1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Copyright (C) 2002 Richard Henderson 4 * Copyright (C) 2001 Rusty Russell, 2002, 2010 Rusty Russell IBM. 5 * Copyright (C) 2023 Luis Chamberlain <mcgrof@kernel.org> 6 */ 7 8 #define INCLUDE_VERMAGIC 9 10 #include <linux/export.h> 11 #include <linux/extable.h> 12 #include <linux/moduleloader.h> 13 #include <linux/module_signature.h> 14 #include <linux/trace_events.h> 15 #include <linux/init.h> 16 #include <linux/kallsyms.h> 17 #include <linux/buildid.h> 18 #include <linux/fs.h> 19 #include <linux/kernel.h> 20 #include <linux/kernel_read_file.h> 21 #include <linux/kstrtox.h> 22 #include <linux/slab.h> 23 #include <linux/vmalloc.h> 24 #include <linux/elf.h> 25 #include <linux/seq_file.h> 26 #include <linux/syscalls.h> 27 #include <linux/fcntl.h> 28 #include <linux/rcupdate.h> 29 #include <linux/capability.h> 30 #include <linux/cpu.h> 31 #include <linux/moduleparam.h> 32 #include <linux/errno.h> 33 #include <linux/err.h> 34 #include <linux/vermagic.h> 35 #include <linux/notifier.h> 36 #include <linux/sched.h> 37 #include <linux/device.h> 38 #include <linux/string.h> 39 #include <linux/mutex.h> 40 #include <linux/rculist.h> 41 #include <linux/uaccess.h> 42 #include <asm/cacheflush.h> 43 #include <linux/set_memory.h> 44 #include <asm/mmu_context.h> 45 #include <linux/license.h> 46 #include <asm/sections.h> 47 #include <linux/tracepoint.h> 48 #include <linux/ftrace.h> 49 #include <linux/livepatch.h> 50 #include <linux/async.h> 51 #include <linux/percpu.h> 52 #include <linux/kmemleak.h> 53 #include <linux/jump_label.h> 54 #include <linux/pfn.h> 55 #include <linux/bsearch.h> 56 #include <linux/dynamic_debug.h> 57 #include <linux/audit.h> 58 #include <linux/cfi.h> 59 #include <linux/codetag.h> 60 #include <linux/debugfs.h> 61 #include <linux/execmem.h> 62 #include <uapi/linux/module.h> 63 #include "internal.h" 64 65 #define CREATE_TRACE_POINTS 66 #include <trace/events/module.h> 67 68 /* 69 * Mutex protects: 70 * 1) List of modules (also safely readable within RCU read section), 71 * 2) module_use links, 72 * 3) mod_tree.addr_min/mod_tree.addr_max. 73 * (delete and add uses RCU list operations). 74 */ 75 DEFINE_MUTEX(module_mutex); 76 LIST_HEAD(modules); 77 78 /* Work queue for freeing init sections in success case */ 79 static void do_free_init(struct work_struct *w); 80 static DECLARE_WORK(init_free_wq, do_free_init); 81 static LLIST_HEAD(init_free_list); 82 83 struct mod_tree_root mod_tree __cacheline_aligned = { 84 .addr_min = -1UL, 85 }; 86 87 struct symsearch { 88 const struct kernel_symbol *start, *stop; 89 const u32 *crcs; 90 enum mod_license license; 91 }; 92 93 /* 94 * Bounds of module memory, for speeding up __module_address. 95 * Protected by module_mutex. 96 */ 97 static void __mod_update_bounds(enum mod_mem_type type __maybe_unused, void *base, 98 unsigned int size, struct mod_tree_root *tree) 99 { 100 unsigned long min = (unsigned long)base; 101 unsigned long max = min + size; 102 103 #ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC 104 if (mod_mem_type_is_core_data(type)) { 105 if (min < tree->data_addr_min) 106 tree->data_addr_min = min; 107 if (max > tree->data_addr_max) 108 tree->data_addr_max = max; 109 return; 110 } 111 #endif 112 if (min < tree->addr_min) 113 tree->addr_min = min; 114 if (max > tree->addr_max) 115 tree->addr_max = max; 116 } 117 118 static void mod_update_bounds(struct module *mod) 119 { 120 for_each_mod_mem_type(type) { 121 struct module_memory *mod_mem = &mod->mem[type]; 122 123 if (mod_mem->size) 124 __mod_update_bounds(type, mod_mem->base, mod_mem->size, &mod_tree); 125 } 126 } 127 128 /* Block module loading/unloading? */ 129 static int modules_disabled; 130 core_param(nomodule, modules_disabled, bint, 0); 131 132 static const struct ctl_table module_sysctl_table[] = { 133 { 134 .procname = "modprobe", 135 .data = &modprobe_path, 136 .maxlen = KMOD_PATH_LEN, 137 .mode = 0644, 138 .proc_handler = proc_dostring, 139 }, 140 { 141 .procname = "modules_disabled", 142 .data = &modules_disabled, 143 .maxlen = sizeof(int), 144 .mode = 0644, 145 /* only handle a transition from default "0" to "1" */ 146 .proc_handler = proc_dointvec_minmax, 147 .extra1 = SYSCTL_ONE, 148 .extra2 = SYSCTL_ONE, 149 }, 150 }; 151 152 static int __init init_module_sysctl(void) 153 { 154 register_sysctl_init("kernel", module_sysctl_table); 155 return 0; 156 } 157 158 subsys_initcall(init_module_sysctl); 159 160 /* Waiting for a module to finish initializing? */ 161 static DECLARE_WAIT_QUEUE_HEAD(module_wq); 162 163 static BLOCKING_NOTIFIER_HEAD(module_notify_list); 164 165 int register_module_notifier(struct notifier_block *nb) 166 { 167 return blocking_notifier_chain_register(&module_notify_list, nb); 168 } 169 EXPORT_SYMBOL(register_module_notifier); 170 171 int unregister_module_notifier(struct notifier_block *nb) 172 { 173 return blocking_notifier_chain_unregister(&module_notify_list, nb); 174 } 175 EXPORT_SYMBOL(unregister_module_notifier); 176 177 /* 178 * We require a truly strong try_module_get(): 0 means success. 179 * Otherwise an error is returned due to ongoing or failed 180 * initialization etc. 181 */ 182 static inline int strong_try_module_get(struct module *mod) 183 { 184 BUG_ON(mod && mod->state == MODULE_STATE_UNFORMED); 185 if (mod && mod->state == MODULE_STATE_COMING) 186 return -EBUSY; 187 if (try_module_get(mod)) 188 return 0; 189 else 190 return -ENOENT; 191 } 192 193 static inline void add_taint_module(struct module *mod, unsigned flag, 194 enum lockdep_ok lockdep_ok) 195 { 196 add_taint(flag, lockdep_ok); 197 set_bit(flag, &mod->taints); 198 } 199 200 /* 201 * Like strncmp(), except s/-/_/g as per scripts/Makefile.lib:name-fix-token rule. 202 */ 203 static int mod_strncmp(const char *str_a, const char *str_b, size_t n) 204 { 205 for (int i = 0; i < n; i++) { 206 char a = str_a[i]; 207 char b = str_b[i]; 208 int d; 209 210 if (a == '-') a = '_'; 211 if (b == '-') b = '_'; 212 213 d = a - b; 214 if (d) 215 return d; 216 217 if (!a) 218 break; 219 } 220 221 return 0; 222 } 223 224 /* 225 * A thread that wants to hold a reference to a module only while it 226 * is running can call this to safely exit. 227 */ 228 void __noreturn __module_put_and_kthread_exit(struct module *mod, long code) 229 { 230 module_put(mod); 231 kthread_exit(code); 232 } 233 EXPORT_SYMBOL(__module_put_and_kthread_exit); 234 235 /* Find a module section: 0 means not found. */ 236 static unsigned int find_sec(const struct load_info *info, const char *name) 237 { 238 unsigned int i; 239 240 for (i = 1; i < info->hdr->e_shnum; i++) { 241 Elf_Shdr *shdr = &info->sechdrs[i]; 242 /* Alloc bit cleared means "ignore it." */ 243 if ((shdr->sh_flags & SHF_ALLOC) 244 && strcmp(info->secstrings + shdr->sh_name, name) == 0) 245 return i; 246 } 247 return 0; 248 } 249 250 /** 251 * find_any_unique_sec() - Find a unique section index by name 252 * @info: Load info for the module to scan 253 * @name: Name of the section we're looking for 254 * 255 * Locates a unique section by name. Ignores SHF_ALLOC. 256 * 257 * Return: Section index if found uniquely, zero if absent, negative count 258 * of total instances if multiple were found. 259 */ 260 static int find_any_unique_sec(const struct load_info *info, const char *name) 261 { 262 unsigned int idx; 263 unsigned int count = 0; 264 int i; 265 266 for (i = 1; i < info->hdr->e_shnum; i++) { 267 if (strcmp(info->secstrings + info->sechdrs[i].sh_name, 268 name) == 0) { 269 count++; 270 idx = i; 271 } 272 } 273 if (count == 1) { 274 return idx; 275 } else if (count == 0) { 276 return 0; 277 } else { 278 return -count; 279 } 280 } 281 282 /* Find a module section, or NULL. */ 283 static void *section_addr(const struct load_info *info, const char *name) 284 { 285 /* Section 0 has sh_addr 0. */ 286 return (void *)info->sechdrs[find_sec(info, name)].sh_addr; 287 } 288 289 /* Find a module section, or NULL. Fill in number of "objects" in section. */ 290 static void *section_objs(const struct load_info *info, 291 const char *name, 292 size_t object_size, 293 unsigned int *num) 294 { 295 unsigned int sec = find_sec(info, name); 296 297 /* Section 0 has sh_addr 0 and sh_size 0. */ 298 *num = info->sechdrs[sec].sh_size / object_size; 299 return (void *)info->sechdrs[sec].sh_addr; 300 } 301 302 /* Find a module section: 0 means not found. Ignores SHF_ALLOC flag. */ 303 static unsigned int find_any_sec(const struct load_info *info, const char *name) 304 { 305 unsigned int i; 306 307 for (i = 1; i < info->hdr->e_shnum; i++) { 308 Elf_Shdr *shdr = &info->sechdrs[i]; 309 if (strcmp(info->secstrings + shdr->sh_name, name) == 0) 310 return i; 311 } 312 return 0; 313 } 314 315 /* 316 * Find a module section, or NULL. Fill in number of "objects" in section. 317 * Ignores SHF_ALLOC flag. 318 */ 319 static __maybe_unused void *any_section_objs(const struct load_info *info, 320 const char *name, 321 size_t object_size, 322 unsigned int *num) 323 { 324 unsigned int sec = find_any_sec(info, name); 325 326 /* Section 0 has sh_addr 0 and sh_size 0. */ 327 *num = info->sechdrs[sec].sh_size / object_size; 328 return (void *)info->sechdrs[sec].sh_addr; 329 } 330 331 #ifndef CONFIG_MODVERSIONS 332 #define symversion(base, idx) NULL 333 #else 334 #define symversion(base, idx) ((base != NULL) ? ((base) + (idx)) : NULL) 335 #endif 336 337 static const char *kernel_symbol_name(const struct kernel_symbol *sym) 338 { 339 #ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS 340 return offset_to_ptr(&sym->name_offset); 341 #else 342 return sym->name; 343 #endif 344 } 345 346 static const char *kernel_symbol_namespace(const struct kernel_symbol *sym) 347 { 348 #ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS 349 if (!sym->namespace_offset) 350 return NULL; 351 return offset_to_ptr(&sym->namespace_offset); 352 #else 353 return sym->namespace; 354 #endif 355 } 356 357 int cmp_name(const void *name, const void *sym) 358 { 359 return strcmp(name, kernel_symbol_name(sym)); 360 } 361 362 static bool find_exported_symbol_in_section(const struct symsearch *syms, 363 struct module *owner, 364 struct find_symbol_arg *fsa) 365 { 366 struct kernel_symbol *sym; 367 368 if (!fsa->gplok && syms->license == GPL_ONLY) 369 return false; 370 371 sym = bsearch(fsa->name, syms->start, syms->stop - syms->start, 372 sizeof(struct kernel_symbol), cmp_name); 373 if (!sym) 374 return false; 375 376 fsa->owner = owner; 377 fsa->crc = symversion(syms->crcs, sym - syms->start); 378 fsa->sym = sym; 379 fsa->license = syms->license; 380 381 return true; 382 } 383 384 /* 385 * Find an exported symbol and return it, along with, (optional) crc and 386 * (optional) module which owns it. Needs RCU or module_mutex. 387 */ 388 bool find_symbol(struct find_symbol_arg *fsa) 389 { 390 static const struct symsearch arr[] = { 391 { __start___ksymtab, __stop___ksymtab, __start___kcrctab, 392 NOT_GPL_ONLY }, 393 { __start___ksymtab_gpl, __stop___ksymtab_gpl, 394 __start___kcrctab_gpl, 395 GPL_ONLY }, 396 }; 397 struct module *mod; 398 unsigned int i; 399 400 for (i = 0; i < ARRAY_SIZE(arr); i++) 401 if (find_exported_symbol_in_section(&arr[i], NULL, fsa)) 402 return true; 403 404 list_for_each_entry_rcu(mod, &modules, list, 405 lockdep_is_held(&module_mutex)) { 406 struct symsearch arr[] = { 407 { mod->syms, mod->syms + mod->num_syms, mod->crcs, 408 NOT_GPL_ONLY }, 409 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms, 410 mod->gpl_crcs, 411 GPL_ONLY }, 412 }; 413 414 if (mod->state == MODULE_STATE_UNFORMED) 415 continue; 416 417 for (i = 0; i < ARRAY_SIZE(arr); i++) 418 if (find_exported_symbol_in_section(&arr[i], mod, fsa)) 419 return true; 420 } 421 422 pr_debug("Failed to find symbol %s\n", fsa->name); 423 return false; 424 } 425 426 /* 427 * Search for module by name: must hold module_mutex (or RCU for read-only 428 * access). 429 */ 430 struct module *find_module_all(const char *name, size_t len, 431 bool even_unformed) 432 { 433 struct module *mod; 434 435 list_for_each_entry_rcu(mod, &modules, list, 436 lockdep_is_held(&module_mutex)) { 437 if (!even_unformed && mod->state == MODULE_STATE_UNFORMED) 438 continue; 439 if (strlen(mod->name) == len && !memcmp(mod->name, name, len)) 440 return mod; 441 } 442 return NULL; 443 } 444 445 struct module *find_module(const char *name) 446 { 447 return find_module_all(name, strlen(name), false); 448 } 449 450 #ifdef CONFIG_SMP 451 452 static inline void __percpu *mod_percpu(struct module *mod) 453 { 454 return mod->percpu; 455 } 456 457 static int percpu_modalloc(struct module *mod, struct load_info *info) 458 { 459 Elf_Shdr *pcpusec = &info->sechdrs[info->index.pcpu]; 460 unsigned long align = pcpusec->sh_addralign; 461 462 if (!pcpusec->sh_size) 463 return 0; 464 465 if (align > PAGE_SIZE) { 466 pr_warn("%s: per-cpu alignment %li > %li\n", 467 mod->name, align, PAGE_SIZE); 468 align = PAGE_SIZE; 469 } 470 471 mod->percpu = __alloc_reserved_percpu(pcpusec->sh_size, align); 472 if (!mod->percpu) { 473 pr_warn("%s: Could not allocate %lu bytes percpu data\n", 474 mod->name, (unsigned long)pcpusec->sh_size); 475 return -ENOMEM; 476 } 477 mod->percpu_size = pcpusec->sh_size; 478 return 0; 479 } 480 481 static void percpu_modfree(struct module *mod) 482 { 483 free_percpu(mod->percpu); 484 } 485 486 static unsigned int find_pcpusec(struct load_info *info) 487 { 488 return find_sec(info, ".data..percpu"); 489 } 490 491 static void percpu_modcopy(struct module *mod, 492 const void *from, unsigned long size) 493 { 494 int cpu; 495 496 for_each_possible_cpu(cpu) 497 memcpy(per_cpu_ptr(mod->percpu, cpu), from, size); 498 } 499 500 bool __is_module_percpu_address(unsigned long addr, unsigned long *can_addr) 501 { 502 struct module *mod; 503 unsigned int cpu; 504 505 guard(rcu)(); 506 list_for_each_entry_rcu(mod, &modules, list) { 507 if (mod->state == MODULE_STATE_UNFORMED) 508 continue; 509 if (!mod->percpu_size) 510 continue; 511 for_each_possible_cpu(cpu) { 512 void *start = per_cpu_ptr(mod->percpu, cpu); 513 void *va = (void *)addr; 514 515 if (va >= start && va < start + mod->percpu_size) { 516 if (can_addr) { 517 *can_addr = (unsigned long) (va - start); 518 *can_addr += (unsigned long) 519 per_cpu_ptr(mod->percpu, 520 get_boot_cpu_id()); 521 } 522 return true; 523 } 524 } 525 } 526 return false; 527 } 528 529 /** 530 * is_module_percpu_address() - test whether address is from module static percpu 531 * @addr: address to test 532 * 533 * Test whether @addr belongs to module static percpu area. 534 * 535 * Return: %true if @addr is from module static percpu area 536 */ 537 bool is_module_percpu_address(unsigned long addr) 538 { 539 return __is_module_percpu_address(addr, NULL); 540 } 541 542 #else /* ... !CONFIG_SMP */ 543 544 static inline void __percpu *mod_percpu(struct module *mod) 545 { 546 return NULL; 547 } 548 static int percpu_modalloc(struct module *mod, struct load_info *info) 549 { 550 /* UP modules shouldn't have this section: ENOMEM isn't quite right */ 551 if (info->sechdrs[info->index.pcpu].sh_size != 0) 552 return -ENOMEM; 553 return 0; 554 } 555 static inline void percpu_modfree(struct module *mod) 556 { 557 } 558 static unsigned int find_pcpusec(struct load_info *info) 559 { 560 return 0; 561 } 562 static inline void percpu_modcopy(struct module *mod, 563 const void *from, unsigned long size) 564 { 565 /* pcpusec should be 0, and size of that section should be 0. */ 566 BUG_ON(size != 0); 567 } 568 bool is_module_percpu_address(unsigned long addr) 569 { 570 return false; 571 } 572 573 bool __is_module_percpu_address(unsigned long addr, unsigned long *can_addr) 574 { 575 return false; 576 } 577 578 #endif /* CONFIG_SMP */ 579 580 #define MODINFO_ATTR(field) \ 581 static void setup_modinfo_##field(struct module *mod, const char *s) \ 582 { \ 583 mod->field = kstrdup(s, GFP_KERNEL); \ 584 } \ 585 static ssize_t show_modinfo_##field(const struct module_attribute *mattr, \ 586 struct module_kobject *mk, char *buffer) \ 587 { \ 588 return scnprintf(buffer, PAGE_SIZE, "%s\n", mk->mod->field); \ 589 } \ 590 static int modinfo_##field##_exists(struct module *mod) \ 591 { \ 592 return mod->field != NULL; \ 593 } \ 594 static void free_modinfo_##field(struct module *mod) \ 595 { \ 596 kfree(mod->field); \ 597 mod->field = NULL; \ 598 } \ 599 static const struct module_attribute modinfo_##field = { \ 600 .attr = { .name = __stringify(field), .mode = 0444 }, \ 601 .show = show_modinfo_##field, \ 602 .setup = setup_modinfo_##field, \ 603 .test = modinfo_##field##_exists, \ 604 .free = free_modinfo_##field, \ 605 }; 606 607 MODINFO_ATTR(version); 608 MODINFO_ATTR(srcversion); 609 610 static struct { 611 char name[MODULE_NAME_LEN]; 612 char taints[MODULE_FLAGS_BUF_SIZE]; 613 } last_unloaded_module; 614 615 #ifdef CONFIG_MODULE_UNLOAD 616 617 EXPORT_TRACEPOINT_SYMBOL(module_get); 618 619 /* MODULE_REF_BASE is the base reference count by kmodule loader. */ 620 #define MODULE_REF_BASE 1 621 622 /* Init the unload section of the module. */ 623 static int module_unload_init(struct module *mod) 624 { 625 /* 626 * Initialize reference counter to MODULE_REF_BASE. 627 * refcnt == 0 means module is going. 628 */ 629 atomic_set(&mod->refcnt, MODULE_REF_BASE); 630 631 INIT_LIST_HEAD(&mod->source_list); 632 INIT_LIST_HEAD(&mod->target_list); 633 634 /* Hold reference count during initialization. */ 635 atomic_inc(&mod->refcnt); 636 637 return 0; 638 } 639 640 /* Does a already use b? */ 641 static int already_uses(struct module *a, struct module *b) 642 { 643 struct module_use *use; 644 645 list_for_each_entry(use, &b->source_list, source_list) { 646 if (use->source == a) 647 return 1; 648 } 649 pr_debug("%s does not use %s!\n", a->name, b->name); 650 return 0; 651 } 652 653 /* 654 * Module a uses b 655 * - we add 'a' as a "source", 'b' as a "target" of module use 656 * - the module_use is added to the list of 'b' sources (so 657 * 'b' can walk the list to see who sourced them), and of 'a' 658 * targets (so 'a' can see what modules it targets). 659 */ 660 static int add_module_usage(struct module *a, struct module *b) 661 { 662 struct module_use *use; 663 664 pr_debug("Allocating new usage for %s.\n", a->name); 665 use = kmalloc(sizeof(*use), GFP_ATOMIC); 666 if (!use) 667 return -ENOMEM; 668 669 use->source = a; 670 use->target = b; 671 list_add(&use->source_list, &b->source_list); 672 list_add(&use->target_list, &a->target_list); 673 return 0; 674 } 675 676 /* Module a uses b: caller needs module_mutex() */ 677 static int ref_module(struct module *a, struct module *b) 678 { 679 int err; 680 681 if (b == NULL || already_uses(a, b)) 682 return 0; 683 684 /* If module isn't available, we fail. */ 685 err = strong_try_module_get(b); 686 if (err) 687 return err; 688 689 err = add_module_usage(a, b); 690 if (err) { 691 module_put(b); 692 return err; 693 } 694 return 0; 695 } 696 697 /* Clear the unload stuff of the module. */ 698 static void module_unload_free(struct module *mod) 699 { 700 struct module_use *use, *tmp; 701 702 mutex_lock(&module_mutex); 703 list_for_each_entry_safe(use, tmp, &mod->target_list, target_list) { 704 struct module *i = use->target; 705 pr_debug("%s unusing %s\n", mod->name, i->name); 706 module_put(i); 707 list_del(&use->source_list); 708 list_del(&use->target_list); 709 kfree(use); 710 } 711 mutex_unlock(&module_mutex); 712 } 713 714 #ifdef CONFIG_MODULE_FORCE_UNLOAD 715 static inline int try_force_unload(unsigned int flags) 716 { 717 int ret = (flags & O_TRUNC); 718 if (ret) 719 add_taint(TAINT_FORCED_RMMOD, LOCKDEP_NOW_UNRELIABLE); 720 return ret; 721 } 722 #else 723 static inline int try_force_unload(unsigned int flags) 724 { 725 return 0; 726 } 727 #endif /* CONFIG_MODULE_FORCE_UNLOAD */ 728 729 /* Try to release refcount of module, 0 means success. */ 730 static int try_release_module_ref(struct module *mod) 731 { 732 int ret; 733 734 /* Try to decrement refcnt which we set at loading */ 735 ret = atomic_sub_return(MODULE_REF_BASE, &mod->refcnt); 736 BUG_ON(ret < 0); 737 if (ret) 738 /* Someone can put this right now, recover with checking */ 739 ret = atomic_add_unless(&mod->refcnt, MODULE_REF_BASE, 0); 740 741 return ret; 742 } 743 744 static int try_stop_module(struct module *mod, int flags, int *forced) 745 { 746 /* If it's not unused, quit unless we're forcing. */ 747 if (try_release_module_ref(mod) != 0) { 748 *forced = try_force_unload(flags); 749 if (!(*forced)) 750 return -EWOULDBLOCK; 751 } 752 753 /* Mark it as dying. */ 754 mod->state = MODULE_STATE_GOING; 755 756 return 0; 757 } 758 759 /** 760 * module_refcount() - return the refcount or -1 if unloading 761 * @mod: the module we're checking 762 * 763 * Return: 764 * -1 if the module is in the process of unloading 765 * otherwise the number of references in the kernel to the module 766 */ 767 int module_refcount(struct module *mod) 768 { 769 return atomic_read(&mod->refcnt) - MODULE_REF_BASE; 770 } 771 EXPORT_SYMBOL(module_refcount); 772 773 /* This exists whether we can unload or not */ 774 static void free_module(struct module *mod); 775 776 SYSCALL_DEFINE2(delete_module, const char __user *, name_user, 777 unsigned int, flags) 778 { 779 struct module *mod; 780 char name[MODULE_NAME_LEN]; 781 char buf[MODULE_FLAGS_BUF_SIZE]; 782 int ret, len, forced = 0; 783 784 if (!capable(CAP_SYS_MODULE) || modules_disabled) 785 return -EPERM; 786 787 len = strncpy_from_user(name, name_user, MODULE_NAME_LEN); 788 if (len == 0 || len == MODULE_NAME_LEN) 789 return -ENOENT; 790 if (len < 0) 791 return len; 792 793 audit_log_kern_module(name); 794 795 if (mutex_lock_interruptible(&module_mutex) != 0) 796 return -EINTR; 797 798 mod = find_module(name); 799 if (!mod) { 800 ret = -ENOENT; 801 goto out; 802 } 803 804 if (!list_empty(&mod->source_list)) { 805 /* Other modules depend on us: get rid of them first. */ 806 ret = -EWOULDBLOCK; 807 goto out; 808 } 809 810 /* Doing init or already dying? */ 811 if (mod->state != MODULE_STATE_LIVE) { 812 /* FIXME: if (force), slam module count damn the torpedoes */ 813 pr_debug("%s already dying\n", mod->name); 814 ret = -EBUSY; 815 goto out; 816 } 817 818 /* If it has an init func, it must have an exit func to unload */ 819 if (mod->init && !mod->exit) { 820 forced = try_force_unload(flags); 821 if (!forced) { 822 /* This module can't be removed */ 823 ret = -EBUSY; 824 goto out; 825 } 826 } 827 828 ret = try_stop_module(mod, flags, &forced); 829 if (ret != 0) 830 goto out; 831 832 mutex_unlock(&module_mutex); 833 /* Final destruction now no one is using it. */ 834 if (mod->exit != NULL) 835 mod->exit(); 836 blocking_notifier_call_chain(&module_notify_list, 837 MODULE_STATE_GOING, mod); 838 klp_module_going(mod); 839 ftrace_release_mod(mod); 840 841 async_synchronize_full(); 842 843 /* Store the name and taints of the last unloaded module for diagnostic purposes */ 844 strscpy(last_unloaded_module.name, mod->name); 845 strscpy(last_unloaded_module.taints, module_flags(mod, buf, false)); 846 847 free_module(mod); 848 /* someone could wait for the module in add_unformed_module() */ 849 wake_up_all(&module_wq); 850 return 0; 851 out: 852 mutex_unlock(&module_mutex); 853 return ret; 854 } 855 856 void __symbol_put(const char *symbol) 857 { 858 struct find_symbol_arg fsa = { 859 .name = symbol, 860 .gplok = true, 861 }; 862 863 guard(rcu)(); 864 BUG_ON(!find_symbol(&fsa)); 865 module_put(fsa.owner); 866 } 867 EXPORT_SYMBOL(__symbol_put); 868 869 /* Note this assumes addr is a function, which it currently always is. */ 870 void symbol_put_addr(void *addr) 871 { 872 struct module *modaddr; 873 unsigned long a = (unsigned long)dereference_function_descriptor(addr); 874 875 if (core_kernel_text(a)) 876 return; 877 878 /* 879 * Even though we hold a reference on the module; we still need to 880 * RCU read section in order to safely traverse the data structure. 881 */ 882 guard(rcu)(); 883 modaddr = __module_text_address(a); 884 BUG_ON(!modaddr); 885 module_put(modaddr); 886 } 887 EXPORT_SYMBOL_GPL(symbol_put_addr); 888 889 static ssize_t show_refcnt(const struct module_attribute *mattr, 890 struct module_kobject *mk, char *buffer) 891 { 892 return sprintf(buffer, "%i\n", module_refcount(mk->mod)); 893 } 894 895 static const struct module_attribute modinfo_refcnt = 896 __ATTR(refcnt, 0444, show_refcnt, NULL); 897 898 void __module_get(struct module *module) 899 { 900 if (module) { 901 atomic_inc(&module->refcnt); 902 trace_module_get(module, _RET_IP_); 903 } 904 } 905 EXPORT_SYMBOL(__module_get); 906 907 bool try_module_get(struct module *module) 908 { 909 bool ret = true; 910 911 if (module) { 912 /* Note: here, we can fail to get a reference */ 913 if (likely(module_is_live(module) && 914 atomic_inc_not_zero(&module->refcnt) != 0)) 915 trace_module_get(module, _RET_IP_); 916 else 917 ret = false; 918 } 919 return ret; 920 } 921 EXPORT_SYMBOL(try_module_get); 922 923 void module_put(struct module *module) 924 { 925 int ret; 926 927 if (module) { 928 ret = atomic_dec_if_positive(&module->refcnt); 929 WARN_ON(ret < 0); /* Failed to put refcount */ 930 trace_module_put(module, _RET_IP_); 931 } 932 } 933 EXPORT_SYMBOL(module_put); 934 935 #else /* !CONFIG_MODULE_UNLOAD */ 936 static inline void module_unload_free(struct module *mod) 937 { 938 } 939 940 static int ref_module(struct module *a, struct module *b) 941 { 942 return strong_try_module_get(b); 943 } 944 945 static inline int module_unload_init(struct module *mod) 946 { 947 return 0; 948 } 949 #endif /* CONFIG_MODULE_UNLOAD */ 950 951 size_t module_flags_taint(unsigned long taints, char *buf) 952 { 953 size_t l = 0; 954 int i; 955 956 for (i = 0; i < TAINT_FLAGS_COUNT; i++) { 957 if (taint_flags[i].module && test_bit(i, &taints)) 958 buf[l++] = taint_flags[i].c_true; 959 } 960 961 return l; 962 } 963 964 static ssize_t show_initstate(const struct module_attribute *mattr, 965 struct module_kobject *mk, char *buffer) 966 { 967 const char *state = "unknown"; 968 969 switch (mk->mod->state) { 970 case MODULE_STATE_LIVE: 971 state = "live"; 972 break; 973 case MODULE_STATE_COMING: 974 state = "coming"; 975 break; 976 case MODULE_STATE_GOING: 977 state = "going"; 978 break; 979 default: 980 BUG(); 981 } 982 return sprintf(buffer, "%s\n", state); 983 } 984 985 static const struct module_attribute modinfo_initstate = 986 __ATTR(initstate, 0444, show_initstate, NULL); 987 988 static ssize_t store_uevent(const struct module_attribute *mattr, 989 struct module_kobject *mk, 990 const char *buffer, size_t count) 991 { 992 int rc; 993 994 rc = kobject_synth_uevent(&mk->kobj, buffer, count); 995 return rc ? rc : count; 996 } 997 998 const struct module_attribute module_uevent = 999 __ATTR(uevent, 0200, NULL, store_uevent); 1000 1001 static ssize_t show_coresize(const struct module_attribute *mattr, 1002 struct module_kobject *mk, char *buffer) 1003 { 1004 unsigned int size = mk->mod->mem[MOD_TEXT].size; 1005 1006 if (!IS_ENABLED(CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC)) { 1007 for_class_mod_mem_type(type, core_data) 1008 size += mk->mod->mem[type].size; 1009 } 1010 return sprintf(buffer, "%u\n", size); 1011 } 1012 1013 static const struct module_attribute modinfo_coresize = 1014 __ATTR(coresize, 0444, show_coresize, NULL); 1015 1016 #ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC 1017 static ssize_t show_datasize(const struct module_attribute *mattr, 1018 struct module_kobject *mk, char *buffer) 1019 { 1020 unsigned int size = 0; 1021 1022 for_class_mod_mem_type(type, core_data) 1023 size += mk->mod->mem[type].size; 1024 return sprintf(buffer, "%u\n", size); 1025 } 1026 1027 static const struct module_attribute modinfo_datasize = 1028 __ATTR(datasize, 0444, show_datasize, NULL); 1029 #endif 1030 1031 static ssize_t show_initsize(const struct module_attribute *mattr, 1032 struct module_kobject *mk, char *buffer) 1033 { 1034 unsigned int size = 0; 1035 1036 for_class_mod_mem_type(type, init) 1037 size += mk->mod->mem[type].size; 1038 return sprintf(buffer, "%u\n", size); 1039 } 1040 1041 static const struct module_attribute modinfo_initsize = 1042 __ATTR(initsize, 0444, show_initsize, NULL); 1043 1044 static ssize_t show_taint(const struct module_attribute *mattr, 1045 struct module_kobject *mk, char *buffer) 1046 { 1047 size_t l; 1048 1049 l = module_flags_taint(mk->mod->taints, buffer); 1050 buffer[l++] = '\n'; 1051 return l; 1052 } 1053 1054 static const struct module_attribute modinfo_taint = 1055 __ATTR(taint, 0444, show_taint, NULL); 1056 1057 const struct module_attribute *const modinfo_attrs[] = { 1058 &module_uevent, 1059 &modinfo_version, 1060 &modinfo_srcversion, 1061 &modinfo_initstate, 1062 &modinfo_coresize, 1063 #ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC 1064 &modinfo_datasize, 1065 #endif 1066 &modinfo_initsize, 1067 &modinfo_taint, 1068 #ifdef CONFIG_MODULE_UNLOAD 1069 &modinfo_refcnt, 1070 #endif 1071 NULL, 1072 }; 1073 1074 const size_t modinfo_attrs_count = ARRAY_SIZE(modinfo_attrs); 1075 1076 static const char vermagic[] = VERMAGIC_STRING; 1077 1078 int try_to_force_load(struct module *mod, const char *reason) 1079 { 1080 #ifdef CONFIG_MODULE_FORCE_LOAD 1081 if (!test_taint(TAINT_FORCED_MODULE)) 1082 pr_warn("%s: %s: kernel tainted.\n", mod->name, reason); 1083 add_taint_module(mod, TAINT_FORCED_MODULE, LOCKDEP_NOW_UNRELIABLE); 1084 return 0; 1085 #else 1086 return -ENOEXEC; 1087 #endif 1088 } 1089 1090 /* Parse tag=value strings from .modinfo section */ 1091 char *module_next_tag_pair(char *string, unsigned long *secsize) 1092 { 1093 /* Skip non-zero chars */ 1094 while (string[0]) { 1095 string++; 1096 if ((*secsize)-- <= 1) 1097 return NULL; 1098 } 1099 1100 /* Skip any zero padding. */ 1101 while (!string[0]) { 1102 string++; 1103 if ((*secsize)-- <= 1) 1104 return NULL; 1105 } 1106 return string; 1107 } 1108 1109 static char *get_next_modinfo(const struct load_info *info, const char *tag, 1110 char *prev) 1111 { 1112 char *p; 1113 unsigned int taglen = strlen(tag); 1114 Elf_Shdr *infosec = &info->sechdrs[info->index.info]; 1115 unsigned long size = infosec->sh_size; 1116 1117 /* 1118 * get_modinfo() calls made before rewrite_section_headers() 1119 * must use sh_offset, as sh_addr isn't set! 1120 */ 1121 char *modinfo = (char *)info->hdr + infosec->sh_offset; 1122 1123 if (prev) { 1124 size -= prev - modinfo; 1125 modinfo = module_next_tag_pair(prev, &size); 1126 } 1127 1128 for (p = modinfo; p; p = module_next_tag_pair(p, &size)) { 1129 if (strncmp(p, tag, taglen) == 0 && p[taglen] == '=') 1130 return p + taglen + 1; 1131 } 1132 return NULL; 1133 } 1134 1135 static char *get_modinfo(const struct load_info *info, const char *tag) 1136 { 1137 return get_next_modinfo(info, tag, NULL); 1138 } 1139 1140 /** 1141 * verify_module_namespace() - does @modname have access to this symbol's @namespace 1142 * @namespace: export symbol namespace 1143 * @modname: module name 1144 * 1145 * If @namespace is prefixed with "module:" to indicate it is a module namespace 1146 * then test if @modname matches any of the comma separated patterns. 1147 * 1148 * The patterns only support tail-glob. 1149 */ 1150 static bool verify_module_namespace(const char *namespace, const char *modname) 1151 { 1152 size_t len, modlen = strlen(modname); 1153 const char *prefix = "module:"; 1154 const char *sep; 1155 bool glob; 1156 1157 if (!strstarts(namespace, prefix)) 1158 return false; 1159 1160 for (namespace += strlen(prefix); *namespace; namespace = sep) { 1161 sep = strchrnul(namespace, ','); 1162 len = sep - namespace; 1163 1164 glob = false; 1165 if (sep[-1] == '*') { 1166 len--; 1167 glob = true; 1168 } 1169 1170 if (*sep) 1171 sep++; 1172 1173 if (mod_strncmp(namespace, modname, len) == 0 && (glob || len == modlen)) 1174 return true; 1175 } 1176 1177 return false; 1178 } 1179 1180 static int verify_namespace_is_imported(const struct load_info *info, 1181 const struct kernel_symbol *sym, 1182 struct module *mod) 1183 { 1184 const char *namespace; 1185 char *imported_namespace; 1186 1187 namespace = kernel_symbol_namespace(sym); 1188 if (namespace && namespace[0]) { 1189 1190 if (verify_module_namespace(namespace, mod->name)) 1191 return 0; 1192 1193 for_each_modinfo_entry(imported_namespace, info, "import_ns") { 1194 if (strcmp(namespace, imported_namespace) == 0) 1195 return 0; 1196 } 1197 #ifdef CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 1198 pr_warn( 1199 #else 1200 pr_err( 1201 #endif 1202 "%s: module uses symbol (%s) from namespace %s, but does not import it.\n", 1203 mod->name, kernel_symbol_name(sym), namespace); 1204 #ifndef CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 1205 return -EINVAL; 1206 #endif 1207 } 1208 return 0; 1209 } 1210 1211 static bool inherit_taint(struct module *mod, struct module *owner, const char *name) 1212 { 1213 if (!owner || !test_bit(TAINT_PROPRIETARY_MODULE, &owner->taints)) 1214 return true; 1215 1216 if (mod->using_gplonly_symbols) { 1217 pr_err("%s: module using GPL-only symbols uses symbols %s from proprietary module %s.\n", 1218 mod->name, name, owner->name); 1219 return false; 1220 } 1221 1222 if (!test_bit(TAINT_PROPRIETARY_MODULE, &mod->taints)) { 1223 pr_warn("%s: module uses symbols %s from proprietary module %s, inheriting taint.\n", 1224 mod->name, name, owner->name); 1225 set_bit(TAINT_PROPRIETARY_MODULE, &mod->taints); 1226 } 1227 return true; 1228 } 1229 1230 /* Resolve a symbol for this module. I.e. if we find one, record usage. */ 1231 static const struct kernel_symbol *resolve_symbol(struct module *mod, 1232 const struct load_info *info, 1233 const char *name, 1234 char ownername[]) 1235 { 1236 struct find_symbol_arg fsa = { 1237 .name = name, 1238 .gplok = !(mod->taints & (1 << TAINT_PROPRIETARY_MODULE)), 1239 .warn = true, 1240 }; 1241 int err; 1242 1243 /* 1244 * The module_mutex should not be a heavily contended lock; 1245 * if we get the occasional sleep here, we'll go an extra iteration 1246 * in the wait_event_interruptible(), which is harmless. 1247 */ 1248 sched_annotate_sleep(); 1249 mutex_lock(&module_mutex); 1250 if (!find_symbol(&fsa)) 1251 goto unlock; 1252 1253 if (fsa.license == GPL_ONLY) 1254 mod->using_gplonly_symbols = true; 1255 1256 if (!inherit_taint(mod, fsa.owner, name)) { 1257 fsa.sym = NULL; 1258 goto getname; 1259 } 1260 1261 if (!check_version(info, name, mod, fsa.crc)) { 1262 fsa.sym = ERR_PTR(-EINVAL); 1263 goto getname; 1264 } 1265 1266 err = verify_namespace_is_imported(info, fsa.sym, mod); 1267 if (err) { 1268 fsa.sym = ERR_PTR(err); 1269 goto getname; 1270 } 1271 1272 err = ref_module(mod, fsa.owner); 1273 if (err) { 1274 fsa.sym = ERR_PTR(err); 1275 goto getname; 1276 } 1277 1278 getname: 1279 /* We must make copy under the lock if we failed to get ref. */ 1280 strscpy(ownername, module_name(fsa.owner), MODULE_NAME_LEN); 1281 unlock: 1282 mutex_unlock(&module_mutex); 1283 return fsa.sym; 1284 } 1285 1286 static const struct kernel_symbol * 1287 resolve_symbol_wait(struct module *mod, 1288 const struct load_info *info, 1289 const char *name) 1290 { 1291 const struct kernel_symbol *ksym; 1292 char owner[MODULE_NAME_LEN]; 1293 1294 if (wait_event_interruptible_timeout(module_wq, 1295 !IS_ERR(ksym = resolve_symbol(mod, info, name, owner)) 1296 || PTR_ERR(ksym) != -EBUSY, 1297 30 * HZ) <= 0) { 1298 pr_warn("%s: gave up waiting for init of module %s.\n", 1299 mod->name, owner); 1300 } 1301 return ksym; 1302 } 1303 1304 void __weak module_arch_cleanup(struct module *mod) 1305 { 1306 } 1307 1308 void __weak module_arch_freeing_init(struct module *mod) 1309 { 1310 } 1311 1312 static int module_memory_alloc(struct module *mod, enum mod_mem_type type) 1313 { 1314 unsigned int size = PAGE_ALIGN(mod->mem[type].size); 1315 enum execmem_type execmem_type; 1316 void *ptr; 1317 1318 mod->mem[type].size = size; 1319 1320 if (mod_mem_type_is_data(type)) 1321 execmem_type = EXECMEM_MODULE_DATA; 1322 else 1323 execmem_type = EXECMEM_MODULE_TEXT; 1324 1325 ptr = execmem_alloc_rw(execmem_type, size); 1326 if (!ptr) 1327 return -ENOMEM; 1328 1329 mod->mem[type].is_rox = execmem_is_rox(execmem_type); 1330 1331 /* 1332 * The pointer to these blocks of memory are stored on the module 1333 * structure and we keep that around so long as the module is 1334 * around. We only free that memory when we unload the module. 1335 * Just mark them as not being a leak then. The .init* ELF 1336 * sections *do* get freed after boot so we *could* treat them 1337 * slightly differently with kmemleak_ignore() and only grey 1338 * them out as they work as typical memory allocations which 1339 * *do* eventually get freed, but let's just keep things simple 1340 * and avoid *any* false positives. 1341 */ 1342 if (!mod->mem[type].is_rox) 1343 kmemleak_not_leak(ptr); 1344 1345 memset(ptr, 0, size); 1346 mod->mem[type].base = ptr; 1347 1348 return 0; 1349 } 1350 1351 static void module_memory_restore_rox(struct module *mod) 1352 { 1353 for_class_mod_mem_type(type, text) { 1354 struct module_memory *mem = &mod->mem[type]; 1355 1356 if (mem->is_rox) 1357 execmem_restore_rox(mem->base, mem->size); 1358 } 1359 } 1360 1361 static void module_memory_free(struct module *mod, enum mod_mem_type type) 1362 { 1363 struct module_memory *mem = &mod->mem[type]; 1364 1365 execmem_free(mem->base); 1366 } 1367 1368 static void free_mod_mem(struct module *mod) 1369 { 1370 for_each_mod_mem_type(type) { 1371 struct module_memory *mod_mem = &mod->mem[type]; 1372 1373 if (type == MOD_DATA) 1374 continue; 1375 1376 /* Free lock-classes; relies on the preceding sync_rcu(). */ 1377 lockdep_free_key_range(mod_mem->base, mod_mem->size); 1378 if (mod_mem->size) 1379 module_memory_free(mod, type); 1380 } 1381 1382 /* MOD_DATA hosts mod, so free it at last */ 1383 lockdep_free_key_range(mod->mem[MOD_DATA].base, mod->mem[MOD_DATA].size); 1384 module_memory_free(mod, MOD_DATA); 1385 } 1386 1387 /* Free a module, remove from lists, etc. */ 1388 static void free_module(struct module *mod) 1389 { 1390 trace_module_free(mod); 1391 1392 codetag_unload_module(mod); 1393 1394 mod_sysfs_teardown(mod); 1395 1396 /* 1397 * We leave it in list to prevent duplicate loads, but make sure 1398 * that noone uses it while it's being deconstructed. 1399 */ 1400 mutex_lock(&module_mutex); 1401 mod->state = MODULE_STATE_UNFORMED; 1402 mutex_unlock(&module_mutex); 1403 1404 /* Arch-specific cleanup. */ 1405 module_arch_cleanup(mod); 1406 1407 /* Module unload stuff */ 1408 module_unload_free(mod); 1409 1410 /* Free any allocated parameters. */ 1411 destroy_params(mod->kp, mod->num_kp); 1412 1413 if (is_livepatch_module(mod)) 1414 free_module_elf(mod); 1415 1416 /* Now we can delete it from the lists */ 1417 mutex_lock(&module_mutex); 1418 /* Unlink carefully: kallsyms could be walking list. */ 1419 list_del_rcu(&mod->list); 1420 mod_tree_remove(mod); 1421 /* Remove this module from bug list, this uses list_del_rcu */ 1422 module_bug_cleanup(mod); 1423 /* Wait for RCU synchronizing before releasing mod->list and buglist. */ 1424 synchronize_rcu(); 1425 if (try_add_tainted_module(mod)) 1426 pr_err("%s: adding tainted module to the unloaded tainted modules list failed.\n", 1427 mod->name); 1428 mutex_unlock(&module_mutex); 1429 1430 /* This may be empty, but that's OK */ 1431 module_arch_freeing_init(mod); 1432 kfree(mod->args); 1433 percpu_modfree(mod); 1434 1435 free_mod_mem(mod); 1436 } 1437 1438 void *__symbol_get(const char *symbol) 1439 { 1440 struct find_symbol_arg fsa = { 1441 .name = symbol, 1442 .gplok = true, 1443 .warn = true, 1444 }; 1445 1446 scoped_guard(rcu) { 1447 if (!find_symbol(&fsa)) 1448 return NULL; 1449 if (fsa.license != GPL_ONLY) { 1450 pr_warn("failing symbol_get of non-GPLONLY symbol %s.\n", 1451 symbol); 1452 return NULL; 1453 } 1454 if (strong_try_module_get(fsa.owner)) 1455 return NULL; 1456 } 1457 return (void *)kernel_symbol_value(fsa.sym); 1458 } 1459 EXPORT_SYMBOL_GPL(__symbol_get); 1460 1461 /* 1462 * Ensure that an exported symbol [global namespace] does not already exist 1463 * in the kernel or in some other module's exported symbol table. 1464 * 1465 * You must hold the module_mutex. 1466 */ 1467 static int verify_exported_symbols(struct module *mod) 1468 { 1469 unsigned int i; 1470 const struct kernel_symbol *s; 1471 struct { 1472 const struct kernel_symbol *sym; 1473 unsigned int num; 1474 } arr[] = { 1475 { mod->syms, mod->num_syms }, 1476 { mod->gpl_syms, mod->num_gpl_syms }, 1477 }; 1478 1479 for (i = 0; i < ARRAY_SIZE(arr); i++) { 1480 for (s = arr[i].sym; s < arr[i].sym + arr[i].num; s++) { 1481 struct find_symbol_arg fsa = { 1482 .name = kernel_symbol_name(s), 1483 .gplok = true, 1484 }; 1485 if (find_symbol(&fsa)) { 1486 pr_err("%s: exports duplicate symbol %s" 1487 " (owned by %s)\n", 1488 mod->name, kernel_symbol_name(s), 1489 module_name(fsa.owner)); 1490 return -ENOEXEC; 1491 } 1492 } 1493 } 1494 return 0; 1495 } 1496 1497 static bool ignore_undef_symbol(Elf_Half emachine, const char *name) 1498 { 1499 /* 1500 * On x86, PIC code and Clang non-PIC code may have call foo@PLT. GNU as 1501 * before 2.37 produces an unreferenced _GLOBAL_OFFSET_TABLE_ on x86-64. 1502 * i386 has a similar problem but may not deserve a fix. 1503 * 1504 * If we ever have to ignore many symbols, consider refactoring the code to 1505 * only warn if referenced by a relocation. 1506 */ 1507 if (emachine == EM_386 || emachine == EM_X86_64) 1508 return !strcmp(name, "_GLOBAL_OFFSET_TABLE_"); 1509 return false; 1510 } 1511 1512 /* Change all symbols so that st_value encodes the pointer directly. */ 1513 static int simplify_symbols(struct module *mod, const struct load_info *info) 1514 { 1515 Elf_Shdr *symsec = &info->sechdrs[info->index.sym]; 1516 Elf_Sym *sym = (void *)symsec->sh_addr; 1517 unsigned long secbase; 1518 unsigned int i; 1519 int ret = 0; 1520 const struct kernel_symbol *ksym; 1521 1522 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { 1523 const char *name = info->strtab + sym[i].st_name; 1524 1525 switch (sym[i].st_shndx) { 1526 case SHN_COMMON: 1527 /* Ignore common symbols */ 1528 if (!strncmp(name, "__gnu_lto", 9)) 1529 break; 1530 1531 /* 1532 * We compiled with -fno-common. These are not 1533 * supposed to happen. 1534 */ 1535 pr_debug("Common symbol: %s\n", name); 1536 pr_warn("%s: please compile with -fno-common\n", 1537 mod->name); 1538 ret = -ENOEXEC; 1539 break; 1540 1541 case SHN_ABS: 1542 /* Don't need to do anything */ 1543 pr_debug("Absolute symbol: 0x%08lx %s\n", 1544 (long)sym[i].st_value, name); 1545 break; 1546 1547 case SHN_LIVEPATCH: 1548 /* Livepatch symbols are resolved by livepatch */ 1549 break; 1550 1551 case SHN_UNDEF: 1552 ksym = resolve_symbol_wait(mod, info, name); 1553 /* Ok if resolved. */ 1554 if (ksym && !IS_ERR(ksym)) { 1555 sym[i].st_value = kernel_symbol_value(ksym); 1556 break; 1557 } 1558 1559 /* Ok if weak or ignored. */ 1560 if (!ksym && 1561 (ELF_ST_BIND(sym[i].st_info) == STB_WEAK || 1562 ignore_undef_symbol(info->hdr->e_machine, name))) 1563 break; 1564 1565 ret = PTR_ERR(ksym) ?: -ENOENT; 1566 pr_warn("%s: Unknown symbol %s (err %d)\n", 1567 mod->name, name, ret); 1568 break; 1569 1570 default: 1571 /* Divert to percpu allocation if a percpu var. */ 1572 if (sym[i].st_shndx == info->index.pcpu) 1573 secbase = (unsigned long)mod_percpu(mod); 1574 else 1575 secbase = info->sechdrs[sym[i].st_shndx].sh_addr; 1576 sym[i].st_value += secbase; 1577 break; 1578 } 1579 } 1580 1581 return ret; 1582 } 1583 1584 static int apply_relocations(struct module *mod, const struct load_info *info) 1585 { 1586 unsigned int i; 1587 int err = 0; 1588 1589 /* Now do relocations. */ 1590 for (i = 1; i < info->hdr->e_shnum; i++) { 1591 unsigned int infosec = info->sechdrs[i].sh_info; 1592 1593 /* Not a valid relocation section? */ 1594 if (infosec >= info->hdr->e_shnum) 1595 continue; 1596 1597 /* 1598 * Don't bother with non-allocated sections. 1599 * An exception is the percpu section, which has separate allocations 1600 * for individual CPUs. We relocate the percpu section in the initial 1601 * ELF template and subsequently copy it to the per-CPU destinations. 1602 */ 1603 if (!(info->sechdrs[infosec].sh_flags & SHF_ALLOC) && 1604 (!infosec || infosec != info->index.pcpu)) 1605 continue; 1606 1607 if (info->sechdrs[i].sh_flags & SHF_RELA_LIVEPATCH) 1608 err = klp_apply_section_relocs(mod, info->sechdrs, 1609 info->secstrings, 1610 info->strtab, 1611 info->index.sym, i, 1612 NULL); 1613 else if (info->sechdrs[i].sh_type == SHT_REL) 1614 err = apply_relocate(info->sechdrs, info->strtab, 1615 info->index.sym, i, mod); 1616 else if (info->sechdrs[i].sh_type == SHT_RELA) 1617 err = apply_relocate_add(info->sechdrs, info->strtab, 1618 info->index.sym, i, mod); 1619 if (err < 0) 1620 break; 1621 } 1622 return err; 1623 } 1624 1625 /* Additional bytes needed by arch in front of individual sections */ 1626 unsigned int __weak arch_mod_section_prepend(struct module *mod, 1627 unsigned int section) 1628 { 1629 /* default implementation just returns zero */ 1630 return 0; 1631 } 1632 1633 long module_get_offset_and_type(struct module *mod, enum mod_mem_type type, 1634 Elf_Shdr *sechdr, unsigned int section) 1635 { 1636 long offset; 1637 long mask = ((unsigned long)(type) & SH_ENTSIZE_TYPE_MASK) << SH_ENTSIZE_TYPE_SHIFT; 1638 1639 mod->mem[type].size += arch_mod_section_prepend(mod, section); 1640 offset = ALIGN(mod->mem[type].size, sechdr->sh_addralign ?: 1); 1641 mod->mem[type].size = offset + sechdr->sh_size; 1642 1643 WARN_ON_ONCE(offset & mask); 1644 return offset | mask; 1645 } 1646 1647 bool module_init_layout_section(const char *sname) 1648 { 1649 #ifndef CONFIG_MODULE_UNLOAD 1650 if (module_exit_section(sname)) 1651 return true; 1652 #endif 1653 return module_init_section(sname); 1654 } 1655 1656 static void __layout_sections(struct module *mod, struct load_info *info, bool is_init) 1657 { 1658 unsigned int m, i; 1659 1660 /* 1661 * { Mask of required section header flags, 1662 * Mask of excluded section header flags } 1663 */ 1664 static const unsigned long masks[][2] = { 1665 { SHF_EXECINSTR | SHF_ALLOC, ARCH_SHF_SMALL }, 1666 { SHF_ALLOC, SHF_WRITE | ARCH_SHF_SMALL }, 1667 { SHF_RO_AFTER_INIT | SHF_ALLOC, ARCH_SHF_SMALL }, 1668 { SHF_WRITE | SHF_ALLOC, ARCH_SHF_SMALL }, 1669 { ARCH_SHF_SMALL | SHF_ALLOC, 0 } 1670 }; 1671 static const int core_m_to_mem_type[] = { 1672 MOD_TEXT, 1673 MOD_RODATA, 1674 MOD_RO_AFTER_INIT, 1675 MOD_DATA, 1676 MOD_DATA, 1677 }; 1678 static const int init_m_to_mem_type[] = { 1679 MOD_INIT_TEXT, 1680 MOD_INIT_RODATA, 1681 MOD_INVALID, 1682 MOD_INIT_DATA, 1683 MOD_INIT_DATA, 1684 }; 1685 1686 for (m = 0; m < ARRAY_SIZE(masks); ++m) { 1687 enum mod_mem_type type = is_init ? init_m_to_mem_type[m] : core_m_to_mem_type[m]; 1688 1689 for (i = 0; i < info->hdr->e_shnum; ++i) { 1690 Elf_Shdr *s = &info->sechdrs[i]; 1691 const char *sname = info->secstrings + s->sh_name; 1692 1693 if ((s->sh_flags & masks[m][0]) != masks[m][0] 1694 || (s->sh_flags & masks[m][1]) 1695 || s->sh_entsize != ~0UL 1696 || is_init != module_init_layout_section(sname)) 1697 continue; 1698 1699 if (WARN_ON_ONCE(type == MOD_INVALID)) 1700 continue; 1701 1702 /* 1703 * Do not allocate codetag memory as we load it into 1704 * preallocated contiguous memory. 1705 */ 1706 if (codetag_needs_module_section(mod, sname, s->sh_size)) { 1707 /* 1708 * s->sh_entsize won't be used but populate the 1709 * type field to avoid confusion. 1710 */ 1711 s->sh_entsize = ((unsigned long)(type) & SH_ENTSIZE_TYPE_MASK) 1712 << SH_ENTSIZE_TYPE_SHIFT; 1713 continue; 1714 } 1715 1716 s->sh_entsize = module_get_offset_and_type(mod, type, s, i); 1717 pr_debug("\t%s\n", sname); 1718 } 1719 } 1720 } 1721 1722 /* 1723 * Lay out the SHF_ALLOC sections in a way not dissimilar to how ld 1724 * might -- code, read-only data, read-write data, small data. Tally 1725 * sizes, and place the offsets into sh_entsize fields: high bit means it 1726 * belongs in init. 1727 */ 1728 static void layout_sections(struct module *mod, struct load_info *info) 1729 { 1730 unsigned int i; 1731 1732 for (i = 0; i < info->hdr->e_shnum; i++) 1733 info->sechdrs[i].sh_entsize = ~0UL; 1734 1735 pr_debug("Core section allocation order for %s:\n", mod->name); 1736 __layout_sections(mod, info, false); 1737 1738 pr_debug("Init section allocation order for %s:\n", mod->name); 1739 __layout_sections(mod, info, true); 1740 } 1741 1742 static void module_license_taint_check(struct module *mod, const char *license) 1743 { 1744 if (!license) 1745 license = "unspecified"; 1746 1747 if (!license_is_gpl_compatible(license)) { 1748 if (!test_taint(TAINT_PROPRIETARY_MODULE)) 1749 pr_warn("%s: module license '%s' taints kernel.\n", 1750 mod->name, license); 1751 add_taint_module(mod, TAINT_PROPRIETARY_MODULE, 1752 LOCKDEP_NOW_UNRELIABLE); 1753 } 1754 } 1755 1756 static int setup_modinfo(struct module *mod, struct load_info *info) 1757 { 1758 const struct module_attribute *attr; 1759 char *imported_namespace; 1760 int i; 1761 1762 for (i = 0; (attr = modinfo_attrs[i]); i++) { 1763 if (attr->setup) 1764 attr->setup(mod, get_modinfo(info, attr->attr.name)); 1765 } 1766 1767 for_each_modinfo_entry(imported_namespace, info, "import_ns") { 1768 /* 1769 * 'module:' prefixed namespaces are implicit, disallow 1770 * explicit imports. 1771 */ 1772 if (strstarts(imported_namespace, "module:")) { 1773 pr_err("%s: module tries to import module namespace: %s\n", 1774 mod->name, imported_namespace); 1775 return -EPERM; 1776 } 1777 } 1778 1779 return 0; 1780 } 1781 1782 static void free_modinfo(struct module *mod) 1783 { 1784 const struct module_attribute *attr; 1785 int i; 1786 1787 for (i = 0; (attr = modinfo_attrs[i]); i++) { 1788 if (attr->free) 1789 attr->free(mod); 1790 } 1791 } 1792 1793 bool __weak module_init_section(const char *name) 1794 { 1795 return strstarts(name, ".init"); 1796 } 1797 1798 bool __weak module_exit_section(const char *name) 1799 { 1800 return strstarts(name, ".exit"); 1801 } 1802 1803 static int validate_section_offset(const struct load_info *info, Elf_Shdr *shdr) 1804 { 1805 #if defined(CONFIG_64BIT) 1806 unsigned long long secend; 1807 #else 1808 unsigned long secend; 1809 #endif 1810 1811 /* 1812 * Check for both overflow and offset/size being 1813 * too large. 1814 */ 1815 secend = shdr->sh_offset + shdr->sh_size; 1816 if (secend < shdr->sh_offset || secend > info->len) 1817 return -ENOEXEC; 1818 1819 return 0; 1820 } 1821 1822 /** 1823 * elf_validity_ehdr() - Checks an ELF header for module validity 1824 * @info: Load info containing the ELF header to check 1825 * 1826 * Checks whether an ELF header could belong to a valid module. Checks: 1827 * 1828 * * ELF header is within the data the user provided 1829 * * ELF magic is present 1830 * * It is relocatable (not final linked, not core file, etc.) 1831 * * The header's machine type matches what the architecture expects. 1832 * * Optional arch-specific hook for other properties 1833 * - module_elf_check_arch() is currently only used by PPC to check 1834 * ELF ABI version, but may be used by others in the future. 1835 * 1836 * Return: %0 if valid, %-ENOEXEC on failure. 1837 */ 1838 static int elf_validity_ehdr(const struct load_info *info) 1839 { 1840 if (info->len < sizeof(*(info->hdr))) { 1841 pr_err("Invalid ELF header len %lu\n", info->len); 1842 return -ENOEXEC; 1843 } 1844 if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) != 0) { 1845 pr_err("Invalid ELF header magic: != %s\n", ELFMAG); 1846 return -ENOEXEC; 1847 } 1848 if (info->hdr->e_type != ET_REL) { 1849 pr_err("Invalid ELF header type: %u != %u\n", 1850 info->hdr->e_type, ET_REL); 1851 return -ENOEXEC; 1852 } 1853 if (!elf_check_arch(info->hdr)) { 1854 pr_err("Invalid architecture in ELF header: %u\n", 1855 info->hdr->e_machine); 1856 return -ENOEXEC; 1857 } 1858 if (!module_elf_check_arch(info->hdr)) { 1859 pr_err("Invalid module architecture in ELF header: %u\n", 1860 info->hdr->e_machine); 1861 return -ENOEXEC; 1862 } 1863 return 0; 1864 } 1865 1866 /** 1867 * elf_validity_cache_sechdrs() - Cache section headers if valid 1868 * @info: Load info to compute section headers from 1869 * 1870 * Checks: 1871 * 1872 * * ELF header is valid (see elf_validity_ehdr()) 1873 * * Section headers are the size we expect 1874 * * Section array fits in the user provided data 1875 * * Section index 0 is NULL 1876 * * Section contents are inbounds 1877 * 1878 * Then updates @info with a &load_info->sechdrs pointer if valid. 1879 * 1880 * Return: %0 if valid, negative error code if validation failed. 1881 */ 1882 static int elf_validity_cache_sechdrs(struct load_info *info) 1883 { 1884 Elf_Shdr *sechdrs; 1885 Elf_Shdr *shdr; 1886 int i; 1887 int err; 1888 1889 err = elf_validity_ehdr(info); 1890 if (err < 0) 1891 return err; 1892 1893 if (info->hdr->e_shentsize != sizeof(Elf_Shdr)) { 1894 pr_err("Invalid ELF section header size\n"); 1895 return -ENOEXEC; 1896 } 1897 1898 /* 1899 * e_shnum is 16 bits, and sizeof(Elf_Shdr) is 1900 * known and small. So e_shnum * sizeof(Elf_Shdr) 1901 * will not overflow unsigned long on any platform. 1902 */ 1903 if (info->hdr->e_shoff >= info->len 1904 || (info->hdr->e_shnum * sizeof(Elf_Shdr) > 1905 info->len - info->hdr->e_shoff)) { 1906 pr_err("Invalid ELF section header overflow\n"); 1907 return -ENOEXEC; 1908 } 1909 1910 sechdrs = (void *)info->hdr + info->hdr->e_shoff; 1911 1912 /* 1913 * The code assumes that section 0 has a length of zero and 1914 * an addr of zero, so check for it. 1915 */ 1916 if (sechdrs[0].sh_type != SHT_NULL 1917 || sechdrs[0].sh_size != 0 1918 || sechdrs[0].sh_addr != 0) { 1919 pr_err("ELF Spec violation: section 0 type(%d)!=SH_NULL or non-zero len or addr\n", 1920 sechdrs[0].sh_type); 1921 return -ENOEXEC; 1922 } 1923 1924 /* Validate contents are inbounds */ 1925 for (i = 1; i < info->hdr->e_shnum; i++) { 1926 shdr = &sechdrs[i]; 1927 switch (shdr->sh_type) { 1928 case SHT_NULL: 1929 case SHT_NOBITS: 1930 /* No contents, offset/size don't mean anything */ 1931 continue; 1932 default: 1933 err = validate_section_offset(info, shdr); 1934 if (err < 0) { 1935 pr_err("Invalid ELF section in module (section %u type %u)\n", 1936 i, shdr->sh_type); 1937 return err; 1938 } 1939 } 1940 } 1941 1942 info->sechdrs = sechdrs; 1943 1944 return 0; 1945 } 1946 1947 /** 1948 * elf_validity_cache_secstrings() - Caches section names if valid 1949 * @info: Load info to cache section names from. Must have valid sechdrs. 1950 * 1951 * Specifically checks: 1952 * 1953 * * Section name table index is inbounds of section headers 1954 * * Section name table is not empty 1955 * * Section name table is NUL terminated 1956 * * All section name offsets are inbounds of the section 1957 * 1958 * Then updates @info with a &load_info->secstrings pointer if valid. 1959 * 1960 * Return: %0 if valid, negative error code if validation failed. 1961 */ 1962 static int elf_validity_cache_secstrings(struct load_info *info) 1963 { 1964 Elf_Shdr *strhdr, *shdr; 1965 char *secstrings; 1966 int i; 1967 1968 /* 1969 * Verify if the section name table index is valid. 1970 */ 1971 if (info->hdr->e_shstrndx == SHN_UNDEF 1972 || info->hdr->e_shstrndx >= info->hdr->e_shnum) { 1973 pr_err("Invalid ELF section name index: %d || e_shstrndx (%d) >= e_shnum (%d)\n", 1974 info->hdr->e_shstrndx, info->hdr->e_shstrndx, 1975 info->hdr->e_shnum); 1976 return -ENOEXEC; 1977 } 1978 1979 strhdr = &info->sechdrs[info->hdr->e_shstrndx]; 1980 1981 /* 1982 * The section name table must be NUL-terminated, as required 1983 * by the spec. This makes strcmp and pr_* calls that access 1984 * strings in the section safe. 1985 */ 1986 secstrings = (void *)info->hdr + strhdr->sh_offset; 1987 if (strhdr->sh_size == 0) { 1988 pr_err("empty section name table\n"); 1989 return -ENOEXEC; 1990 } 1991 if (secstrings[strhdr->sh_size - 1] != '\0') { 1992 pr_err("ELF Spec violation: section name table isn't null terminated\n"); 1993 return -ENOEXEC; 1994 } 1995 1996 for (i = 0; i < info->hdr->e_shnum; i++) { 1997 shdr = &info->sechdrs[i]; 1998 /* SHT_NULL means sh_name has an undefined value */ 1999 if (shdr->sh_type == SHT_NULL) 2000 continue; 2001 if (shdr->sh_name >= strhdr->sh_size) { 2002 pr_err("Invalid ELF section name in module (section %u type %u)\n", 2003 i, shdr->sh_type); 2004 return -ENOEXEC; 2005 } 2006 } 2007 2008 info->secstrings = secstrings; 2009 return 0; 2010 } 2011 2012 /** 2013 * elf_validity_cache_index_info() - Validate and cache modinfo section 2014 * @info: Load info to populate the modinfo index on. 2015 * Must have &load_info->sechdrs and &load_info->secstrings populated 2016 * 2017 * Checks that if there is a .modinfo section, it is unique. 2018 * Then, it caches its index in &load_info->index.info. 2019 * Finally, it tries to populate the name to improve error messages. 2020 * 2021 * Return: %0 if valid, %-ENOEXEC if multiple modinfo sections were found. 2022 */ 2023 static int elf_validity_cache_index_info(struct load_info *info) 2024 { 2025 int info_idx; 2026 2027 info_idx = find_any_unique_sec(info, ".modinfo"); 2028 2029 if (info_idx == 0) 2030 /* Early return, no .modinfo */ 2031 return 0; 2032 2033 if (info_idx < 0) { 2034 pr_err("Only one .modinfo section must exist.\n"); 2035 return -ENOEXEC; 2036 } 2037 2038 info->index.info = info_idx; 2039 /* Try to find a name early so we can log errors with a module name */ 2040 info->name = get_modinfo(info, "name"); 2041 2042 return 0; 2043 } 2044 2045 /** 2046 * elf_validity_cache_index_mod() - Validates and caches this_module section 2047 * @info: Load info to cache this_module on. 2048 * Must have &load_info->sechdrs and &load_info->secstrings populated 2049 * 2050 * The ".gnu.linkonce.this_module" ELF section is special. It is what modpost 2051 * uses to refer to __this_module and let's use rely on THIS_MODULE to point 2052 * to &__this_module properly. The kernel's modpost declares it on each 2053 * modules's *.mod.c file. If the struct module of the kernel changes a full 2054 * kernel rebuild is required. 2055 * 2056 * We have a few expectations for this special section, this function 2057 * validates all this for us: 2058 * 2059 * * The section has contents 2060 * * The section is unique 2061 * * We expect the kernel to always have to allocate it: SHF_ALLOC 2062 * * The section size must match the kernel's run time's struct module 2063 * size 2064 * 2065 * If all checks pass, the index will be cached in &load_info->index.mod 2066 * 2067 * Return: %0 on validation success, %-ENOEXEC on failure 2068 */ 2069 static int elf_validity_cache_index_mod(struct load_info *info) 2070 { 2071 Elf_Shdr *shdr; 2072 int mod_idx; 2073 2074 mod_idx = find_any_unique_sec(info, ".gnu.linkonce.this_module"); 2075 if (mod_idx <= 0) { 2076 pr_err("module %s: Exactly one .gnu.linkonce.this_module section must exist.\n", 2077 info->name ?: "(missing .modinfo section or name field)"); 2078 return -ENOEXEC; 2079 } 2080 2081 shdr = &info->sechdrs[mod_idx]; 2082 2083 if (shdr->sh_type == SHT_NOBITS) { 2084 pr_err("module %s: .gnu.linkonce.this_module section must have a size set\n", 2085 info->name ?: "(missing .modinfo section or name field)"); 2086 return -ENOEXEC; 2087 } 2088 2089 if (!(shdr->sh_flags & SHF_ALLOC)) { 2090 pr_err("module %s: .gnu.linkonce.this_module must occupy memory during process execution\n", 2091 info->name ?: "(missing .modinfo section or name field)"); 2092 return -ENOEXEC; 2093 } 2094 2095 if (shdr->sh_size != sizeof(struct module)) { 2096 pr_err("module %s: .gnu.linkonce.this_module section size must match the kernel's built struct module size at run time\n", 2097 info->name ?: "(missing .modinfo section or name field)"); 2098 return -ENOEXEC; 2099 } 2100 2101 info->index.mod = mod_idx; 2102 2103 return 0; 2104 } 2105 2106 /** 2107 * elf_validity_cache_index_sym() - Validate and cache symtab index 2108 * @info: Load info to cache symtab index in. 2109 * Must have &load_info->sechdrs and &load_info->secstrings populated. 2110 * 2111 * Checks that there is exactly one symbol table, then caches its index in 2112 * &load_info->index.sym. 2113 * 2114 * Return: %0 if valid, %-ENOEXEC on failure. 2115 */ 2116 static int elf_validity_cache_index_sym(struct load_info *info) 2117 { 2118 unsigned int sym_idx; 2119 unsigned int num_sym_secs = 0; 2120 int i; 2121 2122 for (i = 1; i < info->hdr->e_shnum; i++) { 2123 if (info->sechdrs[i].sh_type == SHT_SYMTAB) { 2124 num_sym_secs++; 2125 sym_idx = i; 2126 } 2127 } 2128 2129 if (num_sym_secs != 1) { 2130 pr_warn("%s: module has no symbols (stripped?)\n", 2131 info->name ?: "(missing .modinfo section or name field)"); 2132 return -ENOEXEC; 2133 } 2134 2135 info->index.sym = sym_idx; 2136 2137 return 0; 2138 } 2139 2140 /** 2141 * elf_validity_cache_index_str() - Validate and cache strtab index 2142 * @info: Load info to cache strtab index in. 2143 * Must have &load_info->sechdrs and &load_info->secstrings populated. 2144 * Must have &load_info->index.sym populated. 2145 * 2146 * Looks at the symbol table's associated string table, makes sure it is 2147 * in-bounds, and caches it. 2148 * 2149 * Return: %0 if valid, %-ENOEXEC on failure. 2150 */ 2151 static int elf_validity_cache_index_str(struct load_info *info) 2152 { 2153 unsigned int str_idx = info->sechdrs[info->index.sym].sh_link; 2154 2155 if (str_idx == SHN_UNDEF || str_idx >= info->hdr->e_shnum) { 2156 pr_err("Invalid ELF sh_link!=SHN_UNDEF(%d) or (sh_link(%d) >= hdr->e_shnum(%d)\n", 2157 str_idx, str_idx, info->hdr->e_shnum); 2158 return -ENOEXEC; 2159 } 2160 2161 info->index.str = str_idx; 2162 return 0; 2163 } 2164 2165 /** 2166 * elf_validity_cache_index_versions() - Validate and cache version indices 2167 * @info: Load info to cache version indices in. 2168 * Must have &load_info->sechdrs and &load_info->secstrings populated. 2169 * @flags: Load flags, relevant to suppress version loading, see 2170 * uapi/linux/module.h 2171 * 2172 * If we're ignoring modversions based on @flags, zero all version indices 2173 * and return validity. Othewrise check: 2174 * 2175 * * If "__version_ext_crcs" is present, "__version_ext_names" is present 2176 * * There is a name present for every crc 2177 * 2178 * Then populate: 2179 * 2180 * * &load_info->index.vers 2181 * * &load_info->index.vers_ext_crc 2182 * * &load_info->index.vers_ext_names 2183 * 2184 * if present. 2185 * 2186 * Return: %0 if valid, %-ENOEXEC on failure. 2187 */ 2188 static int elf_validity_cache_index_versions(struct load_info *info, int flags) 2189 { 2190 unsigned int vers_ext_crc; 2191 unsigned int vers_ext_name; 2192 size_t crc_count; 2193 size_t remaining_len; 2194 size_t name_size; 2195 char *name; 2196 2197 /* If modversions were suppressed, pretend we didn't find any */ 2198 if (flags & MODULE_INIT_IGNORE_MODVERSIONS) { 2199 info->index.vers = 0; 2200 info->index.vers_ext_crc = 0; 2201 info->index.vers_ext_name = 0; 2202 return 0; 2203 } 2204 2205 vers_ext_crc = find_sec(info, "__version_ext_crcs"); 2206 vers_ext_name = find_sec(info, "__version_ext_names"); 2207 2208 /* If we have one field, we must have the other */ 2209 if (!!vers_ext_crc != !!vers_ext_name) { 2210 pr_err("extended version crc+name presence does not match"); 2211 return -ENOEXEC; 2212 } 2213 2214 /* 2215 * If we have extended version information, we should have the same 2216 * number of entries in every section. 2217 */ 2218 if (vers_ext_crc) { 2219 crc_count = info->sechdrs[vers_ext_crc].sh_size / sizeof(u32); 2220 name = (void *)info->hdr + 2221 info->sechdrs[vers_ext_name].sh_offset; 2222 remaining_len = info->sechdrs[vers_ext_name].sh_size; 2223 2224 while (crc_count--) { 2225 name_size = strnlen(name, remaining_len) + 1; 2226 if (name_size > remaining_len) { 2227 pr_err("more extended version crcs than names"); 2228 return -ENOEXEC; 2229 } 2230 remaining_len -= name_size; 2231 name += name_size; 2232 } 2233 } 2234 2235 info->index.vers = find_sec(info, "__versions"); 2236 info->index.vers_ext_crc = vers_ext_crc; 2237 info->index.vers_ext_name = vers_ext_name; 2238 return 0; 2239 } 2240 2241 /** 2242 * elf_validity_cache_index() - Resolve, validate, cache section indices 2243 * @info: Load info to read from and update. 2244 * &load_info->sechdrs and &load_info->secstrings must be populated. 2245 * @flags: Load flags, relevant to suppress version loading, see 2246 * uapi/linux/module.h 2247 * 2248 * Populates &load_info->index, validating as it goes. 2249 * See child functions for per-field validation: 2250 * 2251 * * elf_validity_cache_index_info() 2252 * * elf_validity_cache_index_mod() 2253 * * elf_validity_cache_index_sym() 2254 * * elf_validity_cache_index_str() 2255 * * elf_validity_cache_index_versions() 2256 * 2257 * If CONFIG_SMP is enabled, load the percpu section by name with no 2258 * validation. 2259 * 2260 * Return: 0 on success, negative error code if an index failed validation. 2261 */ 2262 static int elf_validity_cache_index(struct load_info *info, int flags) 2263 { 2264 int err; 2265 2266 err = elf_validity_cache_index_info(info); 2267 if (err < 0) 2268 return err; 2269 err = elf_validity_cache_index_mod(info); 2270 if (err < 0) 2271 return err; 2272 err = elf_validity_cache_index_sym(info); 2273 if (err < 0) 2274 return err; 2275 err = elf_validity_cache_index_str(info); 2276 if (err < 0) 2277 return err; 2278 err = elf_validity_cache_index_versions(info, flags); 2279 if (err < 0) 2280 return err; 2281 2282 info->index.pcpu = find_pcpusec(info); 2283 2284 return 0; 2285 } 2286 2287 /** 2288 * elf_validity_cache_strtab() - Validate and cache symbol string table 2289 * @info: Load info to read from and update. 2290 * Must have &load_info->sechdrs and &load_info->secstrings populated. 2291 * Must have &load_info->index populated. 2292 * 2293 * Checks: 2294 * 2295 * * The string table is not empty. 2296 * * The string table starts and ends with NUL (required by ELF spec). 2297 * * Every &Elf_Sym->st_name offset in the symbol table is inbounds of the 2298 * string table. 2299 * 2300 * And caches the pointer as &load_info->strtab in @info. 2301 * 2302 * Return: 0 on success, negative error code if a check failed. 2303 */ 2304 static int elf_validity_cache_strtab(struct load_info *info) 2305 { 2306 Elf_Shdr *str_shdr = &info->sechdrs[info->index.str]; 2307 Elf_Shdr *sym_shdr = &info->sechdrs[info->index.sym]; 2308 char *strtab = (char *)info->hdr + str_shdr->sh_offset; 2309 Elf_Sym *syms = (void *)info->hdr + sym_shdr->sh_offset; 2310 int i; 2311 2312 if (str_shdr->sh_size == 0) { 2313 pr_err("empty symbol string table\n"); 2314 return -ENOEXEC; 2315 } 2316 if (strtab[0] != '\0') { 2317 pr_err("symbol string table missing leading NUL\n"); 2318 return -ENOEXEC; 2319 } 2320 if (strtab[str_shdr->sh_size - 1] != '\0') { 2321 pr_err("symbol string table isn't NUL terminated\n"); 2322 return -ENOEXEC; 2323 } 2324 2325 /* 2326 * Now that we know strtab is correctly structured, check symbol 2327 * starts are inbounds before they're used later. 2328 */ 2329 for (i = 0; i < sym_shdr->sh_size / sizeof(*syms); i++) { 2330 if (syms[i].st_name >= str_shdr->sh_size) { 2331 pr_err("symbol name out of bounds in string table"); 2332 return -ENOEXEC; 2333 } 2334 } 2335 2336 info->strtab = strtab; 2337 return 0; 2338 } 2339 2340 /* 2341 * Check userspace passed ELF module against our expectations, and cache 2342 * useful variables for further processing as we go. 2343 * 2344 * This does basic validity checks against section offsets and sizes, the 2345 * section name string table, and the indices used for it (sh_name). 2346 * 2347 * As a last step, since we're already checking the ELF sections we cache 2348 * useful variables which will be used later for our convenience: 2349 * 2350 * o pointers to section headers 2351 * o cache the modinfo symbol section 2352 * o cache the string symbol section 2353 * o cache the module section 2354 * 2355 * As a last step we set info->mod to the temporary copy of the module in 2356 * info->hdr. The final one will be allocated in move_module(). Any 2357 * modifications we make to our copy of the module will be carried over 2358 * to the final minted module. 2359 */ 2360 static int elf_validity_cache_copy(struct load_info *info, int flags) 2361 { 2362 int err; 2363 2364 err = elf_validity_cache_sechdrs(info); 2365 if (err < 0) 2366 return err; 2367 err = elf_validity_cache_secstrings(info); 2368 if (err < 0) 2369 return err; 2370 err = elf_validity_cache_index(info, flags); 2371 if (err < 0) 2372 return err; 2373 err = elf_validity_cache_strtab(info); 2374 if (err < 0) 2375 return err; 2376 2377 /* This is temporary: point mod into copy of data. */ 2378 info->mod = (void *)info->hdr + info->sechdrs[info->index.mod].sh_offset; 2379 2380 /* 2381 * If we didn't load the .modinfo 'name' field earlier, fall back to 2382 * on-disk struct mod 'name' field. 2383 */ 2384 if (!info->name) 2385 info->name = info->mod->name; 2386 2387 return 0; 2388 } 2389 2390 #define COPY_CHUNK_SIZE (16*PAGE_SIZE) 2391 2392 static int copy_chunked_from_user(void *dst, const void __user *usrc, unsigned long len) 2393 { 2394 do { 2395 unsigned long n = min(len, COPY_CHUNK_SIZE); 2396 2397 if (copy_from_user(dst, usrc, n) != 0) 2398 return -EFAULT; 2399 cond_resched(); 2400 dst += n; 2401 usrc += n; 2402 len -= n; 2403 } while (len); 2404 return 0; 2405 } 2406 2407 static int check_modinfo_livepatch(struct module *mod, struct load_info *info) 2408 { 2409 if (!get_modinfo(info, "livepatch")) 2410 /* Nothing more to do */ 2411 return 0; 2412 2413 if (set_livepatch_module(mod)) 2414 return 0; 2415 2416 pr_err("%s: module is marked as livepatch module, but livepatch support is disabled", 2417 mod->name); 2418 return -ENOEXEC; 2419 } 2420 2421 static void check_modinfo_retpoline(struct module *mod, struct load_info *info) 2422 { 2423 if (retpoline_module_ok(get_modinfo(info, "retpoline"))) 2424 return; 2425 2426 pr_warn("%s: loading module not compiled with retpoline compiler.\n", 2427 mod->name); 2428 } 2429 2430 /* Sets info->hdr and info->len. */ 2431 static int copy_module_from_user(const void __user *umod, unsigned long len, 2432 struct load_info *info) 2433 { 2434 int err; 2435 2436 info->len = len; 2437 if (info->len < sizeof(*(info->hdr))) 2438 return -ENOEXEC; 2439 2440 err = security_kernel_load_data(LOADING_MODULE, true); 2441 if (err) 2442 return err; 2443 2444 /* Suck in entire file: we'll want most of it. */ 2445 info->hdr = __vmalloc(info->len, GFP_KERNEL | __GFP_NOWARN); 2446 if (!info->hdr) 2447 return -ENOMEM; 2448 2449 if (copy_chunked_from_user(info->hdr, umod, info->len) != 0) { 2450 err = -EFAULT; 2451 goto out; 2452 } 2453 2454 err = security_kernel_post_load_data((char *)info->hdr, info->len, 2455 LOADING_MODULE, "init_module"); 2456 out: 2457 if (err) 2458 vfree(info->hdr); 2459 2460 return err; 2461 } 2462 2463 static void free_copy(struct load_info *info, int flags) 2464 { 2465 if (flags & MODULE_INIT_COMPRESSED_FILE) 2466 module_decompress_cleanup(info); 2467 else 2468 vfree(info->hdr); 2469 } 2470 2471 static int rewrite_section_headers(struct load_info *info, int flags) 2472 { 2473 unsigned int i; 2474 2475 /* This should always be true, but let's be sure. */ 2476 info->sechdrs[0].sh_addr = 0; 2477 2478 for (i = 1; i < info->hdr->e_shnum; i++) { 2479 Elf_Shdr *shdr = &info->sechdrs[i]; 2480 2481 /* 2482 * Mark all sections sh_addr with their address in the 2483 * temporary image. 2484 */ 2485 shdr->sh_addr = (size_t)info->hdr + shdr->sh_offset; 2486 2487 } 2488 2489 /* Track but don't keep modinfo and version sections. */ 2490 info->sechdrs[info->index.vers].sh_flags &= ~(unsigned long)SHF_ALLOC; 2491 info->sechdrs[info->index.vers_ext_crc].sh_flags &= 2492 ~(unsigned long)SHF_ALLOC; 2493 info->sechdrs[info->index.vers_ext_name].sh_flags &= 2494 ~(unsigned long)SHF_ALLOC; 2495 info->sechdrs[info->index.info].sh_flags &= ~(unsigned long)SHF_ALLOC; 2496 2497 return 0; 2498 } 2499 2500 static const char *const module_license_offenders[] = { 2501 /* driverloader was caught wrongly pretending to be under GPL */ 2502 "driverloader", 2503 2504 /* lve claims to be GPL but upstream won't provide source */ 2505 "lve", 2506 }; 2507 2508 /* 2509 * These calls taint the kernel depending certain module circumstances */ 2510 static void module_augment_kernel_taints(struct module *mod, struct load_info *info) 2511 { 2512 int prev_taint = test_taint(TAINT_PROPRIETARY_MODULE); 2513 size_t i; 2514 2515 if (!get_modinfo(info, "intree")) { 2516 if (!test_taint(TAINT_OOT_MODULE)) 2517 pr_warn("%s: loading out-of-tree module taints kernel.\n", 2518 mod->name); 2519 add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK); 2520 } 2521 2522 check_modinfo_retpoline(mod, info); 2523 2524 if (get_modinfo(info, "staging")) { 2525 add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK); 2526 pr_warn("%s: module is from the staging directory, the quality " 2527 "is unknown, you have been warned.\n", mod->name); 2528 } 2529 2530 if (is_livepatch_module(mod)) { 2531 add_taint_module(mod, TAINT_LIVEPATCH, LOCKDEP_STILL_OK); 2532 pr_notice_once("%s: tainting kernel with TAINT_LIVEPATCH\n", 2533 mod->name); 2534 } 2535 2536 module_license_taint_check(mod, get_modinfo(info, "license")); 2537 2538 if (get_modinfo(info, "test")) { 2539 if (!test_taint(TAINT_TEST)) 2540 pr_warn("%s: loading test module taints kernel.\n", 2541 mod->name); 2542 add_taint_module(mod, TAINT_TEST, LOCKDEP_STILL_OK); 2543 } 2544 #ifdef CONFIG_MODULE_SIG 2545 mod->sig_ok = info->sig_ok; 2546 if (!mod->sig_ok) { 2547 pr_notice_once("%s: module verification failed: signature " 2548 "and/or required key missing - tainting " 2549 "kernel\n", mod->name); 2550 add_taint_module(mod, TAINT_UNSIGNED_MODULE, LOCKDEP_STILL_OK); 2551 } 2552 #endif 2553 2554 /* 2555 * ndiswrapper is under GPL by itself, but loads proprietary modules. 2556 * Don't use add_taint_module(), as it would prevent ndiswrapper from 2557 * using GPL-only symbols it needs. 2558 */ 2559 if (strcmp(mod->name, "ndiswrapper") == 0) 2560 add_taint(TAINT_PROPRIETARY_MODULE, LOCKDEP_NOW_UNRELIABLE); 2561 2562 for (i = 0; i < ARRAY_SIZE(module_license_offenders); ++i) { 2563 if (strcmp(mod->name, module_license_offenders[i]) == 0) 2564 add_taint_module(mod, TAINT_PROPRIETARY_MODULE, 2565 LOCKDEP_NOW_UNRELIABLE); 2566 } 2567 2568 if (!prev_taint && test_taint(TAINT_PROPRIETARY_MODULE)) 2569 pr_warn("%s: module license taints kernel.\n", mod->name); 2570 2571 } 2572 2573 static int check_modinfo(struct module *mod, struct load_info *info, int flags) 2574 { 2575 const char *modmagic = get_modinfo(info, "vermagic"); 2576 int err; 2577 2578 if (flags & MODULE_INIT_IGNORE_VERMAGIC) 2579 modmagic = NULL; 2580 2581 /* This is allowed: modprobe --force will invalidate it. */ 2582 if (!modmagic) { 2583 err = try_to_force_load(mod, "bad vermagic"); 2584 if (err) 2585 return err; 2586 } else if (!same_magic(modmagic, vermagic, info->index.vers)) { 2587 pr_err("%s: version magic '%s' should be '%s'\n", 2588 info->name, modmagic, vermagic); 2589 return -ENOEXEC; 2590 } 2591 2592 err = check_modinfo_livepatch(mod, info); 2593 if (err) 2594 return err; 2595 2596 return 0; 2597 } 2598 2599 static int find_module_sections(struct module *mod, struct load_info *info) 2600 { 2601 mod->kp = section_objs(info, "__param", 2602 sizeof(*mod->kp), &mod->num_kp); 2603 mod->syms = section_objs(info, "__ksymtab", 2604 sizeof(*mod->syms), &mod->num_syms); 2605 mod->crcs = section_addr(info, "__kcrctab"); 2606 mod->gpl_syms = section_objs(info, "__ksymtab_gpl", 2607 sizeof(*mod->gpl_syms), 2608 &mod->num_gpl_syms); 2609 mod->gpl_crcs = section_addr(info, "__kcrctab_gpl"); 2610 2611 #ifdef CONFIG_CONSTRUCTORS 2612 mod->ctors = section_objs(info, ".ctors", 2613 sizeof(*mod->ctors), &mod->num_ctors); 2614 if (!mod->ctors) 2615 mod->ctors = section_objs(info, ".init_array", 2616 sizeof(*mod->ctors), &mod->num_ctors); 2617 else if (find_sec(info, ".init_array")) { 2618 /* 2619 * This shouldn't happen with same compiler and binutils 2620 * building all parts of the module. 2621 */ 2622 pr_warn("%s: has both .ctors and .init_array.\n", 2623 mod->name); 2624 return -EINVAL; 2625 } 2626 #endif 2627 2628 mod->noinstr_text_start = section_objs(info, ".noinstr.text", 1, 2629 &mod->noinstr_text_size); 2630 2631 #ifdef CONFIG_TRACEPOINTS 2632 mod->tracepoints_ptrs = section_objs(info, "__tracepoints_ptrs", 2633 sizeof(*mod->tracepoints_ptrs), 2634 &mod->num_tracepoints); 2635 #endif 2636 #ifdef CONFIG_TREE_SRCU 2637 mod->srcu_struct_ptrs = section_objs(info, "___srcu_struct_ptrs", 2638 sizeof(*mod->srcu_struct_ptrs), 2639 &mod->num_srcu_structs); 2640 #endif 2641 #ifdef CONFIG_BPF_EVENTS 2642 mod->bpf_raw_events = section_objs(info, "__bpf_raw_tp_map", 2643 sizeof(*mod->bpf_raw_events), 2644 &mod->num_bpf_raw_events); 2645 #endif 2646 #ifdef CONFIG_DEBUG_INFO_BTF_MODULES 2647 mod->btf_data = any_section_objs(info, ".BTF", 1, &mod->btf_data_size); 2648 mod->btf_base_data = any_section_objs(info, ".BTF.base", 1, 2649 &mod->btf_base_data_size); 2650 #endif 2651 #ifdef CONFIG_JUMP_LABEL 2652 mod->jump_entries = section_objs(info, "__jump_table", 2653 sizeof(*mod->jump_entries), 2654 &mod->num_jump_entries); 2655 #endif 2656 #ifdef CONFIG_EVENT_TRACING 2657 mod->trace_events = section_objs(info, "_ftrace_events", 2658 sizeof(*mod->trace_events), 2659 &mod->num_trace_events); 2660 mod->trace_evals = section_objs(info, "_ftrace_eval_map", 2661 sizeof(*mod->trace_evals), 2662 &mod->num_trace_evals); 2663 #endif 2664 #ifdef CONFIG_TRACING 2665 mod->trace_bprintk_fmt_start = section_objs(info, "__trace_printk_fmt", 2666 sizeof(*mod->trace_bprintk_fmt_start), 2667 &mod->num_trace_bprintk_fmt); 2668 #endif 2669 #ifdef CONFIG_DYNAMIC_FTRACE 2670 /* sechdrs[0].sh_size is always zero */ 2671 mod->ftrace_callsites = section_objs(info, FTRACE_CALLSITE_SECTION, 2672 sizeof(*mod->ftrace_callsites), 2673 &mod->num_ftrace_callsites); 2674 #endif 2675 #ifdef CONFIG_FUNCTION_ERROR_INJECTION 2676 mod->ei_funcs = section_objs(info, "_error_injection_whitelist", 2677 sizeof(*mod->ei_funcs), 2678 &mod->num_ei_funcs); 2679 #endif 2680 #ifdef CONFIG_KPROBES 2681 mod->kprobes_text_start = section_objs(info, ".kprobes.text", 1, 2682 &mod->kprobes_text_size); 2683 mod->kprobe_blacklist = section_objs(info, "_kprobe_blacklist", 2684 sizeof(unsigned long), 2685 &mod->num_kprobe_blacklist); 2686 #endif 2687 #ifdef CONFIG_PRINTK_INDEX 2688 mod->printk_index_start = section_objs(info, ".printk_index", 2689 sizeof(*mod->printk_index_start), 2690 &mod->printk_index_size); 2691 #endif 2692 #ifdef CONFIG_HAVE_STATIC_CALL_INLINE 2693 mod->static_call_sites = section_objs(info, ".static_call_sites", 2694 sizeof(*mod->static_call_sites), 2695 &mod->num_static_call_sites); 2696 #endif 2697 #if IS_ENABLED(CONFIG_KUNIT) 2698 mod->kunit_suites = section_objs(info, ".kunit_test_suites", 2699 sizeof(*mod->kunit_suites), 2700 &mod->num_kunit_suites); 2701 mod->kunit_init_suites = section_objs(info, ".kunit_init_test_suites", 2702 sizeof(*mod->kunit_init_suites), 2703 &mod->num_kunit_init_suites); 2704 #endif 2705 2706 mod->extable = section_objs(info, "__ex_table", 2707 sizeof(*mod->extable), &mod->num_exentries); 2708 2709 if (section_addr(info, "__obsparm")) 2710 pr_warn("%s: Ignoring obsolete parameters\n", mod->name); 2711 2712 #ifdef CONFIG_DYNAMIC_DEBUG_CORE 2713 mod->dyndbg_info.descs = section_objs(info, "__dyndbg", 2714 sizeof(*mod->dyndbg_info.descs), 2715 &mod->dyndbg_info.num_descs); 2716 mod->dyndbg_info.classes = section_objs(info, "__dyndbg_classes", 2717 sizeof(*mod->dyndbg_info.classes), 2718 &mod->dyndbg_info.num_classes); 2719 #endif 2720 2721 return 0; 2722 } 2723 2724 static int move_module(struct module *mod, struct load_info *info) 2725 { 2726 int i, ret; 2727 enum mod_mem_type t = MOD_MEM_NUM_TYPES; 2728 bool codetag_section_found = false; 2729 2730 for_each_mod_mem_type(type) { 2731 if (!mod->mem[type].size) { 2732 mod->mem[type].base = NULL; 2733 continue; 2734 } 2735 2736 ret = module_memory_alloc(mod, type); 2737 if (ret) { 2738 t = type; 2739 goto out_err; 2740 } 2741 } 2742 2743 /* Transfer each section which specifies SHF_ALLOC */ 2744 pr_debug("Final section addresses for %s:\n", mod->name); 2745 for (i = 0; i < info->hdr->e_shnum; i++) { 2746 void *dest; 2747 Elf_Shdr *shdr = &info->sechdrs[i]; 2748 const char *sname; 2749 2750 if (!(shdr->sh_flags & SHF_ALLOC)) 2751 continue; 2752 2753 sname = info->secstrings + shdr->sh_name; 2754 /* 2755 * Load codetag sections separately as they might still be used 2756 * after module unload. 2757 */ 2758 if (codetag_needs_module_section(mod, sname, shdr->sh_size)) { 2759 dest = codetag_alloc_module_section(mod, sname, shdr->sh_size, 2760 arch_mod_section_prepend(mod, i), shdr->sh_addralign); 2761 if (WARN_ON(!dest)) { 2762 ret = -EINVAL; 2763 goto out_err; 2764 } 2765 if (IS_ERR(dest)) { 2766 ret = PTR_ERR(dest); 2767 goto out_err; 2768 } 2769 codetag_section_found = true; 2770 } else { 2771 enum mod_mem_type type = shdr->sh_entsize >> SH_ENTSIZE_TYPE_SHIFT; 2772 unsigned long offset = shdr->sh_entsize & SH_ENTSIZE_OFFSET_MASK; 2773 2774 dest = mod->mem[type].base + offset; 2775 } 2776 2777 if (shdr->sh_type != SHT_NOBITS) { 2778 /* 2779 * Our ELF checker already validated this, but let's 2780 * be pedantic and make the goal clearer. We actually 2781 * end up copying over all modifications made to the 2782 * userspace copy of the entire struct module. 2783 */ 2784 if (i == info->index.mod && 2785 (WARN_ON_ONCE(shdr->sh_size != sizeof(struct module)))) { 2786 ret = -ENOEXEC; 2787 goto out_err; 2788 } 2789 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size); 2790 } 2791 /* 2792 * Update the userspace copy's ELF section address to point to 2793 * our newly allocated memory as a pure convenience so that 2794 * users of info can keep taking advantage and using the newly 2795 * minted official memory area. 2796 */ 2797 shdr->sh_addr = (unsigned long)dest; 2798 pr_debug("\t0x%lx 0x%.8lx %s\n", (long)shdr->sh_addr, 2799 (long)shdr->sh_size, info->secstrings + shdr->sh_name); 2800 } 2801 2802 return 0; 2803 out_err: 2804 module_memory_restore_rox(mod); 2805 while (t--) 2806 module_memory_free(mod, t); 2807 if (codetag_section_found) 2808 codetag_free_module_sections(mod); 2809 2810 return ret; 2811 } 2812 2813 static int check_export_symbol_versions(struct module *mod) 2814 { 2815 #ifdef CONFIG_MODVERSIONS 2816 if ((mod->num_syms && !mod->crcs) || 2817 (mod->num_gpl_syms && !mod->gpl_crcs)) { 2818 return try_to_force_load(mod, 2819 "no versions for exported symbols"); 2820 } 2821 #endif 2822 return 0; 2823 } 2824 2825 static void flush_module_icache(const struct module *mod) 2826 { 2827 /* 2828 * Flush the instruction cache, since we've played with text. 2829 * Do it before processing of module parameters, so the module 2830 * can provide parameter accessor functions of its own. 2831 */ 2832 for_each_mod_mem_type(type) { 2833 const struct module_memory *mod_mem = &mod->mem[type]; 2834 2835 if (mod_mem->size) { 2836 flush_icache_range((unsigned long)mod_mem->base, 2837 (unsigned long)mod_mem->base + mod_mem->size); 2838 } 2839 } 2840 } 2841 2842 bool __weak module_elf_check_arch(Elf_Ehdr *hdr) 2843 { 2844 return true; 2845 } 2846 2847 int __weak module_frob_arch_sections(Elf_Ehdr *hdr, 2848 Elf_Shdr *sechdrs, 2849 char *secstrings, 2850 struct module *mod) 2851 { 2852 return 0; 2853 } 2854 2855 /* module_blacklist is a comma-separated list of module names */ 2856 static char *module_blacklist; 2857 static bool blacklisted(const char *module_name) 2858 { 2859 const char *p; 2860 size_t len; 2861 2862 if (!module_blacklist) 2863 return false; 2864 2865 for (p = module_blacklist; *p; p += len) { 2866 len = strcspn(p, ","); 2867 if (strlen(module_name) == len && !memcmp(module_name, p, len)) 2868 return true; 2869 if (p[len] == ',') 2870 len++; 2871 } 2872 return false; 2873 } 2874 core_param(module_blacklist, module_blacklist, charp, 0400); 2875 2876 static struct module *layout_and_allocate(struct load_info *info, int flags) 2877 { 2878 struct module *mod; 2879 int err; 2880 2881 /* Allow arches to frob section contents and sizes. */ 2882 err = module_frob_arch_sections(info->hdr, info->sechdrs, 2883 info->secstrings, info->mod); 2884 if (err < 0) 2885 return ERR_PTR(err); 2886 2887 err = module_enforce_rwx_sections(info->hdr, info->sechdrs, 2888 info->secstrings, info->mod); 2889 if (err < 0) 2890 return ERR_PTR(err); 2891 2892 /* We will do a special allocation for per-cpu sections later. */ 2893 info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; 2894 2895 /* 2896 * Mark relevant sections as SHF_RO_AFTER_INIT so layout_sections() can 2897 * put them in the right place. 2898 * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. 2899 */ 2900 module_mark_ro_after_init(info->hdr, info->sechdrs, info->secstrings); 2901 2902 /* 2903 * Determine total sizes, and put offsets in sh_entsize. For now 2904 * this is done generically; there doesn't appear to be any 2905 * special cases for the architectures. 2906 */ 2907 layout_sections(info->mod, info); 2908 layout_symtab(info->mod, info); 2909 2910 /* Allocate and move to the final place */ 2911 err = move_module(info->mod, info); 2912 if (err) 2913 return ERR_PTR(err); 2914 2915 /* Module has been copied to its final place now: return it. */ 2916 mod = (void *)info->sechdrs[info->index.mod].sh_addr; 2917 kmemleak_load_module(mod, info); 2918 codetag_module_replaced(info->mod, mod); 2919 2920 return mod; 2921 } 2922 2923 /* mod is no longer valid after this! */ 2924 static void module_deallocate(struct module *mod, struct load_info *info) 2925 { 2926 percpu_modfree(mod); 2927 module_arch_freeing_init(mod); 2928 codetag_free_module_sections(mod); 2929 2930 free_mod_mem(mod); 2931 } 2932 2933 int __weak module_finalize(const Elf_Ehdr *hdr, 2934 const Elf_Shdr *sechdrs, 2935 struct module *me) 2936 { 2937 return 0; 2938 } 2939 2940 static int post_relocation(struct module *mod, const struct load_info *info) 2941 { 2942 /* Sort exception table now relocations are done. */ 2943 sort_extable(mod->extable, mod->extable + mod->num_exentries); 2944 2945 /* Copy relocated percpu area over. */ 2946 percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr, 2947 info->sechdrs[info->index.pcpu].sh_size); 2948 2949 /* Setup kallsyms-specific fields. */ 2950 add_kallsyms(mod, info); 2951 2952 /* Arch-specific module finalizing. */ 2953 return module_finalize(info->hdr, info->sechdrs, mod); 2954 } 2955 2956 /* Call module constructors. */ 2957 static void do_mod_ctors(struct module *mod) 2958 { 2959 #ifdef CONFIG_CONSTRUCTORS 2960 unsigned long i; 2961 2962 for (i = 0; i < mod->num_ctors; i++) 2963 mod->ctors[i](); 2964 #endif 2965 } 2966 2967 /* For freeing module_init on success, in case kallsyms traversing */ 2968 struct mod_initfree { 2969 struct llist_node node; 2970 void *init_text; 2971 void *init_data; 2972 void *init_rodata; 2973 }; 2974 2975 static void do_free_init(struct work_struct *w) 2976 { 2977 struct llist_node *pos, *n, *list; 2978 struct mod_initfree *initfree; 2979 2980 list = llist_del_all(&init_free_list); 2981 2982 synchronize_rcu(); 2983 2984 llist_for_each_safe(pos, n, list) { 2985 initfree = container_of(pos, struct mod_initfree, node); 2986 execmem_free(initfree->init_text); 2987 execmem_free(initfree->init_data); 2988 execmem_free(initfree->init_rodata); 2989 kfree(initfree); 2990 } 2991 } 2992 2993 void flush_module_init_free_work(void) 2994 { 2995 flush_work(&init_free_wq); 2996 } 2997 2998 #undef MODULE_PARAM_PREFIX 2999 #define MODULE_PARAM_PREFIX "module." 3000 /* Default value for module->async_probe_requested */ 3001 static bool async_probe; 3002 module_param(async_probe, bool, 0644); 3003 3004 /* 3005 * This is where the real work happens. 3006 * 3007 * Keep it uninlined to provide a reliable breakpoint target, e.g. for the gdb 3008 * helper command 'lx-symbols'. 3009 */ 3010 static noinline int do_init_module(struct module *mod) 3011 { 3012 int ret = 0; 3013 struct mod_initfree *freeinit; 3014 #if defined(CONFIG_MODULE_STATS) 3015 unsigned int text_size = 0, total_size = 0; 3016 3017 for_each_mod_mem_type(type) { 3018 const struct module_memory *mod_mem = &mod->mem[type]; 3019 if (mod_mem->size) { 3020 total_size += mod_mem->size; 3021 if (type == MOD_TEXT || type == MOD_INIT_TEXT) 3022 text_size += mod_mem->size; 3023 } 3024 } 3025 #endif 3026 3027 freeinit = kmalloc(sizeof(*freeinit), GFP_KERNEL); 3028 if (!freeinit) { 3029 ret = -ENOMEM; 3030 goto fail; 3031 } 3032 freeinit->init_text = mod->mem[MOD_INIT_TEXT].base; 3033 freeinit->init_data = mod->mem[MOD_INIT_DATA].base; 3034 freeinit->init_rodata = mod->mem[MOD_INIT_RODATA].base; 3035 3036 do_mod_ctors(mod); 3037 /* Start the module */ 3038 if (mod->init != NULL) 3039 ret = do_one_initcall(mod->init); 3040 if (ret < 0) { 3041 goto fail_free_freeinit; 3042 } 3043 if (ret > 0) { 3044 pr_warn("%s: '%s'->init suspiciously returned %d, it should " 3045 "follow 0/-E convention\n" 3046 "%s: loading module anyway...\n", 3047 __func__, mod->name, ret, __func__); 3048 dump_stack(); 3049 } 3050 3051 /* Now it's a first class citizen! */ 3052 mod->state = MODULE_STATE_LIVE; 3053 blocking_notifier_call_chain(&module_notify_list, 3054 MODULE_STATE_LIVE, mod); 3055 3056 /* Delay uevent until module has finished its init routine */ 3057 kobject_uevent(&mod->mkobj.kobj, KOBJ_ADD); 3058 3059 /* 3060 * We need to finish all async code before the module init sequence 3061 * is done. This has potential to deadlock if synchronous module 3062 * loading is requested from async (which is not allowed!). 3063 * 3064 * See commit 0fdff3ec6d87 ("async, kmod: warn on synchronous 3065 * request_module() from async workers") for more details. 3066 */ 3067 if (!mod->async_probe_requested) 3068 async_synchronize_full(); 3069 3070 ftrace_free_mem(mod, mod->mem[MOD_INIT_TEXT].base, 3071 mod->mem[MOD_INIT_TEXT].base + mod->mem[MOD_INIT_TEXT].size); 3072 mutex_lock(&module_mutex); 3073 /* Drop initial reference. */ 3074 module_put(mod); 3075 trim_init_extable(mod); 3076 #ifdef CONFIG_KALLSYMS 3077 /* Switch to core kallsyms now init is done: kallsyms may be walking! */ 3078 rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); 3079 #endif 3080 ret = module_enable_rodata_ro_after_init(mod); 3081 if (ret) 3082 pr_warn("%s: module_enable_rodata_ro_after_init() returned %d, " 3083 "ro_after_init data might still be writable\n", 3084 mod->name, ret); 3085 3086 mod_tree_remove_init(mod); 3087 module_arch_freeing_init(mod); 3088 for_class_mod_mem_type(type, init) { 3089 mod->mem[type].base = NULL; 3090 mod->mem[type].size = 0; 3091 } 3092 3093 #ifdef CONFIG_DEBUG_INFO_BTF_MODULES 3094 /* .BTF is not SHF_ALLOC and will get removed, so sanitize pointers */ 3095 mod->btf_data = NULL; 3096 mod->btf_base_data = NULL; 3097 #endif 3098 /* 3099 * We want to free module_init, but be aware that kallsyms may be 3100 * walking this within an RCU read section. In all the failure paths, we 3101 * call synchronize_rcu(), but we don't want to slow down the success 3102 * path. execmem_free() cannot be called in an interrupt, so do the 3103 * work and call synchronize_rcu() in a work queue. 3104 * 3105 * Note that execmem_alloc() on most architectures creates W+X page 3106 * mappings which won't be cleaned up until do_free_init() runs. Any 3107 * code such as mark_rodata_ro() which depends on those mappings to 3108 * be cleaned up needs to sync with the queued work by invoking 3109 * flush_module_init_free_work(). 3110 */ 3111 if (llist_add(&freeinit->node, &init_free_list)) 3112 schedule_work(&init_free_wq); 3113 3114 mutex_unlock(&module_mutex); 3115 wake_up_all(&module_wq); 3116 3117 mod_stat_add_long(text_size, &total_text_size); 3118 mod_stat_add_long(total_size, &total_mod_size); 3119 3120 mod_stat_inc(&modcount); 3121 3122 return 0; 3123 3124 fail_free_freeinit: 3125 kfree(freeinit); 3126 fail: 3127 /* Try to protect us from buggy refcounters. */ 3128 mod->state = MODULE_STATE_GOING; 3129 synchronize_rcu(); 3130 module_put(mod); 3131 blocking_notifier_call_chain(&module_notify_list, 3132 MODULE_STATE_GOING, mod); 3133 klp_module_going(mod); 3134 ftrace_release_mod(mod); 3135 free_module(mod); 3136 wake_up_all(&module_wq); 3137 3138 return ret; 3139 } 3140 3141 static int may_init_module(void) 3142 { 3143 if (!capable(CAP_SYS_MODULE) || modules_disabled) 3144 return -EPERM; 3145 3146 return 0; 3147 } 3148 3149 /* Is this module of this name done loading? No locks held. */ 3150 static bool finished_loading(const char *name) 3151 { 3152 struct module *mod; 3153 bool ret; 3154 3155 /* 3156 * The module_mutex should not be a heavily contended lock; 3157 * if we get the occasional sleep here, we'll go an extra iteration 3158 * in the wait_event_interruptible(), which is harmless. 3159 */ 3160 sched_annotate_sleep(); 3161 mutex_lock(&module_mutex); 3162 mod = find_module_all(name, strlen(name), true); 3163 ret = !mod || mod->state == MODULE_STATE_LIVE 3164 || mod->state == MODULE_STATE_GOING; 3165 mutex_unlock(&module_mutex); 3166 3167 return ret; 3168 } 3169 3170 /* Must be called with module_mutex held */ 3171 static int module_patient_check_exists(const char *name, 3172 enum fail_dup_mod_reason reason) 3173 { 3174 struct module *old; 3175 int err = 0; 3176 3177 old = find_module_all(name, strlen(name), true); 3178 if (old == NULL) 3179 return 0; 3180 3181 if (old->state == MODULE_STATE_COMING || 3182 old->state == MODULE_STATE_UNFORMED) { 3183 /* Wait in case it fails to load. */ 3184 mutex_unlock(&module_mutex); 3185 err = wait_event_interruptible(module_wq, 3186 finished_loading(name)); 3187 mutex_lock(&module_mutex); 3188 if (err) 3189 return err; 3190 3191 /* The module might have gone in the meantime. */ 3192 old = find_module_all(name, strlen(name), true); 3193 } 3194 3195 if (try_add_failed_module(name, reason)) 3196 pr_warn("Could not add fail-tracking for module: %s\n", name); 3197 3198 /* 3199 * We are here only when the same module was being loaded. Do 3200 * not try to load it again right now. It prevents long delays 3201 * caused by serialized module load failures. It might happen 3202 * when more devices of the same type trigger load of 3203 * a particular module. 3204 */ 3205 if (old && old->state == MODULE_STATE_LIVE) 3206 return -EEXIST; 3207 return -EBUSY; 3208 } 3209 3210 /* 3211 * We try to place it in the list now to make sure it's unique before 3212 * we dedicate too many resources. In particular, temporary percpu 3213 * memory exhaustion. 3214 */ 3215 static int add_unformed_module(struct module *mod) 3216 { 3217 int err; 3218 3219 mod->state = MODULE_STATE_UNFORMED; 3220 3221 mutex_lock(&module_mutex); 3222 err = module_patient_check_exists(mod->name, FAIL_DUP_MOD_LOAD); 3223 if (err) 3224 goto out; 3225 3226 mod_update_bounds(mod); 3227 list_add_rcu(&mod->list, &modules); 3228 mod_tree_insert(mod); 3229 err = 0; 3230 3231 out: 3232 mutex_unlock(&module_mutex); 3233 return err; 3234 } 3235 3236 static int complete_formation(struct module *mod, struct load_info *info) 3237 { 3238 int err; 3239 3240 mutex_lock(&module_mutex); 3241 3242 /* Find duplicate symbols (must be called under lock). */ 3243 err = verify_exported_symbols(mod); 3244 if (err < 0) 3245 goto out; 3246 3247 /* These rely on module_mutex for list integrity. */ 3248 module_bug_finalize(info->hdr, info->sechdrs, mod); 3249 module_cfi_finalize(info->hdr, info->sechdrs, mod); 3250 3251 err = module_enable_rodata_ro(mod); 3252 if (err) 3253 goto out_strict_rwx; 3254 err = module_enable_data_nx(mod); 3255 if (err) 3256 goto out_strict_rwx; 3257 err = module_enable_text_rox(mod); 3258 if (err) 3259 goto out_strict_rwx; 3260 3261 /* 3262 * Mark state as coming so strong_try_module_get() ignores us, 3263 * but kallsyms etc. can see us. 3264 */ 3265 mod->state = MODULE_STATE_COMING; 3266 mutex_unlock(&module_mutex); 3267 3268 return 0; 3269 3270 out_strict_rwx: 3271 module_bug_cleanup(mod); 3272 out: 3273 mutex_unlock(&module_mutex); 3274 return err; 3275 } 3276 3277 static int prepare_coming_module(struct module *mod) 3278 { 3279 int err; 3280 3281 ftrace_module_enable(mod); 3282 err = klp_module_coming(mod); 3283 if (err) 3284 return err; 3285 3286 err = blocking_notifier_call_chain_robust(&module_notify_list, 3287 MODULE_STATE_COMING, MODULE_STATE_GOING, mod); 3288 err = notifier_to_errno(err); 3289 if (err) 3290 klp_module_going(mod); 3291 3292 return err; 3293 } 3294 3295 static int unknown_module_param_cb(char *param, char *val, const char *modname, 3296 void *arg) 3297 { 3298 struct module *mod = arg; 3299 int ret; 3300 3301 if (strcmp(param, "async_probe") == 0) { 3302 if (kstrtobool(val, &mod->async_probe_requested)) 3303 mod->async_probe_requested = true; 3304 return 0; 3305 } 3306 3307 /* Check for magic 'dyndbg' arg */ 3308 ret = ddebug_dyndbg_module_param_cb(param, val, modname); 3309 if (ret != 0) 3310 pr_warn("%s: unknown parameter '%s' ignored\n", modname, param); 3311 return 0; 3312 } 3313 3314 /* Module within temporary copy, this doesn't do any allocation */ 3315 static int early_mod_check(struct load_info *info, int flags) 3316 { 3317 int err; 3318 3319 /* 3320 * Now that we know we have the correct module name, check 3321 * if it's blacklisted. 3322 */ 3323 if (blacklisted(info->name)) { 3324 pr_err("Module %s is blacklisted\n", info->name); 3325 return -EPERM; 3326 } 3327 3328 err = rewrite_section_headers(info, flags); 3329 if (err) 3330 return err; 3331 3332 /* Check module struct version now, before we try to use module. */ 3333 if (!check_modstruct_version(info, info->mod)) 3334 return -ENOEXEC; 3335 3336 err = check_modinfo(info->mod, info, flags); 3337 if (err) 3338 return err; 3339 3340 mutex_lock(&module_mutex); 3341 err = module_patient_check_exists(info->mod->name, FAIL_DUP_MOD_BECOMING); 3342 mutex_unlock(&module_mutex); 3343 3344 return err; 3345 } 3346 3347 /* 3348 * Allocate and load the module: note that size of section 0 is always 3349 * zero, and we rely on this for optional sections. 3350 */ 3351 static int load_module(struct load_info *info, const char __user *uargs, 3352 int flags) 3353 { 3354 struct module *mod; 3355 bool module_allocated = false; 3356 long err = 0; 3357 char *after_dashes; 3358 3359 /* 3360 * Do the signature check (if any) first. All that 3361 * the signature check needs is info->len, it does 3362 * not need any of the section info. That can be 3363 * set up later. This will minimize the chances 3364 * of a corrupt module causing problems before 3365 * we even get to the signature check. 3366 * 3367 * The check will also adjust info->len by stripping 3368 * off the sig length at the end of the module, making 3369 * checks against info->len more correct. 3370 */ 3371 err = module_sig_check(info, flags); 3372 if (err) 3373 goto free_copy; 3374 3375 /* 3376 * Do basic sanity checks against the ELF header and 3377 * sections. Cache useful sections and set the 3378 * info->mod to the userspace passed struct module. 3379 */ 3380 err = elf_validity_cache_copy(info, flags); 3381 if (err) 3382 goto free_copy; 3383 3384 err = early_mod_check(info, flags); 3385 if (err) 3386 goto free_copy; 3387 3388 /* Figure out module layout, and allocate all the memory. */ 3389 mod = layout_and_allocate(info, flags); 3390 if (IS_ERR(mod)) { 3391 err = PTR_ERR(mod); 3392 goto free_copy; 3393 } 3394 3395 module_allocated = true; 3396 3397 audit_log_kern_module(info->name); 3398 3399 /* Reserve our place in the list. */ 3400 err = add_unformed_module(mod); 3401 if (err) 3402 goto free_module; 3403 3404 /* 3405 * We are tainting your kernel if your module gets into 3406 * the modules linked list somehow. 3407 */ 3408 module_augment_kernel_taints(mod, info); 3409 3410 /* To avoid stressing percpu allocator, do this once we're unique. */ 3411 err = percpu_modalloc(mod, info); 3412 if (err) 3413 goto unlink_mod; 3414 3415 /* Now module is in final location, initialize linked lists, etc. */ 3416 err = module_unload_init(mod); 3417 if (err) 3418 goto unlink_mod; 3419 3420 init_param_lock(mod); 3421 3422 /* 3423 * Now we've got everything in the final locations, we can 3424 * find optional sections. 3425 */ 3426 err = find_module_sections(mod, info); 3427 if (err) 3428 goto free_unload; 3429 3430 err = check_export_symbol_versions(mod); 3431 if (err) 3432 goto free_unload; 3433 3434 /* Set up MODINFO_ATTR fields */ 3435 err = setup_modinfo(mod, info); 3436 if (err) 3437 goto free_modinfo; 3438 3439 /* Fix up syms, so that st_value is a pointer to location. */ 3440 err = simplify_symbols(mod, info); 3441 if (err < 0) 3442 goto free_modinfo; 3443 3444 err = apply_relocations(mod, info); 3445 if (err < 0) 3446 goto free_modinfo; 3447 3448 err = post_relocation(mod, info); 3449 if (err < 0) 3450 goto free_modinfo; 3451 3452 flush_module_icache(mod); 3453 3454 /* Now copy in args */ 3455 mod->args = strndup_user(uargs, ~0UL >> 1); 3456 if (IS_ERR(mod->args)) { 3457 err = PTR_ERR(mod->args); 3458 goto free_arch_cleanup; 3459 } 3460 3461 init_build_id(mod, info); 3462 3463 /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */ 3464 ftrace_module_init(mod); 3465 3466 /* Finally it's fully formed, ready to start executing. */ 3467 err = complete_formation(mod, info); 3468 if (err) 3469 goto ddebug_cleanup; 3470 3471 err = prepare_coming_module(mod); 3472 if (err) 3473 goto bug_cleanup; 3474 3475 mod->async_probe_requested = async_probe; 3476 3477 /* Module is ready to execute: parsing args may do that. */ 3478 after_dashes = parse_args(mod->name, mod->args, mod->kp, mod->num_kp, 3479 -32768, 32767, mod, 3480 unknown_module_param_cb); 3481 if (IS_ERR(after_dashes)) { 3482 err = PTR_ERR(after_dashes); 3483 goto coming_cleanup; 3484 } else if (after_dashes) { 3485 pr_warn("%s: parameters '%s' after `--' ignored\n", 3486 mod->name, after_dashes); 3487 } 3488 3489 /* Link in to sysfs. */ 3490 err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp); 3491 if (err < 0) 3492 goto coming_cleanup; 3493 3494 if (is_livepatch_module(mod)) { 3495 err = copy_module_elf(mod, info); 3496 if (err < 0) 3497 goto sysfs_cleanup; 3498 } 3499 3500 if (codetag_load_module(mod)) 3501 goto sysfs_cleanup; 3502 3503 /* Get rid of temporary copy. */ 3504 free_copy(info, flags); 3505 3506 /* Done! */ 3507 trace_module_load(mod); 3508 3509 return do_init_module(mod); 3510 3511 sysfs_cleanup: 3512 mod_sysfs_teardown(mod); 3513 coming_cleanup: 3514 mod->state = MODULE_STATE_GOING; 3515 destroy_params(mod->kp, mod->num_kp); 3516 blocking_notifier_call_chain(&module_notify_list, 3517 MODULE_STATE_GOING, mod); 3518 klp_module_going(mod); 3519 bug_cleanup: 3520 mod->state = MODULE_STATE_GOING; 3521 /* module_bug_cleanup needs module_mutex protection */ 3522 mutex_lock(&module_mutex); 3523 module_bug_cleanup(mod); 3524 mutex_unlock(&module_mutex); 3525 3526 ddebug_cleanup: 3527 ftrace_release_mod(mod); 3528 synchronize_rcu(); 3529 kfree(mod->args); 3530 free_arch_cleanup: 3531 module_arch_cleanup(mod); 3532 free_modinfo: 3533 free_modinfo(mod); 3534 free_unload: 3535 module_unload_free(mod); 3536 unlink_mod: 3537 mutex_lock(&module_mutex); 3538 /* Unlink carefully: kallsyms could be walking list. */ 3539 list_del_rcu(&mod->list); 3540 mod_tree_remove(mod); 3541 wake_up_all(&module_wq); 3542 /* Wait for RCU-sched synchronizing before releasing mod->list. */ 3543 synchronize_rcu(); 3544 mutex_unlock(&module_mutex); 3545 free_module: 3546 mod_stat_bump_invalid(info, flags); 3547 /* Free lock-classes; relies on the preceding sync_rcu() */ 3548 for_class_mod_mem_type(type, core_data) { 3549 lockdep_free_key_range(mod->mem[type].base, 3550 mod->mem[type].size); 3551 } 3552 3553 module_memory_restore_rox(mod); 3554 module_deallocate(mod, info); 3555 free_copy: 3556 /* 3557 * The info->len is always set. We distinguish between 3558 * failures once the proper module was allocated and 3559 * before that. 3560 */ 3561 if (!module_allocated) { 3562 audit_log_kern_module(info->name ? info->name : "?"); 3563 mod_stat_bump_becoming(info, flags); 3564 } 3565 free_copy(info, flags); 3566 return err; 3567 } 3568 3569 SYSCALL_DEFINE3(init_module, void __user *, umod, 3570 unsigned long, len, const char __user *, uargs) 3571 { 3572 int err; 3573 struct load_info info = { }; 3574 3575 err = may_init_module(); 3576 if (err) 3577 return err; 3578 3579 pr_debug("init_module: umod=%p, len=%lu, uargs=%p\n", 3580 umod, len, uargs); 3581 3582 err = copy_module_from_user(umod, len, &info); 3583 if (err) { 3584 mod_stat_inc(&failed_kreads); 3585 mod_stat_add_long(len, &invalid_kread_bytes); 3586 return err; 3587 } 3588 3589 return load_module(&info, uargs, 0); 3590 } 3591 3592 struct idempotent { 3593 const void *cookie; 3594 struct hlist_node entry; 3595 struct completion complete; 3596 int ret; 3597 }; 3598 3599 #define IDEM_HASH_BITS 8 3600 static struct hlist_head idem_hash[1 << IDEM_HASH_BITS]; 3601 static DEFINE_SPINLOCK(idem_lock); 3602 3603 static bool idempotent(struct idempotent *u, const void *cookie) 3604 { 3605 int hash = hash_ptr(cookie, IDEM_HASH_BITS); 3606 struct hlist_head *head = idem_hash + hash; 3607 struct idempotent *existing; 3608 bool first; 3609 3610 u->ret = -EINTR; 3611 u->cookie = cookie; 3612 init_completion(&u->complete); 3613 3614 spin_lock(&idem_lock); 3615 first = true; 3616 hlist_for_each_entry(existing, head, entry) { 3617 if (existing->cookie != cookie) 3618 continue; 3619 first = false; 3620 break; 3621 } 3622 hlist_add_head(&u->entry, idem_hash + hash); 3623 spin_unlock(&idem_lock); 3624 3625 return !first; 3626 } 3627 3628 /* 3629 * We were the first one with 'cookie' on the list, and we ended 3630 * up completing the operation. We now need to walk the list, 3631 * remove everybody - which includes ourselves - fill in the return 3632 * value, and then complete the operation. 3633 */ 3634 static int idempotent_complete(struct idempotent *u, int ret) 3635 { 3636 const void *cookie = u->cookie; 3637 int hash = hash_ptr(cookie, IDEM_HASH_BITS); 3638 struct hlist_head *head = idem_hash + hash; 3639 struct hlist_node *next; 3640 struct idempotent *pos; 3641 3642 spin_lock(&idem_lock); 3643 hlist_for_each_entry_safe(pos, next, head, entry) { 3644 if (pos->cookie != cookie) 3645 continue; 3646 hlist_del_init(&pos->entry); 3647 pos->ret = ret; 3648 complete(&pos->complete); 3649 } 3650 spin_unlock(&idem_lock); 3651 return ret; 3652 } 3653 3654 /* 3655 * Wait for the idempotent worker. 3656 * 3657 * If we get interrupted, we need to remove ourselves from the 3658 * the idempotent list, and the completion may still come in. 3659 * 3660 * The 'idem_lock' protects against the race, and 'idem.ret' was 3661 * initialized to -EINTR and is thus always the right return 3662 * value even if the idempotent work then completes between 3663 * the wait_for_completion and the cleanup. 3664 */ 3665 static int idempotent_wait_for_completion(struct idempotent *u) 3666 { 3667 if (wait_for_completion_interruptible(&u->complete)) { 3668 spin_lock(&idem_lock); 3669 if (!hlist_unhashed(&u->entry)) 3670 hlist_del(&u->entry); 3671 spin_unlock(&idem_lock); 3672 } 3673 return u->ret; 3674 } 3675 3676 static int init_module_from_file(struct file *f, const char __user * uargs, int flags) 3677 { 3678 struct load_info info = { }; 3679 void *buf = NULL; 3680 int len; 3681 3682 len = kernel_read_file(f, 0, &buf, INT_MAX, NULL, READING_MODULE); 3683 if (len < 0) { 3684 mod_stat_inc(&failed_kreads); 3685 return len; 3686 } 3687 3688 if (flags & MODULE_INIT_COMPRESSED_FILE) { 3689 int err = module_decompress(&info, buf, len); 3690 vfree(buf); /* compressed data is no longer needed */ 3691 if (err) { 3692 mod_stat_inc(&failed_decompress); 3693 mod_stat_add_long(len, &invalid_decompress_bytes); 3694 return err; 3695 } 3696 } else { 3697 info.hdr = buf; 3698 info.len = len; 3699 } 3700 3701 return load_module(&info, uargs, flags); 3702 } 3703 3704 static int idempotent_init_module(struct file *f, const char __user * uargs, int flags) 3705 { 3706 struct idempotent idem; 3707 3708 if (!(f->f_mode & FMODE_READ)) 3709 return -EBADF; 3710 3711 /* Are we the winners of the race and get to do this? */ 3712 if (!idempotent(&idem, file_inode(f))) { 3713 int ret = init_module_from_file(f, uargs, flags); 3714 return idempotent_complete(&idem, ret); 3715 } 3716 3717 /* 3718 * Somebody else won the race and is loading the module. 3719 */ 3720 return idempotent_wait_for_completion(&idem); 3721 } 3722 3723 SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) 3724 { 3725 int err = may_init_module(); 3726 if (err) 3727 return err; 3728 3729 pr_debug("finit_module: fd=%d, uargs=%p, flags=%i\n", fd, uargs, flags); 3730 3731 if (flags & ~(MODULE_INIT_IGNORE_MODVERSIONS 3732 |MODULE_INIT_IGNORE_VERMAGIC 3733 |MODULE_INIT_COMPRESSED_FILE)) 3734 return -EINVAL; 3735 3736 CLASS(fd, f)(fd); 3737 if (fd_empty(f)) 3738 return -EBADF; 3739 return idempotent_init_module(fd_file(f), uargs, flags); 3740 } 3741 3742 /* Keep in sync with MODULE_FLAGS_BUF_SIZE !!! */ 3743 char *module_flags(struct module *mod, char *buf, bool show_state) 3744 { 3745 int bx = 0; 3746 3747 BUG_ON(mod->state == MODULE_STATE_UNFORMED); 3748 if (!mod->taints && !show_state) 3749 goto out; 3750 if (mod->taints || 3751 mod->state == MODULE_STATE_GOING || 3752 mod->state == MODULE_STATE_COMING) { 3753 buf[bx++] = '('; 3754 bx += module_flags_taint(mod->taints, buf + bx); 3755 /* Show a - for module-is-being-unloaded */ 3756 if (mod->state == MODULE_STATE_GOING && show_state) 3757 buf[bx++] = '-'; 3758 /* Show a + for module-is-being-loaded */ 3759 if (mod->state == MODULE_STATE_COMING && show_state) 3760 buf[bx++] = '+'; 3761 buf[bx++] = ')'; 3762 } 3763 out: 3764 buf[bx] = '\0'; 3765 3766 return buf; 3767 } 3768 3769 /* Given an address, look for it in the module exception tables. */ 3770 const struct exception_table_entry *search_module_extables(unsigned long addr) 3771 { 3772 struct module *mod; 3773 3774 guard(rcu)(); 3775 mod = __module_address(addr); 3776 if (!mod) 3777 return NULL; 3778 3779 if (!mod->num_exentries) 3780 return NULL; 3781 /* 3782 * The address passed here belongs to a module that is currently 3783 * invoked (we are running inside it). Therefore its module::refcnt 3784 * needs already be >0 to ensure that it is not removed at this stage. 3785 * All other user need to invoke this function within a RCU read 3786 * section. 3787 */ 3788 return search_extable(mod->extable, mod->num_exentries, addr); 3789 } 3790 3791 /** 3792 * is_module_address() - is this address inside a module? 3793 * @addr: the address to check. 3794 * 3795 * See is_module_text_address() if you simply want to see if the address 3796 * is code (not data). 3797 */ 3798 bool is_module_address(unsigned long addr) 3799 { 3800 guard(rcu)(); 3801 return __module_address(addr) != NULL; 3802 } 3803 3804 /** 3805 * __module_address() - get the module which contains an address. 3806 * @addr: the address. 3807 * 3808 * Must be called within RCU read section or module mutex held so that 3809 * module doesn't get freed during this. 3810 */ 3811 struct module *__module_address(unsigned long addr) 3812 { 3813 struct module *mod; 3814 3815 if (addr >= mod_tree.addr_min && addr <= mod_tree.addr_max) 3816 goto lookup; 3817 3818 #ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC 3819 if (addr >= mod_tree.data_addr_min && addr <= mod_tree.data_addr_max) 3820 goto lookup; 3821 #endif 3822 3823 return NULL; 3824 3825 lookup: 3826 mod = mod_find(addr, &mod_tree); 3827 if (mod) { 3828 BUG_ON(!within_module(addr, mod)); 3829 if (mod->state == MODULE_STATE_UNFORMED) 3830 mod = NULL; 3831 } 3832 return mod; 3833 } 3834 3835 /** 3836 * is_module_text_address() - is this address inside module code? 3837 * @addr: the address to check. 3838 * 3839 * See is_module_address() if you simply want to see if the address is 3840 * anywhere in a module. See kernel_text_address() for testing if an 3841 * address corresponds to kernel or module code. 3842 */ 3843 bool is_module_text_address(unsigned long addr) 3844 { 3845 guard(rcu)(); 3846 return __module_text_address(addr) != NULL; 3847 } 3848 3849 void module_for_each_mod(int(*func)(struct module *mod, void *data), void *data) 3850 { 3851 struct module *mod; 3852 3853 guard(rcu)(); 3854 list_for_each_entry_rcu(mod, &modules, list) { 3855 if (mod->state == MODULE_STATE_UNFORMED) 3856 continue; 3857 if (func(mod, data)) 3858 break; 3859 } 3860 } 3861 3862 /** 3863 * __module_text_address() - get the module whose code contains an address. 3864 * @addr: the address. 3865 * 3866 * Must be called within RCU read section or module mutex held so that 3867 * module doesn't get freed during this. 3868 */ 3869 struct module *__module_text_address(unsigned long addr) 3870 { 3871 struct module *mod = __module_address(addr); 3872 if (mod) { 3873 /* Make sure it's within the text section. */ 3874 if (!within_module_mem_type(addr, mod, MOD_TEXT) && 3875 !within_module_mem_type(addr, mod, MOD_INIT_TEXT)) 3876 mod = NULL; 3877 } 3878 return mod; 3879 } 3880 3881 /* Don't grab lock, we're oopsing. */ 3882 void print_modules(void) 3883 { 3884 struct module *mod; 3885 char buf[MODULE_FLAGS_BUF_SIZE]; 3886 3887 printk(KERN_DEFAULT "Modules linked in:"); 3888 /* Most callers should already have preempt disabled, but make sure */ 3889 guard(rcu)(); 3890 list_for_each_entry_rcu(mod, &modules, list) { 3891 if (mod->state == MODULE_STATE_UNFORMED) 3892 continue; 3893 pr_cont(" %s%s", mod->name, module_flags(mod, buf, true)); 3894 } 3895 3896 print_unloaded_tainted_modules(); 3897 if (last_unloaded_module.name[0]) 3898 pr_cont(" [last unloaded: %s%s]", last_unloaded_module.name, 3899 last_unloaded_module.taints); 3900 pr_cont("\n"); 3901 } 3902 3903 #ifdef CONFIG_MODULE_DEBUGFS 3904 struct dentry *mod_debugfs_root; 3905 3906 static int module_debugfs_init(void) 3907 { 3908 mod_debugfs_root = debugfs_create_dir("modules", NULL); 3909 return 0; 3910 } 3911 module_init(module_debugfs_init); 3912 #endif 3913