[PATCH 0/5] Module loading error handling improvements

[PATCH 0/5] Module loading error handling improvements

[Jinchao Wang]

This series addresses several issues related to module loading error
handling, particularly around force loading and signature verification.

The most critical fix is in patch 1, which resolves a bug where signed
modules were incorrectly rejected when loaded with the -f flag (force
load).

The others improve the user experience when troubleshooting
module loading issues while maintaining the security guarantees of
module signing.

Jinchao Wang (5):
  module: Fix module_sig_check() for modules with ignored modversions/vermagic
  module: signing: Use pr_err for signature rejection
  module: show why force load fails
  module: centralize no-versions force load check
  module: separate vermagic and livepatch checks

 kernel/module/main.c    | 13 +++++++------
 kernel/module/signing.c | 15 +++++----------
 kernel/module/version.c |  9 +++++----
 3 files changed, 17 insertions(+), 20 deletions(-)

-- 
2.43.0

[PATCH 1/5] module: Fix module_sig_check() for modules with ignored modversions/vermagic

[Jinchao Wang]

The current signature check logic incorrectly fails modules that have
valid signatures when the caller specifies MODULE_INIT_IGNORE_MODVERSIONS
or MODULE_INIT_IGNORE_VERMAGIC flags. This happens because the code
treats these flags as indicating a "mangled module" and skips signature
verification entirely.

The key insight is that the intent of the caller (to ignore modversions
or vermagic) should not affect signature verification. A module with
a valid signature should be verified regardless of whether the caller
wants to ignore versioning information.

The signature represents the authenticity and integrity of the module
content, which is independent of version compatibility checks. By
removing the mangled_module check, we allow signature verification to
proceed for modules that have both valid signatures and are being loaded
with version checking disabled.

This fixes cases where modules with correct signatures were being
rejected when loaded with modversions or vermagic ignored, even though
the signature itself was valid and should have been verified.

Signed-off-by: Jinchao Wang <wangjinchao600@gmail.com>
---
 kernel/module/signing.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..9e24c79499de 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -73,15 +73,10 @@ int module_sig_check(struct load_info *info, int flags)
 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
 	const char *reason;
 	const void *mod = info->hdr;
-	bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
-				       MODULE_INIT_IGNORE_VERMAGIC);
-	/*
-	 * Do not allow mangled modules as a module with version information
-	 * removed is no longer the module that was signed.
-	 */
-	if (!mangled_module &&
-	    info->len > markerlen &&
-	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+
+	if (info->len > markerlen &&
+	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) ==
+		    0) {
 		/* We truncate the module to discard the signature */
 		info->len -= markerlen;
 		err = mod_verify_sig(mod, info);
-- 
2.43.0

[PATCH 2/5] module: signing: Use pr_err for signature rejection

[Jinchao Wang]

Make module signature rejection messages more visible by using pr_err
instead of pr_notice.

Signed-off-by: Jinchao Wang <wangjinchao600@gmail.com>
---
 kernel/module/signing.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index 9e24c79499de..00f079cafd4f 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -112,7 +112,7 @@ int module_sig_check(struct load_info *info, int flags)
 	}
 
 	if (is_module_sig_enforced()) {
-		pr_notice("Loading of %s is rejected\n", reason);
+		pr_err("Loading of %s is rejected\n", reason);
 		return -EKEYREJECTED;
 	}
 
-- 
2.43.0

[PATCH 3/5] module: show why force load fails

[Jinchao Wang]

Include reason in error message when force loading is disabled.

Signed-off-by: Jinchao Wang <wangjinchao600@gmail.com>
---
 kernel/module/main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/module/main.c b/kernel/module/main.c
index c66b26184936..a426bd8a18b5 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -1083,6 +1083,7 @@ int try_to_force_load(struct module *mod, const char *reason)
 	add_taint_module(mod, TAINT_FORCED_MODULE, LOCKDEP_NOW_UNRELIABLE);
 	return 0;
 #else
+	pr_err("%s force load is not supported\n", reason);
 	return -ENOEXEC;
 #endif
 }
-- 
2.43.0

[PATCH 4/5] module: centralize no-versions force load check

[Jinchao Wang]

Move try_to_force_load() call from check_version() to
check_modstruct_version() to handle "no versions" case only once before
other version checks.

This prevents duplicate force load attempts and makes the error message
show the proper reason.

Signed-off-by: Jinchao Wang <wangjinchao600@gmail.com>
---
 kernel/module/version.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/kernel/module/version.c b/kernel/module/version.c
index 2beefeba82d9..3f07fd03cb30 100644
--- a/kernel/module/version.c
+++ b/kernel/module/version.c
@@ -41,10 +41,6 @@ int check_version(const struct load_info *info,
 		return 1;
 	}
 
-	/* No versions at all?  modprobe --force does this. */
-	if (versindex == 0)
-		return try_to_force_load(mod, symname) == 0;
-
 	versions = (void *)sechdrs[versindex].sh_addr;
 	num_versions = sechdrs[versindex].sh_size
 		/ sizeof(struct modversion_info);
@@ -81,6 +77,11 @@ int check_modstruct_version(const struct load_info *info,
 	};
 	bool have_symbol;
 
+	/* No versions at all?  modprobe --force does this. */
+	if (info->index.vers == 0 &&
+	    try_to_force_load(mod, "no versions module"))
+		return 1;
+
 	/*
 	 * Since this should be found in kernel (which can't be removed), no
 	 * locking is necessary. Regardless use a RCU read section to keep
-- 
2.43.0

[PATCH 5/5] module: separate vermagic and livepatch checks

[Jinchao Wang]

Rename check_modinfo() to check_modinfo_vermagic() to clarify it only
checks vermagic compatibility.

Move livepatch check to happen after vermagic check in early_mod_check(),
creating proper separation of concerns.

This makes the module loading sequence more logical:
- First verify module vermagic
- Then check livepatch-specific requirements

No functional changes, just clearer code organization.

Signed-off-by: Jinchao Wang <wangjinchao600@gmail.com>
---
 kernel/module/main.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/module/main.c b/kernel/module/main.c
index a426bd8a18b5..d30bffeef63e 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -2571,7 +2571,7 @@ static void module_augment_kernel_taints(struct module *mod, struct load_info *i
 
 }
 
-static int check_modinfo(struct module *mod, struct load_info *info, int flags)
+static int check_modinfo_vermagic(struct module *mod, struct load_info *info, int flags)
 {
 	const char *modmagic = get_modinfo(info, "vermagic");
 	int err;
@@ -2590,10 +2590,6 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
 		return -ENOEXEC;
 	}
 
-	err = check_modinfo_livepatch(mod, info);
-	if (err)
-		return err;
-
 	return 0;
 }
 
@@ -3334,7 +3330,11 @@ static int early_mod_check(struct load_info *info, int flags)
 	if (!check_modstruct_version(info, info->mod))
 		return -ENOEXEC;
 
-	err = check_modinfo(info->mod, info, flags);
+	err = check_modinfo_vermagic(info->mod, info, flags);
+	if (err)
+		return err;
+
+	err = check_modinfo_livepatch(info->mod, info);
 	if (err)
 		return err;
 
-- 
2.43.0

Re: [PATCH 1/5] module: Fix module_sig_check() for modules with ignored modversions/vermagic

[Sami Tolvanen]

On Fri, Aug 22, 2025 at 5:55 AM Jinchao Wang <wangjinchao600@gmail.com> wrote:
>
> The current signature check logic incorrectly fails modules that have
> valid signatures when the caller specifies MODULE_INIT_IGNORE_MODVERSIONS
> or MODULE_INIT_IGNORE_VERMAGIC flags. This happens because the code
> treats these flags as indicating a "mangled module" and skips signature
> verification entirely.
>
> The key insight is that the intent of the caller (to ignore modversions
> or vermagic) should not affect signature verification. A module with
> a valid signature should be verified regardless of whether the caller
> wants to ignore versioning information.

Why would you need to ignore versions when loading signed modules?
Here's the original series that added this check and I feel it's very
much relevant still:

https://lore.kernel.org/lkml/20160423184421.GL3348@decadent.org.uk/

Sami

Re: [PATCH 1/5] module: Fix module_sig_check() for modules with ignored modversions/vermagic

[Jinchao Wang]

On 8/23/25 03:36, Sami Tolvanen wrote:
> On Fri, Aug 22, 2025 at 5:55 AM Jinchao Wang <wangjinchao600@gmail.com> wrote:
>>
>> The current signature check logic incorrectly fails modules that have
>> valid signatures when the caller specifies MODULE_INIT_IGNORE_MODVERSIONS
>> or MODULE_INIT_IGNORE_VERMAGIC flags. This happens because the code
>> treats these flags as indicating a "mangled module" and skips signature
>> verification entirely.
>>
>> The key insight is that the intent of the caller (to ignore modversions
>> or vermagic) should not affect signature verification. A module with
>> a valid signature should be verified regardless of whether the caller
>> wants to ignore versioning information.
> 
> Why would you need to ignore versions when loading signed modules?
> Here's the original series that added this check and I feel it's very
> much relevant still:
> 
> https://lore.kernel.org/lkml/20160423184421.GL3348@decadent.org.uk/
> 
> Sami

Hi Sami,

Thanks for explaining the historical context. I think there are two 
possible understandings of "ignore."

The original seems to be "do not check, but still taint the module." My 
patch was based on the understanding that "ignore" means to allow the 
module, even if it is not signed or is signed with a different key.

Given your feedback, I've decided to drop the patch for now.
-- 
Best regards,
Jinchao