From 7bba3167c08a3bebda6e5fcc0179482b4517ba5b Mon Sep 17 00:00:00 2001 From: Petr Pavlu Date: Thu, 6 Mar 2025 14:13:52 +0100 Subject: [PATCH 1/4] module: Constify parameters of module_enforce_rwx_sections() Minor cleanup, this is a non-functional change. Reviewed-by: Sami Tolvanen Reviewed-by: Luis Chamberlain Link: https://lore.kernel.org/r/20250306131430.7016-2-petr.pavlu@suse.com Signed-off-by: Petr Pavlu --- kernel/module/internal.h | 5 +++-- kernel/module/strict_rwx.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 626cf8668a7e..e7ab2a2e7a32 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -322,8 +322,9 @@ int module_enable_rodata_ro(const struct module *mod); int module_enable_rodata_ro_after_init(const struct module *mod); int module_enable_data_nx(const struct module *mod); int module_enable_text_rox(const struct module *mod); -int module_enforce_rwx_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs, - char *secstrings, struct module *mod); +int module_enforce_rwx_sections(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, + const char *secstrings, + const struct module *mod); #ifdef CONFIG_MODULE_SIG int module_sig_check(struct load_info *info, int flags); diff --git a/kernel/module/strict_rwx.c b/kernel/module/strict_rwx.c index 03f4142cfbf4..9c20a2f3eaa4 100644 --- a/kernel/module/strict_rwx.c +++ b/kernel/module/strict_rwx.c @@ -87,8 +87,9 @@ int module_enable_data_nx(const struct module *mod) return 0; } -int module_enforce_rwx_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs, - char *secstrings, struct module *mod) +int module_enforce_rwx_sections(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, + const char *secstrings, + const struct module *mod) { const unsigned long shf_wx = SHF_WRITE | SHF_EXECINSTR; int i; From f7984942630b0508c44276ceaa3a3a47d8fd3d2c Mon Sep 17 00:00:00 2001 From: Petr Pavlu Date: Thu, 6 Mar 2025 14:13:53 +0100 Subject: [PATCH 2/4] module: Add a separate function to mark sections as read-only after init Move the logic to mark special sections as read-only after module initialization into a separate function, along other related code in strict_rwx.c. Use a table with names of such sections to make it easier to add more. Reviewed-by: Sami Tolvanen Reviewed-by: Luis Chamberlain Link: https://lore.kernel.org/r/20250306131430.7016-3-petr.pavlu@suse.com Signed-off-by: Petr Pavlu --- kernel/module/internal.h | 2 ++ kernel/module/main.c | 18 +++--------------- kernel/module/strict_rwx.c | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 15 deletions(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index e7ab2a2e7a32..8d74b0a21c82 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -325,6 +325,8 @@ int module_enable_text_rox(const struct module *mod); int module_enforce_rwx_sections(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, const char *secstrings, const struct module *mod); +void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs, + const char *secstrings); #ifdef CONFIG_MODULE_SIG int module_sig_check(struct load_info *info, int flags); diff --git a/kernel/module/main.c b/kernel/module/main.c index a2859dc3eea6..15781c2fb008 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -2768,7 +2768,6 @@ core_param(module_blacklist, module_blacklist, charp, 0400); static struct module *layout_and_allocate(struct load_info *info, int flags) { struct module *mod; - unsigned int ndx; int err; /* Allow arches to frob section contents and sizes. */ @@ -2786,22 +2785,11 @@ static struct module *layout_and_allocate(struct load_info *info, int flags) info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; /* - * Mark ro_after_init section with SHF_RO_AFTER_INIT so that - * layout_sections() can put it in the right place. + * Mark relevant sections as SHF_RO_AFTER_INIT so layout_sections() can + * put them in the right place. * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. */ - ndx = find_sec(info, ".data..ro_after_init"); - if (ndx) - info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; - /* - * Mark the __jump_table section as ro_after_init as well: these data - * structures are never modified, with the exception of entries that - * refer to code in the __init section, which are annotated as such - * at module load time. - */ - ndx = find_sec(info, "__jump_table"); - if (ndx) - info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; + module_mark_ro_after_init(info->hdr, info->sechdrs, info->secstrings); /* * Determine total sizes, and put offsets in sh_entsize. For now diff --git a/kernel/module/strict_rwx.c b/kernel/module/strict_rwx.c index 9c20a2f3eaa4..7aab6a524ecc 100644 --- a/kernel/module/strict_rwx.c +++ b/kernel/module/strict_rwx.c @@ -107,3 +107,36 @@ int module_enforce_rwx_sections(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, return 0; } + +static const char *const ro_after_init[] = { + /* + * Section .data..ro_after_init holds data explicitly annotated by + * __ro_after_init. + */ + ".data..ro_after_init", + + /* + * Section __jump_table holds data structures that are never modified, + * with the exception of entries that refer to code in the __init + * section, which are marked as such at module load time. + */ + "__jump_table", +}; + +void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs, + const char *secstrings) +{ + int i, j; + + for (i = 1; i < hdr->e_shnum; i++) { + Elf_Shdr *shdr = &sechdrs[i]; + + for (j = 0; j < ARRAY_SIZE(ro_after_init); j++) { + if (strcmp(secstrings + shdr->sh_name, + ro_after_init[j]) == 0) { + shdr->sh_flags |= SHF_RO_AFTER_INIT; + break; + } + } + } +} From 60b57b9cb002df575a54635da1c55f361533deb7 Mon Sep 17 00:00:00 2001 From: Petr Pavlu Date: Thu, 6 Mar 2025 14:13:54 +0100 Subject: [PATCH 3/4] module: Make .static_call_sites read-only after init Section .static_call_sites holds data structures that need to be sorted and processed only at module load time. This initial processing happens in static_call_add_module(), which is invoked as a callback to the MODULE_STATE_COMING notification from prepare_coming_module(). The section is never modified afterwards. Make it therefore read-only after module initialization to avoid any (non-)accidental modifications. Reviewed-by: Sami Tolvanen Reviewed-by: Luis Chamberlain Link: https://lore.kernel.org/r/20250306131430.7016-4-petr.pavlu@suse.com Signed-off-by: Petr Pavlu --- kernel/module/strict_rwx.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel/module/strict_rwx.c b/kernel/module/strict_rwx.c index 7aab6a524ecc..8fd438529fbc 100644 --- a/kernel/module/strict_rwx.c +++ b/kernel/module/strict_rwx.c @@ -121,6 +121,15 @@ static const char *const ro_after_init[] = { * section, which are marked as such at module load time. */ "__jump_table", + +#ifdef CONFIG_HAVE_STATIC_CALL_INLINE + /* + * Section .static_call_sites holds data structures that need to be + * sorted and processed at module load time but are never modified + * afterwards. + */ + ".static_call_sites", +#endif }; void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs, From a0b018a495a3f68693e45ab570fae8191d907d86 Mon Sep 17 00:00:00 2001 From: Valentin Schneider Date: Tue, 29 Apr 2025 13:32:39 +0200 Subject: [PATCH 4/4] module: Remove outdated comment about text_size The text_size bit referred to by the comment has been removed as of commit ac3b43283923 ("module: replace module_layout with module_memory") and is thus no longer relevant. Remove it and comment about the contents of the masks array instead. Signed-off-by: Valentin Schneider Link: https://lore.kernel.org/r/20250429113242.998312-23-vschneid@redhat.com Signed-off-by: Petr Pavlu --- kernel/module/main.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/kernel/module/main.c b/kernel/module/main.c index 15781c2fb008..2b6bfaade36a 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -1562,12 +1562,11 @@ static void __layout_sections(struct module *mod, struct load_info *info, bool i { unsigned int m, i; + /* + * { Mask of required section header flags, + * Mask of excluded section header flags } + */ static const unsigned long masks[][2] = { - /* - * NOTE: all executable code must be the first section - * in this array; otherwise modify the text_size - * finder in the two loops below - */ { SHF_EXECINSTR | SHF_ALLOC, ARCH_SHF_SMALL }, { SHF_ALLOC, SHF_WRITE | ARCH_SHF_SMALL }, { SHF_RO_AFTER_INIT | SHF_ALLOC, ARCH_SHF_SMALL },