// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (C) 2002 Richard Henderson
 * Copyright (C) 2001 Rusty Russell, 2002, 2010 Rusty Russell IBM.
 * Copyright (C) 2023 Luis Chamberlain <mcgrof@kernel.org>
 */

#define INCLUDE_VERMAGIC

#include <linux/export.h>
#include <linux/extable.h>
#include <linux/moduleloader.h>
#include <linux/module_signature.h>
#include <linux/module_symbol.h>
#include <linux/trace_events.h>
#include <linux/init.h>
#include <linux/kallsyms.h>
#include <linux/buildid.h>
#include <linux/fs.h>
#include <linux/kernel.h>
#include <linux/kernel_read_file.h>
#include <linux/kstrtox.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/elf.h>
#include <linux/seq_file.h>
#include <linux/syscalls.h>
#include <linux/fcntl.h>
#include <linux/rcupdate.h>
#include <linux/capability.h>
#include <linux/cpu.h>
#include <linux/moduleparam.h>
#include <linux/errno.h>
#include <linux/err.h>
#include <linux/vermagic.h>
#include <linux/notifier.h>
#include <linux/sched.h>
#include <linux/device.h>
#include <linux/string.h>
#include <linux/mutex.h>
#include <linux/rculist.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
#include <linux/set_memory.h>
#include <asm/mmu_context.h>
#include <linux/license.h>
#include <asm/sections.h>
#include <linux/tracepoint.h>
#include <linux/ftrace.h>
#include <linux/livepatch.h>
#include <linux/async.h>
#include <linux/percpu.h>
#include <linux/kmemleak.h>
#include <linux/jump_label.h>
#include <linux/pfn.h>
#include <linux/bsearch.h>
#include <linux/dynamic_debug.h>
#include <linux/audit.h>
#include <linux/cfi.h>
#include <linux/codetag.h>
#include <linux/debugfs.h>
#include <linux/execmem.h>
#include <uapi/linux/module.h>
#include "internal.h"

#define CREATE_TRACE_POINTS
#include <trace/events/module.h>

/* 70 * Mutex protects: 71 * 1) List of modules (also safely readable within RCU read section), 72 * 2) module_use links, 73 * 3) mod_tree.addr_min/mod_tree.addr_max. 74 * (delete and add uses RCU list operations). 75 */ 76 DEFINE_MUTEX(module_mutex); 77 LIST_HEAD(modules); 78 79 /* Work queue for freeing init sections in success case */ 80 static void do_free_init(struct work_struct *w); 81 static DECLARE_WORK(init_free_wq, do_free_init); 82 static LLIST_HEAD(init_free_list); 83 84 struct mod_tree_root mod_tree __cacheline_aligned = { 85 .addr_min = -1UL, 86 }; 87 88 struct symsearch { 89 const struct kernel_symbol *start, *stop; 90 const u32 *crcs; 91 const u8 *flagstab; 92 }; 93 94 /* 95 * Bounds of module memory, for speeding up __module_address. 96 * Protected by module_mutex. 97 */ 98 static void __mod_update_bounds(enum mod_mem_type type __maybe_unused, void *base, 99 unsigned int size, struct mod_tree_root *tree) 100 { 101 unsigned long min = (unsigned long)base; 102 unsigned long max = min + size; 103 104 #ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC 105 if (mod_mem_type_is_core_data(type)) { 106 if (min < tree->data_addr_min) 107 tree->data_addr_min = min; 108 if (max > tree->data_addr_max) 109 tree->data_addr_max = max; 110 return; 111 } 112 #endif 113 if (min < tree->addr_min) 114 tree->addr_min = min; 115 if (max > tree->addr_max) 116 tree->addr_max = max; 117 } 118 119 static void mod_update_bounds(struct module *mod) 120 { 121 for_each_mod_mem_type(type) { 122 struct module_memory *mod_mem = &mod->mem[type]; 123 124 if (mod_mem->size) 125 __mod_update_bounds(type, mod_mem->base, mod_mem->size, &mod_tree); 126 } 127 } 128 129 /* Block module loading/unloading? 
*/ 130 static int modules_disabled; 131 core_param(nomodule, modules_disabled, bint, 0); 132 133 static const struct ctl_table module_sysctl_table[] = { 134 { 135 .procname = "modprobe", 136 .data = &modprobe_path, 137 .maxlen = KMOD_PATH_LEN, 138 .mode = 0644, 139 .proc_handler = proc_dostring, 140 }, 141 { 142 .procname = "modules_disabled", 143 .data = &modules_disabled, 144 .maxlen = sizeof(int), 145 .mode = 0644, 146 /* only handle a transition from default "0" to "1" */ 147 .proc_handler = proc_dointvec_minmax, 148 .extra1 = SYSCTL_ONE, 149 .extra2 = SYSCTL_ONE, 150 }, 151 }; 152 153 static int __init init_module_sysctl(void) 154 { 155 register_sysctl_init("kernel", module_sysctl_table); 156 return 0; 157 } 158 159 subsys_initcall(init_module_sysctl); 160 161 /* Waiting for a module to finish initializing? */ 162 static DECLARE_WAIT_QUEUE_HEAD(module_wq); 163 164 static BLOCKING_NOTIFIER_HEAD(module_notify_list); 165 166 int register_module_notifier(struct notifier_block *nb) 167 { 168 return blocking_notifier_chain_register(&module_notify_list, nb); 169 } 170 EXPORT_SYMBOL(register_module_notifier); 171 172 int unregister_module_notifier(struct notifier_block *nb) 173 { 174 return blocking_notifier_chain_unregister(&module_notify_list, nb); 175 } 176 EXPORT_SYMBOL(unregister_module_notifier); 177 178 /* 179 * We require a truly strong try_module_get(): 0 means success. 180 * Otherwise an error is returned due to ongoing or failed 181 * initialization etc. 
182 */ 183 static inline int strong_try_module_get(struct module *mod) 184 { 185 BUG_ON(mod && mod->state == MODULE_STATE_UNFORMED); 186 if (mod && mod->state == MODULE_STATE_COMING) 187 return -EBUSY; 188 if (try_module_get(mod)) 189 return 0; 190 else 191 return -ENOENT; 192 } 193 194 static inline void add_taint_module(struct module *mod, unsigned flag, 195 enum lockdep_ok lockdep_ok) 196 { 197 add_taint(flag, lockdep_ok); 198 set_bit(flag, &mod->taints); 199 } 200 201 /* 202 * Like strncmp(), except s/-/_/g as per scripts/Makefile.lib:name-fix-token rule. 203 */ 204 static int mod_strncmp(const char *str_a, const char *str_b, size_t n) 205 { 206 for (int i = 0; i < n; i++) { 207 char a = str_a[i]; 208 char b = str_b[i]; 209 int d; 210 211 if (a == '-') a = '_'; 212 if (b == '-') b = '_'; 213 214 d = a - b; 215 if (d) 216 return d; 217 218 if (!a) 219 break; 220 } 221 222 return 0; 223 } 224 225 /* 226 * A thread that wants to hold a reference to a module only while it 227 * is running can call this to safely exit. 228 */ 229 void __noreturn __module_put_and_kthread_exit(struct module *mod, long code) 230 { 231 module_put(mod); 232 kthread_exit(code); 233 } 234 EXPORT_SYMBOL(__module_put_and_kthread_exit); 235 236 /* Find a module section: 0 means not found. */ 237 static unsigned int find_sec(const struct load_info *info, const char *name) 238 { 239 unsigned int i; 240 241 for (i = 1; i < info->hdr->e_shnum; i++) { 242 Elf_Shdr *shdr = &info->sechdrs[i]; 243 /* Alloc bit cleared means "ignore it." */ 244 if ((shdr->sh_flags & SHF_ALLOC) 245 && strcmp(info->secstrings + shdr->sh_name, name) == 0) 246 return i; 247 } 248 return 0; 249 } 250 251 /** 252 * find_any_unique_sec() - Find a unique section index by name 253 * @info: Load info for the module to scan 254 * @name: Name of the section we're looking for 255 * 256 * Locates a unique section by name. Ignores SHF_ALLOC. 
257 * 258 * Return: Section index if found uniquely, zero if absent, negative count 259 * of total instances if multiple were found. 260 */ 261 static int find_any_unique_sec(const struct load_info *info, const char *name) 262 { 263 unsigned int idx; 264 unsigned int count = 0; 265 int i; 266 267 for (i = 1; i < info->hdr->e_shnum; i++) { 268 if (strcmp(info->secstrings + info->sechdrs[i].sh_name, 269 name) == 0) { 270 count++; 271 idx = i; 272 } 273 } 274 if (count == 1) { 275 return idx; 276 } else if (count == 0) { 277 return 0; 278 } else { 279 return -count; 280 } 281 } 282 283 /* Find a module section, or NULL. */ 284 static void *section_addr(const struct load_info *info, const char *name) 285 { 286 /* Section 0 has sh_addr 0. */ 287 return (void *)info->sechdrs[find_sec(info, name)].sh_addr; 288 } 289 290 /* Find a module section, or NULL. Fill in number of "objects" in section. */ 291 static void *section_objs(const struct load_info *info, 292 const char *name, 293 size_t object_size, 294 unsigned int *num) 295 { 296 unsigned int sec = find_sec(info, name); 297 298 /* Section 0 has sh_addr 0 and sh_size 0. */ 299 *num = info->sechdrs[sec].sh_size / object_size; 300 return (void *)info->sechdrs[sec].sh_addr; 301 } 302 303 /* Find a module section: 0 means not found. Ignores SHF_ALLOC flag. */ 304 static unsigned int find_any_sec(const struct load_info *info, const char *name) 305 { 306 unsigned int i; 307 308 for (i = 1; i < info->hdr->e_shnum; i++) { 309 Elf_Shdr *shdr = &info->sechdrs[i]; 310 if (strcmp(info->secstrings + shdr->sh_name, name) == 0) 311 return i; 312 } 313 return 0; 314 } 315 316 /* 317 * Find a module section, or NULL. Fill in number of "objects" in section. 318 * Ignores SHF_ALLOC flag. 
319 */ 320 static __maybe_unused void *any_section_objs(const struct load_info *info, 321 const char *name, 322 size_t object_size, 323 unsigned int *num) 324 { 325 unsigned int sec = find_any_sec(info, name); 326 327 /* Section 0 has sh_addr 0 and sh_size 0. */ 328 *num = info->sechdrs[sec].sh_size / object_size; 329 return (void *)info->sechdrs[sec].sh_addr; 330 } 331 332 #ifndef CONFIG_MODVERSIONS 333 #define symversion(base, idx) NULL 334 #else 335 #define symversion(base, idx) ((base != NULL) ? ((base) + (idx)) : NULL) 336 #endif 337 338 static const char *kernel_symbol_name(const struct kernel_symbol *sym) 339 { 340 #ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS 341 return offset_to_ptr(&sym->name_offset); 342 #else 343 return sym->name; 344 #endif 345 } 346 347 static const char *kernel_symbol_namespace(const struct kernel_symbol *sym) 348 { 349 #ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS 350 if (!sym->namespace_offset) 351 return NULL; 352 return offset_to_ptr(&sym->namespace_offset); 353 #else 354 return sym->namespace; 355 #endif 356 } 357 358 int cmp_name(const void *name, const void *sym) 359 { 360 return strcmp(name, kernel_symbol_name(sym)); 361 } 362 363 static bool find_exported_symbol_in_section(const struct symsearch *syms, 364 struct module *owner, 365 struct find_symbol_arg *fsa) 366 { 367 struct kernel_symbol *sym; 368 u8 sym_flags; 369 370 sym = bsearch(fsa->name, syms->start, syms->stop - syms->start, 371 sizeof(struct kernel_symbol), cmp_name); 372 if (!sym) 373 return false; 374 375 sym_flags = *(syms->flagstab + (sym - syms->start)); 376 if (!fsa->gplok && (sym_flags & KSYM_FLAG_GPL_ONLY)) 377 return false; 378 379 fsa->owner = owner; 380 fsa->crc = symversion(syms->crcs, sym - syms->start); 381 fsa->sym = sym; 382 fsa->license = (sym_flags & KSYM_FLAG_GPL_ONLY) ? GPL_ONLY : NOT_GPL_ONLY; 383 384 return true; 385 } 386 387 /* 388 * Find an exported symbol and return it, along with, (optional) crc and 389 * (optional) module which owns it. 
Needs RCU or module_mutex. 390 */ 391 bool find_symbol(struct find_symbol_arg *fsa) 392 { 393 const struct symsearch syms = { 394 .start = __start___ksymtab, 395 .stop = __stop___ksymtab, 396 .crcs = __start___kcrctab, 397 .flagstab = __start___kflagstab, 398 }; 399 struct module *mod; 400 401 if (find_exported_symbol_in_section(&syms, NULL, fsa)) 402 return true; 403 404 list_for_each_entry_rcu(mod, &modules, list, 405 lockdep_is_held(&module_mutex)) { 406 const struct symsearch syms = { 407 .start = mod->syms, 408 .stop = mod->syms + mod->num_syms, 409 .crcs = mod->crcs, 410 .flagstab = mod->flagstab, 411 }; 412 413 if (mod->state == MODULE_STATE_UNFORMED) 414 continue; 415 416 if (find_exported_symbol_in_section(&syms, mod, fsa)) 417 return true; 418 } 419 420 pr_debug("Failed to find symbol %s\n", fsa->name); 421 return false; 422 } 423 424 /* 425 * Search for module by name: must hold module_mutex (or RCU for read-only 426 * access). 427 */ 428 struct module *find_module_all(const char *name, size_t len, 429 bool even_unformed) 430 { 431 struct module *mod; 432 433 list_for_each_entry_rcu(mod, &modules, list, 434 lockdep_is_held(&module_mutex)) { 435 if (!even_unformed && mod->state == MODULE_STATE_UNFORMED) 436 continue; 437 if (strlen(mod->name) == len && !memcmp(mod->name, name, len)) 438 return mod; 439 } 440 return NULL; 441 } 442 443 struct module *find_module(const char *name) 444 { 445 return find_module_all(name, strlen(name), false); 446 } 447 448 #ifdef CONFIG_SMP 449 450 static inline void __percpu *mod_percpu(struct module *mod) 451 { 452 return mod->percpu; 453 } 454 455 static int percpu_modalloc(struct module *mod, struct load_info *info) 456 { 457 Elf_Shdr *pcpusec = &info->sechdrs[info->index.pcpu]; 458 unsigned long align = pcpusec->sh_addralign; 459 460 if (!pcpusec->sh_size) 461 return 0; 462 463 if (align > PAGE_SIZE) { 464 pr_warn("%s: per-cpu alignment %li > %li\n", 465 mod->name, align, PAGE_SIZE); 466 align = PAGE_SIZE; 467 } 468 469 
mod->percpu = __alloc_reserved_percpu(pcpusec->sh_size, align); 470 if (!mod->percpu) { 471 pr_warn("%s: Could not allocate %lu bytes percpu data\n", 472 mod->name, (unsigned long)pcpusec->sh_size); 473 return -ENOMEM; 474 } 475 mod->percpu_size = pcpusec->sh_size; 476 return 0; 477 } 478 479 static void percpu_modfree(struct module *mod) 480 { 481 free_percpu(mod->percpu); 482 } 483 484 static unsigned int find_pcpusec(struct load_info *info) 485 { 486 return find_sec(info, ".data..percpu"); 487 } 488 489 static void percpu_modcopy(struct module *mod, 490 const void *from, unsigned long size) 491 { 492 int cpu; 493 494 for_each_possible_cpu(cpu) 495 memcpy(per_cpu_ptr(mod->percpu, cpu), from, size); 496 } 497 498 bool __is_module_percpu_address(unsigned long addr, unsigned long *can_addr) 499 { 500 struct module *mod; 501 unsigned int cpu; 502 503 guard(rcu)(); 504 list_for_each_entry_rcu(mod, &modules, list) { 505 if (mod->state == MODULE_STATE_UNFORMED) 506 continue; 507 if (!mod->percpu_size) 508 continue; 509 for_each_possible_cpu(cpu) { 510 void *start = per_cpu_ptr(mod->percpu, cpu); 511 void *va = (void *)addr; 512 513 if (va >= start && va < start + mod->percpu_size) { 514 if (can_addr) { 515 *can_addr = (unsigned long) (va - start); 516 *can_addr += (unsigned long) 517 per_cpu_ptr(mod->percpu, 518 get_boot_cpu_id()); 519 } 520 return true; 521 } 522 } 523 } 524 return false; 525 } 526 527 /** 528 * is_module_percpu_address() - test whether address is from module static percpu 529 * @addr: address to test 530 * 531 * Test whether @addr belongs to module static percpu area. 532 * 533 * Return: %true if @addr is from module static percpu area 534 */ 535 bool is_module_percpu_address(unsigned long addr) 536 { 537 return __is_module_percpu_address(addr, NULL); 538 } 539 540 #else /* ... 
!CONFIG_SMP */ 541 542 static inline void __percpu *mod_percpu(struct module *mod) 543 { 544 return NULL; 545 } 546 static int percpu_modalloc(struct module *mod, struct load_info *info) 547 { 548 /* UP modules shouldn't have this section: ENOMEM isn't quite right */ 549 if (info->sechdrs[info->index.pcpu].sh_size != 0) 550 return -ENOMEM; 551 return 0; 552 } 553 static inline void percpu_modfree(struct module *mod) 554 { 555 } 556 static unsigned int find_pcpusec(struct load_info *info) 557 { 558 return 0; 559 } 560 static inline void percpu_modcopy(struct module *mod, 561 const void *from, unsigned long size) 562 { 563 /* pcpusec should be 0, and size of that section should be 0. */ 564 BUG_ON(size != 0); 565 } 566 bool is_module_percpu_address(unsigned long addr) 567 { 568 return false; 569 } 570 571 bool __is_module_percpu_address(unsigned long addr, unsigned long *can_addr) 572 { 573 return false; 574 } 575 576 #endif /* CONFIG_SMP */ 577 578 #define MODINFO_ATTR(field) \ 579 static void setup_modinfo_##field(struct module *mod, const char *s) \ 580 { \ 581 mod->field = kstrdup(s, GFP_KERNEL); \ 582 } \ 583 static ssize_t show_modinfo_##field(const struct module_attribute *mattr, \ 584 struct module_kobject *mk, char *buffer) \ 585 { \ 586 return scnprintf(buffer, PAGE_SIZE, "%s\n", mk->mod->field); \ 587 } \ 588 static int modinfo_##field##_exists(struct module *mod) \ 589 { \ 590 return mod->field != NULL; \ 591 } \ 592 static void free_modinfo_##field(struct module *mod) \ 593 { \ 594 kfree(mod->field); \ 595 mod->field = NULL; \ 596 } \ 597 static const struct module_attribute modinfo_##field = { \ 598 .attr = { .name = __stringify(field), .mode = 0444 }, \ 599 .show = show_modinfo_##field, \ 600 .setup = setup_modinfo_##field, \ 601 .test = modinfo_##field##_exists, \ 602 .free = free_modinfo_##field, \ 603 }; 604 605 MODINFO_ATTR(version); 606 MODINFO_ATTR(srcversion); 607 608 static void setup_modinfo_import_ns(struct module *mod, const char *s) 609 { 
610 mod->imported_namespaces = NULL; 611 } 612 613 static ssize_t show_modinfo_import_ns(const struct module_attribute *mattr, 614 struct module_kobject *mk, char *buffer) 615 { 616 return sysfs_emit(buffer, "%s\n", mk->mod->imported_namespaces); 617 } 618 619 static int modinfo_import_ns_exists(struct module *mod) 620 { 621 return mod->imported_namespaces != NULL; 622 } 623 624 static void free_modinfo_import_ns(struct module *mod) 625 { 626 kfree(mod->imported_namespaces); 627 mod->imported_namespaces = NULL; 628 } 629 630 static const struct module_attribute modinfo_import_ns = { 631 .attr = { .name = "import_ns", .mode = 0444 }, 632 .show = show_modinfo_import_ns, 633 .setup = setup_modinfo_import_ns, 634 .test = modinfo_import_ns_exists, 635 .free = free_modinfo_import_ns, 636 }; 637 638 static struct { 639 char name[MODULE_NAME_LEN]; 640 char taints[MODULE_FLAGS_BUF_SIZE]; 641 } last_unloaded_module; 642 643 #ifdef CONFIG_MODULE_UNLOAD 644 645 EXPORT_TRACEPOINT_SYMBOL(module_get); 646 647 /* MODULE_REF_BASE is the base reference count by kmodule loader. */ 648 #define MODULE_REF_BASE 1 649 650 /* Init the unload section of the module. */ 651 static int module_unload_init(struct module *mod) 652 { 653 /* 654 * Initialize reference counter to MODULE_REF_BASE. 655 * refcnt == 0 means module is going. 656 */ 657 atomic_set(&mod->refcnt, MODULE_REF_BASE); 658 659 INIT_LIST_HEAD(&mod->source_list); 660 INIT_LIST_HEAD(&mod->target_list); 661 662 /* Hold reference count during initialization. */ 663 atomic_inc(&mod->refcnt); 664 665 return 0; 666 } 667 668 /* Does a already use b? 
*/ 669 static int already_uses(struct module *a, struct module *b) 670 { 671 struct module_use *use; 672 673 list_for_each_entry(use, &b->source_list, source_list) { 674 if (use->source == a) 675 return 1; 676 } 677 pr_debug("%s does not use %s!\n", a->name, b->name); 678 return 0; 679 } 680 681 /* 682 * Module a uses b 683 * - we add 'a' as a "source", 'b' as a "target" of module use 684 * - the module_use is added to the list of 'b' sources (so 685 * 'b' can walk the list to see who sourced them), and of 'a' 686 * targets (so 'a' can see what modules it targets). 687 */ 688 static int add_module_usage(struct module *a, struct module *b) 689 { 690 struct module_use *use; 691 692 pr_debug("Allocating new usage for %s.\n", a->name); 693 use = kmalloc_obj(*use, GFP_ATOMIC); 694 if (!use) 695 return -ENOMEM; 696 697 use->source = a; 698 use->target = b; 699 list_add(&use->source_list, &b->source_list); 700 list_add(&use->target_list, &a->target_list); 701 return 0; 702 } 703 704 /* Module a uses b: caller needs module_mutex() */ 705 static int ref_module(struct module *a, struct module *b) 706 { 707 int err; 708 709 if (b == NULL || already_uses(a, b)) 710 return 0; 711 712 /* If module isn't available, we fail. */ 713 err = strong_try_module_get(b); 714 if (err) 715 return err; 716 717 err = add_module_usage(a, b); 718 if (err) { 719 module_put(b); 720 return err; 721 } 722 return 0; 723 } 724 725 /* Clear the unload stuff of the module. 
*/ 726 static void module_unload_free(struct module *mod) 727 { 728 struct module_use *use, *tmp; 729 730 mutex_lock(&module_mutex); 731 list_for_each_entry_safe(use, tmp, &mod->target_list, target_list) { 732 struct module *i = use->target; 733 pr_debug("%s unusing %s\n", mod->name, i->name); 734 module_put(i); 735 list_del(&use->source_list); 736 list_del(&use->target_list); 737 kfree(use); 738 } 739 mutex_unlock(&module_mutex); 740 } 741 742 #ifdef CONFIG_MODULE_FORCE_UNLOAD 743 static inline int try_force_unload(unsigned int flags) 744 { 745 int ret = (flags & O_TRUNC); 746 if (ret) 747 add_taint(TAINT_FORCED_RMMOD, LOCKDEP_NOW_UNRELIABLE); 748 return ret; 749 } 750 #else 751 static inline int try_force_unload(unsigned int flags) 752 { 753 return 0; 754 } 755 #endif /* CONFIG_MODULE_FORCE_UNLOAD */ 756 757 /* Try to release refcount of module, 0 means success. */ 758 static int try_release_module_ref(struct module *mod) 759 { 760 int ret; 761 762 /* Try to decrement refcnt which we set at loading */ 763 ret = atomic_sub_return(MODULE_REF_BASE, &mod->refcnt); 764 BUG_ON(ret < 0); 765 if (ret) 766 /* Someone can put this right now, recover with checking */ 767 ret = atomic_add_unless(&mod->refcnt, MODULE_REF_BASE, 0); 768 769 return ret; 770 } 771 772 static int try_stop_module(struct module *mod, int flags, int *forced) 773 { 774 /* If it's not unused, quit unless we're forcing. */ 775 if (try_release_module_ref(mod) != 0) { 776 *forced = try_force_unload(flags); 777 if (!(*forced)) 778 return -EWOULDBLOCK; 779 } 780 781 /* Mark it as dying. 
*/ 782 mod->state = MODULE_STATE_GOING; 783 784 return 0; 785 } 786 787 /** 788 * module_refcount() - return the refcount or -1 if unloading 789 * @mod: the module we're checking 790 * 791 * Return: 792 * -1 if the module is in the process of unloading 793 * otherwise the number of references in the kernel to the module 794 */ 795 int module_refcount(struct module *mod) 796 { 797 return atomic_read(&mod->refcnt) - MODULE_REF_BASE; 798 } 799 EXPORT_SYMBOL(module_refcount); 800 801 /* This exists whether we can unload or not */ 802 static void free_module(struct module *mod); 803 804 SYSCALL_DEFINE2(delete_module, const char __user *, name_user, 805 unsigned int, flags) 806 { 807 struct module *mod; 808 char name[MODULE_NAME_LEN]; 809 char buf[MODULE_FLAGS_BUF_SIZE]; 810 int ret, len, forced = 0; 811 812 if (!capable(CAP_SYS_MODULE) || modules_disabled) 813 return -EPERM; 814 815 len = strncpy_from_user(name, name_user, MODULE_NAME_LEN); 816 if (len == 0 || len == MODULE_NAME_LEN) 817 return -ENOENT; 818 if (len < 0) 819 return len; 820 821 audit_log_kern_module(name); 822 823 if (mutex_lock_interruptible(&module_mutex) != 0) 824 return -EINTR; 825 826 mod = find_module(name); 827 if (!mod) { 828 ret = -ENOENT; 829 goto out; 830 } 831 832 if (!list_empty(&mod->source_list)) { 833 /* Other modules depend on us: get rid of them first. */ 834 ret = -EWOULDBLOCK; 835 goto out; 836 } 837 838 /* Doing init or already dying? 
*/ 839 if (mod->state != MODULE_STATE_LIVE) { 840 /* FIXME: if (force), slam module count damn the torpedoes */ 841 pr_debug("%s already dying\n", mod->name); 842 ret = -EBUSY; 843 goto out; 844 } 845 846 /* If it has an init func, it must have an exit func to unload */ 847 if (mod->init && !mod->exit) { 848 forced = try_force_unload(flags); 849 if (!forced) { 850 /* This module can't be removed */ 851 ret = -EBUSY; 852 goto out; 853 } 854 } 855 856 ret = try_stop_module(mod, flags, &forced); 857 if (ret != 0) 858 goto out; 859 860 mutex_unlock(&module_mutex); 861 /* Final destruction now no one is using it. */ 862 if (mod->exit != NULL) 863 mod->exit(); 864 blocking_notifier_call_chain(&module_notify_list, 865 MODULE_STATE_GOING, mod); 866 klp_module_going(mod); 867 ftrace_release_mod(mod); 868 869 async_synchronize_full(); 870 871 /* Store the name and taints of the last unloaded module for diagnostic purposes */ 872 strscpy(last_unloaded_module.name, mod->name); 873 strscpy(last_unloaded_module.taints, module_flags(mod, buf, false)); 874 875 free_module(mod); 876 /* someone could wait for the module in add_unformed_module() */ 877 wake_up_all(&module_wq); 878 return 0; 879 out: 880 mutex_unlock(&module_mutex); 881 return ret; 882 } 883 884 void __symbol_put(const char *symbol) 885 { 886 struct find_symbol_arg fsa = { 887 .name = symbol, 888 .gplok = true, 889 }; 890 891 guard(rcu)(); 892 BUG_ON(!find_symbol(&fsa)); 893 module_put(fsa.owner); 894 } 895 EXPORT_SYMBOL(__symbol_put); 896 897 /* Note this assumes addr is a function, which it currently always is. */ 898 void symbol_put_addr(void *addr) 899 { 900 struct module *modaddr; 901 unsigned long a = (unsigned long)dereference_function_descriptor(addr); 902 903 if (core_kernel_text(a)) 904 return; 905 906 /* 907 * Even though we hold a reference on the module; we still need to 908 * RCU read section in order to safely traverse the data structure. 
909 */ 910 guard(rcu)(); 911 modaddr = __module_text_address(a); 912 BUG_ON(!modaddr); 913 module_put(modaddr); 914 } 915 EXPORT_SYMBOL_GPL(symbol_put_addr); 916 917 static ssize_t show_refcnt(const struct module_attribute *mattr, 918 struct module_kobject *mk, char *buffer) 919 { 920 return sprintf(buffer, "%i\n", module_refcount(mk->mod)); 921 } 922 923 static const struct module_attribute modinfo_refcnt = 924 __ATTR(refcnt, 0444, show_refcnt, NULL); 925 926 void __module_get(struct module *module) 927 { 928 if (module) { 929 atomic_inc(&module->refcnt); 930 trace_module_get(module, _RET_IP_); 931 } 932 } 933 EXPORT_SYMBOL(__module_get); 934 935 bool try_module_get(struct module *module) 936 { 937 bool ret = true; 938 939 if (module) { 940 /* Note: here, we can fail to get a reference */ 941 if (likely(module_is_live(module) && 942 atomic_inc_not_zero(&module->refcnt) != 0)) 943 trace_module_get(module, _RET_IP_); 944 else 945 ret = false; 946 } 947 return ret; 948 } 949 EXPORT_SYMBOL(try_module_get); 950 951 void module_put(struct module *module) 952 { 953 int ret; 954 955 if (module) { 956 ret = atomic_dec_if_positive(&module->refcnt); 957 WARN_ON(ret < 0); /* Failed to put refcount */ 958 trace_module_put(module, _RET_IP_); 959 } 960 } 961 EXPORT_SYMBOL(module_put); 962 963 #else /* !CONFIG_MODULE_UNLOAD */ 964 static inline void module_unload_free(struct module *mod) 965 { 966 } 967 968 static int ref_module(struct module *a, struct module *b) 969 { 970 return strong_try_module_get(b); 971 } 972 973 static inline int module_unload_init(struct module *mod) 974 { 975 return 0; 976 } 977 #endif /* CONFIG_MODULE_UNLOAD */ 978 979 size_t module_flags_taint(unsigned long taints, char *buf) 980 { 981 size_t l = 0; 982 int i; 983 984 for (i = 0; i < TAINT_FLAGS_COUNT; i++) { 985 if (test_bit(i, &taints)) 986 buf[l++] = taint_flags[i].c_true; 987 } 988 989 return l; 990 } 991 992 static ssize_t show_initstate(const struct module_attribute *mattr, 993 struct 
module_kobject *mk, char *buffer) 994 { 995 const char *state = "unknown"; 996 997 switch (mk->mod->state) { 998 case MODULE_STATE_LIVE: 999 state = "live"; 1000 break; 1001 case MODULE_STATE_COMING: 1002 state = "coming"; 1003 break; 1004 case MODULE_STATE_GOING: 1005 state = "going"; 1006 break; 1007 default: 1008 BUG(); 1009 } 1010 return sprintf(buffer, "%s\n", state); 1011 } 1012 1013 static const struct module_attribute modinfo_initstate = 1014 __ATTR(initstate, 0444, show_initstate, NULL); 1015 1016 static ssize_t store_uevent(const struct module_attribute *mattr, 1017 struct module_kobject *mk, 1018 const char *buffer, size_t count) 1019 { 1020 int rc; 1021 1022 rc = kobject_synth_uevent(&mk->kobj, buffer, count); 1023 return rc ? rc : count; 1024 } 1025 1026 const struct module_attribute module_uevent = 1027 __ATTR(uevent, 0200, NULL, store_uevent); 1028 1029 static ssize_t show_coresize(const struct module_attribute *mattr, 1030 struct module_kobject *mk, char *buffer) 1031 { 1032 unsigned int size = mk->mod->mem[MOD_TEXT].size; 1033 1034 if (!IS_ENABLED(CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC)) { 1035 for_class_mod_mem_type(type, core_data) 1036 size += mk->mod->mem[type].size; 1037 } 1038 return sprintf(buffer, "%u\n", size); 1039 } 1040 1041 static const struct module_attribute modinfo_coresize = 1042 __ATTR(coresize, 0444, show_coresize, NULL); 1043 1044 #ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC 1045 static ssize_t show_datasize(const struct module_attribute *mattr, 1046 struct module_kobject *mk, char *buffer) 1047 { 1048 unsigned int size = 0; 1049 1050 for_class_mod_mem_type(type, core_data) 1051 size += mk->mod->mem[type].size; 1052 return sprintf(buffer, "%u\n", size); 1053 } 1054 1055 static const struct module_attribute modinfo_datasize = 1056 __ATTR(datasize, 0444, show_datasize, NULL); 1057 #endif 1058 1059 static ssize_t show_initsize(const struct module_attribute *mattr, 1060 struct module_kobject *mk, char *buffer) 1061 { 1062 
	unsigned int size = 0;

	for_class_mod_mem_type(type, init)
		size += mk->mod->mem[type].size;
	return sprintf(buffer, "%u\n", size);
}

static const struct module_attribute modinfo_initsize =
	__ATTR(initsize, 0444, show_initsize, NULL);

/* sysfs "taint" attribute: the module's taint flags as characters. */
static ssize_t show_taint(const struct module_attribute *mattr,
			  struct module_kobject *mk, char *buffer)
{
	size_t l;

	l = module_flags_taint(mk->mod->taints, buffer);
	buffer[l++] = '\n';
	return l;
}

static const struct module_attribute modinfo_taint =
	__ATTR(taint, 0444, show_taint, NULL);

/* NULL-terminated table of per-module sysfs attributes. */
const struct module_attribute *const modinfo_attrs[] = {
	&module_uevent,
	&modinfo_version,
	&modinfo_srcversion,
	&modinfo_import_ns,
	&modinfo_initstate,
	&modinfo_coresize,
#ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC
	&modinfo_datasize,
#endif
	&modinfo_initsize,
	&modinfo_taint,
#ifdef CONFIG_MODULE_UNLOAD
	&modinfo_refcnt,
#endif
	NULL,
};

const size_t modinfo_attrs_count = ARRAY_SIZE(modinfo_attrs);

/* The version magic this kernel was built with. */
static const char vermagic[] = VERMAGIC_STRING;

/*
 * With CONFIG_MODULE_FORCE_LOAD, allow the load anyway but taint the
 * module (and kernel), warning only on the first forced load;
 * otherwise refuse with -ENOEXEC.
 */
int try_to_force_load(struct module *mod, const char *reason)
{
#ifdef CONFIG_MODULE_FORCE_LOAD
	if (!test_taint(TAINT_FORCED_MODULE))
		pr_warn("%s: %s: kernel tainted.\n", mod->name, reason);
	add_taint_module(mod, TAINT_FORCED_MODULE, LOCKDEP_NOW_UNRELIABLE);
	return 0;
#else
	return -ENOEXEC;
#endif
}

/* Parse tag=value strings from .modinfo section */
char *module_next_tag_pair(char *string, unsigned long *secsize)
{
	/* Skip non-zero chars */
	while (string[0]) {
		string++;
		if ((*secsize)-- <= 1)
			return NULL;
	}

	/* Skip any zero padding. */
	while (!string[0]) {
		string++;
		if ((*secsize)-- <= 1)
			return NULL;
	}
	return string;
}

/*
 * Find the value of the .modinfo entry for @tag following @prev
 * (or the first one when @prev is NULL); NULL if no further match.
 */
static char *get_next_modinfo(const struct load_info *info, const char *tag,
			      char *prev)
{
	char *p;
	unsigned int taglen = strlen(tag);
	Elf_Shdr *infosec = &info->sechdrs[info->index.info];
	unsigned long size = infosec->sh_size;

	/*
	 * get_modinfo() calls made before rewrite_section_headers()
	 * must use sh_offset, as sh_addr isn't set!
	 */
	char *modinfo = (char *)info->hdr + infosec->sh_offset;

	if (prev) {
		size -= prev - modinfo;
		modinfo = module_next_tag_pair(prev, &size);
	}

	for (p = modinfo; p; p = module_next_tag_pair(p, &size)) {
		if (strncmp(p, tag, taglen) == 0 && p[taglen] == '=')
			return p + taglen + 1;
	}
	return NULL;
}

static char *get_modinfo(const struct load_info *info, const char *tag)
{
	return get_next_modinfo(info, tag, NULL);
}

/**
 * verify_module_namespace() - does @modname have access to this symbol's @namespace
 * @namespace: export symbol namespace
 * @modname: module name
 *
 * If @namespace is prefixed with "module:" to indicate it is a module namespace
 * then test if @modname matches any of the comma separated patterns.
 *
 * The patterns only support tail-glob.
 */
static bool verify_module_namespace(const char *namespace, const char *modname)
{
	size_t len, modlen = strlen(modname);
	const char *prefix = "module:";
	const char *sep;
	bool glob;

	if (!strstarts(namespace, prefix))
		return false;

	/* Walk the comma-separated pattern list after the "module:" prefix. */
	for (namespace += strlen(prefix); *namespace; namespace = sep) {
		sep = strchrnul(namespace, ',');
		len = sep - namespace;

		/* A trailing '*' makes the pattern a prefix match. */
		glob = false;
		if (sep[-1] == '*') {
			len--;
			glob = true;
		}

		if (*sep)
			sep++;

		if (mod_strncmp(namespace, modname, len) == 0 && (glob || len == modlen))
			return true;
	}

	return false;
}

/*
 * Check that @mod may use @sym: either the symbol's namespace grants
 * @mod access via a "module:" pattern, or @mod explicitly imports it.
 * Returns 0 if allowed (or the violation is configured to only warn),
 * -EINVAL otherwise.
 */
static int verify_namespace_is_imported(const struct load_info *info,
					const struct kernel_symbol *sym,
					struct module *mod)
{
	const char *namespace;
	char *imported_namespace;

	namespace = kernel_symbol_namespace(sym);
	if (namespace && namespace[0]) {

		if (verify_module_namespace(namespace, mod->name))
			return 0;

		for_each_modinfo_entry(imported_namespace, info, "import_ns") {
			if (strcmp(namespace, imported_namespace) == 0)
				return 0;
		}
#ifdef CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
		pr_warn(
#else
		pr_err(
#endif
			"%s: module uses symbol (%s) from namespace %s, but does not import it.\n",
			mod->name, kernel_symbol_name(sym), namespace);
#ifndef CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
		return -EINVAL;
#endif
	}
	return 0;
}

/*
 * Propagate the proprietary taint from @owner to @mod. Returns false
 * (refusing the link) when a module that already used GPL-only symbols
 * tries to use a symbol from a proprietary module.
 */
static bool inherit_taint(struct module *mod, struct module *owner, const char *name)
{
	if (!owner || !test_bit(TAINT_PROPRIETARY_MODULE, &owner->taints))
		return true;

	if (mod->using_gplonly_symbols) {
		pr_err("%s: module using GPL-only symbols uses symbols %s from proprietary module %s.\n",
		       mod->name, name, owner->name);
		return false;
	}

	if (!test_bit(TAINT_PROPRIETARY_MODULE, &mod->taints)) {
		pr_warn("%s: module uses symbols %s from proprietary module %s, inheriting taint.\n",
			mod->name, name, owner->name);
		set_bit(TAINT_PROPRIETARY_MODULE, &mod->taints);
	}
	return true;
}

/* Resolve a symbol for this module.  I.e. if we find one, record usage. */
static const struct kernel_symbol *resolve_symbol(struct module *mod,
						  const struct load_info *info,
						  const char *name,
						  char ownername[])
{
	struct find_symbol_arg fsa = {
		.name	= name,
		.gplok	= !(mod->taints & (1 << TAINT_PROPRIETARY_MODULE)),
		.warn	= true,
	};
	int err;

	/*
	 * The module_mutex should not be a heavily contended lock;
	 * if we get the occasional sleep here, we'll go an extra iteration
	 * in the wait_event_interruptible(), which is harmless.
	 */
	sched_annotate_sleep();
	mutex_lock(&module_mutex);
	if (!find_symbol(&fsa))
		goto unlock;

	if (fsa.license == GPL_ONLY)
		mod->using_gplonly_symbols = true;

	if (!inherit_taint(mod, fsa.owner, name)) {
		fsa.sym = NULL;
		goto getname;
	}

	if (!check_version(info, name, mod, fsa.crc)) {
		fsa.sym = ERR_PTR(-EINVAL);
		goto getname;
	}

	err = verify_namespace_is_imported(info, fsa.sym, mod);
	if (err) {
		fsa.sym = ERR_PTR(err);
		goto getname;
	}

	err = ref_module(mod, fsa.owner);
	if (err) {
		fsa.sym = ERR_PTR(err);
		goto getname;
	}

getname:
	/* We must make copy under the lock if we failed to get ref.
	 */
	strscpy(ownername, module_name(fsa.owner), MODULE_NAME_LEN);
unlock:
	mutex_unlock(&module_mutex);
	return fsa.sym;
}

/*
 * Like resolve_symbol(), but retry for up to 30s while the result is
 * -EBUSY (the owning module is still initializing). Returns the last
 * resolve_symbol() result even on timeout.
 */
static const struct kernel_symbol *
resolve_symbol_wait(struct module *mod,
		    const struct load_info *info,
		    const char *name)
{
	const struct kernel_symbol *ksym;
	char owner[MODULE_NAME_LEN];

	if (wait_event_interruptible_timeout(module_wq,
					     !IS_ERR(ksym = resolve_symbol(mod, info, name, owner))
					     || PTR_ERR(ksym) != -EBUSY,
					     30 * HZ) <= 0) {
		pr_warn("%s: gave up waiting for init of module %s.\n",
			mod->name, owner);
	}
	return ksym;
}

/* Arch hooks; default implementations do nothing. */
void __weak module_arch_cleanup(struct module *mod)
{
}

void __weak module_arch_freeing_init(struct module *mod)
{
}

/*
 * Allocate the backing memory for the given module memory region,
 * page-align its size, zero it, and record the base pointer and
 * whether the allocation is ROX. Returns 0 or -ENOMEM.
 */
static int module_memory_alloc(struct module *mod, enum mod_mem_type type)
{
	unsigned int size = PAGE_ALIGN(mod->mem[type].size);
	enum execmem_type execmem_type;
	void *ptr;

	mod->mem[type].size = size;

	if (mod_mem_type_is_data(type))
		execmem_type = EXECMEM_MODULE_DATA;
	else
		execmem_type = EXECMEM_MODULE_TEXT;

	ptr = execmem_alloc_rw(execmem_type, size);
	if (!ptr)
		return -ENOMEM;

	mod->mem[type].is_rox = execmem_is_rox(execmem_type);

	/*
	 * The pointer to these blocks of memory are stored on the module
	 * structure and we keep that around so long as the module is
	 * around. We only free that memory when we unload the module.
	 * Just mark them as not being a leak then. The .init* ELF
	 * sections *do* get freed after boot so we *could* treat them
	 * slightly differently with kmemleak_ignore() and only grey
	 * them out as they work as typical memory allocations which
	 * *do* eventually get freed, but let's just keep things simple
	 * and avoid *any* false positives.
	 */
	if (!mod->mem[type].is_rox)
		kmemleak_not_leak(ptr);

	memset(ptr, 0, size);
	mod->mem[type].base = ptr;

	return 0;
}

/* Make all ROX text regions writable again before they are freed. */
static void module_memory_restore_rox(struct module *mod)
{
	for_class_mod_mem_type(type, text) {
		struct module_memory *mem = &mod->mem[type];

		if (mem->is_rox)
			execmem_restore_rox(mem->base, mem->size);
	}
}

static void module_memory_free(struct module *mod, enum mod_mem_type type)
{
	struct module_memory *mem = &mod->mem[type];

	execmem_free(mem->base);
}

/*
 * Free all module memory regions and drop their lockdep keys.
 * MOD_DATA is freed last because the struct module itself lives there.
 */
static void free_mod_mem(struct module *mod)
{
	for_each_mod_mem_type(type) {
		struct module_memory *mod_mem = &mod->mem[type];

		if (type == MOD_DATA)
			continue;

		/* Free lock-classes; relies on the preceding sync_rcu(). */
		lockdep_free_key_range(mod_mem->base, mod_mem->size);
		if (mod_mem->size)
			module_memory_free(mod, type);
	}

	/* MOD_DATA hosts mod, so free it at last */
	lockdep_free_key_range(mod->mem[MOD_DATA].base, mod->mem[MOD_DATA].size);
	module_memory_free(mod, MOD_DATA);
}

/* Free a module, remove from lists, etc. */
static void free_module(struct module *mod)
{
	trace_module_free(mod);

	codetag_unload_module(mod);

	mod_sysfs_teardown(mod);

	/*
	 * We leave it in list to prevent duplicate loads, but make sure
	 * that noone uses it while it's being deconstructed.
	 */
	mutex_lock(&module_mutex);
	mod->state = MODULE_STATE_UNFORMED;
	mutex_unlock(&module_mutex);

	/* Arch-specific cleanup. */
	module_arch_cleanup(mod);

	/* Module unload stuff */
	module_unload_free(mod);

	/* Free any allocated parameters. */
	module_destroy_params(mod->kp, mod->num_kp);

	if (is_livepatch_module(mod))
		free_module_elf(mod);

	/* Now we can delete it from the lists */
	mutex_lock(&module_mutex);
	/* Unlink carefully: kallsyms could be walking list. */
	list_del_rcu(&mod->list);
	mod_tree_remove(mod);
	/* Remove this module from bug list, this uses list_del_rcu */
	module_bug_cleanup(mod);
	/* Wait for RCU synchronizing before releasing mod->list and buglist. */
	synchronize_rcu();
	if (try_add_tainted_module(mod))
		pr_err("%s: adding tainted module to the unloaded tainted modules list failed.\n",
		       mod->name);
	mutex_unlock(&module_mutex);

	/* This may be empty, but that's OK */
	module_arch_freeing_init(mod);
	kfree(mod->args);
	percpu_modfree(mod);

	free_mod_mem(mod);
}

/*
 * Look up a GPL-only exported symbol by name and take a reference on
 * its owner; returns the symbol's value or NULL on any failure.
 */
void *__symbol_get(const char *symbol)
{
	struct find_symbol_arg fsa = {
		.name	= symbol,
		.gplok	= true,
		.warn	= true,
	};

	scoped_guard(rcu) {
		if (!find_symbol(&fsa))
			return NULL;
		if (fsa.license != GPL_ONLY) {
			pr_warn("failing symbol_get of non-GPLONLY symbol %s.\n",
				symbol);
			return NULL;
		}
		/* non-zero means the get failed (owner going away). */
		if (strong_try_module_get(fsa.owner))
			return NULL;
	}
	return (void *)kernel_symbol_value(fsa.sym);
}
EXPORT_SYMBOL_GPL(__symbol_get);

/*
 * Ensure that an exported symbol [global namespace] does not already exist
 * in the kernel or in some other module's exported symbol table.
 *
 * You must hold the module_mutex.
 */
static int verify_exported_symbols(struct module *mod)
{
	const struct kernel_symbol *s;

	for (s = mod->syms; s < mod->syms + mod->num_syms; s++) {
		struct find_symbol_arg fsa = {
			.name	= kernel_symbol_name(s),
			.gplok	= true,
		};

		if (find_symbol(&fsa)) {
			pr_err("%s: exports duplicate symbol %s (owned by %s)\n",
			       mod->name, kernel_symbol_name(s),
			       module_name(fsa.owner));
			return -ENOEXEC;
		}
	}
	return 0;
}

/* Should an unresolved undefined symbol with this @name be tolerated? */
static bool ignore_undef_symbol(Elf_Half emachine, const char *name)
{
	/*
	 * On x86, PIC code and Clang non-PIC code may have call foo@PLT. GNU as
	 * before 2.37 produces an unreferenced _GLOBAL_OFFSET_TABLE_ on x86-64.
	 * i386 has a similar problem but may not deserve a fix.
	 *
	 * If we ever have to ignore many symbols, consider refactoring the code to
	 * only warn if referenced by a relocation.
	 */
	if (emachine == EM_386 || emachine == EM_X86_64)
		return !strcmp(name, "_GLOBAL_OFFSET_TABLE_");
	return false;
}

/* Change all symbols so that st_value encodes the pointer directly. */
static int simplify_symbols(struct module *mod, const struct load_info *info)
{
	Elf_Shdr *symsec = &info->sechdrs[info->index.sym];
	Elf_Sym *sym = (void *)symsec->sh_addr;
	unsigned long secbase;
	unsigned int i;
	int ret = 0;
	const struct kernel_symbol *ksym;

	/* Entry 0 is the ELF null symbol; start at 1. */
	for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
		const char *name = info->strtab + sym[i].st_name;

		switch (sym[i].st_shndx) {
		case SHN_COMMON:
			/* Ignore common symbols */
			if (!strncmp(name, "__gnu_lto", 9))
				break;

			/*
			 * We compiled with -fno-common.  These are not
			 * supposed to happen.
			 */
			pr_debug("Common symbol: %s\n", name);
			pr_warn("%s: please compile with -fno-common\n",
				mod->name);
			ret = -ENOEXEC;
			break;

		case SHN_ABS:
			/* Don't need to do anything */
			pr_debug("Absolute symbol: 0x%08lx %s\n",
				 (long)sym[i].st_value, name);
			break;

		case SHN_LIVEPATCH:
			/* Livepatch symbols are resolved by livepatch */
			break;

		case SHN_UNDEF:
			ksym = resolve_symbol_wait(mod, info, name);
			/* Ok if resolved.  */
			if (ksym && !IS_ERR(ksym)) {
				sym[i].st_value = kernel_symbol_value(ksym);
				break;
			}

			/* Ok if weak or ignored.  */
			if (!ksym &&
			    (ELF_ST_BIND(sym[i].st_info) == STB_WEAK ||
			     ignore_undef_symbol(info->hdr->e_machine, name)))
				break;

			ret = PTR_ERR(ksym) ?: -ENOENT;
			pr_warn("%s: Unknown symbol %s (err %d)\n",
				mod->name, name, ret);
			break;

		default:
			/* Defined symbol: validate its section index first. */
			if (sym[i].st_shndx >= info->hdr->e_shnum) {
				pr_err("%s: Symbol %s has an invalid section index %u (max %u)\n",
				       mod->name, name, sym[i].st_shndx, info->hdr->e_shnum - 1);
				ret = -ENOEXEC;
				break;
			}

			/* Divert to percpu allocation if a percpu var. */
			if (sym[i].st_shndx == info->index.pcpu)
				secbase = (unsigned long)mod_percpu(mod);
			else
				secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
			sym[i].st_value += secbase;
			break;
		}
	}

	return ret;
}

/* Apply every relocation section to the freshly laid-out module image. */
static int apply_relocations(struct module *mod, const struct load_info *info)
{
	unsigned int i;
	int err = 0;

	/* Now do relocations. */
	for (i = 1; i < info->hdr->e_shnum; i++) {
		unsigned int infosec = info->sechdrs[i].sh_info;

		/* Not a valid relocation section? */
		if (infosec >= info->hdr->e_shnum)
			continue;

		/*
		 * Don't bother with non-allocated sections.
		 * An exception is the percpu section, which has separate allocations
		 * for individual CPUs. We relocate the percpu section in the initial
		 * ELF template and subsequently copy it to the per-CPU destinations.
		 */
		if (!(info->sechdrs[infosec].sh_flags & SHF_ALLOC) &&
		    (!infosec || infosec != info->index.pcpu))
			continue;

		if (info->sechdrs[i].sh_flags & SHF_RELA_LIVEPATCH)
			err = klp_apply_section_relocs(mod, info->sechdrs,
						       info->secstrings,
						       info->strtab,
						       info->index.sym, i,
						       NULL);
		else if (info->sechdrs[i].sh_type == SHT_REL)
			err = apply_relocate(info->sechdrs, info->strtab,
					     info->index.sym, i, mod);
		else if (info->sechdrs[i].sh_type == SHT_RELA)
			err = apply_relocate_add(info->sechdrs, info->strtab,
						 info->index.sym, i, mod);
		if (err < 0)
			break;
	}
	return err;
}

/* Additional bytes needed by arch in front of individual sections */
unsigned int __weak arch_mod_section_prepend(struct module *mod,
					     unsigned int section)
{
	/* default implementation just returns zero */
	return 0;
}

/*
 * Reserve room for section @section in memory region @type: grow the
 * region (respecting sh_addralign and any arch prepend) and return the
 * section's offset with the memory type encoded in the high bits.
 */
long module_get_offset_and_type(struct module *mod, enum mod_mem_type type,
				Elf_Shdr *sechdr, unsigned int section)
{
	long offset;
	long mask = ((unsigned long)(type) & SH_ENTSIZE_TYPE_MASK) << SH_ENTSIZE_TYPE_SHIFT;

	mod->mem[type].size += arch_mod_section_prepend(mod, section);
	offset = ALIGN(mod->mem[type].size, sechdr->sh_addralign ?: 1);
	mod->mem[type].size = offset + sechdr->sh_size;

	/* The offset must not collide with the type bits. */
	WARN_ON_ONCE(offset & mask);
	return offset | mask;
}

/* Does section @sname belong in the init part of the module image? */
bool module_init_layout_section(const char *sname)
{
#ifndef CONFIG_MODULE_UNLOAD
	/* module_exit sections are never used; keep them in init. */
	if (module_exit_section(sname))
		return true;
#endif
	return module_init_section(sname);
}

/*
 * Assign every matching SHF_ALLOC section an offset within the core
 * (is_init == false) or init (is_init == true) memory regions, storing
 * the encoded offset+type in sh_entsize.
 */
static void __layout_sections(struct module *mod, struct load_info *info, bool is_init)
{
	unsigned int m, i;

	/*
	 * { Mask of required section header flags,
	 *   Mask of excluded section header flags }
	 */
	static const unsigned long masks[][2] = {
		{ SHF_EXECINSTR | SHF_ALLOC, ARCH_SHF_SMALL },
		{ SHF_ALLOC, SHF_WRITE | ARCH_SHF_SMALL },
		{ SHF_RO_AFTER_INIT | SHF_ALLOC, ARCH_SHF_SMALL },
		{ SHF_WRITE | SHF_ALLOC, ARCH_SHF_SMALL },
		{ ARCH_SHF_SMALL | SHF_ALLOC, 0 }
	};
	static const int core_m_to_mem_type[] = {
		MOD_TEXT,
		MOD_RODATA,
		MOD_RO_AFTER_INIT,
		MOD_DATA,
		MOD_DATA,
	};
	static const int init_m_to_mem_type[] = {
		MOD_INIT_TEXT,
		MOD_INIT_RODATA,
		MOD_INVALID,
		MOD_INIT_DATA,
		MOD_INIT_DATA,
	};

	for (m = 0; m < ARRAY_SIZE(masks); ++m) {
		enum mod_mem_type type = is_init ? init_m_to_mem_type[m] : core_m_to_mem_type[m];

		for (i = 0; i < info->hdr->e_shnum; ++i) {
			Elf_Shdr *s = &info->sechdrs[i];
			const char *sname = info->secstrings + s->sh_name;

			/* Skip already-placed sections and non-matching ones. */
			if ((s->sh_flags & masks[m][0]) != masks[m][0]
			    || (s->sh_flags & masks[m][1])
			    || s->sh_entsize != ~0UL
			    || is_init != module_init_layout_section(sname))
				continue;

			if (WARN_ON_ONCE(type == MOD_INVALID))
				continue;

			/*
			 * Do not allocate codetag memory as we load it into
			 * preallocated contiguous memory.
			 */
			if (codetag_needs_module_section(mod, sname, s->sh_size)) {
				/*
				 * s->sh_entsize won't be used but populate the
				 * type field to avoid confusion.
				 */
				s->sh_entsize = ((unsigned long)(type) & SH_ENTSIZE_TYPE_MASK)
						<< SH_ENTSIZE_TYPE_SHIFT;
				continue;
			}

			s->sh_entsize = module_get_offset_and_type(mod, type, s, i);
			pr_debug("\t%s\n", sname);
		}
	}
}

/*
 * Lay out the SHF_ALLOC sections in a way not dissimilar to how ld
 * might -- code, read-only data, read-write data, small data.  Tally
 * sizes, and place the offsets into sh_entsize fields: high bit means it
 * belongs in init.
 */
static void layout_sections(struct module *mod, struct load_info *info)
{
	unsigned int i;

	/* ~0UL marks a section as not yet placed. */
	for (i = 0; i < info->hdr->e_shnum; i++)
		info->sechdrs[i].sh_entsize = ~0UL;

	pr_debug("Core section allocation order for %s:\n", mod->name);
	__layout_sections(mod, info, false);

	pr_debug("Init section allocation order for %s:\n", mod->name);
	__layout_sections(mod, info, true);
}

/* Taint the module (and kernel) if its license is not GPL-compatible. */
static void module_license_taint_check(struct module *mod, const char *license)
{
	if (!license)
		license = "unspecified";

	if (!license_is_gpl_compatible(license)) {
		if (!test_taint(TAINT_PROPRIETARY_MODULE))
			pr_warn("%s: module license '%s' taints kernel.\n",
				mod->name, license);
		add_taint_module(mod, TAINT_PROPRIETARY_MODULE,
				 LOCKDEP_NOW_UNRELIABLE);
	}
}

/*
 * Collect all "import_ns" modinfo entries into one newline-separated,
 * NUL-terminated buffer stored in mod->imported_namespaces (NULL when
 * there are none). Returns 0 or -ENOMEM.
 */
static int copy_modinfo_import_ns(struct module *mod, struct load_info *info)
{
	char *ns;
	size_t len, total_len = 0;
	char *buf, *p;

	for_each_modinfo_entry(ns, info, "import_ns")
		total_len += strlen(ns) + 1;

	if (!total_len) {
		mod->imported_namespaces = NULL;
		return 0;
	}

	buf = kmalloc(total_len, GFP_KERNEL);
	if (!buf)
		return -ENOMEM;

	p = buf;
	for_each_modinfo_entry(ns, info, "import_ns") {
		len = strlen(ns);
		memcpy(p, ns, len);
		p += len;
		*p++ = '\n';
	}

	/* Replace trailing newline with null terminator.
	 */
	*(p - 1) = '\0';

	mod->imported_namespaces = buf;
	return 0;
}

/*
 * Run each modinfo attribute's setup handler and validate/copy the
 * module's imported namespaces. Returns 0, -EPERM on an explicit
 * "module:" import, or -ENOMEM.
 */
static int setup_modinfo(struct module *mod, struct load_info *info)
{
	const struct module_attribute *attr;
	char *imported_namespace;
	int i, err;

	for (i = 0; (attr = modinfo_attrs[i]); i++) {
		if (attr->setup)
			attr->setup(mod, get_modinfo(info, attr->attr.name));
	}

	for_each_modinfo_entry(imported_namespace, info, "import_ns") {
		/*
		 * 'module:' prefixed namespaces are implicit, disallow
		 * explicit imports.
		 */
		if (strstarts(imported_namespace, "module:")) {
			pr_err("%s: module tries to import module namespace: %s\n",
			       mod->name, imported_namespace);
			return -EPERM;
		}
	}

	err = copy_modinfo_import_ns(mod, info);
	if (err)
		return err;

	return 0;
}

/* Run each modinfo attribute's free handler. */
static void free_modinfo(struct module *mod)
{
	const struct module_attribute *attr;
	int i;

	for (i = 0; (attr = modinfo_attrs[i]); i++) {
		if (attr->free)
			attr->free(mod);
	}
}

/* Arch-overridable predicates for init/exit section names. */
bool __weak module_init_section(const char *name)
{
	return strstarts(name, ".init");
}

bool __weak module_exit_section(const char *name)
{
	return strstarts(name, ".exit");
}

/*
 * Check that the section's file contents lie entirely within the
 * buffer the user gave us. Returns 0 or -ENOEXEC.
 */
static int validate_section_offset(const struct load_info *info, Elf_Shdr *shdr)
{
#if defined(CONFIG_64BIT)
	unsigned long long secend;
#else
	unsigned long secend;
#endif

	/*
	 * Check for both overflow and offset/size being
	 * too large.
	 */
	secend = shdr->sh_offset + shdr->sh_size;
	if (secend < shdr->sh_offset || secend > info->len)
		return -ENOEXEC;

	return 0;
}

/**
 * elf_validity_ehdr() - Checks an ELF header for module validity
 * @info: Load info containing the ELF header to check
 *
 * Checks whether an ELF header could belong to a valid module. Checks:
 *
 * * ELF header is within the data the user provided
 * * ELF magic is present
 * * It is relocatable (not final linked, not core file, etc.)
 * * The header's machine type matches what the architecture expects.
 * * Optional arch-specific hook for other properties
 *   - module_elf_check_arch() is currently only used by PPC to check
 *     ELF ABI version, but may be used by others in the future.
 *
 * Return: %0 if valid, %-ENOEXEC on failure.
 */
static int elf_validity_ehdr(const struct load_info *info)
{
	if (info->len < sizeof(*(info->hdr))) {
		pr_err("Invalid ELF header len %lu\n", info->len);
		return -ENOEXEC;
	}
	if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) != 0) {
		pr_err("Invalid ELF header magic: != %s\n", ELFMAG);
		return -ENOEXEC;
	}
	if (info->hdr->e_type != ET_REL) {
		pr_err("Invalid ELF header type: %u != %u\n",
		       info->hdr->e_type, ET_REL);
		return -ENOEXEC;
	}
	if (!elf_check_arch(info->hdr)) {
		pr_err("Invalid architecture in ELF header: %u\n",
		       info->hdr->e_machine);
		return -ENOEXEC;
	}
	if (!module_elf_check_arch(info->hdr)) {
		pr_err("Invalid module architecture in ELF header: %u\n",
		       info->hdr->e_machine);
		return -ENOEXEC;
	}
	return 0;
}

/**
 * elf_validity_cache_sechdrs() - Cache section headers if valid
 * @info: Load info to compute section headers from
 *
 * Checks:
 *
 * * ELF header is valid (see elf_validity_ehdr())
 * * Section headers are the size we expect
 * * Section array fits in the user provided data
 * * Section index 0 is NULL
 * * Section contents are inbounds
 *
 * Then updates @info with a &load_info->sechdrs pointer if valid.
 *
 * Return: %0 if valid, negative error code if validation failed.
 */
static int elf_validity_cache_sechdrs(struct load_info *info)
{
	Elf_Shdr *sechdrs;
	Elf_Shdr *shdr;
	int i;
	int err;

	err = elf_validity_ehdr(info);
	if (err < 0)
		return err;

	if (info->hdr->e_shentsize != sizeof(Elf_Shdr)) {
		pr_err("Invalid ELF section header size\n");
		return -ENOEXEC;
	}

	/*
	 * e_shnum is 16 bits, and sizeof(Elf_Shdr) is
	 * known and small. So e_shnum * sizeof(Elf_Shdr)
	 * will not overflow unsigned long on any platform.
	 */
	if (info->hdr->e_shoff >= info->len
	    || (info->hdr->e_shnum * sizeof(Elf_Shdr) >
		info->len - info->hdr->e_shoff)) {
		pr_err("Invalid ELF section header overflow\n");
		return -ENOEXEC;
	}

	sechdrs = (void *)info->hdr + info->hdr->e_shoff;

	/*
	 * The code assumes that section 0 has a length of zero and
	 * an addr of zero, so check for it.
	 */
	if (sechdrs[0].sh_type != SHT_NULL
	    || sechdrs[0].sh_size != 0
	    || sechdrs[0].sh_addr != 0) {
		pr_err("ELF Spec violation: section 0 type(%d)!=SH_NULL or non-zero len or addr\n",
		       sechdrs[0].sh_type);
		return -ENOEXEC;
	}

	/* Validate contents are inbounds */
	for (i = 1; i < info->hdr->e_shnum; i++) {
		shdr = &sechdrs[i];
		switch (shdr->sh_type) {
		case SHT_NULL:
		case SHT_NOBITS:
			/* No contents, offset/size don't mean anything */
			continue;
		default:
			err = validate_section_offset(info, shdr);
			if (err < 0) {
				pr_err("Invalid ELF section in module (section %u type %u)\n",
				       i, shdr->sh_type);
				return err;
			}
		}
	}

	info->sechdrs = sechdrs;

	return 0;
}

/**
 * elf_validity_cache_secstrings() - Caches section names if valid
 * @info: Load info to cache section names from. Must have valid sechdrs.
 *
 * Specifically checks:
 *
 * * Section name table index is inbounds of section headers
 * * Section name table is not empty
 * * Section name table is NUL terminated
 * * All section name offsets are inbounds of the section
 *
 * Then updates @info with a &load_info->secstrings pointer if valid.
 *
 * Return: %0 if valid, negative error code if validation failed.
 */
static int elf_validity_cache_secstrings(struct load_info *info)
{
	Elf_Shdr *strhdr, *shdr;
	char *secstrings;
	int i;

	/*
	 * Verify if the section name table index is valid.
	 */
	if (info->hdr->e_shstrndx == SHN_UNDEF
	    || info->hdr->e_shstrndx >= info->hdr->e_shnum) {
		pr_err("Invalid ELF section name index: %d || e_shstrndx (%d) >= e_shnum (%d)\n",
		       info->hdr->e_shstrndx, info->hdr->e_shstrndx,
		       info->hdr->e_shnum);
		return -ENOEXEC;
	}

	strhdr = &info->sechdrs[info->hdr->e_shstrndx];

	/*
	 * The section name table must be NUL-terminated, as required
	 * by the spec. This makes strcmp and pr_* calls that access
	 * strings in the section safe.
	 */
	secstrings = (void *)info->hdr + strhdr->sh_offset;
	if (strhdr->sh_size == 0) {
		pr_err("empty section name table\n");
		return -ENOEXEC;
	}
	if (secstrings[strhdr->sh_size - 1] != '\0') {
		pr_err("ELF Spec violation: section name table isn't null terminated\n");
		return -ENOEXEC;
	}

	for (i = 0; i < info->hdr->e_shnum; i++) {
		shdr = &info->sechdrs[i];
		/* SHT_NULL means sh_name has an undefined value */
		if (shdr->sh_type == SHT_NULL)
			continue;
		if (shdr->sh_name >= strhdr->sh_size) {
			pr_err("Invalid ELF section name in module (section %u type %u)\n",
			       i, shdr->sh_type);
			return -ENOEXEC;
		}
	}

	info->secstrings = secstrings;
	return 0;
}

/**
 * elf_validity_cache_index_info() - Validate and cache modinfo section
 * @info: Load info to populate the modinfo index on.
 *        Must have &load_info->sechdrs and &load_info->secstrings populated
 *
 * Checks that if there is a .modinfo section, it is unique.
 * Then, it caches its index in &load_info->index.info.
 * Finally, it tries to populate the name to improve error messages.
 *
 * Return: %0 if valid, %-ENOEXEC if multiple modinfo sections were found.
 */
static int elf_validity_cache_index_info(struct load_info *info)
{
	int info_idx;

	info_idx = find_any_unique_sec(info, ".modinfo");

	if (info_idx == 0)
		/* Early return, no .modinfo */
		return 0;

	if (info_idx < 0) {
		pr_err("Only one .modinfo section must exist.\n");
		return -ENOEXEC;
	}

	info->index.info = info_idx;
	/* Try to find a name early so we can log errors with a module name */
	info->name = get_modinfo(info, "name");

	return 0;
}

/**
 * elf_validity_cache_index_mod() - Validates and caches this_module section
 * @info: Load info to cache this_module on.
 *        Must have &load_info->sechdrs and &load_info->secstrings populated
 *
 * The ".gnu.linkonce.this_module" ELF section is special. It is what modpost
 * uses to refer to __this_module and let's use rely on THIS_MODULE to point
 * to &__this_module properly. The kernel's modpost declares it on each
 * modules's *.mod.c file. If the struct module of the kernel changes a full
 * kernel rebuild is required.
 *
 * We have a few expectations for this special section, this function
 * validates all this for us:
 *
 * * The section has contents
 * * The section is unique
 * * We expect the kernel to always have to allocate it: SHF_ALLOC
 * * The section size must match the kernel's run time's struct module
 *   size
 *
 * If all checks pass, the index will be cached in &load_info->index.mod
 *
 * Return: %0 on validation success, %-ENOEXEC on failure
 */
static int elf_validity_cache_index_mod(struct load_info *info)
{
	Elf_Shdr *shdr;
	int mod_idx;

	mod_idx = find_any_unique_sec(info, ".gnu.linkonce.this_module");
	if (mod_idx <= 0) {
		pr_err("module %s: Exactly one .gnu.linkonce.this_module section must exist.\n",
		       info->name ?: "(missing .modinfo section or name field)");
		return -ENOEXEC;
	}

	shdr = &info->sechdrs[mod_idx];

	if (shdr->sh_type == SHT_NOBITS) {
		pr_err("module %s: .gnu.linkonce.this_module section must have a size set\n",
		       info->name ?: "(missing .modinfo section or name field)");
		return -ENOEXEC;
	}

	if (!(shdr->sh_flags & SHF_ALLOC)) {
		pr_err("module %s: .gnu.linkonce.this_module must occupy memory during process execution\n",
		       info->name ?: "(missing .modinfo section or name field)");
		return -ENOEXEC;
	}

	if (shdr->sh_size != sizeof(struct module)) {
		pr_err("module %s: .gnu.linkonce.this_module section size must match the kernel's built struct module size at run time\n",
		       info->name ?: "(missing .modinfo section or name field)");
		return -ENOEXEC;
	}

	info->index.mod = mod_idx;

	return 0;
}

/**
 * elf_validity_cache_index_sym() - Validate and cache symtab index
 * @info: Load info to cache symtab index in.
 *        Must have &load_info->sechdrs and &load_info->secstrings populated.
 *
 * Checks that there is exactly one symbol table, then caches its index in
 * &load_info->index.sym.
 *
 * Return: %0 if valid, %-ENOEXEC on failure.
 */
static int elf_validity_cache_index_sym(struct load_info *info)
{
	unsigned int sym_idx;
	unsigned int num_sym_secs = 0;
	int i;

	for (i = 1; i < info->hdr->e_shnum; i++) {
		if (info->sechdrs[i].sh_type == SHT_SYMTAB) {
			num_sym_secs++;
			sym_idx = i;
		}
	}

	if (num_sym_secs != 1) {
		pr_warn("%s: module has no symbols (stripped?)\n",
			info->name ?: "(missing .modinfo section or name field)");
		return -ENOEXEC;
	}

	info->index.sym = sym_idx;

	return 0;
}

/**
 * elf_validity_cache_index_str() - Validate and cache strtab index
 * @info: Load info to cache strtab index in.
 *        Must have &load_info->sechdrs and &load_info->secstrings populated.
 *        Must have &load_info->index.sym populated.
 *
 * Looks at the symbol table's associated string table, makes sure it is
 * in-bounds, and caches it.
 *
 * Return: %0 if valid, %-ENOEXEC on failure.
 */
static int elf_validity_cache_index_str(struct load_info *info)
{
	unsigned int str_idx = info->sechdrs[info->index.sym].sh_link;

	if (str_idx == SHN_UNDEF || str_idx >= info->hdr->e_shnum) {
		pr_err("Invalid ELF sh_link!=SHN_UNDEF(%d) or (sh_link(%d) >= hdr->e_shnum(%d)\n",
		       str_idx, str_idx, info->hdr->e_shnum);
		return -ENOEXEC;
	}

	info->index.str = str_idx;
	return 0;
}

/**
 * elf_validity_cache_index_versions() - Validate and cache version indices
 * @info: Load info to cache version indices in.
 *        Must have &load_info->sechdrs and &load_info->secstrings populated.
2229 * @flags: Load flags, relevant to suppress version loading, see 2230 * uapi/linux/module.h 2231 * 2232 * If we're ignoring modversions based on @flags, zero all version indices 2233 * and return validity. Othewrise check: 2234 * 2235 * * If "__version_ext_crcs" is present, "__version_ext_names" is present 2236 * * There is a name present for every crc 2237 * 2238 * Then populate: 2239 * 2240 * * &load_info->index.vers 2241 * * &load_info->index.vers_ext_crc 2242 * * &load_info->index.vers_ext_names 2243 * 2244 * if present. 2245 * 2246 * Return: %0 if valid, %-ENOEXEC on failure. 2247 */ 2248 static int elf_validity_cache_index_versions(struct load_info *info, int flags) 2249 { 2250 unsigned int vers_ext_crc; 2251 unsigned int vers_ext_name; 2252 size_t crc_count; 2253 size_t remaining_len; 2254 size_t name_size; 2255 char *name; 2256 2257 /* If modversions were suppressed, pretend we didn't find any */ 2258 if (flags & MODULE_INIT_IGNORE_MODVERSIONS) { 2259 info->index.vers = 0; 2260 info->index.vers_ext_crc = 0; 2261 info->index.vers_ext_name = 0; 2262 return 0; 2263 } 2264 2265 vers_ext_crc = find_sec(info, "__version_ext_crcs"); 2266 vers_ext_name = find_sec(info, "__version_ext_names"); 2267 2268 /* If we have one field, we must have the other */ 2269 if (!!vers_ext_crc != !!vers_ext_name) { 2270 pr_err("extended version crc+name presence does not match"); 2271 return -ENOEXEC; 2272 } 2273 2274 /* 2275 * If we have extended version information, we should have the same 2276 * number of entries in every section. 
2277 */ 2278 if (vers_ext_crc) { 2279 crc_count = info->sechdrs[vers_ext_crc].sh_size / sizeof(u32); 2280 name = (void *)info->hdr + 2281 info->sechdrs[vers_ext_name].sh_offset; 2282 remaining_len = info->sechdrs[vers_ext_name].sh_size; 2283 2284 while (crc_count--) { 2285 name_size = strnlen(name, remaining_len) + 1; 2286 if (name_size > remaining_len) { 2287 pr_err("more extended version crcs than names"); 2288 return -ENOEXEC; 2289 } 2290 remaining_len -= name_size; 2291 name += name_size; 2292 } 2293 } 2294 2295 info->index.vers = find_sec(info, "__versions"); 2296 info->index.vers_ext_crc = vers_ext_crc; 2297 info->index.vers_ext_name = vers_ext_name; 2298 return 0; 2299 } 2300 2301 /** 2302 * elf_validity_cache_index() - Resolve, validate, cache section indices 2303 * @info: Load info to read from and update. 2304 * &load_info->sechdrs and &load_info->secstrings must be populated. 2305 * @flags: Load flags, relevant to suppress version loading, see 2306 * uapi/linux/module.h 2307 * 2308 * Populates &load_info->index, validating as it goes. 2309 * See child functions for per-field validation: 2310 * 2311 * * elf_validity_cache_index_info() 2312 * * elf_validity_cache_index_mod() 2313 * * elf_validity_cache_index_sym() 2314 * * elf_validity_cache_index_str() 2315 * * elf_validity_cache_index_versions() 2316 * 2317 * If CONFIG_SMP is enabled, load the percpu section by name with no 2318 * validation. 2319 * 2320 * Return: 0 on success, negative error code if an index failed validation. 
2321 */ 2322 static int elf_validity_cache_index(struct load_info *info, int flags) 2323 { 2324 int err; 2325 2326 err = elf_validity_cache_index_info(info); 2327 if (err < 0) 2328 return err; 2329 err = elf_validity_cache_index_mod(info); 2330 if (err < 0) 2331 return err; 2332 err = elf_validity_cache_index_sym(info); 2333 if (err < 0) 2334 return err; 2335 err = elf_validity_cache_index_str(info); 2336 if (err < 0) 2337 return err; 2338 err = elf_validity_cache_index_versions(info, flags); 2339 if (err < 0) 2340 return err; 2341 2342 info->index.pcpu = find_pcpusec(info); 2343 2344 return 0; 2345 } 2346 2347 /** 2348 * elf_validity_cache_strtab() - Validate and cache symbol string table 2349 * @info: Load info to read from and update. 2350 * Must have &load_info->sechdrs and &load_info->secstrings populated. 2351 * Must have &load_info->index populated. 2352 * 2353 * Checks: 2354 * 2355 * * The string table is not empty. 2356 * * The string table starts and ends with NUL (required by ELF spec). 2357 * * Every &Elf_Sym->st_name offset in the symbol table is inbounds of the 2358 * string table. 2359 * 2360 * And caches the pointer as &load_info->strtab in @info. 2361 * 2362 * Return: 0 on success, negative error code if a check failed. 
2363 */ 2364 static int elf_validity_cache_strtab(struct load_info *info) 2365 { 2366 Elf_Shdr *str_shdr = &info->sechdrs[info->index.str]; 2367 Elf_Shdr *sym_shdr = &info->sechdrs[info->index.sym]; 2368 char *strtab = (char *)info->hdr + str_shdr->sh_offset; 2369 Elf_Sym *syms = (void *)info->hdr + sym_shdr->sh_offset; 2370 int i; 2371 2372 if (str_shdr->sh_size == 0) { 2373 pr_err("empty symbol string table\n"); 2374 return -ENOEXEC; 2375 } 2376 if (strtab[0] != '\0') { 2377 pr_err("symbol string table missing leading NUL\n"); 2378 return -ENOEXEC; 2379 } 2380 if (strtab[str_shdr->sh_size - 1] != '\0') { 2381 pr_err("symbol string table isn't NUL terminated\n"); 2382 return -ENOEXEC; 2383 } 2384 2385 /* 2386 * Now that we know strtab is correctly structured, check symbol 2387 * starts are inbounds before they're used later. 2388 */ 2389 for (i = 0; i < sym_shdr->sh_size / sizeof(*syms); i++) { 2390 if (syms[i].st_name >= str_shdr->sh_size) { 2391 pr_err("symbol name out of bounds in string table"); 2392 return -ENOEXEC; 2393 } 2394 } 2395 2396 info->strtab = strtab; 2397 return 0; 2398 } 2399 2400 /* 2401 * Check userspace passed ELF module against our expectations, and cache 2402 * useful variables for further processing as we go. 2403 * 2404 * This does basic validity checks against section offsets and sizes, the 2405 * section name string table, and the indices used for it (sh_name). 2406 * 2407 * As a last step, since we're already checking the ELF sections we cache 2408 * useful variables which will be used later for our convenience: 2409 * 2410 * o pointers to section headers 2411 * o cache the modinfo symbol section 2412 * o cache the string symbol section 2413 * o cache the module section 2414 * 2415 * As a last step we set info->mod to the temporary copy of the module in 2416 * info->hdr. The final one will be allocated in move_module(). Any 2417 * modifications we make to our copy of the module will be carried over 2418 * to the final minted module. 
2419 */ 2420 static int elf_validity_cache_copy(struct load_info *info, int flags) 2421 { 2422 int err; 2423 2424 err = elf_validity_cache_sechdrs(info); 2425 if (err < 0) 2426 return err; 2427 err = elf_validity_cache_secstrings(info); 2428 if (err < 0) 2429 return err; 2430 err = elf_validity_cache_index(info, flags); 2431 if (err < 0) 2432 return err; 2433 err = elf_validity_cache_strtab(info); 2434 if (err < 0) 2435 return err; 2436 2437 /* This is temporary: point mod into copy of data. */ 2438 info->mod = (void *)info->hdr + info->sechdrs[info->index.mod].sh_offset; 2439 2440 /* 2441 * If we didn't load the .modinfo 'name' field earlier, fall back to 2442 * on-disk struct mod 'name' field. 2443 */ 2444 if (!info->name) 2445 info->name = info->mod->name; 2446 2447 return 0; 2448 } 2449 2450 #define COPY_CHUNK_SIZE (16*PAGE_SIZE) 2451 2452 static int copy_chunked_from_user(void *dst, const void __user *usrc, unsigned long len) 2453 { 2454 do { 2455 unsigned long n = min(len, COPY_CHUNK_SIZE); 2456 2457 if (copy_from_user(dst, usrc, n) != 0) 2458 return -EFAULT; 2459 cond_resched(); 2460 dst += n; 2461 usrc += n; 2462 len -= n; 2463 } while (len); 2464 return 0; 2465 } 2466 2467 static int check_modinfo_livepatch(struct module *mod, struct load_info *info) 2468 { 2469 if (!get_modinfo(info, "livepatch")) 2470 /* Nothing more to do */ 2471 return 0; 2472 2473 if (set_livepatch_module(mod)) 2474 return 0; 2475 2476 pr_err("%s: module is marked as livepatch module, but livepatch support is disabled", 2477 mod->name); 2478 return -ENOEXEC; 2479 } 2480 2481 static void check_modinfo_retpoline(struct module *mod, struct load_info *info) 2482 { 2483 if (retpoline_module_ok(get_modinfo(info, "retpoline"))) 2484 return; 2485 2486 pr_warn("%s: loading module not compiled with retpoline compiler.\n", 2487 mod->name); 2488 } 2489 2490 /* Sets info->hdr and info->len. 
 */
static int copy_module_from_user(const void __user *umod, unsigned long len,
				 struct load_info *info)
{
	int err;

	info->len = len;
	/* Anything smaller than an ELF header cannot be a module */
	if (info->len < sizeof(*(info->hdr)))
		return -ENOEXEC;

	/* Let the LSM veto the load before we spend memory on it */
	err = security_kernel_load_data(LOADING_MODULE, true);
	if (err)
		return err;

	/* Suck in entire file: we'll want most of it. */
	info->hdr = __vmalloc(info->len, GFP_KERNEL | __GFP_NOWARN);
	if (!info->hdr)
		return -ENOMEM;

	if (copy_chunked_from_user(info->hdr, umod, info->len) != 0) {
		err = -EFAULT;
		goto out;
	}

	err = security_kernel_post_load_data((char *)info->hdr, info->len,
					     LOADING_MODULE, "init_module");
out:
	/* On any failure the buffer is ours to free; caller owns it on success */
	if (err)
		vfree(info->hdr);

	return err;
}

/* Release the module image, whichever way it was brought into the kernel */
static void free_copy(struct load_info *info, int flags)
{
	if (flags & MODULE_INIT_COMPRESSED_FILE)
		module_decompress_cleanup(info);
	else
		vfree(info->hdr);
}

static int rewrite_section_headers(struct load_info *info, int flags)
{
	unsigned int i;

	/* This should always be true, but let's be sure. */
	info->sechdrs[0].sh_addr = 0;

	for (i = 1; i < info->hdr->e_shnum; i++) {
		Elf_Shdr *shdr = &info->sechdrs[i];

		/*
		 * Mark all sections sh_addr with their address in the
		 * temporary image.
		 */
		shdr->sh_addr = (size_t)info->hdr + shdr->sh_offset;

	}

	/* Track but don't keep modinfo and version sections.
 */
	info->sechdrs[info->index.vers].sh_flags &= ~(unsigned long)SHF_ALLOC;
	info->sechdrs[info->index.vers_ext_crc].sh_flags &=
		~(unsigned long)SHF_ALLOC;
	info->sechdrs[info->index.vers_ext_name].sh_flags &=
		~(unsigned long)SHF_ALLOC;
	info->sechdrs[info->index.info].sh_flags &= ~(unsigned long)SHF_ALLOC;

	return 0;
}

/* Modules that get a proprietary taint by name, regardless of license tag */
static const char *const module_license_offenders[] = {
	/* driverloader was caught wrongly pretending to be under GPL */
	"driverloader",

	/* lve claims to be GPL but upstream won't provide source */
	"lve",
};

/*
 * These calls taint the kernel depending on certain module circumstances.
 */
static void module_augment_kernel_taints(struct module *mod, struct load_info *info)
{
	/* Remember prior state so we only warn on a *new* proprietary taint */
	int prev_taint = test_taint(TAINT_PROPRIETARY_MODULE);
	size_t i;

	if (!get_modinfo(info, "intree")) {
		if (!test_taint(TAINT_OOT_MODULE))
			pr_warn("%s: loading out-of-tree module taints kernel.\n",
				mod->name);
		add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
	}

	check_modinfo_retpoline(mod, info);

	if (get_modinfo(info, "staging")) {
		add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
		pr_warn("%s: module is from the staging directory, the quality "
			"is unknown, you have been warned.\n", mod->name);
	}

	if (is_livepatch_module(mod)) {
		add_taint_module(mod, TAINT_LIVEPATCH, LOCKDEP_STILL_OK);
		pr_notice_once("%s: tainting kernel with TAINT_LIVEPATCH\n",
			       mod->name);
	}

	module_license_taint_check(mod, get_modinfo(info, "license"));

	if (get_modinfo(info, "test")) {
		if (!test_taint(TAINT_TEST))
			pr_warn("%s: loading test module taints kernel.\n",
				mod->name);
		add_taint_module(mod, TAINT_TEST, LOCKDEP_STILL_OK);
	}
#ifdef CONFIG_MODULE_SIG
	mod->sig_ok = info->sig_ok;
	if (!mod->sig_ok) {
		pr_notice_once("%s: module 
verification failed: signature "
			       "and/or required key missing - tainting "
			       "kernel\n", mod->name);
		add_taint_module(mod, TAINT_UNSIGNED_MODULE, LOCKDEP_STILL_OK);
	}
#endif

	/*
	 * ndiswrapper is under GPL by itself, but loads proprietary modules.
	 * Don't use add_taint_module(), as it would prevent ndiswrapper from
	 * using GPL-only symbols it needs.
	 */
	if (strcmp(mod->name, "ndiswrapper") == 0)
		add_taint(TAINT_PROPRIETARY_MODULE, LOCKDEP_NOW_UNRELIABLE);

	for (i = 0; i < ARRAY_SIZE(module_license_offenders); ++i) {
		if (strcmp(mod->name, module_license_offenders[i]) == 0)
			add_taint_module(mod, TAINT_PROPRIETARY_MODULE,
					 LOCKDEP_NOW_UNRELIABLE);
	}

	/* Warn only if this module is the one that newly set the taint */
	if (!prev_taint && test_taint(TAINT_PROPRIETARY_MODULE))
		pr_warn("%s: module license taints kernel.\n", mod->name);

}

static int check_modinfo(struct module *mod, struct load_info *info, int flags)
{
	const char *modmagic = get_modinfo(info, "vermagic");
	int err;

	if (flags & MODULE_INIT_IGNORE_VERMAGIC)
		modmagic = NULL;

	/* This is allowed: modprobe --force will invalidate it.
 */
	if (!modmagic) {
		err = try_to_force_load(mod, "bad vermagic");
		if (err)
			return err;
	} else if (!same_magic(modmagic, vermagic, info->index.vers)) {
		pr_err("%s: version magic '%s' should be '%s'\n",
		       info->name, modmagic, vermagic);
		return -ENOEXEC;
	}

	err = check_modinfo_livepatch(mod, info);
	if (err)
		return err;

	return 0;
}

/* Locate the optional per-feature sections and cache pointers/counts on @mod */
static int find_module_sections(struct module *mod, struct load_info *info)
{
	mod->kp = section_objs(info, "__param",
			       sizeof(*mod->kp), &mod->num_kp);
	mod->syms = section_objs(info, "__ksymtab",
				 sizeof(*mod->syms), &mod->num_syms);
	mod->crcs = section_addr(info, "__kcrctab");
	mod->flagstab = section_addr(info, "__kflagstab");

	if (section_addr(info, "__ksymtab_gpl"))
		pr_warn("%s: ignoring obsolete section __ksymtab_gpl\n",
			mod->name);
	if (section_addr(info, "__kcrctab_gpl"))
		pr_warn("%s: ignoring obsolete section __kcrctab_gpl\n",
			mod->name);

#ifdef CONFIG_CONSTRUCTORS
	mod->ctors = section_objs(info, ".ctors",
				  sizeof(*mod->ctors), &mod->num_ctors);
	if (!mod->ctors)
		mod->ctors = section_objs(info, ".init_array",
				sizeof(*mod->ctors), &mod->num_ctors);
	else if (find_sec(info, ".init_array")) {
		/*
		 * This shouldn't happen with same compiler and binutils
		 * building all parts of the module.
		 */
		pr_warn("%s: has both .ctors and .init_array.\n",
			mod->name);
		return -EINVAL;
	}
#endif

	mod->noinstr_text_start = section_objs(info, ".noinstr.text", 1,
					       &mod->noinstr_text_size);

#ifdef CONFIG_TRACEPOINTS
	mod->tracepoints_ptrs = section_objs(info, "__tracepoints_ptrs",
					     sizeof(*mod->tracepoints_ptrs),
					     &mod->num_tracepoints);
#endif
#ifdef CONFIG_TREE_SRCU
	mod->srcu_struct_ptrs = section_objs(info, "___srcu_struct_ptrs",
					     sizeof(*mod->srcu_struct_ptrs),
					     &mod->num_srcu_structs);
#endif
#ifdef CONFIG_BPF_EVENTS
	mod->bpf_raw_events = section_objs(info, "__bpf_raw_tp_map",
					   sizeof(*mod->bpf_raw_events),
					   &mod->num_bpf_raw_events);
#endif
#ifdef CONFIG_DEBUG_INFO_BTF_MODULES
	mod->btf_data = any_section_objs(info, ".BTF", 1, &mod->btf_data_size);
	mod->btf_base_data = any_section_objs(info, ".BTF.base", 1,
					      &mod->btf_base_data_size);
#endif
#ifdef CONFIG_JUMP_LABEL
	mod->jump_entries = section_objs(info, "__jump_table",
					 sizeof(*mod->jump_entries),
					 &mod->num_jump_entries);
#endif
#ifdef CONFIG_EVENT_TRACING
	mod->trace_events = section_objs(info, "_ftrace_events",
					 sizeof(*mod->trace_events),
					 &mod->num_trace_events);
	mod->trace_evals = section_objs(info, "_ftrace_eval_map",
					sizeof(*mod->trace_evals),
					&mod->num_trace_evals);
#endif
#ifdef CONFIG_TRACING
	mod->trace_bprintk_fmt_start = section_objs(info, "__trace_printk_fmt",
					sizeof(*mod->trace_bprintk_fmt_start),
					&mod->num_trace_bprintk_fmt);
#endif
#ifdef CONFIG_DYNAMIC_FTRACE
	/* sechdrs[0].sh_size is always zero */
	mod->ftrace_callsites = section_objs(info, FTRACE_CALLSITE_SECTION,
					     sizeof(*mod->ftrace_callsites),
					     &mod->num_ftrace_callsites);
#endif
#ifdef CONFIG_FUNCTION_ERROR_INJECTION
	mod->ei_funcs = section_objs(info, "_error_injection_whitelist",
				     sizeof(*mod->ei_funcs),
				     &mod->num_ei_funcs);
#endif
#ifdef CONFIG_KPROBES
	mod->kprobes_text_start = section_objs(info, ".kprobes.text", 1,
					       &mod->kprobes_text_size);
	mod->kprobe_blacklist = section_objs(info, "_kprobe_blacklist",
					     sizeof(unsigned long),
					     &mod->num_kprobe_blacklist);
#endif
#ifdef CONFIG_PRINTK_INDEX
	mod->printk_index_start = section_objs(info, ".printk_index",
					       sizeof(*mod->printk_index_start),
					       &mod->printk_index_size);
#endif
#ifdef CONFIG_HAVE_STATIC_CALL_INLINE
	mod->static_call_sites = section_objs(info, ".static_call_sites",
					      sizeof(*mod->static_call_sites),
					      &mod->num_static_call_sites);
#endif
#if IS_ENABLED(CONFIG_KUNIT)
	mod->kunit_suites = section_objs(info, ".kunit_test_suites",
					 sizeof(*mod->kunit_suites),
					 &mod->num_kunit_suites);
	mod->kunit_init_suites = section_objs(info, ".kunit_init_test_suites",
					      sizeof(*mod->kunit_init_suites),
					      &mod->num_kunit_init_suites);
#endif

	mod->extable = section_objs(info, "__ex_table",
				    sizeof(*mod->extable), &mod->num_exentries);

	if (section_addr(info, "__obsparm"))
		pr_warn("%s: Ignoring obsolete parameters\n", mod->name);

#ifdef CONFIG_DYNAMIC_DEBUG_CORE
	mod->dyndbg_info.descs = section_objs(info, "__dyndbg",
					      sizeof(*mod->dyndbg_info.descs),
					      &mod->dyndbg_info.num_descs);
	mod->dyndbg_info.classes = section_objs(info, "__dyndbg_classes",
						sizeof(*mod->dyndbg_info.classes),
						&mod->dyndbg_info.num_classes);
#endif

	return 0;
}

/* Allocate the module's final memory and copy SHF_ALLOC sections into it */
static int move_module(struct module *mod, struct load_info *info)
{
	int i, ret;
	/* Sentinel: stays MOD_MEM_NUM_TYPES unless an allocation fails */
	enum mod_mem_type t = MOD_MEM_NUM_TYPES;
	bool codetag_section_found = false;

	for_each_mod_mem_type(type) {
		if (!mod->mem[type].size) {
			mod->mem[type].base = NULL;
			continue;
		}

		ret = module_memory_alloc(mod, type);
		if (ret) {
			/* Remember how far we got so out_err frees only what was allocated */
			t = type;
			goto out_err;
		}
	}

	/* Transfer each section which specifies SHF_ALLOC */
	pr_debug("Final section addresses for %s:\n", mod->name);
	for (i = 0; i < info->hdr->e_shnum; i++) {
		void *dest;
		Elf_Shdr *shdr = &info->sechdrs[i];
		const char *sname;

		if (!(shdr->sh_flags & SHF_ALLOC))
			continue;

		sname = info->secstrings + shdr->sh_name;
		/*
		 * Load codetag sections separately as they might still be used
		 * after module unload.
		 */
		if (codetag_needs_module_section(mod, sname, shdr->sh_size)) {
			dest = codetag_alloc_module_section(mod, sname, shdr->sh_size,
					arch_mod_section_prepend(mod, i), shdr->sh_addralign);
			if (WARN_ON(!dest)) {
				ret = -EINVAL;
				goto out_err;
			}
			if (IS_ERR(dest)) {
				ret = PTR_ERR(dest);
				goto out_err;
			}
			codetag_section_found = true;
		} else {
			/* Type and offset were packed into sh_entsize by layout_sections() */
			enum mod_mem_type type = shdr->sh_entsize >> SH_ENTSIZE_TYPE_SHIFT;
			unsigned long offset = shdr->sh_entsize & SH_ENTSIZE_OFFSET_MASK;

			dest = mod->mem[type].base + offset;
		}

		if (shdr->sh_type != SHT_NOBITS) {
			/*
			 * Our ELF checker already validated this, but let's
			 * be pedantic and make the goal clearer. We actually
			 * end up copying over all modifications made to the
			 * userspace copy of the entire struct module.
			 */
			if (i == info->index.mod &&
			    (WARN_ON_ONCE(shdr->sh_size != sizeof(struct module)))) {
				ret = -ENOEXEC;
				goto out_err;
			}
			memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
		}
		/*
		 * Update the userspace copy's ELF section address to point to
		 * our newly allocated memory as a pure convenience so that
		 * users of info can keep taking advantage and using the newly
		 * minted official memory area.
 */
		shdr->sh_addr = (unsigned long)dest;
		pr_debug("\t0x%lx 0x%.8lx %s\n", (long)shdr->sh_addr,
			 (long)shdr->sh_size, info->secstrings + shdr->sh_name);
	}

	return 0;
out_err:
	module_memory_restore_rox(mod);
	/* Free only the memory types allocated before the failure */
	while (t--)
		module_memory_free(mod, t);
	if (codetag_section_found)
		codetag_free_module_sections(mod);

	return ret;
}

static int check_export_symbol_sections(struct module *mod)
{
	if (mod->num_syms && !mod->flagstab) {
		pr_err("%s: no flags for exported symbols\n", mod->name);
		return -ENOEXEC;
	}
#ifdef CONFIG_MODVERSIONS
	if (mod->num_syms && !mod->crcs) {
		return try_to_force_load(mod,
					 "no versions for exported symbols");
	}
#endif
	return 0;
}

static void flush_module_icache(const struct module *mod)
{
	/*
	 * Flush the instruction cache, since we've played with text.
	 * Do it before processing of module parameters, so the module
	 * can provide parameter accessor functions of its own.
	 */
	for_each_mod_mem_type(type) {
		const struct module_memory *mod_mem = &mod->mem[type];

		if (mod_mem->size) {
			flush_icache_range((unsigned long)mod_mem->base,
					   (unsigned long)mod_mem->base + mod_mem->size);
		}
	}
}

/* Weak default: architectures may reject incompatible ELF headers */
bool __weak module_elf_check_arch(Elf_Ehdr *hdr)
{
	return true;
}

/* Weak default: architectures may adjust section contents/sizes before layout */
int __weak module_frob_arch_sections(Elf_Ehdr *hdr,
				     Elf_Shdr *sechdrs,
				     char *secstrings,
				     struct module *mod)
{
	return 0;
}

/* module_blacklist is a comma-separated list of module names */
static char *module_blacklist;
static bool blacklisted(const char *module_name)
{
	const char *p;
	size_t len;

	if (!module_blacklist)
		return false;

	for (p = module_blacklist; *p; p += len) {
		len = strcspn(p, ",");
		if (strlen(module_name) == len && !memcmp(module_name, p, len))
			return true;
		if (p[len] == ',')
			len++;
	}
	return false;
}
core_param(module_blacklist, module_blacklist, charp, 0400);

static struct module *layout_and_allocate(struct load_info *info, int flags)
{
	struct module *mod;
	int err;

	/* Allow arches to frob section contents and sizes.  */
	err = module_frob_arch_sections(info->hdr, info->sechdrs,
					info->secstrings, info->mod);
	if (err < 0)
		return ERR_PTR(err);

	err = module_enforce_rwx_sections(info->hdr, info->sechdrs,
					  info->secstrings, info->mod);
	if (err < 0)
		return ERR_PTR(err);

	/* We will do a special allocation for per-cpu sections later. */
	info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC;

	/*
	 * Mark relevant sections as SHF_RO_AFTER_INIT so layout_sections() can
	 * put them in the right place.
	 * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set.
 */
	module_mark_ro_after_init(info->hdr, info->sechdrs, info->secstrings);

	/*
	 * Determine total sizes, and put offsets in sh_entsize. For now
	 * this is done generically; there doesn't appear to be any
	 * special cases for the architectures.
	 */
	layout_sections(info->mod, info);
	layout_symtab(info->mod, info);

	/* Allocate and move to the final place */
	err = move_module(info->mod, info);
	if (err)
		return ERR_PTR(err);

	/* Module has been copied to its final place now: return it. */
	mod = (void *)info->sechdrs[info->index.mod].sh_addr;
	kmemleak_load_module(mod, info);
	codetag_module_replaced(info->mod, mod);

	return mod;
}

/* mod is no longer valid after this! */
static void module_deallocate(struct module *mod, struct load_info *info)
{
	percpu_modfree(mod);
	module_arch_freeing_init(mod);
	codetag_free_module_sections(mod);

	free_mod_mem(mod);
}

/* Weak default: architectures may do final fixups after relocation */
int __weak module_finalize(const Elf_Ehdr *hdr,
			   const Elf_Shdr *sechdrs,
			   struct module *me)
{
	return 0;
}

static int post_relocation(struct module *mod, const struct load_info *info)
{
	/* Sort exception table now relocations are done. */
	sort_extable(mod->extable, mod->extable + mod->num_exentries);

	/* Copy relocated percpu area over. */
	percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
		       info->sechdrs[info->index.pcpu].sh_size);

	/* Setup kallsyms-specific fields. */
	add_kallsyms(mod, info);

	/* Arch-specific module finalizing. */
	return module_finalize(info->hdr, info->sechdrs, mod);
}

/* Call module constructors.
 */
static void do_mod_ctors(struct module *mod)
{
#ifdef CONFIG_CONSTRUCTORS
	unsigned long i;

	for (i = 0; i < mod->num_ctors; i++)
		mod->ctors[i]();
#endif
}

/* For freeing module_init on success, in case kallsyms traversing */
struct mod_initfree {
	struct llist_node node;	/* entry on init_free_list */
	void *init_text;
	void *init_data;
	void *init_rodata;
};

static void do_free_init(struct work_struct *w)
{
	struct llist_node *pos, *n, *list;
	struct mod_initfree *initfree;

	list = llist_del_all(&init_free_list);

	/* Wait out any RCU readers still walking the init regions */
	synchronize_rcu();

	llist_for_each_safe(pos, n, list) {
		initfree = container_of(pos, struct mod_initfree, node);
		execmem_free(initfree->init_text);
		execmem_free(initfree->init_data);
		execmem_free(initfree->init_rodata);
		kfree(initfree);
	}
}

/* Let callers (e.g. mark_rodata_ro()) sync with the deferred init freeing */
void flush_module_init_free_work(void)
{
	flush_work(&init_free_wq);
}

#undef MODULE_PARAM_PREFIX
#define MODULE_PARAM_PREFIX "module."
/* Default value for module->async_probe_requested */
static bool async_probe;
module_param(async_probe, bool, 0644);

/*
 * This is where the real work happens.
 *
 * Keep it uninlined to provide a reliable breakpoint target, e.g. for the gdb
 * helper command 'lx-symbols'.
 */
static noinline int do_init_module(struct module *mod)
{
	int ret = 0;
	struct mod_initfree *freeinit;
#if defined(CONFIG_MODULE_STATS)
	unsigned int text_size = 0, total_size = 0;

	for_each_mod_mem_type(type) {
		const struct module_memory *mod_mem = &mod->mem[type];
		if (mod_mem->size) {
			total_size += mod_mem->size;
			if (type == MOD_TEXT || type == MOD_INIT_TEXT)
				text_size += mod_mem->size;
		}
	}
#endif

	/* Record the init region pointers now; they are zapped below */
	freeinit = kmalloc_obj(*freeinit);
	if (!freeinit) {
		ret = -ENOMEM;
		goto fail;
	}
	freeinit->init_text = mod->mem[MOD_INIT_TEXT].base;
	freeinit->init_data = mod->mem[MOD_INIT_DATA].base;
	freeinit->init_rodata = mod->mem[MOD_INIT_RODATA].base;

	do_mod_ctors(mod);
	/* Start the module */
	if (mod->init != NULL)
		ret = do_one_initcall(mod->init);
	if (ret < 0) {
		/*
		 * -EEXIST is reserved by [f]init_module() to signal to userspace that
		 * a module with this name is already loaded. Use something else if the
		 * module itself is returning that.
		 */
		if (ret == -EEXIST)
			ret = -EBUSY;

		goto fail_free_freeinit;
	}
	if (ret > 0)
		pr_warn("%s: init suspiciously returned %d, it should follow 0/-E convention\n",
			mod->name, ret);

	/* Now it's a first class citizen! */
	mod->state = MODULE_STATE_LIVE;
	blocking_notifier_call_chain(&module_notify_list,
				     MODULE_STATE_LIVE, mod);

	/* Delay uevent until module has finished its init routine */
	kobject_uevent(&mod->mkobj.kobj, KOBJ_ADD);

	/*
	 * We need to finish all async code before the module init sequence
	 * is done. This has potential to deadlock if synchronous module
	 * loading is requested from async (which is not allowed!).
	 *
	 * See commit 0fdff3ec6d87 ("async, kmod: warn on synchronous
	 * request_module() from async workers") for more details.
	 */
	if (!mod->async_probe_requested)
		async_synchronize_full();

	ftrace_free_mem(mod, mod->mem[MOD_INIT_TEXT].base,
			mod->mem[MOD_INIT_TEXT].base + mod->mem[MOD_INIT_TEXT].size);
	mutex_lock(&module_mutex);
	/* Drop initial reference. */
	module_put(mod);
	trim_init_extable(mod);
#ifdef CONFIG_KALLSYMS
	/* Switch to core kallsyms now init is done: kallsyms may be walking! */
	rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms);
#endif
	ret = module_enable_rodata_ro_after_init(mod);
	if (ret)
		pr_warn("%s: module_enable_rodata_ro_after_init() returned %d, "
			"ro_after_init data might still be writable\n",
			mod->name, ret);

	mod_tree_remove_init(mod);
	module_arch_freeing_init(mod);
	/* Ownership of the init regions moved to freeinit; forget them here */
	for_class_mod_mem_type(type, init) {
		mod->mem[type].base = NULL;
		mod->mem[type].size = 0;
	}

#ifdef CONFIG_DEBUG_INFO_BTF_MODULES
	/* .BTF is not SHF_ALLOC and will get removed, so sanitize pointers */
	mod->btf_data = NULL;
	mod->btf_base_data = NULL;
#endif
	/*
	 * We want to free module_init, but be aware that kallsyms may be
	 * walking this within an RCU read section. In all the failure paths, we
	 * call synchronize_rcu(), but we don't want to slow down the success
	 * path. execmem_free() cannot be called in an interrupt, so do the
	 * work and call synchronize_rcu() in a work queue.
	 *
	 * Note that execmem_alloc() on most architectures creates W+X page
	 * mappings which won't be cleaned up until do_free_init() runs. Any
	 * code such as mark_rodata_ro() which depends on those mappings to
	 * be cleaned up needs to sync with the queued work by invoking
	 * flush_module_init_free_work().
	 */
	if (llist_add(&freeinit->node, &init_free_list))
		schedule_work(&init_free_wq);

	mutex_unlock(&module_mutex);
	wake_up_all(&module_wq);

	mod_stat_add_long(text_size, &total_text_size);
	mod_stat_add_long(total_size, &total_mod_size);

	mod_stat_inc(&modcount);

	return 0;

fail_free_freeinit:
	kfree(freeinit);
fail:
	/* Try to protect us from buggy refcounters. */
	mod->state = MODULE_STATE_GOING;
	synchronize_rcu();
	module_put(mod);
	blocking_notifier_call_chain(&module_notify_list,
				     MODULE_STATE_GOING, mod);
	klp_module_going(mod);
	ftrace_release_mod(mod);
	free_module(mod);
	wake_up_all(&module_wq);

	return ret;
}

static int may_init_module(void)
{
	if (!capable(CAP_SYS_MODULE) || modules_disabled)
		return -EPERM;

	return 0;
}

/* Is this module of this name done loading? No locks held. */
static bool finished_loading(const char *name)
{
	struct module *mod;
	bool ret;

	/*
	 * The module_mutex should not be a heavily contended lock;
	 * if we get the occasional sleep here, we'll go an extra iteration
	 * in the wait_event_interruptible(), which is harmless.
3230 */ 3231 sched_annotate_sleep(); 3232 mutex_lock(&module_mutex); 3233 mod = find_module_all(name, strlen(name), true); 3234 ret = !mod || mod->state == MODULE_STATE_LIVE 3235 || mod->state == MODULE_STATE_GOING; 3236 mutex_unlock(&module_mutex); 3237 3238 return ret; 3239 } 3240 3241 /* Must be called with module_mutex held */ 3242 static int module_patient_check_exists(const char *name, 3243 enum fail_dup_mod_reason reason) 3244 { 3245 struct module *old; 3246 int err = 0; 3247 3248 old = find_module_all(name, strlen(name), true); 3249 if (old == NULL) 3250 return 0; 3251 3252 if (old->state == MODULE_STATE_COMING || 3253 old->state == MODULE_STATE_UNFORMED) { 3254 /* Wait in case it fails to load. */ 3255 mutex_unlock(&module_mutex); 3256 err = wait_event_interruptible(module_wq, 3257 finished_loading(name)); 3258 mutex_lock(&module_mutex); 3259 if (err) 3260 return err; 3261 3262 /* The module might have gone in the meantime. */ 3263 old = find_module_all(name, strlen(name), true); 3264 } 3265 3266 if (try_add_failed_module(name, reason)) 3267 pr_warn("Could not add fail-tracking for module: %s\n", name); 3268 3269 /* 3270 * We are here only when the same module was being loaded. Do 3271 * not try to load it again right now. It prevents long delays 3272 * caused by serialized module load failures. It might happen 3273 * when more devices of the same type trigger load of 3274 * a particular module. 3275 */ 3276 if (old && old->state == MODULE_STATE_LIVE) 3277 return -EEXIST; 3278 return -EBUSY; 3279 } 3280 3281 /* 3282 * We try to place it in the list now to make sure it's unique before 3283 * we dedicate too many resources. In particular, temporary percpu 3284 * memory exhaustion. 
 */
static int add_unformed_module(struct module *mod)
{
	int err;

	mod->state = MODULE_STATE_UNFORMED;

	mutex_lock(&module_mutex);
	err = module_patient_check_exists(mod->name, FAIL_DUP_MOD_LOAD);
	if (err)
		goto out;

	/* Unique: publish on the module list and in the address tree. */
	mod_update_bounds(mod);
	list_add_rcu(&mod->list, &modules);
	mod_tree_insert(mod);
	err = 0;

out:
	mutex_unlock(&module_mutex);
	return err;
}

/*
 * Final formation steps under module_mutex: exported-symbol uniqueness,
 * BUG/CFI table registration, and memory protections (RO/NX/ROX), then
 * transition the module to MODULE_STATE_COMING.
 */
static int complete_formation(struct module *mod, struct load_info *info)
{
	int err;

	mutex_lock(&module_mutex);

	/* Find duplicate symbols (must be called under lock). */
	err = verify_exported_symbols(mod);
	if (err < 0)
		goto out;

	/* These rely on module_mutex for list integrity. */
	module_bug_finalize(info->hdr, info->sechdrs, mod);
	module_cfi_finalize(info->hdr, info->sechdrs, mod);

	err = module_enable_rodata_ro(mod);
	if (err)
		goto out_strict_rwx;
	err = module_enable_data_nx(mod);
	if (err)
		goto out_strict_rwx;
	err = module_enable_text_rox(mod);
	if (err)
		goto out_strict_rwx;

	/*
	 * Mark state as coming so strong_try_module_get() ignores us,
	 * but kallsyms etc. can see us.
	 */
	mod->state = MODULE_STATE_COMING;
	mutex_unlock(&module_mutex);

	return 0;

out_strict_rwx:
	module_bug_cleanup(mod);
out:
	mutex_unlock(&module_mutex);
	return err;
}

/*
 * Notify ftrace, livepatch and the MODULE_STATE_COMING notifier chain.
 * On notifier failure the robust call chain already rolled back the
 * notifiers; we only need to undo klp_module_coming() here.
 */
static int prepare_coming_module(struct module *mod)
{
	int err;

	ftrace_module_enable(mod);
	err = klp_module_coming(mod);
	if (err)
		return err;

	err = blocking_notifier_call_chain_robust(&module_notify_list,
			MODULE_STATE_COMING, MODULE_STATE_GOING, mod);
	err = notifier_to_errno(err);
	if (err)
		klp_module_going(mod);

	return err;
}

/*
 * parse_args() callback for parameters that match no declared module
 * parameter. Recognizes the built-in "async_probe" flag (bad bool values
 * fall back to true) and the dyndbg query syntax; anything else is
 * warned about and ignored rather than failing the load.
 */
static int unknown_module_param_cb(char *param, char *val, const char *modname,
				   void *arg)
{
	struct module *mod = arg;
	int ret;

	if (strcmp(param, "async_probe") == 0) {
		if (kstrtobool(val, &mod->async_probe_requested))
			mod->async_probe_requested = true;
		return 0;
	}

	/* Check for magic 'dyndbg' arg */
	ret = ddebug_dyndbg_module_param_cb(param, val, modname);
	if (ret != 0)
		pr_warn("%s: unknown parameter '%s' ignored\n", modname, param);
	return 0;
}

/* Module within temporary copy, this doesn't do any allocation */
static int early_mod_check(struct load_info *info, int flags)
{
	int err;

	/*
	 * Now that we know we have the correct module name, check
	 * if it's blacklisted.
	 */
	if (blacklisted(info->name)) {
		pr_err("Module %s is blacklisted\n", info->name);
		return -EPERM;
	}

	err = rewrite_section_headers(info, flags);
	if (err)
		return err;

	/* Check module struct version now, before we try to use module. */
	if (!check_modstruct_version(info, info->mod))
		return -ENOEXEC;

	err = check_modinfo(info->mod, info, flags);
	if (err)
		return err;

	/* Bail early if a module of the same name is already in flight. */
	mutex_lock(&module_mutex);
	err = module_patient_check_exists(info->mod->name, FAIL_DUP_MOD_BECOMING);
	mutex_unlock(&module_mutex);

	return err;
}

/*
 * Allocate and load the module: note that size of section 0 is always
 * zero, and we rely on this for optional sections.
 */
static int load_module(struct load_info *info, const char __user *uargs,
		       int flags)
{
	struct module *mod;
	bool module_allocated = false;
	long err = 0;
	char *after_dashes;

	/*
	 * Do the signature check (if any) first. All that
	 * the signature check needs is info->len, it does
	 * not need any of the section info. That can be
	 * set up later. This will minimize the chances
	 * of a corrupt module causing problems before
	 * we even get to the signature check.
	 *
	 * The check will also adjust info->len by stripping
	 * off the sig length at the end of the module, making
	 * checks against info->len more correct.
	 */
	err = module_sig_check(info, flags);
	if (err)
		goto free_copy;

	/*
	 * Do basic sanity checks against the ELF header and
	 * sections. Cache useful sections and set the
	 * info->mod to the userspace passed struct module.
	 */
	err = elf_validity_cache_copy(info, flags);
	if (err)
		goto free_copy;

	err = early_mod_check(info, flags);
	if (err)
		goto free_copy;

	/* Figure out module layout, and allocate all the memory. */
	mod = layout_and_allocate(info, flags);
	if (IS_ERR(mod)) {
		err = PTR_ERR(mod);
		goto free_copy;
	}

	module_allocated = true;

	audit_log_kern_module(info->name);

	/* Reserve our place in the list.
*/ 3471 err = add_unformed_module(mod); 3472 if (err) 3473 goto free_module; 3474 3475 /* 3476 * We are tainting your kernel if your module gets into 3477 * the modules linked list somehow. 3478 */ 3479 module_augment_kernel_taints(mod, info); 3480 3481 /* To avoid stressing percpu allocator, do this once we're unique. */ 3482 err = percpu_modalloc(mod, info); 3483 if (err) 3484 goto unlink_mod; 3485 3486 /* Now module is in final location, initialize linked lists, etc. */ 3487 err = module_unload_init(mod); 3488 if (err) 3489 goto unlink_mod; 3490 3491 init_param_lock(mod); 3492 3493 /* 3494 * Now we've got everything in the final locations, we can 3495 * find optional sections. 3496 */ 3497 err = find_module_sections(mod, info); 3498 if (err) 3499 goto free_unload; 3500 3501 err = check_export_symbol_sections(mod); 3502 if (err) 3503 goto free_unload; 3504 3505 /* Set up MODINFO_ATTR fields */ 3506 err = setup_modinfo(mod, info); 3507 if (err) 3508 goto free_modinfo; 3509 3510 /* Fix up syms, so that st_value is a pointer to location. */ 3511 err = simplify_symbols(mod, info); 3512 if (err < 0) 3513 goto free_modinfo; 3514 3515 err = apply_relocations(mod, info); 3516 if (err < 0) 3517 goto free_modinfo; 3518 3519 err = post_relocation(mod, info); 3520 if (err < 0) 3521 goto free_modinfo; 3522 3523 flush_module_icache(mod); 3524 3525 /* Now copy in args */ 3526 mod->args = strndup_user(uargs, ~0UL >> 1); 3527 if (IS_ERR(mod->args)) { 3528 err = PTR_ERR(mod->args); 3529 goto free_arch_cleanup; 3530 } 3531 3532 init_build_id(mod, info); 3533 3534 /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */ 3535 ftrace_module_init(mod); 3536 3537 /* Finally it's fully formed, ready to start executing. 
*/ 3538 err = complete_formation(mod, info); 3539 if (err) 3540 goto ddebug_cleanup; 3541 3542 err = prepare_coming_module(mod); 3543 if (err) 3544 goto bug_cleanup; 3545 3546 mod->async_probe_requested = async_probe; 3547 3548 /* Module is ready to execute: parsing args may do that. */ 3549 after_dashes = parse_args(mod->name, mod->args, mod->kp, mod->num_kp, 3550 -32768, 32767, mod, 3551 unknown_module_param_cb); 3552 if (IS_ERR(after_dashes)) { 3553 err = PTR_ERR(after_dashes); 3554 goto coming_cleanup; 3555 } else if (after_dashes) { 3556 pr_warn("%s: parameters '%s' after `--' ignored\n", 3557 mod->name, after_dashes); 3558 } 3559 3560 /* Link in to sysfs. */ 3561 err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp); 3562 if (err < 0) 3563 goto coming_cleanup; 3564 3565 if (is_livepatch_module(mod)) { 3566 err = copy_module_elf(mod, info); 3567 if (err < 0) 3568 goto sysfs_cleanup; 3569 } 3570 3571 if (codetag_load_module(mod)) 3572 goto sysfs_cleanup; 3573 3574 /* Get rid of temporary copy. */ 3575 free_copy(info, flags); 3576 3577 /* Done! */ 3578 trace_module_load(mod); 3579 3580 return do_init_module(mod); 3581 3582 sysfs_cleanup: 3583 mod_sysfs_teardown(mod); 3584 coming_cleanup: 3585 mod->state = MODULE_STATE_GOING; 3586 module_destroy_params(mod->kp, mod->num_kp); 3587 blocking_notifier_call_chain(&module_notify_list, 3588 MODULE_STATE_GOING, mod); 3589 klp_module_going(mod); 3590 bug_cleanup: 3591 mod->state = MODULE_STATE_GOING; 3592 /* module_bug_cleanup needs module_mutex protection */ 3593 mutex_lock(&module_mutex); 3594 module_bug_cleanup(mod); 3595 mutex_unlock(&module_mutex); 3596 3597 ddebug_cleanup: 3598 ftrace_release_mod(mod); 3599 synchronize_rcu(); 3600 kfree(mod->args); 3601 free_arch_cleanup: 3602 module_arch_cleanup(mod); 3603 free_modinfo: 3604 free_modinfo(mod); 3605 free_unload: 3606 module_unload_free(mod); 3607 unlink_mod: 3608 mutex_lock(&module_mutex); 3609 /* Unlink carefully: kallsyms could be walking list. 
*/ 3610 list_del_rcu(&mod->list); 3611 mod_tree_remove(mod); 3612 wake_up_all(&module_wq); 3613 /* Wait for RCU-sched synchronizing before releasing mod->list. */ 3614 synchronize_rcu(); 3615 mutex_unlock(&module_mutex); 3616 free_module: 3617 mod_stat_bump_invalid(info, flags); 3618 module_memory_restore_rox(mod); 3619 module_deallocate(mod, info); 3620 free_copy: 3621 /* 3622 * The info->len is always set. We distinguish between 3623 * failures once the proper module was allocated and 3624 * before that. 3625 */ 3626 if (!module_allocated) { 3627 audit_log_kern_module(info->name ? info->name : "?"); 3628 mod_stat_bump_becoming(info, flags); 3629 } 3630 free_copy(info, flags); 3631 return err; 3632 } 3633 3634 SYSCALL_DEFINE3(init_module, void __user *, umod, 3635 unsigned long, len, const char __user *, uargs) 3636 { 3637 int err; 3638 struct load_info info = { }; 3639 3640 err = may_init_module(); 3641 if (err) 3642 return err; 3643 3644 pr_debug("init_module: umod=%p, len=%lu, uargs=%p\n", 3645 umod, len, uargs); 3646 3647 err = copy_module_from_user(umod, len, &info); 3648 if (err) { 3649 mod_stat_inc(&failed_kreads); 3650 mod_stat_add_long(len, &invalid_kread_bytes); 3651 return err; 3652 } 3653 3654 return load_module(&info, uargs, 0); 3655 } 3656 3657 struct idempotent { 3658 const void *cookie; 3659 struct hlist_node entry; 3660 struct completion complete; 3661 int ret; 3662 }; 3663 3664 #define IDEM_HASH_BITS 8 3665 static struct hlist_head idem_hash[1 << IDEM_HASH_BITS]; 3666 static DEFINE_SPINLOCK(idem_lock); 3667 3668 static bool idempotent(struct idempotent *u, const void *cookie) 3669 { 3670 int hash = hash_ptr(cookie, IDEM_HASH_BITS); 3671 struct hlist_head *head = idem_hash + hash; 3672 struct idempotent *existing; 3673 bool first; 3674 3675 u->ret = -EINTR; 3676 u->cookie = cookie; 3677 init_completion(&u->complete); 3678 3679 spin_lock(&idem_lock); 3680 first = true; 3681 hlist_for_each_entry(existing, head, entry) { 3682 if (existing->cookie != 
cookie)
			continue;
		first = false;
		break;
	}
	hlist_add_head(&u->entry, idem_hash + hash);
	spin_unlock(&idem_lock);

	return !first;
}

/*
 * We were the first one with 'cookie' on the list, and we ended
 * up completing the operation. We now need to walk the list,
 * remove everybody - which includes ourselves - fill in the return
 * value, and then complete the operation.
 */
static int idempotent_complete(struct idempotent *u, int ret)
{
	const void *cookie = u->cookie;
	int hash = hash_ptr(cookie, IDEM_HASH_BITS);
	struct hlist_head *head = idem_hash + hash;
	struct hlist_node *next;
	struct idempotent *pos;

	spin_lock(&idem_lock);
	/* Wake every waiter registered for this cookie, ourselves included. */
	hlist_for_each_entry_safe(pos, next, head, entry) {
		if (pos->cookie != cookie)
			continue;
		hlist_del_init(&pos->entry);
		pos->ret = ret;
		complete(&pos->complete);
	}
	spin_unlock(&idem_lock);
	return ret;
}

/*
 * Wait for the idempotent worker.
 *
 * If we get interrupted, we need to remove ourselves from
 * the idempotent list, and the completion may still come in.
 *
 * The 'idem_lock' protects against the race, and 'idem.ret' was
 * initialized to -EINTR and is thus always the right return
 * value even if the idempotent work then completes between
 * the wait_for_completion and the cleanup.
 */
static int idempotent_wait_for_completion(struct idempotent *u)
{
	if (wait_for_completion_interruptible(&u->complete)) {
		/* Interrupted: unhash ourselves unless the completer already did. */
		spin_lock(&idem_lock);
		if (!hlist_unhashed(&u->entry))
			hlist_del(&u->entry);
		spin_unlock(&idem_lock);
	}
	return u->ret;
}

/*
 * Read the whole module image from 'f' (decompressing it first when
 * MODULE_INIT_COMPRESSED_FILE is set) and hand it to load_module().
 * Decompressed images get a second LSM post-read check since the security
 * hook originally saw only the compressed bytes.
 */
static int init_module_from_file(struct file *f, const char __user * uargs, int flags)
{
	bool compressed = !!(flags & MODULE_INIT_COMPRESSED_FILE);
	struct load_info info = { };
	void *buf = NULL;
	int len;
	int err;

	len = kernel_read_file(f, 0, &buf, INT_MAX, NULL,
			       compressed ? READING_MODULE_COMPRESSED :
					    READING_MODULE);
	if (len < 0) {
		mod_stat_inc(&failed_kreads);
		return len;
	}

	if (compressed) {
		err = module_decompress(&info, buf, len);
		vfree(buf); /* compressed data is no longer needed */
		if (err) {
			mod_stat_inc(&failed_decompress);
			mod_stat_add_long(len, &invalid_decompress_bytes);
			return err;
		}
		err = security_kernel_post_read_file(f, (char *)info.hdr, info.len,
						     READING_MODULE);
		if (err) {
			mod_stat_inc(&failed_kreads);
			free_copy(&info, flags);
			return err;
		}
	} else {
		info.hdr = buf;
		info.len = len;
	}

	return load_module(&info, uargs, flags);
}

/*
 * Deduplicate concurrent loads of the same file: only the first caller
 * (keyed by the file's inode) actually loads the module; everyone else
 * waits and shares its return value.
 */
static int idempotent_init_module(struct file *f, const char __user * uargs, int flags)
{
	struct idempotent idem;

	if (!(f->f_mode & FMODE_READ))
		return -EBADF;

	/* Are we the winners of the race and get to do this? */
	if (!idempotent(&idem, file_inode(f))) {
		int ret = init_module_from_file(f, uargs, flags);
		return idempotent_complete(&idem, ret);
	}

	/*
	 * Somebody else won the race and is loading the module.
 */
	return idempotent_wait_for_completion(&idem);
}

SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
{
	int err = may_init_module();
	if (err)
		return err;

	pr_debug("finit_module: fd=%d, uargs=%p, flags=%i\n", fd, uargs, flags);

	/* Reject any flag bits we do not understand. */
	if (flags & ~(MODULE_INIT_IGNORE_MODVERSIONS
		      |MODULE_INIT_IGNORE_VERMAGIC
		      |MODULE_INIT_COMPRESSED_FILE))
		return -EINVAL;

	CLASS(fd, f)(fd);
	if (fd_empty(f))
		return -EBADF;
	return idempotent_init_module(fd_file(f), uargs, flags);
}

/*
 * Format taint/state flags for a module into 'buf', e.g. "(PO-)".
 * Keep in sync with MODULE_FLAGS_BUF_SIZE !!!
 */
char *module_flags(struct module *mod, char *buf, bool show_state)
{
	int bx = 0;

	BUG_ON(mod->state == MODULE_STATE_UNFORMED);
	if (!mod->taints && !show_state)
		goto out;
	if (mod->taints ||
	    mod->state == MODULE_STATE_GOING ||
	    mod->state == MODULE_STATE_COMING) {
		buf[bx++] = '(';
		bx += module_flags_taint(mod->taints, buf + bx);
		/* Show a - for module-is-being-unloaded */
		if (mod->state == MODULE_STATE_GOING && show_state)
			buf[bx++] = '-';
		/* Show a + for module-is-being-loaded */
		if (mod->state == MODULE_STATE_COMING && show_state)
			buf[bx++] = '+';
		buf[bx++] = ')';
	}
out:
	buf[bx] = '\0';

	return buf;
}

/* Given an address, look for it in the module exception tables. */
const struct exception_table_entry *search_module_extables(unsigned long addr)
{
	struct module *mod;

	guard(rcu)();
	mod = __module_address(addr);
	if (!mod)
		return NULL;

	if (!mod->num_exentries)
		return NULL;
	/*
	 * The address passed here belongs to a module that is currently
	 * invoked (we are running inside it). Therefore its module::refcnt
	 * needs already be >0 to ensure that it is not removed at this stage.
 * All other users need to invoke this function within a RCU read
 * section.
 */
	return search_extable(mod->extable, mod->num_exentries, addr);
}

/**
 * is_module_address() - is this address inside a module?
 * @addr: the address to check.
 *
 * See is_module_text_address() if you simply want to see if the address
 * is code (not data).
 */
bool is_module_address(unsigned long addr)
{
	guard(rcu)();
	return __module_address(addr) != NULL;
}

/**
 * __module_address() - get the module which contains an address.
 * @addr: the address.
 *
 * Must be called within RCU read section or module mutex held so that
 * module doesn't get freed during this.
 */
struct module *__module_address(unsigned long addr)
{
	struct module *mod;

	/* Cheap range check against the tracked min/max before tree lookup. */
	if (addr >= mod_tree.addr_min && addr <= mod_tree.addr_max)
		goto lookup;

#ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC
	if (addr >= mod_tree.data_addr_min && addr <= mod_tree.data_addr_max)
		goto lookup;
#endif

	return NULL;

lookup:
	mod = mod_find(addr, &mod_tree);
	if (mod) {
		BUG_ON(!within_module(addr, mod));
		/* Unformed modules are not visible to callers. */
		if (mod->state == MODULE_STATE_UNFORMED)
			mod = NULL;
	}
	return mod;
}

/**
 * is_module_text_address() - is this address inside module code?
 * @addr: the address to check.
 *
 * See is_module_address() if you simply want to see if the address is
 * anywhere in a module. See kernel_text_address() for testing if an
 * address corresponds to kernel or module code.
 */
bool is_module_text_address(unsigned long addr)
{
	guard(rcu)();
	return __module_text_address(addr) != NULL;
}

/*
 * Invoke @func on every formed module under RCU protection; stop early
 * when @func returns nonzero.
 */
void module_for_each_mod(int(*func)(struct module *mod, void *data), void *data)
{
	struct module *mod;

	guard(rcu)();
	list_for_each_entry_rcu(mod, &modules, list) {
		if (mod->state == MODULE_STATE_UNFORMED)
			continue;
		if (func(mod, data))
			break;
	}
}

/**
 * __module_text_address() - get the module whose code contains an address.
 * @addr: the address.
 *
 * Must be called within RCU read section or module mutex held so that
 * module doesn't get freed during this.
 */
struct module *__module_text_address(unsigned long addr)
{
	struct module *mod = __module_address(addr);
	if (mod) {
		/* Make sure it's within the text section. */
		if (!within_module_mem_type(addr, mod, MOD_TEXT) &&
		    !within_module_mem_type(addr, mod, MOD_INIT_TEXT))
			mod = NULL;
	}
	return mod;
}

/* Don't grab lock, we're oopsing.
*/
void print_modules(void)
{
	struct module *mod;
	char buf[MODULE_FLAGS_BUF_SIZE];

	printk(KERN_DEFAULT "Modules linked in:");
	/* Most callers should already have preempt disabled, but make sure */
	guard(rcu)();
	list_for_each_entry_rcu(mod, &modules, list) {
		if (mod->state == MODULE_STATE_UNFORMED)
			continue;
		pr_cont(" %s%s", mod->name, module_flags(mod, buf, true));
	}

	print_unloaded_tainted_modules();
	/* Empty name means no module has been unloaded yet. */
	if (last_unloaded_module.name[0])
		pr_cont(" [last unloaded: %s%s]", last_unloaded_module.name,
			last_unloaded_module.taints);
	pr_cont("\n");
}

#ifdef CONFIG_MODULE_DEBUGFS
/* Root directory for module debugfs entries ("modules"). */
struct dentry *mod_debugfs_root;

static int module_debugfs_init(void)
{
	mod_debugfs_root = debugfs_create_dir("modules", NULL);
	return 0;
}
module_init(module_debugfs_init);
#endif