [PATCH v5 1/2] module: Extend module_blacklist parameter to built-in modules
Date: Sat, 18 Jul 2026 05:33:20 +0000 [thread overview]
Message-ID: <20260718053320.92B7B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260718051350.344772-2-atomlin@atomlin.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] A fatal modpost section mismatch warning occurs when CONFIG_MODULES=y because a non-__init function references an __init function.
- [High] An unsynchronized TOCTOU race condition in `do_one_initcall()` allows concurrent loadable module initialization to execute freed `__init` memory and access freed `__initdata`.
- [High] The temporal check `system_state < SYSTEM_FREEING_INITMEM` is vulnerable to Spectre v1 branch misprediction, leading to speculative execution of freed `__init` code and speculative reading of freed `__initdata`.
--
--- Patch [1]: [PATCH v5 1/2] module: Extend module_blacklist parameter to built-in modules ---
commit befcdb365a33b92bbd551da11437b39b818bdea2
Author: Aaron Tomlin <atomlin@atomlin.com>
Subject: module: Extend module_blacklist parameter to built-in modules
This patch extends the module_blacklist command-line parameter to apply to
built-in modules by checking an .initcall.modnames table during early boot.
It moves the blacklisting logic to init/main.c and intercepts initcalls in
do_one_initcall().
> diff --git a/init/main.c b/init/main.c
> --- a/init/main.c
> +++ b/init/main.c
[ ... ]
> @@ -1365,12 +1365,58 @@ static const char *__init get_builtin_modname(initcall_t fn)
> {
> struct initcall_modname *p;
>
> for (p = __start_initcall_modnames; p < __stop_initcall_modnames; p++) {
> if (dereference_function_descriptor(p->initcall_fn) ==
> dereference_function_descriptor(fn))
> return p->modname;
> }
> return NULL;
> }
>
> int __init_or_module do_one_initcall(initcall_t fn)
> {
> int count = preempt_count();
> char msgbuf[64];
> + const char *modname = NULL;
> int ret;
>
> + if (system_state < SYSTEM_FREEING_INITMEM && module_blacklist) {
[Severity: High]
Can this unsynchronized system_state check race with concurrent module loading?
If a driver or subsystem schedules an asynchronous task that triggers
request_module(), a worker thread could evaluate this system_state check as
true. Concurrently, another CPU could advance the state and execute
free_initmem(), unmapping and freeing all .init.text and .init.data pages.
If this happens, the worker thread would then call get_builtin_modname(),
executing freed .init.text instructions and scanning the freed
.initcall.modnames array.
[Severity: High]
Is this temporal check vulnerable to Spectre v1 branch misprediction?
During early boot, do_one_initcall() is heavily executed for built-in
modules, training the CPU branch predictor to predict this condition as
true. At runtime (system_state == SYSTEM_RUNNING), an unprivileged user
triggering a module load might cause the CPU to speculatively mispredict
the branch as true.
If the branch is mispredicted, the CPU would speculatively execute a direct
call to the freed .init.text section in get_builtin_modname(), potentially
creating an arbitrary speculative execution gadget if an attacker has
reallocated that memory.
> + modname = get_builtin_modname(fn);
[Severity: High]
Does this introduce a modpost section mismatch warning when CONFIG_MODULES=y?
When module support is enabled, __init_or_module evaluates to an empty macro,
placing do_one_initcall() in the persistent .text section. Because it
directly calls get_builtin_modname(), which is annotated with __init, modpost
will statically flag this cross-section reference since it doesn't perform
control flow analysis to evaluate the runtime system_state guard.
> + if (modname && module_is_blacklisted(modname)) {
> + pr_info("Skipping initcall for blacklisted built-in module %s\n",
> + modname);
> + return 0;
> + }
> + }
> +
> if (initcall_blacklisted(fn))
> return -EPERM;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260718051350.344772-1-atomlin@atomlin.com?part=1
next prev parent reply other threads:[~2026-07-18 5:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-18 5:13 [PATCH v5 0/2] module: Extend blacklist parameter to support built-in modules Aaron Tomlin
2026-07-18 5:13 ` [PATCH v5 1/2] module: Extend module_blacklist parameter to " Aaron Tomlin
2026-07-18 5:33 ` sashiko-bot [this message]
2026-07-18 14:26 ` Aaron Tomlin
2026-07-18 5:13 ` [PATCH v5 2/2] module: Rename module_blacklist to module_denylist Aaron Tomlin
2026-07-18 5:25 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260718053320.92B7B1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=atomlin@atomlin.com \
--cc=linux-modules@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox