lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <D5GXESPXRVH3.1M4T003I1F7BU@samsung.com>
Date: Fri, 8 Nov 2024 17:09:17 +0100
From: Daniel Gomez <da.gomez@...sung.com>
To: Luis Chamberlain <mcgrof@...nel.org>, Christophe Leroy
	<christophe.leroy@...roup.eu>, Petr Pavlu <petr.pavlu@...e.com>, "Sami
 Tolvanen" <samitolvanen@...gle.com>, <linux-modules@...r.kernel.org>
CC: Mike Rapoport <rppt@...nel.org>, Thomas Gleixner <tglx@...utronix.de>,
	Jinjie Ruan <ruanjinjie@...wei.com>, <linux-kernel@...r.kernel.org>, "Peter
 Zijlstra (Intel)" <peterz@...radead.org>, Josh Poimboeuf
	<jpoimboe@...nel.org>, "Liu Shixin" <liushixin2@...wei.com>
Subject: Re: [PATCH] static_call: Handle module init failure correctly in
 static_call_del_module()

On Fri Nov 8, 2024 at 4:49 PM CET, Luis Chamberlain wrote:
> + Other new module maintainers
>
> On Fri, Nov 08, 2024 at 09:12:03AM +0100, Christophe Leroy wrote:
>> Hi Luis,
>> 
>> Le 24/09/2024 à 09:22, Mike Rapoport a écrit :
>> > On Thu, Sep 19, 2024 at 02:53:34AM -0700, Luis Chamberlain wrote:
>> > > On Fri, Sep 06, 2024 at 04:24:56PM -0700, Luis Chamberlain wrote:
>> > > > On Thu, Sep 05, 2024 at 11:44:00AM +0200, Thomas Gleixner wrote:
>> > > > > Now you at least provided the information that the missing cleanup in
>> > > > > the init() function is not the problem. So the obvious place to look is
>> > > > > in the module core code whether there is a failure path _after_
>> > > > > module->init() returned success.
>> > > > > 
>> > > > > do_init_module()
>> > > > >          ret = do_one_initcall(mod->init);
>> > > > >          ...
>> > > > > 	ret = module_enable_rodata_ro(mod, true);
>> > > > > 	if (ret)
>> > > > > 		goto fail_mutex_unlock;
>> > > > > 
>> > > > > and that error path does _not_ invoke module->exit(), which is obviously
>> > > > > not correct. Luis?
>> > > > 
>> > > > You're spot on this needs fixing.
>> > > 
>> > > Christophe, this is a regression caused by the second hunk of your commit
>> > > d1909c0221739 ("module: Don't ignore errors from set_memory_XX()") on v6.9.
>> > > Sadly there are a few issues with trying to get to call mod->exit():
>> > > 
>> > > - We should try try_stop_module()  and that can fail
>> > > - source_list may not be empty and that would block removal
>> > > - mod->exit may not exist
>> > > 
>> > > I'm wondering if instead we should try to do the module_enable_rodata_ro()
>> > > before the init, but that requires a bit more careful evaluation...
>> > 
>> > There is ro_after_init section, we can't really make it RO before ->init()
>> 
>> Surprisingly I never received Luis's email
>
> So odd..
>
>> allthough I got this answer from Mike that I overlooked.
>> 
>> So coming back here from
>> https://lore.kernel.org/all/ZyQhbHxDTRXTJgIx@bombadil.infradead.org/
>> 
>> As far as I understand, indeed once init is called it is too late to fail,
>
> Partly yes, party no. Party yes in that its a can of worms we have not
> had to deal with before, and also I worry about deadlocks, and the code
> to address this seems complex. right ?

I have a RFC ready with this, I'll send this now so we can discuss on
with a proposal.

>
>
>> Especially when the module has no exit() path or when
>> CONFIG_MODULE_UNLOAD is not built in.
>
> That's exactly the other extreme case I fear for.
>
>> So the only thing we can do then is a big fat warning telling
>> set_memory_ro() on ro_after_init memory has failed ?
>
> I suspect this is more sensible to do.

I came to the same conclusion while trying to fix this path. + I added
an alternative for discussion.

>
>> Maybe we should try and change it to RO then back to RW before calling init,
>> to be on a safer side hopping that if change to RO works once it will work
>> twice ?
>
> That's another approach wich could work, if we proove that this does
> work, it's a nice best effort and I think less or a mess to the codebase
> then special-casing the error handling of trying to deal with the
> driver's exit.
>
> Daniel Gomez has been looking at this, so his feedback here would be
> valuable.

What if we detect ro_after_init first, and block any module
initialization depending on this ro_after_init to actually start loading
it? That way we can stop and unload the module successfully.

>
>   Luis

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ