// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (C) 2002 Richard Henderson
 * Copyright (C) 2001 Rusty Russell, 2002, 2010 Rusty Russell IBM.
 * Copyright (C) 2023 Luis Chamberlain <mcgrof@kernel.org>
 */

#define INCLUDE_VERMAGIC

#include <linux/export.h>
#include <linux/extable.h>
#include <linux/moduleloader.h>
#include <linux/module_signature.h>
#include <linux/trace_events.h>
#include <linux/init.h>
#include <linux/kallsyms.h>
#include <linux/buildid.h>
#include <linux/fs.h>
#include <linux/kernel.h>
#include <linux/kernel_read_file.h>
#include <linux/kstrtox.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/elf.h>
#include <linux/seq_file.h>
#include <linux/syscalls.h>
#include <linux/fcntl.h>
#include <linux/rcupdate.h>
#include <linux/capability.h>
#include <linux/cpu.h>
#include <linux/moduleparam.h>
#include <linux/errno.h>
#include <linux/err.h>
#include <linux/vermagic.h>
#include <linux/notifier.h>
#include <linux/sched.h>
#include <linux/device.h>
#include <linux/string.h>
#include <linux/mutex.h>
#include <linux/rculist.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
#include <linux/set_memory.h>
#include <asm/mmu_context.h>
#include <linux/license.h>
#include <asm/sections.h>
#include <linux/tracepoint.h>
#include <linux/ftrace.h>
#include <linux/livepatch.h>
#include <linux/async.h>
#include <linux/percpu.h>
#include <linux/kmemleak.h>
#include <linux/jump_label.h>
#include <linux/pfn.h>
#include <linux/bsearch.h>
#include <linux/dynamic_debug.h>
#include <linux/audit.h>
#include <linux/cfi.h>
#include <linux/codetag.h>
#include <linux/debugfs.h>
#include <linux/execmem.h>
#include <uapi/linux/module.h>
#include "internal.h"

#define CREATE_TRACE_POINTS
#include <trace/events/module.h>

/*
 * Mutex protects:
 * 1) List of modules (also safely readable with preempt_disable),
 * 2) module_use links,
 * 3) mod_tree.addr_min/mod_tree.addr_max.
 * (delete and add uses RCU list operations).
 */
DEFINE_MUTEX(module_mutex);
LIST_HEAD(modules);

/* Work queue for freeing init sections in success case */
static void do_free_init(struct work_struct *w);
static DECLARE_WORK(init_free_wq, do_free_init);
static LLIST_HEAD(init_free_list);

struct mod_tree_root mod_tree __cacheline_aligned = {
	.addr_min = -1UL,
};

struct symsearch {
	const struct kernel_symbol *start, *stop;
	const s32 *crcs;
	enum mod_license license;
};

/*
 * Bounds of module memory, for speeding up __module_address.
 * Protected by module_mutex.
 */
static void __mod_update_bounds(enum mod_mem_type type __maybe_unused, void *base,
				unsigned int size, struct mod_tree_root *tree)
{
	unsigned long min = (unsigned long)base;
	unsigned long max = min + size;

#ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC
	if (mod_mem_type_is_core_data(type)) {
		if (min < tree->data_addr_min)
			tree->data_addr_min = min;
		if (max > tree->data_addr_max)
			tree->data_addr_max = max;
		return;
	}
#endif
	if (min < tree->addr_min)
		tree->addr_min = min;
	if (max > tree->addr_max)
		tree->addr_max = max;
}

static void mod_update_bounds(struct module *mod)
{
	for_each_mod_mem_type(type) {
		struct module_memory *mod_mem = &mod->mem[type];

		if (mod_mem->size)
			__mod_update_bounds(type, mod_mem->base, mod_mem->size, &mod_tree);
	}
}

/* Block module loading/unloading? */
int modules_disabled;
core_param(nomodule, modules_disabled, bint, 0);

/* Waiting for a module to finish initializing? */
static DECLARE_WAIT_QUEUE_HEAD(module_wq);

static BLOCKING_NOTIFIER_HEAD(module_notify_list);

int register_module_notifier(struct notifier_block *nb)
{
	return blocking_notifier_chain_register(&module_notify_list, nb);
}
EXPORT_SYMBOL(register_module_notifier);

int unregister_module_notifier(struct notifier_block *nb)
{
	return blocking_notifier_chain_unregister(&module_notify_list, nb);
}
EXPORT_SYMBOL(unregister_module_notifier);

/*
 * We require a truly strong try_module_get(): 0 means success.
 * Otherwise an error is returned due to ongoing or failed
 * initialization etc.
 */
static inline int strong_try_module_get(struct module *mod)
{
	BUG_ON(mod && mod->state == MODULE_STATE_UNFORMED);
	if (mod && mod->state == MODULE_STATE_COMING)
		return -EBUSY;
	if (try_module_get(mod))
		return 0;
	else
		return -ENOENT;
}

static inline void add_taint_module(struct module *mod, unsigned flag,
				    enum lockdep_ok lockdep_ok)
{
	add_taint(flag, lockdep_ok);
	set_bit(flag, &mod->taints);
}

/*
 * A thread that wants to hold a reference to a module only while it
 * is running can call this to safely exit.
 */
void __noreturn __module_put_and_kthread_exit(struct module *mod, long code)
{
	module_put(mod);
	kthread_exit(code);
}
EXPORT_SYMBOL(__module_put_and_kthread_exit);

/* Find a module section: 0 means not found. */
static unsigned int find_sec(const struct load_info *info, const char *name)
{
	unsigned int i;

	for (i = 1; i < info->hdr->e_shnum; i++) {
		Elf_Shdr *shdr = &info->sechdrs[i];

		/* Alloc bit cleared means "ignore it." */
		if ((shdr->sh_flags & SHF_ALLOC)
		    && strcmp(info->secstrings + shdr->sh_name, name) == 0)
			return i;
	}
	return 0;
}

/* Find a module section, or NULL. */
static void *section_addr(const struct load_info *info, const char *name)
{
	/* Section 0 has sh_addr 0. */
	return (void *)info->sechdrs[find_sec(info, name)].sh_addr;
}

/* Find a module section, or NULL. Fill in number of "objects" in section. */
static void *section_objs(const struct load_info *info,
			  const char *name,
			  size_t object_size,
			  unsigned int *num)
{
	unsigned int sec = find_sec(info, name);

	/* Section 0 has sh_addr 0 and sh_size 0. */
	*num = info->sechdrs[sec].sh_size / object_size;
	return (void *)info->sechdrs[sec].sh_addr;
}

/* Find a module section: 0 means not found. Ignores SHF_ALLOC flag. */
static unsigned int find_any_sec(const struct load_info *info, const char *name)
{
	unsigned int i;

	for (i = 1; i < info->hdr->e_shnum; i++) {
		Elf_Shdr *shdr = &info->sechdrs[i];

		if (strcmp(info->secstrings + shdr->sh_name, name) == 0)
			return i;
	}
	return 0;
}

/*
 * Find a module section, or NULL. Fill in number of "objects" in section.
 * Ignores SHF_ALLOC flag.
 */
static __maybe_unused void *any_section_objs(const struct load_info *info,
					     const char *name,
					     size_t object_size,
					     unsigned int *num)
{
	unsigned int sec = find_any_sec(info, name);

	/* Section 0 has sh_addr 0 and sh_size 0. */
	*num = info->sechdrs[sec].sh_size / object_size;
	return (void *)info->sechdrs[sec].sh_addr;
}

#ifndef CONFIG_MODVERSIONS
#define symversion(base, idx) NULL
#else
#define symversion(base, idx) ((base != NULL) ? ((base) + (idx)) : NULL)
#endif

static const char *kernel_symbol_name(const struct kernel_symbol *sym)
{
#ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS
	return offset_to_ptr(&sym->name_offset);
#else
	return sym->name;
#endif
}

static const char *kernel_symbol_namespace(const struct kernel_symbol *sym)
{
#ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS
	if (!sym->namespace_offset)
		return NULL;
	return offset_to_ptr(&sym->namespace_offset);
#else
	return sym->namespace;
#endif
}

int cmp_name(const void *name, const void *sym)
{
	return strcmp(name, kernel_symbol_name(sym));
}

static bool find_exported_symbol_in_section(const struct symsearch *syms,
					    struct module *owner,
					    struct find_symbol_arg *fsa)
{
	struct kernel_symbol *sym;

	if (!fsa->gplok && syms->license == GPL_ONLY)
		return false;

	sym = bsearch(fsa->name, syms->start, syms->stop - syms->start,
		      sizeof(struct kernel_symbol), cmp_name);
	if (!sym)
		return false;

	fsa->owner = owner;
	fsa->crc = symversion(syms->crcs, sym - syms->start);
	fsa->sym = sym;
	fsa->license = syms->license;

	return true;
}

/*
 * Find an exported symbol and return it, along with (optional) crc and
 * (optional) module which owns it. Needs preempt disabled or module_mutex.
 */
bool find_symbol(struct find_symbol_arg *fsa)
{
	static const struct symsearch arr[] = {
		{ __start___ksymtab, __stop___ksymtab, __start___kcrctab,
		  NOT_GPL_ONLY },
		{ __start___ksymtab_gpl, __stop___ksymtab_gpl,
		  __start___kcrctab_gpl,
		  GPL_ONLY },
	};
	struct module *mod;
	unsigned int i;

	module_assert_mutex_or_preempt();

	for (i = 0; i < ARRAY_SIZE(arr); i++)
		if (find_exported_symbol_in_section(&arr[i], NULL, fsa))
			return true;

	list_for_each_entry_rcu(mod, &modules, list,
				lockdep_is_held(&module_mutex)) {
		struct symsearch arr[] = {
			{ mod->syms, mod->syms + mod->num_syms, mod->crcs,
			  NOT_GPL_ONLY },
			{ mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
			  mod->gpl_crcs,
			  GPL_ONLY },
		};

		if (mod->state == MODULE_STATE_UNFORMED)
			continue;

		for (i = 0; i < ARRAY_SIZE(arr); i++)
			if (find_exported_symbol_in_section(&arr[i], mod, fsa))
				return true;
	}

	pr_debug("Failed to find symbol %s\n", fsa->name);
	return false;
}

/*
 * Search for module by name: must hold module_mutex (or preempt disabled
 * for read-only access).
 */
struct module *find_module_all(const char *name, size_t len,
			       bool even_unformed)
{
	struct module *mod;

	module_assert_mutex_or_preempt();

	list_for_each_entry_rcu(mod, &modules, list,
				lockdep_is_held(&module_mutex)) {
		if (!even_unformed && mod->state == MODULE_STATE_UNFORMED)
			continue;
		if (strlen(mod->name) == len && !memcmp(mod->name, name, len))
			return mod;
	}
	return NULL;
}

struct module *find_module(const char *name)
{
	return find_module_all(name, strlen(name), false);
}

#ifdef CONFIG_SMP

static inline void __percpu *mod_percpu(struct module *mod)
{
	return mod->percpu;
}

static int percpu_modalloc(struct module *mod, struct load_info *info)
{
	Elf_Shdr *pcpusec = &info->sechdrs[info->index.pcpu];
	unsigned long align = pcpusec->sh_addralign;

	if (!pcpusec->sh_size)
		return 0;

	if (align > PAGE_SIZE) {
		pr_warn("%s: per-cpu alignment %li > %li\n",
			mod->name, align, PAGE_SIZE);
		align = PAGE_SIZE;
	}

	mod->percpu = __alloc_reserved_percpu(pcpusec->sh_size, align);
	if (!mod->percpu) {
		pr_warn("%s: Could not allocate %lu bytes percpu data\n",
			mod->name, (unsigned long)pcpusec->sh_size);
		return -ENOMEM;
	}
	mod->percpu_size = pcpusec->sh_size;
	return 0;
}

static void percpu_modfree(struct module *mod)
{
	free_percpu(mod->percpu);
}

static unsigned int find_pcpusec(struct load_info *info)
{
	return find_sec(info, ".data..percpu");
}

static void percpu_modcopy(struct module *mod,
			   const void *from, unsigned long size)
{
	int cpu;

	for_each_possible_cpu(cpu)
		memcpy(per_cpu_ptr(mod->percpu, cpu), from, size);
}

bool __is_module_percpu_address(unsigned long addr, unsigned long *can_addr)
{
	struct module *mod;
	unsigned int cpu;

	preempt_disable();

	list_for_each_entry_rcu(mod, &modules, list) {
		if (mod->state == MODULE_STATE_UNFORMED)
			continue;
		if (!mod->percpu_size)
			continue;
		for_each_possible_cpu(cpu) {
			void *start = per_cpu_ptr(mod->percpu, cpu);
			void *va = (void *)addr;

			if (va >= start && va < start + mod->percpu_size) {
				if (can_addr) {
					*can_addr = (unsigned long) (va - start);
					*can_addr += (unsigned long)
						per_cpu_ptr(mod->percpu,
							    get_boot_cpu_id());
				}
				preempt_enable();
				return true;
			}
		}
	}

	preempt_enable();
	return false;
}

/**
 * is_module_percpu_address() - test whether address is from module static percpu
 * @addr: address to test
 *
 * Test whether @addr belongs to module static percpu area.
 *
 * Return: %true if @addr is from module static percpu area
 */
bool is_module_percpu_address(unsigned long addr)
{
	return __is_module_percpu_address(addr, NULL);
}

#else /* ... !CONFIG_SMP */

static inline void __percpu *mod_percpu(struct module *mod)
{
	return NULL;
}
static int percpu_modalloc(struct module *mod, struct load_info *info)
{
	/* UP modules shouldn't have this section: ENOMEM isn't quite right */
	if (info->sechdrs[info->index.pcpu].sh_size != 0)
		return -ENOMEM;
	return 0;
}
static inline void percpu_modfree(struct module *mod)
{
}
static unsigned int find_pcpusec(struct load_info *info)
{
	return 0;
}
static inline void percpu_modcopy(struct module *mod,
				  const void *from, unsigned long size)
{
	/* pcpusec should be 0, and size of that section should be 0. */
	BUG_ON(size != 0);
}
bool is_module_percpu_address(unsigned long addr)
{
	return false;
}

bool __is_module_percpu_address(unsigned long addr, unsigned long *can_addr)
{
	return false;
}

#endif /* CONFIG_SMP */

#define MODINFO_ATTR(field)	\
static void setup_modinfo_##field(struct module *mod, const char *s)  \
{                                                                     \
	mod->field = kstrdup(s, GFP_KERNEL);                          \
}                                                                     \
static ssize_t show_modinfo_##field(struct module_attribute *mattr,   \
			struct module_kobject *mk, char *buffer)      \
{                                                                     \
	return scnprintf(buffer, PAGE_SIZE, "%s\n", mk->mod->field);  \
}                                                                     \
static int modinfo_##field##_exists(struct module *mod)               \
{                                                                     \
	return mod->field != NULL;                                    \
}                                                                     \
static void free_modinfo_##field(struct module *mod)                  \
{                                                                     \
	kfree(mod->field);                                            \
	mod->field = NULL;                                            \
}                                                                     \
static struct module_attribute modinfo_##field = {                   \
	.attr = { .name = __stringify(field), .mode = 0444 },        \
	.show = show_modinfo_##field,                                 \
	.setup = setup_modinfo_##field,                               \
	.test = modinfo_##field##_exists,                             \
	.free = free_modinfo_##field,                                 \
};

MODINFO_ATTR(version);
MODINFO_ATTR(srcversion);

static struct {
	char name[MODULE_NAME_LEN + 1];
	char taints[MODULE_FLAGS_BUF_SIZE];
} last_unloaded_module;

#ifdef CONFIG_MODULE_UNLOAD

EXPORT_TRACEPOINT_SYMBOL(module_get);

/* MODULE_REF_BASE is the base reference count held by the module loader. */
#define MODULE_REF_BASE	1

/* Init the unload section of the module. */
static int module_unload_init(struct module *mod)
{
	/*
	 * Initialize reference counter to MODULE_REF_BASE.
	 * refcnt == 0 means module is going.
	 */
	atomic_set(&mod->refcnt, MODULE_REF_BASE);

	INIT_LIST_HEAD(&mod->source_list);
	INIT_LIST_HEAD(&mod->target_list);

	/* Hold reference count during initialization. */
	atomic_inc(&mod->refcnt);

	return 0;
}

/* Does a already use b? */
static int already_uses(struct module *a, struct module *b)
{
	struct module_use *use;

	list_for_each_entry(use, &b->source_list, source_list) {
		if (use->source == a)
			return 1;
	}
	pr_debug("%s does not use %s!\n", a->name, b->name);
	return 0;
}

/*
 * Module a uses b
 *  - we add 'a' as a "source", 'b' as a "target" of module use
 *  - the module_use is added to the list of 'b' sources (so
 *    'b' can walk the list to see who sourced them), and of 'a'
 *    targets (so 'a' can see what modules it targets).
 */
static int add_module_usage(struct module *a, struct module *b)
{
	struct module_use *use;

	pr_debug("Allocating new usage for %s.\n", a->name);
	use = kmalloc(sizeof(*use), GFP_ATOMIC);
	if (!use)
		return -ENOMEM;

	use->source = a;
	use->target = b;
	list_add(&use->source_list, &b->source_list);
	list_add(&use->target_list, &a->target_list);
	return 0;
}

/* Module a uses b: caller must hold module_mutex */
static int ref_module(struct module *a, struct module *b)
{
	int err;

	if (b == NULL || already_uses(a, b))
		return 0;

	/* If module isn't available, we fail. */
	err = strong_try_module_get(b);
	if (err)
		return err;

	err = add_module_usage(a, b);
	if (err) {
		module_put(b);
		return err;
	}
	return 0;
}

/* Clear the unload stuff of the module. */
static void module_unload_free(struct module *mod)
{
	struct module_use *use, *tmp;

	mutex_lock(&module_mutex);
	list_for_each_entry_safe(use, tmp, &mod->target_list, target_list) {
		struct module *i = use->target;

		pr_debug("%s unusing %s\n", mod->name, i->name);
		module_put(i);
		list_del(&use->source_list);
		list_del(&use->target_list);
		kfree(use);
	}
	mutex_unlock(&module_mutex);
}

#ifdef CONFIG_MODULE_FORCE_UNLOAD
static inline int try_force_unload(unsigned int flags)
{
	int ret = (flags & O_TRUNC);

	if (ret)
		add_taint(TAINT_FORCED_RMMOD, LOCKDEP_NOW_UNRELIABLE);
	return ret;
}
#else
static inline int try_force_unload(unsigned int flags)
{
	return 0;
}
#endif /* CONFIG_MODULE_FORCE_UNLOAD */

/* Try to release refcount of module, 0 means success. */
static int try_release_module_ref(struct module *mod)
{
	int ret;

	/* Try to decrement refcnt which we set at loading */
	ret = atomic_sub_return(MODULE_REF_BASE, &mod->refcnt);
	BUG_ON(ret < 0);
	if (ret)
		/* Someone can put this right now, recover with checking */
		ret = atomic_add_unless(&mod->refcnt, MODULE_REF_BASE, 0);

	return ret;
}

static int try_stop_module(struct module *mod, int flags, int *forced)
{
	/* If it's not unused, quit unless we're forcing. */
	if (try_release_module_ref(mod) != 0) {
		*forced = try_force_unload(flags);
		if (!(*forced))
			return -EWOULDBLOCK;
	}

	/* Mark it as dying. */
	mod->state = MODULE_STATE_GOING;

	return 0;
}

/**
 * module_refcount() - return the refcount or -1 if unloading
 * @mod:	the module we're checking
 *
 * Return:
 *	-1 if the module is in the process of unloading
 *	otherwise the number of references in the kernel to the module
 */
int module_refcount(struct module *mod)
{
	return atomic_read(&mod->refcnt) - MODULE_REF_BASE;
}
EXPORT_SYMBOL(module_refcount);

/* This exists whether we can unload or not */
static void free_module(struct module *mod);

SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
		unsigned int, flags)
{
	struct module *mod;
	char name[MODULE_NAME_LEN];
	char buf[MODULE_FLAGS_BUF_SIZE];
	int ret, forced = 0;

	if (!capable(CAP_SYS_MODULE) || modules_disabled)
		return -EPERM;

	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
		return -EFAULT;
	name[MODULE_NAME_LEN-1] = '\0';

	audit_log_kern_module(name);

	if (mutex_lock_interruptible(&module_mutex) != 0)
		return -EINTR;

	mod = find_module(name);
	if (!mod) {
		ret = -ENOENT;
		goto out;
	}

	if (!list_empty(&mod->source_list)) {
		/* Other modules depend on us: get rid of them first. */
		ret = -EWOULDBLOCK;
		goto out;
	}

	/* Doing init or already dying? */
	if (mod->state != MODULE_STATE_LIVE) {
		/* FIXME: if (force), slam module count damn the torpedoes */
		pr_debug("%s already dying\n", mod->name);
		ret = -EBUSY;
		goto out;
	}

	/* If it has an init func, it must have an exit func to unload */
	if (mod->init && !mod->exit) {
		forced = try_force_unload(flags);
		if (!forced) {
			/* This module can't be removed */
			ret = -EBUSY;
			goto out;
		}
	}

	ret = try_stop_module(mod, flags, &forced);
	if (ret != 0)
		goto out;

	mutex_unlock(&module_mutex);
	/* Final destruction, now that no one is using it. */
	if (mod->exit != NULL)
		mod->exit();
	blocking_notifier_call_chain(&module_notify_list,
				     MODULE_STATE_GOING, mod);
	klp_module_going(mod);
	ftrace_release_mod(mod);

	async_synchronize_full();

	/* Store the name and taints of the last unloaded module for diagnostic purposes */
	strscpy(last_unloaded_module.name, mod->name, sizeof(last_unloaded_module.name));
	strscpy(last_unloaded_module.taints, module_flags(mod, buf, false), sizeof(last_unloaded_module.taints));

	free_module(mod);
	/* someone could wait for the module in add_unformed_module() */
	wake_up_all(&module_wq);
	return 0;
out:
	mutex_unlock(&module_mutex);
	return ret;
}

void __symbol_put(const char *symbol)
{
	struct find_symbol_arg fsa = {
		.name	= symbol,
		.gplok	= true,
	};

	preempt_disable();
	BUG_ON(!find_symbol(&fsa));
	module_put(fsa.owner);
	preempt_enable();
}
EXPORT_SYMBOL(__symbol_put);

/* Note this assumes addr is a function, which it currently always is. */
void symbol_put_addr(void *addr)
{
	struct module *modaddr;
	unsigned long a = (unsigned long)dereference_function_descriptor(addr);

	if (core_kernel_text(a))
		return;

	/*
	 * Even though we hold a reference on the module; we still need to
	 * disable preemption in order to safely traverse the data structure.
	 */
	preempt_disable();
	modaddr = __module_text_address(a);
	BUG_ON(!modaddr);
	module_put(modaddr);
	preempt_enable();
}
EXPORT_SYMBOL_GPL(symbol_put_addr);

static ssize_t show_refcnt(struct module_attribute *mattr,
			   struct module_kobject *mk, char *buffer)
{
	return sprintf(buffer, "%i\n", module_refcount(mk->mod));
}

static struct module_attribute modinfo_refcnt =
	__ATTR(refcnt, 0444, show_refcnt, NULL);

void __module_get(struct module *module)
{
	if (module) {
		atomic_inc(&module->refcnt);
		trace_module_get(module, _RET_IP_);
	}
}
EXPORT_SYMBOL(__module_get);

bool try_module_get(struct module *module)
{
	bool ret = true;

	if (module) {
		/* Note: here, we can fail to get a reference */
		if (likely(module_is_live(module) &&
			   atomic_inc_not_zero(&module->refcnt) != 0))
			trace_module_get(module, _RET_IP_);
		else
			ret = false;
	}
	return ret;
}
EXPORT_SYMBOL(try_module_get);

void module_put(struct module *module)
{
	int ret;

	if (module) {
		ret = atomic_dec_if_positive(&module->refcnt);
		WARN_ON(ret < 0);	/* Failed to put refcount */
		trace_module_put(module, _RET_IP_);
	}
}
EXPORT_SYMBOL(module_put);

#else /* !CONFIG_MODULE_UNLOAD */
static inline void module_unload_free(struct module *mod)
{
}

static int ref_module(struct module *a, struct module *b)
{
	return strong_try_module_get(b);
}

static inline int module_unload_init(struct module *mod)
{
	return 0;
}
#endif /* CONFIG_MODULE_UNLOAD */

size_t module_flags_taint(unsigned long taints, char *buf)
{
	size_t l = 0;
	int i;

	for (i = 0; i < TAINT_FLAGS_COUNT; i++) {
		if (taint_flags[i].module && test_bit(i, &taints))
			buf[l++] = taint_flags[i].c_true;
	}

	return l;
}

static ssize_t show_initstate(struct module_attribute *mattr,
			      struct module_kobject *mk, char *buffer)
{
	const char *state = "unknown";

	switch (mk->mod->state) {
	case MODULE_STATE_LIVE:
		state = "live";
		break;
	case MODULE_STATE_COMING:
		state = "coming";
		break;
	case MODULE_STATE_GOING:
		state = "going";
		break;
	default:
		BUG();
	}
	return sprintf(buffer, "%s\n", state);
}

static struct module_attribute modinfo_initstate =
	__ATTR(initstate, 0444, show_initstate, NULL);

static ssize_t store_uevent(struct module_attribute *mattr,
			    struct module_kobject *mk,
			    const char *buffer, size_t count)
{
	int rc;

	rc = kobject_synth_uevent(&mk->kobj, buffer, count);
	return rc ? rc : count;
}

struct module_attribute module_uevent =
	__ATTR(uevent, 0200, NULL, store_uevent);

static ssize_t show_coresize(struct module_attribute *mattr,
			     struct module_kobject *mk, char *buffer)
{
	unsigned int size = mk->mod->mem[MOD_TEXT].size;

	if (!IS_ENABLED(CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC)) {
		for_class_mod_mem_type(type, core_data)
			size += mk->mod->mem[type].size;
	}
	return sprintf(buffer, "%u\n", size);
}

static struct module_attribute modinfo_coresize =
	__ATTR(coresize, 0444, show_coresize, NULL);

#ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC
static ssize_t show_datasize(struct module_attribute *mattr,
			     struct module_kobject *mk, char *buffer)
{
	unsigned int size = 0;

	for_class_mod_mem_type(type, core_data)
		size += mk->mod->mem[type].size;
	return sprintf(buffer, "%u\n", size);
}

static struct module_attribute modinfo_datasize =
	__ATTR(datasize, 0444, show_datasize, NULL);
#endif

static ssize_t show_initsize(struct module_attribute *mattr,
			     struct module_kobject *mk, char *buffer)
{
	unsigned int size = 0;

	for_class_mod_mem_type(type, init)
		size += mk->mod->mem[type].size;
	return sprintf(buffer, "%u\n", size);
}

static struct module_attribute modinfo_initsize =
	__ATTR(initsize, 0444, show_initsize, NULL);

static ssize_t show_taint(struct module_attribute *mattr,
			  struct module_kobject *mk, char *buffer)
{
	size_t l;

	l = module_flags_taint(mk->mod->taints, buffer);
	buffer[l++] = '\n';
	return l;
}

static struct module_attribute modinfo_taint =
	__ATTR(taint, 0444, show_taint, NULL);

struct module_attribute *modinfo_attrs[] = {
	&module_uevent,
	&modinfo_version,
	&modinfo_srcversion,
	&modinfo_initstate,
	&modinfo_coresize,
#ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC
	&modinfo_datasize,
#endif
	&modinfo_initsize,
	&modinfo_taint,
#ifdef CONFIG_MODULE_UNLOAD
	&modinfo_refcnt,
#endif
	NULL,
};

size_t modinfo_attrs_count = ARRAY_SIZE(modinfo_attrs);

static const char vermagic[] = VERMAGIC_STRING;

int try_to_force_load(struct module *mod, const char *reason)
{
#ifdef CONFIG_MODULE_FORCE_LOAD
	if (!test_taint(TAINT_FORCED_MODULE))
		pr_warn("%s: %s: kernel tainted.\n", mod->name, reason);
	add_taint_module(mod, TAINT_FORCED_MODULE, LOCKDEP_NOW_UNRELIABLE);
	return 0;
#else
	return -ENOEXEC;
#endif
}

/* Parse tag=value strings from .modinfo section */
char *module_next_tag_pair(char *string, unsigned long *secsize)
{
	/* Skip non-zero chars */
	while (string[0]) {
		string++;
		if ((*secsize)-- <= 1)
			return NULL;
	}

	/* Skip any zero padding. */
	while (!string[0]) {
		string++;
		if ((*secsize)-- <= 1)
			return NULL;
	}
	return string;
}

static char *get_next_modinfo(const struct load_info *info, const char *tag,
			      char *prev)
{
	char *p;
	unsigned int taglen = strlen(tag);
	Elf_Shdr *infosec = &info->sechdrs[info->index.info];
	unsigned long size = infosec->sh_size;

	/*
	 * get_modinfo() calls made before rewrite_section_headers()
	 * must use sh_offset, as sh_addr isn't set!
	 */
	char *modinfo = (char *)info->hdr + infosec->sh_offset;

	if (prev) {
		size -= prev - modinfo;
		modinfo = module_next_tag_pair(prev, &size);
	}

	for (p = modinfo; p; p = module_next_tag_pair(p, &size)) {
		if (strncmp(p, tag, taglen) == 0 && p[taglen] == '=')
			return p + taglen + 1;
	}
	return NULL;
}

static char *get_modinfo(const struct load_info *info, const char *tag)
{
	return get_next_modinfo(info, tag, NULL);
}

static int verify_namespace_is_imported(const struct load_info *info,
					const struct kernel_symbol *sym,
					struct module *mod)
{
	const char *namespace;
	char *imported_namespace;

	namespace = kernel_symbol_namespace(sym);
	if (namespace && namespace[0]) {
		for_each_modinfo_entry(imported_namespace, info, "import_ns") {
			if (strcmp(namespace, imported_namespace) == 0)
				return 0;
		}
#ifdef CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
		pr_warn(
#else
		pr_err(
#endif
			"%s: module uses symbol (%s) from namespace %s, but does not import it.\n",
			mod->name, kernel_symbol_name(sym), namespace);
#ifndef CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
		return -EINVAL;
#endif
	}
	return 0;
}

static bool inherit_taint(struct module *mod, struct module *owner, const char *name)
{
	if (!owner || !test_bit(TAINT_PROPRIETARY_MODULE, &owner->taints))
		return true;

	if (mod->using_gplonly_symbols) {
		pr_err("%s: module using GPL-only symbols uses symbols %s from proprietary module %s.\n",
			mod->name, name, owner->name);
		return false;
	}

	if (!test_bit(TAINT_PROPRIETARY_MODULE, &mod->taints)) {
		pr_warn("%s: module uses symbols %s from proprietary module %s, inheriting taint.\n",
			mod->name, name, owner->name);
		set_bit(TAINT_PROPRIETARY_MODULE, &mod->taints);
	}
	return true;
}

/* Resolve a symbol for this module. I.e. if we find one, record usage. */
static const struct kernel_symbol *resolve_symbol(struct module *mod,
						  const struct load_info *info,
						  const char *name,
						  char ownername[])
{
	struct find_symbol_arg fsa = {
		.name	= name,
		.gplok	= !(mod->taints & (1 << TAINT_PROPRIETARY_MODULE)),
		.warn	= true,
	};
	int err;

	/*
	 * The module_mutex should not be a heavily contended lock;
	 * if we get the occasional sleep here, we'll go an extra iteration
	 * in the wait_event_interruptible(), which is harmless.
	 */
	sched_annotate_sleep();
	mutex_lock(&module_mutex);
	if (!find_symbol(&fsa))
		goto unlock;

	if (fsa.license == GPL_ONLY)
		mod->using_gplonly_symbols = true;

	if (!inherit_taint(mod, fsa.owner, name)) {
		fsa.sym = NULL;
		goto getname;
	}

	if (!check_version(info, name, mod, fsa.crc)) {
		fsa.sym = ERR_PTR(-EINVAL);
		goto getname;
	}

	err = verify_namespace_is_imported(info, fsa.sym, mod);
	if (err) {
		fsa.sym = ERR_PTR(err);
		goto getname;
	}

	err = ref_module(mod, fsa.owner);
	if (err) {
		fsa.sym = ERR_PTR(err);
		goto getname;
	}

getname:
	/* We must make copy under the lock if we failed to get ref. */
	strncpy(ownername, module_name(fsa.owner), MODULE_NAME_LEN);
unlock:
	mutex_unlock(&module_mutex);
	return fsa.sym;
}

static const struct kernel_symbol *
resolve_symbol_wait(struct module *mod,
		    const struct load_info *info,
		    const char *name)
{
	const struct kernel_symbol *ksym;
	char owner[MODULE_NAME_LEN];

	if (wait_event_interruptible_timeout(module_wq,
			!IS_ERR(ksym = resolve_symbol(mod, info, name, owner))
			|| PTR_ERR(ksym) != -EBUSY,
					     30 * HZ) <= 0) {
		pr_warn("%s: gave up waiting for init of module %s.\n",
			mod->name, owner);
	}
	return ksym;
}

void __weak module_arch_cleanup(struct module *mod)
{
}

void __weak module_arch_freeing_init(struct module *mod)
{
}

void *__module_writable_address(struct module *mod, void *loc)
{
	for_class_mod_mem_type(type, text) {
		struct module_memory *mem = &mod->mem[type];

		if (loc >= mem->base && loc < mem->base + mem->size)
			return loc + (mem->rw_copy - mem->base);
	}

	return loc;
}

static int module_memory_alloc(struct module *mod, enum mod_mem_type type)
{
	unsigned int size = PAGE_ALIGN(mod->mem[type].size);
	enum execmem_type execmem_type;
	void *ptr;

	mod->mem[type].size = size;

	if (mod_mem_type_is_data(type))
		execmem_type = EXECMEM_MODULE_DATA;
	else
		execmem_type = EXECMEM_MODULE_TEXT;

	ptr = execmem_alloc(execmem_type, size);
	if (!ptr)
		return -ENOMEM;

	mod->mem[type].base = ptr;

	if (execmem_is_rox(execmem_type)) {
		ptr = vzalloc(size);

		if (!ptr) {
			execmem_free(mod->mem[type].base);
			return -ENOMEM;
		}

		mod->mem[type].rw_copy = ptr;
		mod->mem[type].is_rox = true;
	} else {
		mod->mem[type].rw_copy = mod->mem[type].base;
		memset(mod->mem[type].base, 0, size);
	}

	/*
	 * The pointers to these blocks of memory are stored on the module
	 * structure and we keep that around so long as the module is
	 * around. We only free that memory when we unload the module.
	 * Just mark them as not being a leak then. The .init* ELF
	 * sections *do* get freed after boot so we *could* treat them
	 * slightly differently with kmemleak_ignore() and only grey
	 * them out as they work as typical memory allocations which
	 * *do* eventually get freed, but let's just keep things simple
	 * and avoid *any* false positives.
	 */
	kmemleak_not_leak(ptr);

	return 0;
}

static void module_memory_free(struct module *mod, enum mod_mem_type type)
{
	struct module_memory *mem = &mod->mem[type];

	if (mem->is_rox)
		vfree(mem->rw_copy);

	execmem_free(mem->base);
}

static void free_mod_mem(struct module *mod)
{
	for_each_mod_mem_type(type) {
		struct module_memory *mod_mem = &mod->mem[type];

		if (type == MOD_DATA)
			continue;

		/* Free lock-classes; relies on the preceding sync_rcu(). */
		lockdep_free_key_range(mod_mem->base, mod_mem->size);
		if (mod_mem->size)
			module_memory_free(mod, type);
	}

	/* MOD_DATA hosts mod, so free it at last */
	lockdep_free_key_range(mod->mem[MOD_DATA].base, mod->mem[MOD_DATA].size);
	module_memory_free(mod, MOD_DATA);
}

/* Free a module, remove from lists, etc. */
static void free_module(struct module *mod)
{
	trace_module_free(mod);

	codetag_unload_module(mod);

	mod_sysfs_teardown(mod);

	/*
	 * We leave it in list to prevent duplicate loads, but make sure
	 * that no one uses it while it's being deconstructed.
	 */
	mutex_lock(&module_mutex);
	mod->state = MODULE_STATE_UNFORMED;
	mutex_unlock(&module_mutex);

	/* Arch-specific cleanup. */
	module_arch_cleanup(mod);

	/* Module unload stuff */
	module_unload_free(mod);

	/* Free any allocated parameters. */
	destroy_params(mod->kp, mod->num_kp);

	if (is_livepatch_module(mod))
		free_module_elf(mod);

	/* Now we can delete it from the lists */
	mutex_lock(&module_mutex);
	/* Unlink carefully: kallsyms could be walking list. */
	list_del_rcu(&mod->list);
	mod_tree_remove(mod);
	/* Remove this module from bug list, this uses list_del_rcu */
	module_bug_cleanup(mod);
	/* Wait for RCU-sched synchronizing before releasing mod->list and buglist. */
	synchronize_rcu();
	if (try_add_tainted_module(mod))
		pr_err("%s: adding tainted module to the unloaded tainted modules list failed.\n",
		       mod->name);
	mutex_unlock(&module_mutex);

	/* This may be empty, but that's OK */
	module_arch_freeing_init(mod);
	kfree(mod->args);
	percpu_modfree(mod);

	free_mod_mem(mod);
}

void *__symbol_get(const char *symbol)
{
	struct find_symbol_arg fsa = {
		.name	= symbol,
		.gplok	= true,
		.warn	= true,
	};

	preempt_disable();
	if (!find_symbol(&fsa))
		goto fail;
	if (fsa.license != GPL_ONLY) {
		pr_warn("failing symbol_get of non-GPLONLY symbol %s.\n",
			symbol);
		goto fail;
	}
	if (strong_try_module_get(fsa.owner))
		goto fail;
	preempt_enable();
	return (void *)kernel_symbol_value(fsa.sym);
fail:
	preempt_enable();
	return NULL;
}
EXPORT_SYMBOL_GPL(__symbol_get);

/*
 * Ensure that an exported symbol [global namespace] does not already exist
 * in the kernel or in some other module's exported symbol table.
 *
 * You must hold the module_mutex.
 */
static int verify_exported_symbols(struct module *mod)
{
	unsigned int i;
	const struct kernel_symbol *s;
	struct {
		const struct kernel_symbol *sym;
		unsigned int num;
	} arr[] = {
		{ mod->syms, mod->num_syms },
		{ mod->gpl_syms, mod->num_gpl_syms },
	};

	for (i = 0; i < ARRAY_SIZE(arr); i++) {
		for (s = arr[i].sym; s < arr[i].sym + arr[i].num; s++) {
			struct find_symbol_arg fsa = {
				.name	= kernel_symbol_name(s),
				.gplok	= true,
			};
			if (find_symbol(&fsa)) {
				pr_err("%s: exports duplicate symbol %s"
				       " (owned by %s)\n",
				       mod->name, kernel_symbol_name(s),
				       module_name(fsa.owner));
				return -ENOEXEC;
			}
		}
	}
	return 0;
}

static bool ignore_undef_symbol(Elf_Half emachine, const char *name)
{
	/*
	 * On x86, PIC code and Clang non-PIC code may have call foo@PLT. GNU as
	 * before 2.37 produces an unreferenced _GLOBAL_OFFSET_TABLE_ on x86-64.
	 * i386 has a similar problem but may not deserve a fix.
	 *
	 * If we ever have to ignore many symbols, consider refactoring the code to
	 * only warn if referenced by a relocation.
	 */
	if (emachine == EM_386 || emachine == EM_X86_64)
		return !strcmp(name, "_GLOBAL_OFFSET_TABLE_");
	return false;
}

/* Change all symbols so that st_value encodes the pointer directly. */
static int simplify_symbols(struct module *mod, const struct load_info *info)
{
	Elf_Shdr *symsec = &info->sechdrs[info->index.sym];
	Elf_Sym *sym = (void *)symsec->sh_addr;
	unsigned long secbase;
	unsigned int i;
	int ret = 0;
	const struct kernel_symbol *ksym;

	for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
		const char *name = info->strtab + sym[i].st_name;

		switch (sym[i].st_shndx) {
		case SHN_COMMON:
			/* Ignore common symbols */
			if (!strncmp(name, "__gnu_lto", 9))
				break;

			/*
			 * We compiled with -fno-common. These are not
			 * supposed to happen.
			 */
			pr_debug("Common symbol: %s\n", name);
			pr_warn("%s: please compile with -fno-common\n",
				mod->name);
			ret = -ENOEXEC;
			break;

		case SHN_ABS:
			/* Don't need to do anything */
			pr_debug("Absolute symbol: 0x%08lx %s\n",
				 (long)sym[i].st_value, name);
			break;

		case SHN_LIVEPATCH:
			/* Livepatch symbols are resolved by livepatch */
			break;

		case SHN_UNDEF:
			ksym = resolve_symbol_wait(mod, info, name);
			/* Ok if resolved. */
			if (ksym && !IS_ERR(ksym)) {
				sym[i].st_value = kernel_symbol_value(ksym);
				break;
			}

			/* Ok if weak or ignored. */
			if (!ksym &&
			    (ELF_ST_BIND(sym[i].st_info) == STB_WEAK ||
			     ignore_undef_symbol(info->hdr->e_machine, name)))
				break;

			ret = PTR_ERR(ksym) ?: -ENOENT;
			pr_warn("%s: Unknown symbol %s (err %d)\n",
				mod->name, name, ret);
			break;

		default:
			/* Divert to percpu allocation if a percpu var. */
			if (sym[i].st_shndx == info->index.pcpu)
				secbase = (unsigned long)mod_percpu(mod);
			else
				secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
			sym[i].st_value += secbase;
			break;
		}
	}

	return ret;
}

static int apply_relocations(struct module *mod, const struct load_info *info)
{
	unsigned int i;
	int err = 0;

	/* Now do relocations. */
	for (i = 1; i < info->hdr->e_shnum; i++) {
		unsigned int infosec = info->sechdrs[i].sh_info;

		/* Not a valid relocation section? */
		if (infosec >= info->hdr->e_shnum)
			continue;

		/* Don't bother with non-allocated sections */
		if (!(info->sechdrs[infosec].sh_flags & SHF_ALLOC))
			continue;

		if (info->sechdrs[i].sh_flags & SHF_RELA_LIVEPATCH)
			err = klp_apply_section_relocs(mod, info->sechdrs,
						       info->secstrings,
						       info->strtab,
						       info->index.sym, i,
						       NULL);
		else if (info->sechdrs[i].sh_type == SHT_REL)
			err = apply_relocate(info->sechdrs, info->strtab,
					     info->index.sym, i, mod);
		else if (info->sechdrs[i].sh_type == SHT_RELA)
			err = apply_relocate_add(info->sechdrs, info->strtab,
						 info->index.sym, i, mod);
		if (err < 0)
			break;
	}
	return err;
}

/* Additional bytes needed by arch in front of individual sections */
unsigned int __weak arch_mod_section_prepend(struct module *mod,
					     unsigned int section)
{
	/* default implementation just returns zero */
	return 0;
}

long module_get_offset_and_type(struct module *mod, enum mod_mem_type type,
				Elf_Shdr *sechdr, unsigned int section)
{
	long offset;
	long mask = ((unsigned long)(type) & SH_ENTSIZE_TYPE_MASK) << SH_ENTSIZE_TYPE_SHIFT;

	mod->mem[type].size += arch_mod_section_prepend(mod, section);
	offset = ALIGN(mod->mem[type].size, sechdr->sh_addralign ?: 1);
	mod->mem[type].size = offset + sechdr->sh_size;

	WARN_ON_ONCE(offset & mask);
	return offset | mask;
}

bool module_init_layout_section(const char *sname)
{
#ifndef CONFIG_MODULE_UNLOAD
	if (module_exit_section(sname))
		return true;
#endif
	return module_init_section(sname);
}

static void __layout_sections(struct module *mod, struct load_info *info, bool is_init)
{
	unsigned int m, i;

	static const unsigned long masks[][2] = {
		/*
		 * NOTE: all executable code must be the first section
		 * in this array; otherwise modify the text_size
		 * finder in the two loops below
		 */
		{ SHF_EXECINSTR | SHF_ALLOC, ARCH_SHF_SMALL },
		{ SHF_ALLOC, SHF_WRITE | ARCH_SHF_SMALL },
		{ SHF_RO_AFTER_INIT | SHF_ALLOC, ARCH_SHF_SMALL },
		{ SHF_WRITE | SHF_ALLOC, ARCH_SHF_SMALL },
		{ ARCH_SHF_SMALL | SHF_ALLOC, 0 }
	};
	static const int core_m_to_mem_type[] = {
		MOD_TEXT,
		MOD_RODATA,
		MOD_RO_AFTER_INIT,
		MOD_DATA,
		MOD_DATA,
	};
	static const int init_m_to_mem_type[] = {
		MOD_INIT_TEXT,
		MOD_INIT_RODATA,
		MOD_INVALID,
		MOD_INIT_DATA,
		MOD_INIT_DATA,
	};

	for (m = 0; m < ARRAY_SIZE(masks); ++m) {
		enum mod_mem_type type = is_init ? init_m_to_mem_type[m] : core_m_to_mem_type[m];

		for (i = 0; i < info->hdr->e_shnum; ++i) {
			Elf_Shdr *s = &info->sechdrs[i];
			const char *sname = info->secstrings + s->sh_name;

			if ((s->sh_flags & masks[m][0]) != masks[m][0]
			    || (s->sh_flags & masks[m][1])
			    || s->sh_entsize != ~0UL
			    || is_init != module_init_layout_section(sname))
				continue;

			if (WARN_ON_ONCE(type == MOD_INVALID))
				continue;

			/*
			 * Do not allocate codetag memory as we load it into
			 * preallocated contiguous memory.
			 */
			if (codetag_needs_module_section(mod, sname, s->sh_size)) {
				/*
				 * s->sh_entsize won't be used but populate the
				 * type field to avoid confusion.
				 */
				s->sh_entsize = ((unsigned long)(type) & SH_ENTSIZE_TYPE_MASK)
						<< SH_ENTSIZE_TYPE_SHIFT;
				continue;
			}

			s->sh_entsize = module_get_offset_and_type(mod, type, s, i);
			pr_debug("\t%s\n", sname);
		}
	}
}

/*
 * Lay out the SHF_ALLOC sections in a way not dissimilar to how ld
 * might -- code, read-only data, read-write data, small data. Tally
 * sizes, and place the offsets into sh_entsize fields: high bit means it
 * belongs in init.
 */
static void layout_sections(struct module *mod, struct load_info *info)
{
	unsigned int i;

	for (i = 0; i < info->hdr->e_shnum; i++)
		info->sechdrs[i].sh_entsize = ~0UL;

	pr_debug("Core section allocation order for %s:\n", mod->name);
	__layout_sections(mod, info, false);

	pr_debug("Init section allocation order for %s:\n", mod->name);
	__layout_sections(mod, info, true);
}

static void module_license_taint_check(struct module *mod, const char *license)
{
	if (!license)
		license = "unspecified";

	if (!license_is_gpl_compatible(license)) {
		if (!test_taint(TAINT_PROPRIETARY_MODULE))
			pr_warn("%s: module license '%s' taints kernel.\n",
				mod->name, license);
		add_taint_module(mod, TAINT_PROPRIETARY_MODULE,
				 LOCKDEP_NOW_UNRELIABLE);
	}
}

static void setup_modinfo(struct module *mod, struct load_info *info)
{
	struct module_attribute *attr;
	int i;

	for (i = 0; (attr = modinfo_attrs[i]); i++) {
		if (attr->setup)
			attr->setup(mod, get_modinfo(info, attr->attr.name));
	}
}

static void free_modinfo(struct module *mod)
{
	struct module_attribute *attr;
	int i;

	for (i = 0; (attr = modinfo_attrs[i]); i++) {
		if (attr->free)
			attr->free(mod);
	}
}

bool __weak module_init_section(const char *name)
{
	return strstarts(name, ".init");
}

bool __weak module_exit_section(const char *name)
{
	return strstarts(name, ".exit");
}

static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr)
{
#if defined(CONFIG_64BIT)
	unsigned long long secend;
#else
	unsigned long secend;
#endif

	/*
	 * Check for both overflow and offset/size being
	 * too large.
	 */
	secend = shdr->sh_offset + shdr->sh_size;
	if (secend < shdr->sh_offset || secend > info->len)
		return -ENOEXEC;

	return 0;
}

/*
 * Check userspace passed ELF module against our expectations, and cache
 * useful variables for further processing as we go.
 *
 * This does basic validity checks against section offsets and sizes, the
 * section name string table, and the indices used for it (sh_name).
 *
 * As a last step, since we're already checking the ELF sections we cache
 * useful variables which will be used later for our convenience:
 *
 *	o pointers to section headers
 *	o cache the modinfo symbol section
 *	o cache the string symbol section
 *	o cache the module section
 *
 * As a last step we set info->mod to the temporary copy of the module in
 * info->hdr. The final one will be allocated in move_module(). Any
 * modifications we make to our copy of the module will be carried over
 * to the final minted module.
 */
static int elf_validity_cache_copy(struct load_info *info, int flags)
{
	unsigned int i;
	Elf_Shdr *shdr, *strhdr;
	int err;
	unsigned int num_mod_secs = 0, mod_idx;
	unsigned int num_info_secs = 0, info_idx;
	unsigned int num_sym_secs = 0, sym_idx;

	if (info->len < sizeof(*(info->hdr))) {
		pr_err("Invalid ELF header len %lu\n", info->len);
		goto no_exec;
	}

	if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) != 0) {
		pr_err("Invalid ELF header magic: != %s\n", ELFMAG);
		goto no_exec;
	}
	if (info->hdr->e_type != ET_REL) {
		pr_err("Invalid ELF header type: %u != %u\n",
		       info->hdr->e_type, ET_REL);
		goto no_exec;
	}
	if (!elf_check_arch(info->hdr)) {
		pr_err("Invalid architecture in ELF header: %u\n",
		       info->hdr->e_machine);
		goto no_exec;
	}
	if (!module_elf_check_arch(info->hdr)) {
		pr_err("Invalid module architecture in ELF header: %u\n",
		       info->hdr->e_machine);
		goto no_exec;
	}
	if (info->hdr->e_shentsize != sizeof(Elf_Shdr)) {
		pr_err("Invalid ELF section header size\n");
		goto no_exec;
	}

	/*
	 * e_shnum is 16 bits, and sizeof(Elf_Shdr) is
	 * known and small. So e_shnum * sizeof(Elf_Shdr)
	 * will not overflow unsigned long on any platform.
	 */
	if (info->hdr->e_shoff >= info->len
	    || (info->hdr->e_shnum * sizeof(Elf_Shdr) >
		info->len - info->hdr->e_shoff)) {
		pr_err("Invalid ELF section header overflow\n");
		goto no_exec;
	}

	info->sechdrs = (void *)info->hdr + info->hdr->e_shoff;

	/*
	 * Verify if the section name table index is valid.
	 */
	if (info->hdr->e_shstrndx == SHN_UNDEF
	    || info->hdr->e_shstrndx >= info->hdr->e_shnum) {
		pr_err("Invalid ELF section name index: %d || e_shstrndx (%d) >= e_shnum (%d)\n",
		       info->hdr->e_shstrndx, info->hdr->e_shstrndx,
		       info->hdr->e_shnum);
		goto no_exec;
	}

	strhdr = &info->sechdrs[info->hdr->e_shstrndx];
	err = validate_section_offset(info, strhdr);
	if (err < 0) {
		pr_err("Invalid ELF section hdr(type %u)\n", strhdr->sh_type);
		return err;
	}

	/*
	 * The section name table must be NUL-terminated, as required
	 * by the spec. This makes strcmp and pr_* calls that access
	 * strings in the section safe.
	 */
	info->secstrings = (void *)info->hdr + strhdr->sh_offset;
	if (strhdr->sh_size == 0) {
		pr_err("empty section name table\n");
		goto no_exec;
	}
	if (info->secstrings[strhdr->sh_size - 1] != '\0') {
		pr_err("ELF Spec violation: section name table isn't null terminated\n");
		goto no_exec;
	}

	/*
	 * The code assumes that section 0 has a length of zero and
	 * an addr of zero, so check for it.
	 */
	if (info->sechdrs[0].sh_type != SHT_NULL
	    || info->sechdrs[0].sh_size != 0
	    || info->sechdrs[0].sh_addr != 0) {
		pr_err("ELF Spec violation: section 0 type(%d)!=SH_NULL or non-zero len or addr\n",
		       info->sechdrs[0].sh_type);
		goto no_exec;
	}

	for (i = 1; i < info->hdr->e_shnum; i++) {
		shdr = &info->sechdrs[i];
		switch (shdr->sh_type) {
		case SHT_NULL:
		case SHT_NOBITS:
			continue;
		case SHT_SYMTAB:
			if (shdr->sh_link == SHN_UNDEF
			    || shdr->sh_link >= info->hdr->e_shnum) {
				pr_err("Invalid ELF sh_link!=SHN_UNDEF(%d) or (sh_link(%d) >= hdr->e_shnum(%d)\n",
				       shdr->sh_link, shdr->sh_link,
				       info->hdr->e_shnum);
				goto no_exec;
			}
			num_sym_secs++;
			sym_idx = i;
			fallthrough;
		default:
			err = validate_section_offset(info, shdr);
			if (err < 0) {
				pr_err("Invalid ELF section in module (section %u type %u)\n",
				       i, shdr->sh_type);
				return err;
			}
			if (strcmp(info->secstrings + shdr->sh_name,
				   ".gnu.linkonce.this_module") == 0) {
				num_mod_secs++;
				mod_idx = i;
			} else if (strcmp(info->secstrings + shdr->sh_name,
					  ".modinfo") == 0) {
				num_info_secs++;
				info_idx = i;
			}

			if (shdr->sh_flags & SHF_ALLOC) {
				if (shdr->sh_name >= strhdr->sh_size) {
					pr_err("Invalid ELF section name in module (section %u type %u)\n",
					       i, shdr->sh_type);
					return -ENOEXEC;
				}
			}
			break;
		}
	}

	if (num_info_secs > 1) {
		pr_err("Only one .modinfo section must exist.\n");
		goto no_exec;
	} else if (num_info_secs == 1) {
		/* Try to find a name early so we can log errors with a module name */
		info->index.info = info_idx;
		info->name = get_modinfo(info, "name");
	}

	if (num_sym_secs != 1) {
		pr_warn("%s: module has no symbols (stripped?)\n",
			info->name ?: "(missing .modinfo section or name field)");
		goto no_exec;
	}

	/* Sets internal symbols and strings. */
	info->index.sym = sym_idx;
	shdr = &info->sechdrs[sym_idx];
	info->index.str = shdr->sh_link;
	info->strtab = (char *)info->hdr + info->sechdrs[info->index.str].sh_offset;

	/*
	 * The ".gnu.linkonce.this_module" ELF section is special. It is
	 * what modpost uses to refer to __this_module, and it lets us rely
	 * on THIS_MODULE to point to &__this_module properly. The kernel's
	 * modpost declares it in each module's *.mod.c file. If the struct
	 * module of the kernel changes a full kernel rebuild is required.
	 *
	 * We have a few expectations for this special section, and the
	 * following code validates all of them for us:
	 *
	 *	o Only one section must exist
	 *	o We expect the kernel to always have to allocate it: SHF_ALLOC
	 *	o The section size must match the kernel's run time's struct module
	 *	  size
	 */
	if (num_mod_secs != 1) {
		pr_err("module %s: Only one .gnu.linkonce.this_module section must exist.\n",
		       info->name ?: "(missing .modinfo section or name field)");
		goto no_exec;
	}

	shdr = &info->sechdrs[mod_idx];

	/*
	 * This is already implied by the switch above, however let's be
	 * pedantic about it.
	 */
	if (shdr->sh_type == SHT_NOBITS) {
		pr_err("module %s: .gnu.linkonce.this_module section must have a size set\n",
		       info->name ?: "(missing .modinfo section or name field)");
		goto no_exec;
	}

	if (!(shdr->sh_flags & SHF_ALLOC)) {
		pr_err("module %s: .gnu.linkonce.this_module must occupy memory during process execution\n",
		       info->name ?: "(missing .modinfo section or name field)");
		goto no_exec;
	}

	if (shdr->sh_size != sizeof(struct module)) {
		pr_err("module %s: .gnu.linkonce.this_module section size must match the kernel's built struct module size at run time\n",
		       info->name ?: "(missing .modinfo section or name field)");
		goto no_exec;
	}

	info->index.mod = mod_idx;

	/* This is temporary: point mod into copy of data. */
	info->mod = (void *)info->hdr + shdr->sh_offset;

	/*
	 * If we didn't load the .modinfo 'name' field earlier, fall back to
	 * on-disk struct mod 'name' field.
	 */
	if (!info->name)
		info->name = info->mod->name;

	if (flags & MODULE_INIT_IGNORE_MODVERSIONS)
		info->index.vers = 0; /* Pretend no __versions section! */
	else
		info->index.vers = find_sec(info, "__versions");

	info->index.pcpu = find_pcpusec(info);

	return 0;

no_exec:
	return -ENOEXEC;
}

#define COPY_CHUNK_SIZE (16*PAGE_SIZE)

static int copy_chunked_from_user(void *dst, const void __user *usrc, unsigned long len)
{
	do {
		unsigned long n = min(len, COPY_CHUNK_SIZE);

		if (copy_from_user(dst, usrc, n) != 0)
			return -EFAULT;
		cond_resched();
		dst += n;
		usrc += n;
		len -= n;
	} while (len);
	return 0;
}

static int check_modinfo_livepatch(struct module *mod, struct load_info *info)
{
	if (!get_modinfo(info, "livepatch"))
		/* Nothing more to do */
		return 0;

	if (set_livepatch_module(mod))
		return 0;

	pr_err("%s: module is marked as livepatch module, but livepatch support is disabled",
	       mod->name);
	return -ENOEXEC;
}

static void check_modinfo_retpoline(struct module *mod, struct load_info *info)
{
	if (retpoline_module_ok(get_modinfo(info, "retpoline")))
		return;

	pr_warn("%s: loading module not compiled with retpoline compiler.\n",
		mod->name);
}

/* Sets info->hdr and info->len. */
static int copy_module_from_user(const void __user *umod, unsigned long len,
				 struct load_info *info)
{
	int err;

	info->len = len;
	if (info->len < sizeof(*(info->hdr)))
		return -ENOEXEC;

	err = security_kernel_load_data(LOADING_MODULE, true);
	if (err)
		return err;

	/* Suck in entire file: we'll want most of it. */
*/ 2009 info->hdr = __vmalloc(info->len, GFP_KERNEL | __GFP_NOWARN); 2010 if (!info->hdr) 2011 return -ENOMEM; 2012 2013 if (copy_chunked_from_user(info->hdr, umod, info->len) != 0) { 2014 err = -EFAULT; 2015 goto out; 2016 } 2017 2018 err = security_kernel_post_load_data((char *)info->hdr, info->len, 2019 LOADING_MODULE, "init_module"); 2020 out: 2021 if (err) 2022 vfree(info->hdr); 2023 2024 return err; 2025 } 2026 2027 static void free_copy(struct load_info *info, int flags) 2028 { 2029 if (flags & MODULE_INIT_COMPRESSED_FILE) 2030 module_decompress_cleanup(info); 2031 else 2032 vfree(info->hdr); 2033 } 2034 2035 static int rewrite_section_headers(struct load_info *info, int flags) 2036 { 2037 unsigned int i; 2038 2039 /* This should always be true, but let's be sure. */ 2040 info->sechdrs[0].sh_addr = 0; 2041 2042 for (i = 1; i < info->hdr->e_shnum; i++) { 2043 Elf_Shdr *shdr = &info->sechdrs[i]; 2044 2045 /* 2046 * Mark all sections sh_addr with their address in the 2047 * temporary image. 2048 */ 2049 shdr->sh_addr = (size_t)info->hdr + shdr->sh_offset; 2050 2051 } 2052 2053 /* Track but don't keep modinfo and version sections. */ 2054 info->sechdrs[info->index.vers].sh_flags &= ~(unsigned long)SHF_ALLOC; 2055 info->sechdrs[info->index.info].sh_flags &= ~(unsigned long)SHF_ALLOC; 2056 2057 return 0; 2058 } 2059 2060 /* 2061 * These calls taint the kernel depending on certain module circumstances */ 2062 static void module_augment_kernel_taints(struct module *mod, struct load_info *info) 2063 { 2064 int prev_taint = test_taint(TAINT_PROPRIETARY_MODULE); 2065 2066 if (!get_modinfo(info, "intree")) { 2067 if (!test_taint(TAINT_OOT_MODULE)) 2068 pr_warn("%s: loading out-of-tree module taints kernel.\n", 2069 mod->name); 2070 add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK); 2071 } 2072 2073 check_modinfo_retpoline(mod, info); 2074 2075 if (get_modinfo(info, "staging")) { 2076 add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK); 2077 pr_warn("%s: module is from the staging directory, the quality " 2078 "is unknown, you have been warned.\n", mod->name); 2079 } 2080 2081 if (is_livepatch_module(mod)) { 2082 add_taint_module(mod, TAINT_LIVEPATCH, LOCKDEP_STILL_OK); 2083 pr_notice_once("%s: tainting kernel with TAINT_LIVEPATCH\n", 2084 mod->name); 2085 } 2086 2087 module_license_taint_check(mod, get_modinfo(info, "license")); 2088 2089 if (get_modinfo(info, "test")) { 2090 if (!test_taint(TAINT_TEST)) 2091 pr_warn("%s: loading test module taints kernel.\n", 2092 mod->name); 2093 add_taint_module(mod, TAINT_TEST, LOCKDEP_STILL_OK); 2094 } 2095 #ifdef CONFIG_MODULE_SIG 2096 mod->sig_ok = info->sig_ok; 2097 if (!mod->sig_ok) { 2098 pr_notice_once("%s: module verification failed: signature " 2099 "and/or required key missing - tainting " 2100 "kernel\n", mod->name); 2101 add_taint_module(mod, TAINT_UNSIGNED_MODULE, LOCKDEP_STILL_OK); 2102 } 2103 #endif 2104 2105 /* 2106 * ndiswrapper is under GPL by itself, but loads proprietary modules. 2107 * Don't use add_taint_module(), as it would prevent ndiswrapper from 2108 * using GPL-only symbols it needs.
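* (add_taint() only marks the kernel-wide taint mask; it is a TAINT_PROPRIETARY_MODULE bit in mod->taints itself that would block GPL-only symbol lookups.)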
2109 */ 2110 if (strcmp(mod->name, "ndiswrapper") == 0) 2111 add_taint(TAINT_PROPRIETARY_MODULE, LOCKDEP_NOW_UNRELIABLE); 2112 2113 /* driverloader was caught wrongly pretending to be under GPL */ 2114 if (strcmp(mod->name, "driverloader") == 0) 2115 add_taint_module(mod, TAINT_PROPRIETARY_MODULE, 2116 LOCKDEP_NOW_UNRELIABLE); 2117 2118 /* lve claims to be GPL but upstream won't provide source */ 2119 if (strcmp(mod->name, "lve") == 0) 2120 add_taint_module(mod, TAINT_PROPRIETARY_MODULE, 2121 LOCKDEP_NOW_UNRELIABLE); 2122 2123 if (!prev_taint && test_taint(TAINT_PROPRIETARY_MODULE)) 2124 pr_warn("%s: module license taints kernel.\n", mod->name); 2125 2126 } 2127 2128 static int check_modinfo(struct module *mod, struct load_info *info, int flags) 2129 { 2130 const char *modmagic = get_modinfo(info, "vermagic"); 2131 int err; 2132 2133 if (flags & MODULE_INIT_IGNORE_VERMAGIC) 2134 modmagic = NULL; 2135 2136 /* This is allowed: modprobe --force will invalidate it. */ 2137 if (!modmagic) { 2138 err = try_to_force_load(mod, "bad vermagic"); 2139 if (err) 2140 return err; 2141 } else if (!same_magic(modmagic, vermagic, info->index.vers)) { 2142 pr_err("%s: version magic '%s' should be '%s'\n", 2143 info->name, modmagic, vermagic); 2144 return -ENOEXEC; 2145 } 2146 2147 err = check_modinfo_livepatch(mod, info); 2148 if (err) 2149 return err; 2150 2151 return 0; 2152 } 2153 2154 static int find_module_sections(struct module *mod, struct load_info *info) 2155 { 2156 mod->kp = section_objs(info, "__param", 2157 sizeof(*mod->kp), &mod->num_kp); 2158 mod->syms = section_objs(info, "__ksymtab", 2159 sizeof(*mod->syms), &mod->num_syms); 2160 mod->crcs = section_addr(info, "__kcrctab"); 2161 mod->gpl_syms = section_objs(info, "__ksymtab_gpl", 2162 sizeof(*mod->gpl_syms), 2163 &mod->num_gpl_syms); 2164 mod->gpl_crcs = section_addr(info, "__kcrctab_gpl"); 2165 2166 #ifdef CONFIG_CONSTRUCTORS 2167 mod->ctors = section_objs(info, ".ctors", 2168 sizeof(*mod->ctors), &mod->num_ctors); 2169 if (!mod->ctors) 2170 mod->ctors = section_objs(info, ".init_array", 2171 sizeof(*mod->ctors), &mod->num_ctors); 2172 else if (find_sec(info, ".init_array")) { 2173 /* 2174 * This shouldn't happen with same compiler and binutils 2175 * building all parts of the module. 
2176 */ 2177 pr_warn("%s: has both .ctors and .init_array.\n", 2178 mod->name); 2179 return -EINVAL; 2180 } 2181 #endif 2182 2183 mod->noinstr_text_start = section_objs(info, ".noinstr.text", 1, 2184 &mod->noinstr_text_size); 2185 2186 #ifdef CONFIG_TRACEPOINTS 2187 mod->tracepoints_ptrs = section_objs(info, "__tracepoints_ptrs", 2188 sizeof(*mod->tracepoints_ptrs), 2189 &mod->num_tracepoints); 2190 #endif 2191 #ifdef CONFIG_TREE_SRCU 2192 mod->srcu_struct_ptrs = section_objs(info, "___srcu_struct_ptrs", 2193 sizeof(*mod->srcu_struct_ptrs), 2194 &mod->num_srcu_structs); 2195 #endif 2196 #ifdef CONFIG_BPF_EVENTS 2197 mod->bpf_raw_events = section_objs(info, "__bpf_raw_tp_map", 2198 sizeof(*mod->bpf_raw_events), 2199 &mod->num_bpf_raw_events); 2200 #endif 2201 #ifdef CONFIG_DEBUG_INFO_BTF_MODULES 2202 mod->btf_data = any_section_objs(info, ".BTF", 1, &mod->btf_data_size); 2203 mod->btf_base_data = any_section_objs(info, ".BTF.base", 1, 2204 &mod->btf_base_data_size); 2205 #endif 2206 #ifdef CONFIG_JUMP_LABEL 2207 mod->jump_entries = section_objs(info, "__jump_table", 2208 sizeof(*mod->jump_entries), 2209 &mod->num_jump_entries); 2210 #endif 2211 #ifdef CONFIG_EVENT_TRACING 2212 mod->trace_events = section_objs(info, "_ftrace_events", 2213 sizeof(*mod->trace_events), 2214 &mod->num_trace_events); 2215 mod->trace_evals = section_objs(info, "_ftrace_eval_map", 2216 sizeof(*mod->trace_evals), 2217 &mod->num_trace_evals); 2218 #endif 2219 #ifdef CONFIG_TRACING 2220 mod->trace_bprintk_fmt_start = section_objs(info, "__trace_printk_fmt", 2221 sizeof(*mod->trace_bprintk_fmt_start), 2222 &mod->num_trace_bprintk_fmt); 2223 #endif 2224 #ifdef CONFIG_FTRACE_MCOUNT_RECORD 2225 /* sechdrs[0].sh_size is always zero */ 2226 mod->ftrace_callsites = section_objs(info, FTRACE_CALLSITE_SECTION, 2227 sizeof(*mod->ftrace_callsites), 2228 &mod->num_ftrace_callsites); 2229 #endif 2230 #ifdef CONFIG_FUNCTION_ERROR_INJECTION 2231 mod->ei_funcs = section_objs(info, "_error_injection_whitelist", 2232 sizeof(*mod->ei_funcs), 2233 &mod->num_ei_funcs); 2234 #endif 2235 #ifdef CONFIG_KPROBES 2236 mod->kprobes_text_start = section_objs(info, ".kprobes.text", 1, 2237 &mod->kprobes_text_size); 2238 mod->kprobe_blacklist = section_objs(info, "_kprobe_blacklist", 2239 sizeof(unsigned long), 2240 &mod->num_kprobe_blacklist); 2241 #endif 2242 #ifdef CONFIG_PRINTK_INDEX 2243 mod->printk_index_start = section_objs(info, ".printk_index", 2244 sizeof(*mod->printk_index_start), 2245 &mod->printk_index_size); 2246 #endif 2247 #ifdef CONFIG_HAVE_STATIC_CALL_INLINE 2248 mod->static_call_sites = section_objs(info, ".static_call_sites", 2249 sizeof(*mod->static_call_sites), 2250 &mod->num_static_call_sites); 2251 #endif 2252 #if IS_ENABLED(CONFIG_KUNIT) 2253 mod->kunit_suites = section_objs(info, ".kunit_test_suites", 2254 sizeof(*mod->kunit_suites), 2255 &mod->num_kunit_suites); 2256 mod->kunit_init_suites = section_objs(info, ".kunit_init_test_suites", 2257 sizeof(*mod->kunit_init_suites), 2258 &mod->num_kunit_init_suites); 2259 #endif 2260 2261 mod->extable = section_objs(info, "__ex_table", 2262 sizeof(*mod->extable), &mod->num_exentries); 2263 2264 if (section_addr(info, "__obsparm")) 2265 pr_warn("%s: Ignoring obsolete parameters\n", mod->name); 2266 2267 #ifdef CONFIG_DYNAMIC_DEBUG_CORE 2268 mod->dyndbg_info.descs = section_objs(info, "__dyndbg", 2269 sizeof(*mod->dyndbg_info.descs), 2270 &mod->dyndbg_info.num_descs); 2271 mod->dyndbg_info.classes = section_objs(info, "__dyndbg_classes", 2272 sizeof(*mod->dyndbg_info.classes), 2273 
&mod->dyndbg_info.num_classes); 2274 #endif 2275 2276 return 0; 2277 } 2278 2279 static int move_module(struct module *mod, struct load_info *info) 2280 { 2281 int i; 2282 enum mod_mem_type t = 0; 2283 int ret = -ENOMEM; 2284 bool codetag_section_found = false; 2285 2286 for_each_mod_mem_type(type) { 2287 if (!mod->mem[type].size) { 2288 mod->mem[type].base = NULL; 2289 mod->mem[type].rw_copy = NULL; 2290 continue; 2291 } 2292 2293 ret = module_memory_alloc(mod, type); 2294 if (ret) { 2295 t = type; 2296 goto out_err; 2297 } 2298 } 2299 2300 /* Transfer each section which specifies SHF_ALLOC */ 2301 pr_debug("Final section addresses for %s:\n", mod->name); 2302 for (i = 0; i < info->hdr->e_shnum; i++) { 2303 void *dest; 2304 Elf_Shdr *shdr = &info->sechdrs[i]; 2305 const char *sname; 2306 unsigned long addr; 2307 2308 if (!(shdr->sh_flags & SHF_ALLOC)) 2309 continue; 2310 2311 sname = info->secstrings + shdr->sh_name; 2312 /* 2313 * Load codetag sections separately as they might still be used 2314 * after module unload. 2315 */ 2316 if (codetag_needs_module_section(mod, sname, shdr->sh_size)) { 2317 dest = codetag_alloc_module_section(mod, sname, shdr->sh_size, 2318 arch_mod_section_prepend(mod, i), shdr->sh_addralign); 2319 if (WARN_ON(!dest)) { 2320 ret = -EINVAL; 2321 goto out_err; 2322 } 2323 if (IS_ERR(dest)) { 2324 ret = PTR_ERR(dest); 2325 goto out_err; 2326 } 2327 addr = (unsigned long)dest; 2328 codetag_section_found = true; 2329 } else { 2330 enum mod_mem_type type = shdr->sh_entsize >> SH_ENTSIZE_TYPE_SHIFT; 2331 unsigned long offset = shdr->sh_entsize & SH_ENTSIZE_OFFSET_MASK; 2332 2333 addr = (unsigned long)mod->mem[type].base + offset; 2334 dest = mod->mem[type].rw_copy + offset; 2335 } 2336 2337 if (shdr->sh_type != SHT_NOBITS) { 2338 /* 2339 * Our ELF checker already validated this, but let's 2340 * be pedantic and make the goal clearer. We actually 2341 * end up copying over all modifications made to the 2342 * userspace copy of the entire struct module. 2343 */ 2344 if (i == info->index.mod && 2345 (WARN_ON_ONCE(shdr->sh_size != sizeof(struct module)))) { 2346 ret = -ENOEXEC; 2347 goto out_err; 2348 } 2349 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size); 2350 } 2351 /* 2352 * Update the userspace copy's ELF section address to point to 2353 * our newly allocated memory as a pure convenience so that 2354 * users of info can keep taking advantage and using the newly 2355 * minted official memory area. 2356 */ 2357 shdr->sh_addr = addr; 2358 pr_debug("\t0x%lx 0x%.8lx %s\n", (long)shdr->sh_addr, 2359 (long)shdr->sh_size, info->secstrings + shdr->sh_name); 2360 } 2361 2362 return 0; 2363 out_err: 2364 for (t--; t >= 0; t--) 2365 module_memory_free(mod, t); 2366 if (codetag_section_found) 2367 codetag_free_module_sections(mod); 2368 2369 return ret; 2370 } 2371 2372 static int check_export_symbol_versions(struct module *mod) 2373 { 2374 #ifdef CONFIG_MODVERSIONS 2375 if ((mod->num_syms && !mod->crcs) || 2376 (mod->num_gpl_syms && !mod->gpl_crcs)) { 2377 return try_to_force_load(mod, 2378 "no versions for exported symbols"); 2379 } 2380 #endif 2381 return 0; 2382 } 2383 2384 static void flush_module_icache(const struct module *mod) 2385 { 2386 /* 2387 * Flush the instruction cache, since we've played with text. 2388 * Do it before processing of module parameters, so the module 2389 * can provide parameter accessor functions of its own. 
2390 */ 2391 for_each_mod_mem_type(type) { 2392 const struct module_memory *mod_mem = &mod->mem[type]; 2393 2394 if (mod_mem->size) { 2395 flush_icache_range((unsigned long)mod_mem->base, 2396 (unsigned long)mod_mem->base + mod_mem->size); 2397 } 2398 } 2399 } 2400 2401 bool __weak module_elf_check_arch(Elf_Ehdr *hdr) 2402 { 2403 return true; 2404 } 2405 2406 int __weak module_frob_arch_sections(Elf_Ehdr *hdr, 2407 Elf_Shdr *sechdrs, 2408 char *secstrings, 2409 struct module *mod) 2410 { 2411 return 0; 2412 } 2413 2414 /* module_blacklist is a comma-separated list of module names */ 2415 static char *module_blacklist; 2416 static bool blacklisted(const char *module_name) 2417 { 2418 const char *p; 2419 size_t len; 2420 2421 if (!module_blacklist) 2422 return false; 2423 2424 for (p = module_blacklist; *p; p += len) { 2425 len = strcspn(p, ","); 2426 if (strlen(module_name) == len && !memcmp(module_name, p, len)) 2427 return true; 2428 if (p[len] == ',') 2429 len++; 2430 } 2431 return false; 2432 } 2433 core_param(module_blacklist, module_blacklist, charp, 0400); 2434 2435 static struct module *layout_and_allocate(struct load_info *info, int flags) 2436 { 2437 struct module *mod; 2438 unsigned int ndx; 2439 int err; 2440 2441 /* Allow arches to frob section contents and sizes. */ 2442 err = module_frob_arch_sections(info->hdr, info->sechdrs, 2443 info->secstrings, info->mod); 2444 if (err < 0) 2445 return ERR_PTR(err); 2446 2447 err = module_enforce_rwx_sections(info->hdr, info->sechdrs, 2448 info->secstrings, info->mod); 2449 if (err < 0) 2450 return ERR_PTR(err); 2451 2452 /* We will do a special allocation for per-cpu sections later. */ 2453 info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; 2454 2455 /* 2456 * Mark ro_after_init section with SHF_RO_AFTER_INIT so that 2457 * layout_sections() can put it in the right place. 2458 * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. 2459 */ 2460 ndx = find_sec(info, ".data..ro_after_init"); 2461 if (ndx) 2462 info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; 2463 /* 2464 * Mark the __jump_table section as ro_after_init as well: these data 2465 * structures are never modified, with the exception of entries that 2466 * refer to code in the __init section, which are annotated as such 2467 * at module load time. 2468 */ 2469 ndx = find_sec(info, "__jump_table"); 2470 if (ndx) 2471 info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; 2472 2473 /* 2474 * Determine total sizes, and put offsets in sh_entsize. For now 2475 * this is done generically; there doesn't appear to be any 2476 * special cases for the architectures. 2477 */ 2478 layout_sections(info->mod, info); 2479 layout_symtab(info->mod, info); 2480 2481 /* Allocate and move to the final place */ 2482 err = move_module(info->mod, info); 2483 if (err) 2484 return ERR_PTR(err); 2485 2486 /* Module has been copied to its final place now: return it. */ 2487 mod = (void *)info->sechdrs[info->index.mod].sh_addr; 2488 kmemleak_load_module(mod, info); 2489 codetag_module_replaced(info->mod, mod); 2490 2491 return mod; 2492 } 2493 2494 /* mod is no longer valid after this! 
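* (free_mod_mem() below releases the module memory regions that struct module itself lives in.)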
*/ 2495 static void module_deallocate(struct module *mod, struct load_info *info) 2496 { 2497 percpu_modfree(mod); 2498 module_arch_freeing_init(mod); 2499 2500 free_mod_mem(mod); 2501 } 2502 2503 int __weak module_finalize(const Elf_Ehdr *hdr, 2504 const Elf_Shdr *sechdrs, 2505 struct module *me) 2506 { 2507 return 0; 2508 } 2509 2510 int __weak module_post_finalize(const Elf_Ehdr *hdr, 2511 const Elf_Shdr *sechdrs, 2512 struct module *me) 2513 { 2514 return 0; 2515 } 2516 2517 static int post_relocation(struct module *mod, const struct load_info *info) 2518 { 2519 int ret; 2520 2521 /* Sort exception table now relocations are done. */ 2522 sort_extable(mod->extable, mod->extable + mod->num_exentries); 2523 2524 /* Copy relocated percpu area over. */ 2525 percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr, 2526 info->sechdrs[info->index.pcpu].sh_size); 2527 2528 /* Setup kallsyms-specific fields. */ 2529 add_kallsyms(mod, info); 2530 2531 /* Arch-specific module finalizing. */ 2532 ret = module_finalize(info->hdr, info->sechdrs, mod); 2533 if (ret) 2534 return ret; 2535 2536 for_each_mod_mem_type(type) { 2537 struct module_memory *mem = &mod->mem[type]; 2538 2539 if (mem->is_rox) { 2540 if (!execmem_update_copy(mem->base, mem->rw_copy, 2541 mem->size)) 2542 return -ENOMEM; 2543 2544 vfree(mem->rw_copy); 2545 mem->rw_copy = NULL; 2546 } 2547 } 2548 2549 return module_post_finalize(info->hdr, info->sechdrs, mod); 2550 } 2551 2552 /* Call module constructors. */ 2553 static void do_mod_ctors(struct module *mod) 2554 { 2555 #ifdef CONFIG_CONSTRUCTORS 2556 unsigned long i; 2557 2558 for (i = 0; i < mod->num_ctors; i++) 2559 mod->ctors[i](); 2560 #endif 2561 } 2562 2563 /* For freeing module_init on success, in case kallsyms traversing */ 2564 struct mod_initfree { 2565 struct llist_node node; 2566 void *init_text; 2567 void *init_data; 2568 void *init_rodata; 2569 }; 2570 2571 static void do_free_init(struct work_struct *w) 2572 { 2573 struct llist_node *pos, *n, *list; 2574 struct mod_initfree *initfree; 2575 2576 list = llist_del_all(&init_free_list); 2577 2578 synchronize_rcu(); 2579 2580 llist_for_each_safe(pos, n, list) { 2581 initfree = container_of(pos, struct mod_initfree, node); 2582 execmem_free(initfree->init_text); 2583 execmem_free(initfree->init_data); 2584 execmem_free(initfree->init_rodata); 2585 kfree(initfree); 2586 } 2587 } 2588 2589 void flush_module_init_free_work(void) 2590 { 2591 flush_work(&init_free_wq); 2592 } 2593 2594 #undef MODULE_PARAM_PREFIX 2595 #define MODULE_PARAM_PREFIX "module." 2596 /* Default value for module->async_probe_requested */ 2597 static bool async_probe; 2598 module_param(async_probe, bool, 0644); 2599 2600 /* 2601 * This is where the real work happens. 2602 * 2603 * Keep it uninlined to provide a reliable breakpoint target, e.g. for the gdb 2604 * helper command 'lx-symbols'. 
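* (The scripts/gdb lx-symbols helper, for instance, places its module-load breakpoint on this function.)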
2605 */ 2606 static noinline int do_init_module(struct module *mod) 2607 { 2608 int ret = 0; 2609 struct mod_initfree *freeinit; 2610 #if defined(CONFIG_MODULE_STATS) 2611 unsigned int text_size = 0, total_size = 0; 2612 2613 for_each_mod_mem_type(type) { 2614 const struct module_memory *mod_mem = &mod->mem[type]; 2615 if (mod_mem->size) { 2616 total_size += mod_mem->size; 2617 if (type == MOD_TEXT || type == MOD_INIT_TEXT) 2618 text_size += mod_mem->size; 2619 } 2620 } 2621 #endif 2622 2623 freeinit = kmalloc(sizeof(*freeinit), GFP_KERNEL); 2624 if (!freeinit) { 2625 ret = -ENOMEM; 2626 goto fail; 2627 } 2628 freeinit->init_text = mod->mem[MOD_INIT_TEXT].base; 2629 freeinit->init_data = mod->mem[MOD_INIT_DATA].base; 2630 freeinit->init_rodata = mod->mem[MOD_INIT_RODATA].base; 2631 2632 do_mod_ctors(mod); 2633 /* Start the module */ 2634 if (mod->init != NULL) 2635 ret = do_one_initcall(mod->init); 2636 if (ret < 0) { 2637 goto fail_free_freeinit; 2638 } 2639 if (ret > 0) { 2640 pr_warn("%s: '%s'->init suspiciously returned %d, it should " 2641 "follow 0/-E convention\n" 2642 "%s: loading module anyway...\n", 2643 __func__, mod->name, ret, __func__); 2644 dump_stack(); 2645 } 2646 2647 /* Now it's a first class citizen! */ 2648 mod->state = MODULE_STATE_LIVE; 2649 blocking_notifier_call_chain(&module_notify_list, 2650 MODULE_STATE_LIVE, mod); 2651 2652 /* Delay uevent until module has finished its init routine */ 2653 kobject_uevent(&mod->mkobj.kobj, KOBJ_ADD); 2654 2655 /* 2656 * We need to finish all async code before the module init sequence 2657 * is done. This has potential to deadlock if synchronous module 2658 * loading is requested from async (which is not allowed!). 2659 * 2660 * See commit 0fdff3ec6d87 ("async, kmod: warn on synchronous 2661 * request_module() from async workers") for more details. 2662 */ 2663 if (!mod->async_probe_requested) 2664 async_synchronize_full(); 2665 2666 ftrace_free_mem(mod, mod->mem[MOD_INIT_TEXT].base, 2667 mod->mem[MOD_INIT_TEXT].base + mod->mem[MOD_INIT_TEXT].size); 2668 mutex_lock(&module_mutex); 2669 /* Drop initial reference. */ 2670 module_put(mod); 2671 trim_init_extable(mod); 2672 #ifdef CONFIG_KALLSYMS 2673 /* Switch to core kallsyms now init is done: kallsyms may be walking! */ 2674 rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); 2675 #endif 2676 ret = module_enable_rodata_ro(mod, true); 2677 if (ret) 2678 goto fail_mutex_unlock; 2679 mod_tree_remove_init(mod); 2680 module_arch_freeing_init(mod); 2681 for_class_mod_mem_type(type, init) { 2682 mod->mem[type].base = NULL; 2683 mod->mem[type].size = 0; 2684 } 2685 2686 #ifdef CONFIG_DEBUG_INFO_BTF_MODULES 2687 /* .BTF is not SHF_ALLOC and will get removed, so sanitize pointers */ 2688 mod->btf_data = NULL; 2689 mod->btf_base_data = NULL; 2690 #endif 2691 /* 2692 * We want to free module_init, but be aware that kallsyms may be 2693 * walking this with preempt disabled. In all the failure paths, we 2694 * call synchronize_rcu(), but we don't want to slow down the success 2695 * path. execmem_free() cannot be called in an interrupt, so do the 2696 * work and call synchronize_rcu() in a work queue. 2697 * 2698 * Note that execmem_alloc() on most architectures creates W+X page 2699 * mappings which won't be cleaned up until do_free_init() runs. Any 2700 * code such as mark_rodata_ro() which depends on those mappings to 2701 * be cleaned up needs to sync with the queued work by invoking 2702 * flush_module_init_free_work(). 
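* llist_add() returns true only when the list was empty beforehand, so the work item is queued once per batch of pending frees.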
2703 */ 2704 if (llist_add(&freeinit->node, &init_free_list)) 2705 schedule_work(&init_free_wq); 2706 2707 mutex_unlock(&module_mutex); 2708 wake_up_all(&module_wq); 2709 2710 mod_stat_add_long(text_size, &total_text_size); 2711 mod_stat_add_long(total_size, &total_mod_size); 2712 2713 mod_stat_inc(&modcount); 2714 2715 return 0; 2716 2717 fail_mutex_unlock: 2718 mutex_unlock(&module_mutex); 2719 fail_free_freeinit: 2720 kfree(freeinit); 2721 fail: 2722 /* Try to protect us from buggy refcounters. */ 2723 mod->state = MODULE_STATE_GOING; 2724 synchronize_rcu(); 2725 module_put(mod); 2726 blocking_notifier_call_chain(&module_notify_list, 2727 MODULE_STATE_GOING, mod); 2728 klp_module_going(mod); 2729 ftrace_release_mod(mod); 2730 free_module(mod); 2731 wake_up_all(&module_wq); 2732 2733 return ret; 2734 } 2735 2736 static int may_init_module(void) 2737 { 2738 if (!capable(CAP_SYS_MODULE) || modules_disabled) 2739 return -EPERM; 2740 2741 return 0; 2742 } 2743 2744 /* Is this module of this name done loading? No locks held. */ 2745 static bool finished_loading(const char *name) 2746 { 2747 struct module *mod; 2748 bool ret; 2749 2750 /* 2751 * The module_mutex should not be a heavily contended lock; 2752 * if we get the occasional sleep here, we'll go an extra iteration 2753 * in the wait_event_interruptible(), which is harmless. 2754 */ 2755 sched_annotate_sleep(); 2756 mutex_lock(&module_mutex); 2757 mod = find_module_all(name, strlen(name), true); 2758 ret = !mod || mod->state == MODULE_STATE_LIVE 2759 || mod->state == MODULE_STATE_GOING; 2760 mutex_unlock(&module_mutex); 2761 2762 return ret; 2763 } 2764 2765 /* Must be called with module_mutex held */ 2766 static int module_patient_check_exists(const char *name, 2767 enum fail_dup_mod_reason reason) 2768 { 2769 struct module *old; 2770 int err = 0; 2771 2772 old = find_module_all(name, strlen(name), true); 2773 if (old == NULL) 2774 return 0; 2775 2776 if (old->state == MODULE_STATE_COMING || 2777 old->state == MODULE_STATE_UNFORMED) { 2778 /* Wait in case it fails to load. */ 2779 mutex_unlock(&module_mutex); 2780 err = wait_event_interruptible(module_wq, 2781 finished_loading(name)); 2782 mutex_lock(&module_mutex); 2783 if (err) 2784 return err; 2785 2786 /* The module might have gone in the meantime. */ 2787 old = find_module_all(name, strlen(name), true); 2788 } 2789 2790 if (try_add_failed_module(name, reason)) 2791 pr_warn("Could not add fail-tracking for module: %s\n", name); 2792 2793 /* 2794 * We are here only when the same module was being loaded. Do 2795 * not try to load it again right now. It prevents long delays 2796 * caused by serialized module load failures. It might happen 2797 * when more devices of the same type trigger load of 2798 * a particular module. 2799 */ 2800 if (old && old->state == MODULE_STATE_LIVE) 2801 return -EEXIST; 2802 return -EBUSY; 2803 } 2804 2805 /* 2806 * We try to place it in the list now to make sure it's unique before 2807 * we dedicate too many resources. In particular, temporary percpu 2808 * memory exhaustion. 
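* (This is also why load_module() only calls percpu_modalloc() after add_unformed_module() has succeeded.)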
2809 */ 2810 static int add_unformed_module(struct module *mod) 2811 { 2812 int err; 2813 2814 mod->state = MODULE_STATE_UNFORMED; 2815 2816 mutex_lock(&module_mutex); 2817 err = module_patient_check_exists(mod->name, FAIL_DUP_MOD_LOAD); 2818 if (err) 2819 goto out; 2820 2821 mod_update_bounds(mod); 2822 list_add_rcu(&mod->list, &modules); 2823 mod_tree_insert(mod); 2824 err = 0; 2825 2826 out: 2827 mutex_unlock(&module_mutex); 2828 return err; 2829 } 2830 2831 static int complete_formation(struct module *mod, struct load_info *info) 2832 { 2833 int err; 2834 2835 mutex_lock(&module_mutex); 2836 2837 /* Find duplicate symbols (must be called under lock). */ 2838 err = verify_exported_symbols(mod); 2839 if (err < 0) 2840 goto out; 2841 2842 /* These rely on module_mutex for list integrity. */ 2843 module_bug_finalize(info->hdr, info->sechdrs, mod); 2844 module_cfi_finalize(info->hdr, info->sechdrs, mod); 2845 2846 err = module_enable_rodata_ro(mod, false); 2847 if (err) 2848 goto out_strict_rwx; 2849 err = module_enable_data_nx(mod); 2850 if (err) 2851 goto out_strict_rwx; 2852 err = module_enable_text_rox(mod); 2853 if (err) 2854 goto out_strict_rwx; 2855 2856 /* 2857 * Mark state as coming so strong_try_module_get() ignores us, 2858 * but kallsyms etc. can see us. 2859 */ 2860 mod->state = MODULE_STATE_COMING; 2861 mutex_unlock(&module_mutex); 2862 2863 return 0; 2864 2865 out_strict_rwx: 2866 module_bug_cleanup(mod); 2867 out: 2868 mutex_unlock(&module_mutex); 2869 return err; 2870 } 2871 2872 static int prepare_coming_module(struct module *mod) 2873 { 2874 int err; 2875 2876 ftrace_module_enable(mod); 2877 err = klp_module_coming(mod); 2878 if (err) 2879 return err; 2880 2881 err = blocking_notifier_call_chain_robust(&module_notify_list, 2882 MODULE_STATE_COMING, MODULE_STATE_GOING, mod); 2883 err = notifier_to_errno(err); 2884 if (err) 2885 klp_module_going(mod); 2886 2887 return err; 2888 } 2889 2890 static int unknown_module_param_cb(char *param, char *val, const char *modname, 2891 void *arg) 2892 { 2893 struct module *mod = arg; 2894 int ret; 2895 2896 if (strcmp(param, "async_probe") == 0) { 2897 if (kstrtobool(val, &mod->async_probe_requested)) 2898 mod->async_probe_requested = true; 2899 return 0; 2900 } 2901 2902 /* Check for magic 'dyndbg' arg */ 2903 ret = ddebug_dyndbg_module_param_cb(param, val, modname); 2904 if (ret != 0) 2905 pr_warn("%s: unknown parameter '%s' ignored\n", modname, param); 2906 return 0; 2907 } 2908 2909 /* Module within temporary copy, this doesn't do any allocation */ 2910 static int early_mod_check(struct load_info *info, int flags) 2911 { 2912 int err; 2913 2914 /* 2915 * Now that we know we have the correct module name, check 2916 * if it's blacklisted. 2917 */ 2918 if (blacklisted(info->name)) { 2919 pr_err("Module %s is blacklisted\n", info->name); 2920 return -EPERM; 2921 } 2922 2923 err = rewrite_section_headers(info, flags); 2924 if (err) 2925 return err; 2926 2927 /* Check module struct version now, before we try to use module. */ 2928 if (!check_modstruct_version(info, info->mod)) 2929 return -ENOEXEC; 2930 2931 err = check_modinfo(info->mod, info, flags); 2932 if (err) 2933 return err; 2934 2935 mutex_lock(&module_mutex); 2936 err = module_patient_check_exists(info->mod->name, FAIL_DUP_MOD_BECOMING); 2937 mutex_unlock(&module_mutex); 2938 2939 return err; 2940 } 2941 2942 /* 2943 * Allocate and load the module: note that size of section 0 is always 2944 * zero, and we rely on this for optional sections. 
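* (find_sec() returns 0 for a missing section, so section_addr() yields NULL and section_objs() reports a zero object count.)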
2945 */ 2946 static int load_module(struct load_info *info, const char __user *uargs, 2947 int flags) 2948 { 2949 struct module *mod; 2950 bool module_allocated = false; 2951 long err = 0; 2952 char *after_dashes; 2953 2954 /* 2955 * Do the signature check (if any) first. All that 2956 * the signature check needs is info->len, it does 2957 * not need any of the section info. That can be 2958 * set up later. This will minimize the chances 2959 * of a corrupt module causing problems before 2960 * we even get to the signature check. 2961 * 2962 * The check will also adjust info->len by stripping 2963 * off the sig length at the end of the module, making 2964 * checks against info->len more correct. 2965 */ 2966 err = module_sig_check(info, flags); 2967 if (err) 2968 goto free_copy; 2969 2970 /* 2971 * Do basic sanity checks against the ELF header and 2972 * sections. Cache useful sections and set the 2973 * info->mod to the userspace passed struct module. 2974 */ 2975 err = elf_validity_cache_copy(info, flags); 2976 if (err) 2977 goto free_copy; 2978 2979 err = early_mod_check(info, flags); 2980 if (err) 2981 goto free_copy; 2982 2983 /* Figure out module layout, and allocate all the memory. */ 2984 mod = layout_and_allocate(info, flags); 2985 if (IS_ERR(mod)) { 2986 err = PTR_ERR(mod); 2987 goto free_copy; 2988 } 2989 2990 module_allocated = true; 2991 2992 audit_log_kern_module(mod->name); 2993 2994 /* Reserve our place in the list. */ 2995 err = add_unformed_module(mod); 2996 if (err) 2997 goto free_module; 2998 2999 /* 3000 * We are tainting your kernel if your module gets into 3001 * the modules linked list somehow. 3002 */ 3003 module_augment_kernel_taints(mod, info); 3004 3005 /* To avoid stressing percpu allocator, do this once we're unique. */ 3006 err = percpu_modalloc(mod, info); 3007 if (err) 3008 goto unlink_mod; 3009 3010 /* Now module is in final location, initialize linked lists, etc. */ 3011 err = module_unload_init(mod); 3012 if (err) 3013 goto unlink_mod; 3014 3015 init_param_lock(mod); 3016 3017 /* 3018 * Now we've got everything in the final locations, we can 3019 * find optional sections. 3020 */ 3021 err = find_module_sections(mod, info); 3022 if (err) 3023 goto free_unload; 3024 3025 err = check_export_symbol_versions(mod); 3026 if (err) 3027 goto free_unload; 3028 3029 /* Set up MODINFO_ATTR fields */ 3030 setup_modinfo(mod, info); 3031 3032 /* Fix up syms, so that st_value is a pointer to location. */ 3033 err = simplify_symbols(mod, info); 3034 if (err < 0) 3035 goto free_modinfo; 3036 3037 err = apply_relocations(mod, info); 3038 if (err < 0) 3039 goto free_modinfo; 3040 3041 err = post_relocation(mod, info); 3042 if (err < 0) 3043 goto free_modinfo; 3044 3045 flush_module_icache(mod); 3046 3047 /* Now copy in args */ 3048 mod->args = strndup_user(uargs, ~0UL >> 1); 3049 if (IS_ERR(mod->args)) { 3050 err = PTR_ERR(mod->args); 3051 goto free_arch_cleanup; 3052 } 3053 3054 init_build_id(mod, info); 3055 3056 /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */ 3057 ftrace_module_init(mod); 3058 3059 /* Finally it's fully formed, ready to start executing. */ 3060 err = complete_formation(mod, info); 3061 if (err) 3062 goto ddebug_cleanup; 3063 3064 err = prepare_coming_module(mod); 3065 if (err) 3066 goto bug_cleanup; 3067 3068 mod->async_probe_requested = async_probe; 3069 3070 /* Module is ready to execute: parsing args may do that. 
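* Unknown parameters go to unknown_module_param_cb(), which warns and ignores them rather than failing the load.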
*/ 3071 after_dashes = parse_args(mod->name, mod->args, mod->kp, mod->num_kp, 3072 -32768, 32767, mod, 3073 unknown_module_param_cb); 3074 if (IS_ERR(after_dashes)) { 3075 err = PTR_ERR(after_dashes); 3076 goto coming_cleanup; 3077 } else if (after_dashes) { 3078 pr_warn("%s: parameters '%s' after `--' ignored\n", 3079 mod->name, after_dashes); 3080 } 3081 3082 /* Link in to sysfs. */ 3083 err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp); 3084 if (err < 0) 3085 goto coming_cleanup; 3086 3087 if (is_livepatch_module(mod)) { 3088 err = copy_module_elf(mod, info); 3089 if (err < 0) 3090 goto sysfs_cleanup; 3091 } 3092 3093 /* Get rid of temporary copy. */ 3094 free_copy(info, flags); 3095 3096 codetag_load_module(mod); 3097 3098 /* Done! */ 3099 trace_module_load(mod); 3100 3101 return do_init_module(mod); 3102 3103 sysfs_cleanup: 3104 mod_sysfs_teardown(mod); 3105 coming_cleanup: 3106 mod->state = MODULE_STATE_GOING; 3107 destroy_params(mod->kp, mod->num_kp); 3108 blocking_notifier_call_chain(&module_notify_list, 3109 MODULE_STATE_GOING, mod); 3110 klp_module_going(mod); 3111 bug_cleanup: 3112 mod->state = MODULE_STATE_GOING; 3113 /* module_bug_cleanup needs module_mutex protection */ 3114 mutex_lock(&module_mutex); 3115 module_bug_cleanup(mod); 3116 mutex_unlock(&module_mutex); 3117 3118 ddebug_cleanup: 3119 ftrace_release_mod(mod); 3120 synchronize_rcu(); 3121 kfree(mod->args); 3122 free_arch_cleanup: 3123 module_arch_cleanup(mod); 3124 free_modinfo: 3125 free_modinfo(mod); 3126 free_unload: 3127 module_unload_free(mod); 3128 unlink_mod: 3129 mutex_lock(&module_mutex); 3130 /* Unlink carefully: kallsyms could be walking list. */ 3131 list_del_rcu(&mod->list); 3132 mod_tree_remove(mod); 3133 wake_up_all(&module_wq); 3134 /* Wait for RCU-sched synchronizing before releasing mod->list. */ 3135 synchronize_rcu(); 3136 mutex_unlock(&module_mutex); 3137 free_module: 3138 mod_stat_bump_invalid(info, flags); 3139 /* Free lock-classes; relies on the preceding sync_rcu() */ 3140 for_class_mod_mem_type(type, core_data) { 3141 lockdep_free_key_range(mod->mem[type].base, 3142 mod->mem[type].size); 3143 } 3144 3145 module_deallocate(mod, info); 3146 free_copy: 3147 /* 3148 * The info->len is always set. We distinguish between 3149 * failures once the proper module was allocated and 3150 * before that. 
3151 */ 3152 if (!module_allocated) 3153 mod_stat_bump_becoming(info, flags); 3154 free_copy(info, flags); 3155 return err; 3156 } 3157 3158 SYSCALL_DEFINE3(init_module, void __user *, umod, 3159 unsigned long, len, const char __user *, uargs) 3160 { 3161 int err; 3162 struct load_info info = { }; 3163 3164 err = may_init_module(); 3165 if (err) 3166 return err; 3167 3168 pr_debug("init_module: umod=%p, len=%lu, uargs=%p\n", 3169 umod, len, uargs); 3170 3171 err = copy_module_from_user(umod, len, &info); 3172 if (err) { 3173 mod_stat_inc(&failed_kreads); 3174 mod_stat_add_long(len, &invalid_kread_bytes); 3175 return err; 3176 } 3177 3178 return load_module(&info, uargs, 0); 3179 } 3180 3181 struct idempotent { 3182 const void *cookie; 3183 struct hlist_node entry; 3184 struct completion complete; 3185 int ret; 3186 }; 3187 3188 #define IDEM_HASH_BITS 8 3189 static struct hlist_head idem_hash[1 << IDEM_HASH_BITS]; 3190 static DEFINE_SPINLOCK(idem_lock); 3191 3192 static bool idempotent(struct idempotent *u, const void *cookie) 3193 { 3194 int hash = hash_ptr(cookie, IDEM_HASH_BITS); 3195 struct hlist_head *head = idem_hash + hash; 3196 struct idempotent *existing; 3197 bool first; 3198 3199 u->ret = -EINTR; 3200 u->cookie = cookie; 3201 init_completion(&u->complete); 3202 3203 spin_lock(&idem_lock); 3204 first = true; 3205 hlist_for_each_entry(existing, head, entry) { 3206 if (existing->cookie != cookie) 3207 continue; 3208 first = false; 3209 break; 3210 } 3211 hlist_add_head(&u->entry, idem_hash + hash); 3212 spin_unlock(&idem_lock); 3213 3214 return !first; 3215 } 3216 3217 /* 3218 * We were the first one with 'cookie' on the list, and we ended 3219 * up completing the operation. We now need to walk the list, 3220 * remove everybody - which includes ourselves - fill in the return 3221 * value, and then complete the operation. 3222 */ 3223 static int idempotent_complete(struct idempotent *u, int ret) 3224 { 3225 const void *cookie = u->cookie; 3226 int hash = hash_ptr(cookie, IDEM_HASH_BITS); 3227 struct hlist_head *head = idem_hash + hash; 3228 struct hlist_node *next; 3229 struct idempotent *pos; 3230 3231 spin_lock(&idem_lock); 3232 hlist_for_each_entry_safe(pos, next, head, entry) { 3233 if (pos->cookie != cookie) 3234 continue; 3235 hlist_del_init(&pos->entry); 3236 pos->ret = ret; 3237 complete(&pos->complete); 3238 } 3239 spin_unlock(&idem_lock); 3240 return ret; 3241 } 3242 3243 /* 3244 * Wait for the idempotent worker. 3245 * 3246 * If we get interrupted, we need to remove ourselves from the 3247 * idempotent list, and the completion may still come in. 3248 * 3249 * The 'idem_lock' protects against the race, and 'idem.ret' was 3250 * initialized to -EINTR and is thus always the right return 3251 * value even if the idempotent work then completes between 3252 * the wait_for_completion and the cleanup.
3253 */ 3254 static int idempotent_wait_for_completion(struct idempotent *u) 3255 { 3256 if (wait_for_completion_interruptible(&u->complete)) { 3257 spin_lock(&idem_lock); 3258 if (!hlist_unhashed(&u->entry)) 3259 hlist_del(&u->entry); 3260 spin_unlock(&idem_lock); 3261 } 3262 return u->ret; 3263 } 3264 3265 static int init_module_from_file(struct file *f, const char __user * uargs, int flags) 3266 { 3267 struct load_info info = { }; 3268 void *buf = NULL; 3269 int len; 3270 3271 len = kernel_read_file(f, 0, &buf, INT_MAX, NULL, READING_MODULE); 3272 if (len < 0) { 3273 mod_stat_inc(&failed_kreads); 3274 return len; 3275 } 3276 3277 if (flags & MODULE_INIT_COMPRESSED_FILE) { 3278 int err = module_decompress(&info, buf, len); 3279 vfree(buf); /* compressed data is no longer needed */ 3280 if (err) { 3281 mod_stat_inc(&failed_decompress); 3282 mod_stat_add_long(len, &invalid_decompress_bytes); 3283 return err; 3284 } 3285 } else { 3286 info.hdr = buf; 3287 info.len = len; 3288 } 3289 3290 return load_module(&info, uargs, flags); 3291 } 3292 3293 static int idempotent_init_module(struct file *f, const char __user * uargs, int flags) 3294 { 3295 struct idempotent idem; 3296 3297 if (!(f->f_mode & FMODE_READ)) 3298 return -EBADF; 3299 3300 /* Are we the winners of the race and get to do this? */ 3301 if (!idempotent(&idem, file_inode(f))) { 3302 int ret = init_module_from_file(f, uargs, flags); 3303 return idempotent_complete(&idem, ret); 3304 } 3305 3306 /* 3307 * Somebody else won the race and is loading the module. 3308 */ 3309 return idempotent_wait_for_completion(&idem); 3310 } 3311 3312 SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) 3313 { 3314 int err = may_init_module(); 3315 if (err) 3316 return err; 3317 3318 pr_debug("finit_module: fd=%d, uargs=%p, flags=%i\n", fd, uargs, flags); 3319 3320 if (flags & ~(MODULE_INIT_IGNORE_MODVERSIONS 3321 |MODULE_INIT_IGNORE_VERMAGIC 3322 |MODULE_INIT_COMPRESSED_FILE)) 3323 return -EINVAL; 3324 3325 CLASS(fd, f)(fd); 3326 if (fd_empty(f)) 3327 return -EBADF; 3328 return idempotent_init_module(fd_file(f), uargs, flags); 3329 } 3330 3331 /* Keep in sync with MODULE_FLAGS_BUF_SIZE !!! */ 3332 char *module_flags(struct module *mod, char *buf, bool show_state) 3333 { 3334 int bx = 0; 3335 3336 BUG_ON(mod->state == MODULE_STATE_UNFORMED); 3337 if (!mod->taints && !show_state) 3338 goto out; 3339 if (mod->taints || 3340 mod->state == MODULE_STATE_GOING || 3341 mod->state == MODULE_STATE_COMING) { 3342 buf[bx++] = '('; 3343 bx += module_flags_taint(mod->taints, buf + bx); 3344 /* Show a - for module-is-being-unloaded */ 3345 if (mod->state == MODULE_STATE_GOING && show_state) 3346 buf[bx++] = '-'; 3347 /* Show a + for module-is-being-loaded */ 3348 if (mod->state == MODULE_STATE_COMING && show_state) 3349 buf[bx++] = '+'; 3350 buf[bx++] = ')'; 3351 } 3352 out: 3353 buf[bx] = '\0'; 3354 3355 return buf; 3356 } 3357 3358 /* Given an address, look for it in the module exception tables. 
*/ 3359 const struct exception_table_entry *search_module_extables(unsigned long addr) 3360 { 3361 const struct exception_table_entry *e = NULL; 3362 struct module *mod; 3363 3364 preempt_disable(); 3365 mod = __module_address(addr); 3366 if (!mod) 3367 goto out; 3368 3369 if (!mod->num_exentries) 3370 goto out; 3371 3372 e = search_extable(mod->extable, 3373 mod->num_exentries, 3374 addr); 3375 out: 3376 preempt_enable(); 3377 3378 /* 3379 * Now, if we found one, we are running inside it now, hence 3380 * we cannot unload the module, hence no refcnt needed. 3381 */ 3382 return e; 3383 } 3384 3385 /** 3386 * is_module_address() - is this address inside a module? 3387 * @addr: the address to check. 3388 * 3389 * See is_module_text_address() if you simply want to see if the address 3390 * is code (not data). 3391 */ 3392 bool is_module_address(unsigned long addr) 3393 { 3394 bool ret; 3395 3396 preempt_disable(); 3397 ret = __module_address(addr) != NULL; 3398 preempt_enable(); 3399 3400 return ret; 3401 } 3402 3403 /** 3404 * __module_address() - get the module which contains an address. 3405 * @addr: the address. 3406 * 3407 * Must be called with preempt disabled or module mutex held so that 3408 * module doesn't get freed during this. 3409 */ 3410 struct module *__module_address(unsigned long addr) 3411 { 3412 struct module *mod; 3413 3414 if (addr >= mod_tree.addr_min && addr <= mod_tree.addr_max) 3415 goto lookup; 3416 3417 #ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC 3418 if (addr >= mod_tree.data_addr_min && addr <= mod_tree.data_addr_max) 3419 goto lookup; 3420 #endif 3421 3422 return NULL; 3423 3424 lookup: 3425 module_assert_mutex_or_preempt(); 3426 3427 mod = mod_find(addr, &mod_tree); 3428 if (mod) { 3429 BUG_ON(!within_module(addr, mod)); 3430 if (mod->state == MODULE_STATE_UNFORMED) 3431 mod = NULL; 3432 } 3433 return mod; 3434 } 3435 3436 /** 3437 * is_module_text_address() - is this address inside module code? 3438 * @addr: the address to check. 3439 * 3440 * See is_module_address() if you simply want to see if the address is 3441 * anywhere in a module. See kernel_text_address() for testing if an 3442 * address corresponds to kernel or module code. 3443 */ 3444 bool is_module_text_address(unsigned long addr) 3445 { 3446 bool ret; 3447 3448 preempt_disable(); 3449 ret = __module_text_address(addr) != NULL; 3450 preempt_enable(); 3451 3452 return ret; 3453 } 3454 3455 /** 3456 * __module_text_address() - get the module whose code contains an address. 3457 * @addr: the address. 3458 * 3459 * Must be called with preempt disabled or module mutex held so that 3460 * module doesn't get freed during this. 3461 */ 3462 struct module *__module_text_address(unsigned long addr) 3463 { 3464 struct module *mod = __module_address(addr); 3465 if (mod) { 3466 /* Make sure it's within the text section. */ 3467 if (!within_module_mem_type(addr, mod, MOD_TEXT) && 3468 !within_module_mem_type(addr, mod, MOD_INIT_TEXT)) 3469 mod = NULL; 3470 } 3471 return mod; 3472 } 3473 3474 /* Don't grab lock, we're oopsing. 
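* An RCU list walk with preemption disabled is used instead; the oops may even have happened with module_mutex held.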
*/ 3475 void print_modules(void) 3476 { 3477 struct module *mod; 3478 char buf[MODULE_FLAGS_BUF_SIZE]; 3479 3480 printk(KERN_DEFAULT "Modules linked in:"); 3481 /* Most callers should already have preempt disabled, but make sure */ 3482 preempt_disable(); 3483 list_for_each_entry_rcu(mod, &modules, list) { 3484 if (mod->state == MODULE_STATE_UNFORMED) 3485 continue; 3486 pr_cont(" %s%s", mod->name, module_flags(mod, buf, true)); 3487 } 3488 3489 print_unloaded_tainted_modules(); 3490 preempt_enable(); 3491 if (last_unloaded_module.name[0]) 3492 pr_cont(" [last unloaded: %s%s]", last_unloaded_module.name, 3493 last_unloaded_module.taints); 3494 pr_cont("\n"); 3495 } 3496 3497 #ifdef CONFIG_MODULE_DEBUGFS 3498 struct dentry *mod_debugfs_root; 3499 3500 static int module_debugfs_init(void) 3501 { 3502 mod_debugfs_root = debugfs_create_dir("modules", NULL); 3503 return 0; 3504 } 3505 module_init(module_debugfs_init); 3506 #endif 3507