Re: [RFC PATCH 2/3] module: Don't fail module loading when setting ro_after_init section RO failed

From: Petr Pavlu
Date: Mon Nov 11 2024 - 12:11:51 EST

Next message: Sean Christopherson: "Re: [PATCH v2 11/12] x86/kvm/emulate: Implement test_cc() in C"
Previous message: Will Deacon: "Re: [PATCH kvmtool] riscv: Pass correct size to snprintf()"
In reply to: Petr Pavlu: "Re: [RFC PATCH 2/3] module: Don't fail module loading when setting ro_after_init section RO failed"
Next in thread: Christophe Leroy: "[RFC PATCH 3/3] module: pre-test setting ro_after_init data read-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/9/24 11:35, Christophe Leroy wrote:
> Once module init has succeded it is too late to cancel loading.
> If setting ro_after_init data section to read-only fails, all we
> can do is to inform the user through a warning.

Makes sense to me. If I'm looking correctly, set_memory_ro() could
mostly fail when splitting large pages. If we wanted to fix this
cleanly, I wonder if it would be possible to divide the function into
two. The first one which does the necessary splitting, can fail and is
called prior to a module init, and the second one that eventually
updates page table attributes and is called after the init.

>
> Reported-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@xxxxxxxxxx/
> Fixes: d1909c022173 ("module: Don't ignore errors from set_memory_XX()")
> Signed-off-by: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
> ---
> kernel/module/main.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index 2de4ad7af335..1bf4b0db291b 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -2583,7 +2583,9 @@ static noinline int do_init_module(struct module *mod)
> #endif
> ret = module_enable_rodata_ro_after_init(mod);
> if (ret)
> - goto fail_mutex_unlock;
> + pr_warn("%s: %s() returned %d, ro_after_init data might still be writable\n",
> + mod->name, __func__, ret);
> +

The __func__ magic constant here expands to "do_init_module" but the
message should rather say that "module_enable_rodata_ro_after_init"
failed.

> mod_tree_remove_init(mod);
> module_arch_freeing_init(mod);
> for_class_mod_mem_type(type, init) {
> @@ -2622,8 +2624,6 @@ static noinline int do_init_module(struct module *mod)
>
> return 0;
>
> -fail_mutex_unlock:
> - mutex_unlock(&module_mutex);
> fail_free_freeinit:
> kfree(freeinit);
> fail:

--
Cheers,
Petr

Next message: Sean Christopherson: "Re: [PATCH v2 11/12] x86/kvm/emulate: Implement test_cc() in C"
Previous message: Will Deacon: "Re: [PATCH kvmtool] riscv: Pass correct size to snprintf()"
In reply to: Petr Pavlu: "Re: [RFC PATCH 2/3] module: Don't fail module loading when setting ro_after_init section RO failed"
Next in thread: Christophe Leroy: "[RFC PATCH 3/3] module: pre-test setting ro_after_init data read-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]