// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (C) 2002 Richard Henderson
 * Copyright (C) 2001 Rusty Russell, 2002, 2010 Rusty Russell IBM.
 * Copyright (C) 2023 Luis Chamberlain <[email protected]>
 */

#define INCLUDE_VERMAGIC

#include <linux/export.h>
#include <linux/extable.h>
#include <linux/moduleloader.h>
#include <linux/module_signature.h>
#include <linux/trace_events.h>
#include <linux/init.h>
#include <linux/kallsyms.h>
#include <linux/buildid.h>
#include <linux/fs.h>
#include <linux/kernel.h>
#include <linux/kernel_read_file.h>
#include <linux/kstrtox.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/elf.h>
#include <linux/seq_file.h>
#include <linux/syscalls.h>
#include <linux/fcntl.h>
#include <linux/rcupdate.h>
#include <linux/capability.h>
#include <linux/cpu.h>
#include <linux/moduleparam.h>
#include <linux/errno.h>
#include <linux/err.h>
#include <linux/vermagic.h>
#include <linux/notifier.h>
#include <linux/sched.h>
#include <linux/device.h>
#include <linux/string.h>
#include <linux/mutex.h>
#include <linux/rculist.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
#include <linux/set_memory.h>
#include <asm/mmu_context.h>
#include <linux/license.h>
#include <asm/sections.h>
#include <linux/tracepoint.h>
#include <linux/ftrace.h>
#include <linux/livepatch.h>
#include <linux/async.h>
#include <linux/percpu.h>
#include <linux/kmemleak.h>
#include <linux/jump_label.h>
#include <linux/pfn.h>
#include <linux/bsearch.h>
#include <linux/dynamic_debug.h>
#include <linux/audit.h>
#include <linux/cfi.h>
#include <linux/codetag.h>
#include <linux/debugfs.h>
#include <linux/execmem.h>
#include <uapi/linux/module.h>
#include "internal.h"

#define CREATE_TRACE_POINTS
#include <trace/events/module.h>

/*
 * Mutex protects:
 * 1) List of modules (also safely readable with preempt_disable),
 * 2) module_use links,
 * 3) mod_tree.addr_min/mod_tree.addr_max.
 * (delete and add uses RCU list operations).
 */
DEFINE_MUTEX(module_mutex);
LIST_HEAD(modules);

/* Work queue for freeing init sections in success case */
static void do_free_init(struct work_struct *w);
static DECLARE_WORK(init_free_wq, do_free_init);
static LLIST_HEAD(init_free_list);

struct mod_tree_root mod_tree __cacheline_aligned = {
	.addr_min = -1UL,
};

struct symsearch {
	const struct kernel_symbol *start, *stop;
	const s32 *crcs;
	enum mod_license license;
};

/*
 * Bounds of module memory, for speeding up __module_address.
 * Protected by module_mutex.
 */
static void __mod_update_bounds(enum mod_mem_type type __maybe_unused, void *base,
				unsigned int size, struct mod_tree_root *tree)
{
	unsigned long min = (unsigned long)base;
	unsigned long max = min + size;

#ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC
	if (mod_mem_type_is_core_data(type)) {
		if (min < tree->data_addr_min)
			tree->data_addr_min = min;
		if (max > tree->data_addr_max)
			tree->data_addr_max = max;
		return;
	}
#endif
	if (min < tree->addr_min)
		tree->addr_min = min;
	if (max > tree->addr_max)
		tree->addr_max = max;
}

static void mod_update_bounds(struct module *mod)
{
	for_each_mod_mem_type(type) {
		struct module_memory *mod_mem = &mod->mem[type];

		if (mod_mem->size)
			__mod_update_bounds(type, mod_mem->base, mod_mem->size, &mod_tree);
	}
}

/* Block module loading/unloading? */
int modules_disabled;
core_param(nomodule, modules_disabled, bint, 0);

/* Waiting for a module to finish initializing? */
static DECLARE_WAIT_QUEUE_HEAD(module_wq);

static BLOCKING_NOTIFIER_HEAD(module_notify_list);

int register_module_notifier(struct notifier_block *nb)
{
	return blocking_notifier_chain_register(&module_notify_list, nb);
}
EXPORT_SYMBOL(register_module_notifier);

int unregister_module_notifier(struct notifier_block *nb)
{
	return blocking_notifier_chain_unregister(&module_notify_list, nb);
}
EXPORT_SYMBOL(unregister_module_notifier);

/*
 * We require a truly strong try_module_get(): 0 means success.
 * Otherwise an error is returned due to ongoing or failed
 * initialization etc.
 */
static inline int strong_try_module_get(struct module *mod)
{
	BUG_ON(mod && mod->state == MODULE_STATE_UNFORMED);
	if (mod && mod->state == MODULE_STATE_COMING)
		return -EBUSY;
	if (try_module_get(mod))
		return 0;
	else
		return -ENOENT;
}

static inline void add_taint_module(struct module *mod, unsigned flag,
				    enum lockdep_ok lockdep_ok)
{
	add_taint(flag, lockdep_ok);
	set_bit(flag, &mod->taints);
}

/*
 * A thread that wants to hold a reference to a module only while it
 * is running can call this to safely exit.
 */
void __noreturn __module_put_and_kthread_exit(struct module *mod, long code)
{
	module_put(mod);
	kthread_exit(code);
}
EXPORT_SYMBOL(__module_put_and_kthread_exit);

/* Find a module section: 0 means not found. */
static unsigned int find_sec(const struct load_info *info, const char *name)
{
	unsigned int i;

	for (i = 1; i < info->hdr->e_shnum; i++) {
		Elf_Shdr *shdr = &info->sechdrs[i];
		/* Alloc bit cleared means "ignore it." */
		if ((shdr->sh_flags & SHF_ALLOC)
		    && strcmp(info->secstrings + shdr->sh_name, name) == 0)
			return i;
	}
	return 0;
}

/* Find a module section, or NULL. */
static void *section_addr(const struct load_info *info, const char *name)
{
	/* Section 0 has sh_addr 0. */
	return (void *)info->sechdrs[find_sec(info, name)].sh_addr;
}

/* Find a module section, or NULL. Fill in number of "objects" in section. */
static void *section_objs(const struct load_info *info,
			  const char *name,
			  size_t object_size,
			  unsigned int *num)
{
	unsigned int sec = find_sec(info, name);

	/* Section 0 has sh_addr 0 and sh_size 0. */
	*num = info->sechdrs[sec].sh_size / object_size;
	return (void *)info->sechdrs[sec].sh_addr;
}

/* Find a module section: 0 means not found. Ignores SHF_ALLOC flag. */
static unsigned int find_any_sec(const struct load_info *info, const char *name)
{
	unsigned int i;

	for (i = 1; i < info->hdr->e_shnum; i++) {
		Elf_Shdr *shdr = &info->sechdrs[i];
		if (strcmp(info->secstrings + shdr->sh_name, name) == 0)
			return i;
	}
	return 0;
}

/*
 * Find a module section, or NULL. Fill in number of "objects" in section.
 * Ignores SHF_ALLOC flag.
 */
static __maybe_unused void *any_section_objs(const struct load_info *info,
					     const char *name,
					     size_t object_size,
					     unsigned int *num)
{
	unsigned int sec = find_any_sec(info, name);

	/* Section 0 has sh_addr 0 and sh_size 0. */
	*num = info->sechdrs[sec].sh_size / object_size;
	return (void *)info->sechdrs[sec].sh_addr;
}

#ifndef CONFIG_MODVERSIONS
#define symversion(base, idx) NULL
#else
#define symversion(base, idx) ((base != NULL) ? ((base) + (idx)) : NULL)
#endif

static const char *kernel_symbol_name(const struct kernel_symbol *sym)
{
#ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS
	return offset_to_ptr(&sym->name_offset);
#else
	return sym->name;
#endif
}

static const char *kernel_symbol_namespace(const struct kernel_symbol *sym)
{
#ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS
	if (!sym->namespace_offset)
		return NULL;
	return offset_to_ptr(&sym->namespace_offset);
#else
	return sym->namespace;
#endif
}

int cmp_name(const void *name, const void *sym)
{
	return strcmp(name, kernel_symbol_name(sym));
}
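/*
 * Check one exported-symbol table for the symbol named in @fsa. GPL-only
 * tables are skipped for non-GPL-compatible requesters; on a match the
 * owner, CRC, symbol and license are filled into @fsa.
 */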
static bool find_exported_symbol_in_section(const struct symsearch *syms,
					    struct module *owner,
					    struct find_symbol_arg *fsa)
{
	struct kernel_symbol *sym;

	if (!fsa->gplok && syms->license == GPL_ONLY)
		return false;

	sym = bsearch(fsa->name, syms->start, syms->stop - syms->start,
		      sizeof(struct kernel_symbol), cmp_name);
	if (!sym)
		return false;

	fsa->owner = owner;
	fsa->crc = symversion(syms->crcs, sym - syms->start);
	fsa->sym = sym;
	fsa->license = syms->license;

	return true;
}

/*
 * Find an exported symbol and return it, along with (optional) crc and
 * (optional) module which owns it. Needs preempt disabled or module_mutex.
 */
bool find_symbol(struct find_symbol_arg *fsa)
{
	static const struct symsearch arr[] = {
		{ __start___ksymtab, __stop___ksymtab, __start___kcrctab,
		  NOT_GPL_ONLY },
		{ __start___ksymtab_gpl, __stop___ksymtab_gpl,
		  __start___kcrctab_gpl,
		  GPL_ONLY },
	};
	struct module *mod;
	unsigned int i;

	module_assert_mutex_or_preempt();

	for (i = 0; i < ARRAY_SIZE(arr); i++)
		if (find_exported_symbol_in_section(&arr[i], NULL, fsa))
			return true;

	list_for_each_entry_rcu(mod, &modules, list,
				lockdep_is_held(&module_mutex)) {
		struct symsearch arr[] = {
			{ mod->syms, mod->syms + mod->num_syms, mod->crcs,
			  NOT_GPL_ONLY },
			{ mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
			  mod->gpl_crcs,
			  GPL_ONLY },
		};

		if (mod->state == MODULE_STATE_UNFORMED)
			continue;

		for (i = 0; i < ARRAY_SIZE(arr); i++)
			if (find_exported_symbol_in_section(&arr[i], mod, fsa))
				return true;
	}

	pr_debug("Failed to find symbol %s\n", fsa->name);
	return false;
}

/*
 * Search for module by name: must hold module_mutex (or preempt disabled
 * for read-only access).
 */
struct module *find_module_all(const char *name, size_t len,
			       bool even_unformed)
{
	struct module *mod;

	module_assert_mutex_or_preempt();

	list_for_each_entry_rcu(mod, &modules, list,
				lockdep_is_held(&module_mutex)) {
		if (!even_unformed && mod->state == MODULE_STATE_UNFORMED)
			continue;
		if (strlen(mod->name) == len && !memcmp(mod->name, name, len))
			return mod;
	}
	return NULL;
}

struct module *find_module(const char *name)
{
	return find_module_all(name, strlen(name), false);
}
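/*
 * Static per-CPU data of a module (.data..percpu) is copied into a
 * reserved percpu allocation; mod->percpu and mod->percpu_size let
 * __is_module_percpu_address() map an address back to the boot CPU's
 * copy of that area.
 */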
#ifdef CONFIG_SMP

static inline void __percpu *mod_percpu(struct module *mod)
{
	return mod->percpu;
}

static int percpu_modalloc(struct module *mod, struct load_info *info)
{
	Elf_Shdr *pcpusec = &info->sechdrs[info->index.pcpu];
	unsigned long align = pcpusec->sh_addralign;

	if (!pcpusec->sh_size)
		return 0;

	if (align > PAGE_SIZE) {
		pr_warn("%s: per-cpu alignment %li > %li\n",
			mod->name, align, PAGE_SIZE);
		align = PAGE_SIZE;
	}

	mod->percpu = __alloc_reserved_percpu(pcpusec->sh_size, align);
	if (!mod->percpu) {
		pr_warn("%s: Could not allocate %lu bytes percpu data\n",
			mod->name, (unsigned long)pcpusec->sh_size);
		return -ENOMEM;
	}
	mod->percpu_size = pcpusec->sh_size;
	return 0;
}

static void percpu_modfree(struct module *mod)
{
	free_percpu(mod->percpu);
}

static unsigned int find_pcpusec(struct load_info *info)
{
	return find_sec(info, ".data..percpu");
}

static void percpu_modcopy(struct module *mod,
			   const void *from, unsigned long size)
{
	int cpu;

	for_each_possible_cpu(cpu)
		memcpy(per_cpu_ptr(mod->percpu, cpu), from, size);
}

bool __is_module_percpu_address(unsigned long addr, unsigned long *can_addr)
{
	struct module *mod;
	unsigned int cpu;

	preempt_disable();

	list_for_each_entry_rcu(mod, &modules, list) {
		if (mod->state == MODULE_STATE_UNFORMED)
			continue;
		if (!mod->percpu_size)
			continue;
		for_each_possible_cpu(cpu) {
			void *start = per_cpu_ptr(mod->percpu, cpu);
			void *va = (void *)addr;

			if (va >= start && va < start + mod->percpu_size) {
				if (can_addr) {
					*can_addr = (unsigned long) (va - start);
					*can_addr += (unsigned long)
						per_cpu_ptr(mod->percpu,
							    get_boot_cpu_id());
				}
				preempt_enable();
				return true;
			}
		}
	}

	preempt_enable();
	return false;
}

/**
 * is_module_percpu_address() - test whether address is from module static percpu
 * @addr: address to test
 *
 * Test whether @addr belongs to module static percpu area.
 *
 * Return: %true if @addr is from module static percpu area
 */
bool is_module_percpu_address(unsigned long addr)
{
	return __is_module_percpu_address(addr, NULL);
}

#else /* ... !CONFIG_SMP */

static inline void __percpu *mod_percpu(struct module *mod)
{
	return NULL;
}
static int percpu_modalloc(struct module *mod, struct load_info *info)
{
	/* UP modules shouldn't have this section: ENOMEM isn't quite right */
	if (info->sechdrs[info->index.pcpu].sh_size != 0)
		return -ENOMEM;
	return 0;
}
static inline void percpu_modfree(struct module *mod)
{
}
static unsigned int find_pcpusec(struct load_info *info)
{
	return 0;
}
static inline void percpu_modcopy(struct module *mod,
				  const void *from, unsigned long size)
{
	/* pcpusec should be 0, and size of that section should be 0. */
	BUG_ON(size != 0);
}
bool is_module_percpu_address(unsigned long addr)
{
	return false;
}

bool __is_module_percpu_address(unsigned long addr, unsigned long *can_addr)
{
	return false;
}

#endif /* CONFIG_SMP */

#define MODINFO_ATTR(field) \
static void setup_modinfo_##field(struct module *mod, const char *s) \
{ \
	mod->field = kstrdup(s, GFP_KERNEL); \
} \
static ssize_t show_modinfo_##field(struct module_attribute *mattr, \
				    struct module_kobject *mk, char *buffer) \
{ \
	return scnprintf(buffer, PAGE_SIZE, "%s\n", mk->mod->field); \
} \
static int modinfo_##field##_exists(struct module *mod) \
{ \
	return mod->field != NULL; \
} \
static void free_modinfo_##field(struct module *mod) \
{ \
	kfree(mod->field); \
	mod->field = NULL; \
} \
static struct module_attribute modinfo_##field = { \
	.attr = { .name = __stringify(field), .mode = 0444 }, \
	.show = show_modinfo_##field, \
	.setup = setup_modinfo_##field, \
	.test = modinfo_##field##_exists, \
	.free = free_modinfo_##field, \
};

MODINFO_ATTR(version);
MODINFO_ATTR(srcversion);

static struct {
	char name[MODULE_NAME_LEN + 1];
	char taints[MODULE_FLAGS_BUF_SIZE];
} last_unloaded_module;

#ifdef CONFIG_MODULE_UNLOAD

EXPORT_TRACEPOINT_SYMBOL(module_get);

/* MODULE_REF_BASE is the base reference count taken by the module loader. */
#define MODULE_REF_BASE	1

/* Init the unload section of the module. */
static int module_unload_init(struct module *mod)
{
	/*
	 * Initialize reference counter to MODULE_REF_BASE.
	 * refcnt == 0 means module is going.
	 */
	atomic_set(&mod->refcnt, MODULE_REF_BASE);

	INIT_LIST_HEAD(&mod->source_list);
	INIT_LIST_HEAD(&mod->target_list);

	/* Hold reference count during initialization. */
	atomic_inc(&mod->refcnt);

	return 0;
}
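/*
 * Module dependency tracking: when module A resolves a symbol exported by
 * module B, ref_module(A, B) records a struct module_use on B's source_list
 * and A's target_list and takes a reference on B, so B cannot be unloaded
 * while A is loaded.
 */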
/* Does a already use b? */
static int already_uses(struct module *a, struct module *b)
{
	struct module_use *use;

	list_for_each_entry(use, &b->source_list, source_list) {
		if (use->source == a)
			return 1;
	}
	pr_debug("%s does not use %s!\n", a->name, b->name);
	return 0;
}

/*
 * Module a uses b
 *  - we add 'a' as a "source", 'b' as a "target" of module use
 *  - the module_use is added to the list of 'b' sources (so
 *    'b' can walk the list to see who sourced them), and of 'a'
 *    targets (so 'a' can see what modules it targets).
 */
static int add_module_usage(struct module *a, struct module *b)
{
	struct module_use *use;

	pr_debug("Allocating new usage for %s.\n", a->name);
	use = kmalloc(sizeof(*use), GFP_ATOMIC);
	if (!use)
		return -ENOMEM;

	use->source = a;
	use->target = b;
	list_add(&use->source_list, &b->source_list);
	list_add(&use->target_list, &a->target_list);
	return 0;
}

/* Module a uses b: caller needs module_mutex() */
static int ref_module(struct module *a, struct module *b)
{
	int err;

	if (b == NULL || already_uses(a, b))
		return 0;

	/* If module isn't available, we fail. */
	err = strong_try_module_get(b);
	if (err)
		return err;

	err = add_module_usage(a, b);
	if (err) {
		module_put(b);
		return err;
	}
	return 0;
}

/* Clear the unload stuff of the module. */
static void module_unload_free(struct module *mod)
{
	struct module_use *use, *tmp;

	mutex_lock(&module_mutex);
	list_for_each_entry_safe(use, tmp, &mod->target_list, target_list) {
		struct module *i = use->target;
		pr_debug("%s unusing %s\n", mod->name, i->name);
		module_put(i);
		list_del(&use->source_list);
		list_del(&use->target_list);
		kfree(use);
	}
	mutex_unlock(&module_mutex);
}

#ifdef CONFIG_MODULE_FORCE_UNLOAD
static inline int try_force_unload(unsigned int flags)
{
	int ret = (flags & O_TRUNC);
	if (ret)
		add_taint(TAINT_FORCED_RMMOD, LOCKDEP_NOW_UNRELIABLE);
	return ret;
}
#else
static inline int try_force_unload(unsigned int flags)
{
	return 0;
}
#endif /* CONFIG_MODULE_FORCE_UNLOAD */

/* Try to release refcount of module, 0 means success. */
static int try_release_module_ref(struct module *mod)
{
	int ret;

	/* Try to decrement refcnt which we set at loading */
	ret = atomic_sub_return(MODULE_REF_BASE, &mod->refcnt);
	BUG_ON(ret < 0);
	if (ret)
		/* Someone can put this right now, recover with checking */
		ret = atomic_add_unless(&mod->refcnt, MODULE_REF_BASE, 0);

	return ret;
}
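/*
 * Drop the base reference taken at load time; if the module is still in
 * use, only continue when a forced unload is allowed. On success the
 * module is marked MODULE_STATE_GOING.
 */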
static int try_stop_module(struct module *mod, int flags, int *forced)
{
	/* If it's not unused, quit unless we're forcing. */
	if (try_release_module_ref(mod) != 0) {
		*forced = try_force_unload(flags);
		if (!(*forced))
			return -EWOULDBLOCK;
	}

	/* Mark it as dying. */
	mod->state = MODULE_STATE_GOING;

	return 0;
}

/**
 * module_refcount() - return the refcount or -1 if unloading
 * @mod:	the module we're checking
 *
 * Return:
 *	-1 if the module is in the process of unloading
 *	otherwise the number of references in the kernel to the module
 */
int module_refcount(struct module *mod)
{
	return atomic_read(&mod->refcnt) - MODULE_REF_BASE;
}
EXPORT_SYMBOL(module_refcount);

/* This exists whether we can unload or not */
static void free_module(struct module *mod);

SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
		unsigned int, flags)
{
	struct module *mod;
	char name[MODULE_NAME_LEN];
	char buf[MODULE_FLAGS_BUF_SIZE];
	int ret, forced = 0;

	if (!capable(CAP_SYS_MODULE) || modules_disabled)
		return -EPERM;

	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
		return -EFAULT;
	name[MODULE_NAME_LEN-1] = '\0';

	audit_log_kern_module(name);

	if (mutex_lock_interruptible(&module_mutex) != 0)
		return -EINTR;

	mod = find_module(name);
	if (!mod) {
		ret = -ENOENT;
		goto out;
	}

	if (!list_empty(&mod->source_list)) {
		/* Other modules depend on us: get rid of them first. */
		ret = -EWOULDBLOCK;
		goto out;
	}

	/* Doing init or already dying? */
	if (mod->state != MODULE_STATE_LIVE) {
		/* FIXME: if (force), slam module count damn the torpedoes */
		pr_debug("%s already dying\n", mod->name);
		ret = -EBUSY;
		goto out;
	}

	/* If it has an init func, it must have an exit func to unload */
	if (mod->init && !mod->exit) {
		forced = try_force_unload(flags);
		if (!forced) {
			/* This module can't be removed */
			ret = -EBUSY;
			goto out;
		}
	}

	ret = try_stop_module(mod, flags, &forced);
	if (ret != 0)
		goto out;

	mutex_unlock(&module_mutex);
	/* Final destruction now no one is using it. */
	if (mod->exit != NULL)
		mod->exit();
	blocking_notifier_call_chain(&module_notify_list,
				     MODULE_STATE_GOING, mod);
	klp_module_going(mod);
	ftrace_release_mod(mod);

	async_synchronize_full();

	/* Store the name and taints of the last unloaded module for diagnostic purposes */
	strscpy(last_unloaded_module.name, mod->name, sizeof(last_unloaded_module.name));
	strscpy(last_unloaded_module.taints, module_flags(mod, buf, false), sizeof(last_unloaded_module.taints));

	free_module(mod);
	/* someone could wait for the module in add_unformed_module() */
	wake_up_all(&module_wq);
	return 0;
out:
	mutex_unlock(&module_mutex);
	return ret;
}

void __symbol_put(const char *symbol)
{
	struct find_symbol_arg fsa = {
		.name	= symbol,
		.gplok	= true,
	};

	preempt_disable();
	BUG_ON(!find_symbol(&fsa));
	module_put(fsa.owner);
	preempt_enable();
}
EXPORT_SYMBOL(__symbol_put);

/* Note this assumes addr is a function, which it currently always is. */
void symbol_put_addr(void *addr)
{
	struct module *modaddr;
	unsigned long a = (unsigned long)dereference_function_descriptor(addr);

	if (core_kernel_text(a))
		return;

	/*
	 * Even though we hold a reference on the module; we still need to
	 * disable preemption in order to safely traverse the data structure.
	 */
	preempt_disable();
	modaddr = __module_text_address(a);
	BUG_ON(!modaddr);
	module_put(modaddr);
	preempt_enable();
}
EXPORT_SYMBOL_GPL(symbol_put_addr);

static ssize_t show_refcnt(struct module_attribute *mattr,
			   struct module_kobject *mk, char *buffer)
{
	return sprintf(buffer, "%i\n", module_refcount(mk->mod));
}

static struct module_attribute modinfo_refcnt =
	__ATTR(refcnt, 0444, show_refcnt, NULL);

void __module_get(struct module *module)
{
	if (module) {
		atomic_inc(&module->refcnt);
		trace_module_get(module, _RET_IP_);
	}
}
EXPORT_SYMBOL(__module_get);

bool try_module_get(struct module *module)
{
	bool ret = true;

	if (module) {
		/* Note: here, we can fail to get a reference */
		if (likely(module_is_live(module) &&
			   atomic_inc_not_zero(&module->refcnt) != 0))
			trace_module_get(module, _RET_IP_);
		else
			ret = false;
	}
	return ret;
}
EXPORT_SYMBOL(try_module_get);

void module_put(struct module *module)
{
	int ret;

	if (module) {
		ret = atomic_dec_if_positive(&module->refcnt);
		WARN_ON(ret < 0);	/* Failed to put refcount */
		trace_module_put(module, _RET_IP_);
	}
}
EXPORT_SYMBOL(module_put);

#else /* !CONFIG_MODULE_UNLOAD */
static inline void module_unload_free(struct module *mod)
{
}

static int ref_module(struct module *a, struct module *b)
{
	return strong_try_module_get(b);
}

static inline int module_unload_init(struct module *mod)
{
	return 0;
}
#endif /* CONFIG_MODULE_UNLOAD */

size_t module_flags_taint(unsigned long taints, char *buf)
{
	size_t l = 0;
	int i;

	for (i = 0; i < TAINT_FLAGS_COUNT; i++) {
		if (taint_flags[i].module && test_bit(i, &taints))
			buf[l++] = taint_flags[i].c_true;
	}

	return l;
}

static ssize_t show_initstate(struct module_attribute *mattr,
			      struct module_kobject *mk, char *buffer)
{
	const char *state = "unknown";

	switch (mk->mod->state) {
	case MODULE_STATE_LIVE:
		state = "live";
		break;
	case MODULE_STATE_COMING:
		state = "coming";
		break;
	case MODULE_STATE_GOING:
		state = "going";
		break;
	default:
		BUG();
	}
	return sprintf(buffer, "%s\n", state);
}

static struct module_attribute modinfo_initstate =
	__ATTR(initstate, 0444, show_initstate, NULL);

static ssize_t store_uevent(struct module_attribute *mattr,
			    struct module_kobject *mk,
			    const char *buffer, size_t count)
{
	int rc;

	rc = kobject_synth_uevent(&mk->kobj, buffer, count);
	return rc ? rc : count;
}

struct module_attribute module_uevent =
	__ATTR(uevent, 0200, NULL, store_uevent);

static ssize_t show_coresize(struct module_attribute *mattr,
			     struct module_kobject *mk, char *buffer)
{
	unsigned int size = mk->mod->mem[MOD_TEXT].size;

	if (!IS_ENABLED(CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC)) {
		for_class_mod_mem_type(type, core_data)
			size += mk->mod->mem[type].size;
	}
	return sprintf(buffer, "%u\n", size);
}

static struct module_attribute modinfo_coresize =
	__ATTR(coresize, 0444, show_coresize, NULL);

#ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC
static ssize_t show_datasize(struct module_attribute *mattr,
			     struct module_kobject *mk, char *buffer)
{
	unsigned int size = 0;

	for_class_mod_mem_type(type, core_data)
		size += mk->mod->mem[type].size;
	return sprintf(buffer, "%u\n", size);
}

static struct module_attribute modinfo_datasize =
	__ATTR(datasize, 0444, show_datasize, NULL);
#endif

static ssize_t show_initsize(struct module_attribute *mattr,
			     struct module_kobject *mk, char *buffer)
{
	unsigned int size = 0;

	for_class_mod_mem_type(type, init)
		size += mk->mod->mem[type].size;
	return sprintf(buffer, "%u\n", size);
}

static struct module_attribute modinfo_initsize =
	__ATTR(initsize, 0444, show_initsize, NULL);

static ssize_t show_taint(struct module_attribute *mattr,
			  struct module_kobject *mk, char *buffer)
{
	size_t l;

	l = module_flags_taint(mk->mod->taints, buffer);
	buffer[l++] = '\n';
	return l;
}

static struct module_attribute modinfo_taint =
	__ATTR(taint, 0444, show_taint, NULL);

struct module_attribute *modinfo_attrs[] = {
	&module_uevent,
	&modinfo_version,
	&modinfo_srcversion,
	&modinfo_initstate,
	&modinfo_coresize,
#ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC
	&modinfo_datasize,
#endif
	&modinfo_initsize,
	&modinfo_taint,
#ifdef CONFIG_MODULE_UNLOAD
	&modinfo_refcnt,
#endif
	NULL,
};

size_t modinfo_attrs_count = ARRAY_SIZE(modinfo_attrs);

static const char vermagic[] = VERMAGIC_STRING;

int try_to_force_load(struct module *mod, const char *reason)
{
#ifdef CONFIG_MODULE_FORCE_LOAD
	if (!test_taint(TAINT_FORCED_MODULE))
		pr_warn("%s: %s: kernel tainted.\n", mod->name, reason);
	add_taint_module(mod, TAINT_FORCED_MODULE, LOCKDEP_NOW_UNRELIABLE);
	return 0;
#else
	return -ENOEXEC;
#endif
}

/* Parse tag=value strings from .modinfo section */
char *module_next_tag_pair(char *string, unsigned long *secsize)
{
	/* Skip non-zero chars */
	while (string[0]) {
		string++;
		if ((*secsize)-- <= 1)
			return NULL;
	}

	/* Skip any zero padding. */
	while (!string[0]) {
		string++;
		if ((*secsize)-- <= 1)
			return NULL;
	}
	return string;
}
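/*
 * .modinfo is a sequence of NUL-terminated "tag=value" strings (e.g.
 * "license=GPL\0vermagic=..."); get_next_modinfo() walks those pairs with
 * module_next_tag_pair() and returns the value part for the requested tag.
 */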
static char *get_next_modinfo(const struct load_info *info, const char *tag,
			      char *prev)
{
	char *p;
	unsigned int taglen = strlen(tag);
	Elf_Shdr *infosec = &info->sechdrs[info->index.info];
	unsigned long size = infosec->sh_size;

	/*
	 * get_modinfo() calls made before rewrite_section_headers()
	 * must use sh_offset, as sh_addr isn't set!
	 */
	char *modinfo = (char *)info->hdr + infosec->sh_offset;

	if (prev) {
		size -= prev - modinfo;
		modinfo = module_next_tag_pair(prev, &size);
	}

	for (p = modinfo; p; p = module_next_tag_pair(p, &size)) {
		if (strncmp(p, tag, taglen) == 0 && p[taglen] == '=')
			return p + taglen + 1;
	}
	return NULL;
}

static char *get_modinfo(const struct load_info *info, const char *tag)
{
	return get_next_modinfo(info, tag, NULL);
}

static int verify_namespace_is_imported(const struct load_info *info,
					const struct kernel_symbol *sym,
					struct module *mod)
{
	const char *namespace;
	char *imported_namespace;

	namespace = kernel_symbol_namespace(sym);
	if (namespace && namespace[0]) {
		for_each_modinfo_entry(imported_namespace, info, "import_ns") {
			if (strcmp(namespace, imported_namespace) == 0)
				return 0;
		}
#ifdef CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
		pr_warn(
#else
		pr_err(
#endif
			"%s: module uses symbol (%s) from namespace %s, but does not import it.\n",
			mod->name, kernel_symbol_name(sym), namespace);
#ifndef CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
		return -EINVAL;
#endif
	}
	return 0;
}

static bool inherit_taint(struct module *mod, struct module *owner, const char *name)
{
	if (!owner || !test_bit(TAINT_PROPRIETARY_MODULE, &owner->taints))
		return true;

	if (mod->using_gplonly_symbols) {
		pr_err("%s: module using GPL-only symbols uses symbols %s from proprietary module %s.\n",
			mod->name, name, owner->name);
		return false;
	}

	if (!test_bit(TAINT_PROPRIETARY_MODULE, &mod->taints)) {
		pr_warn("%s: module uses symbols %s from proprietary module %s, inheriting taint.\n",
			mod->name, name, owner->name);
		set_bit(TAINT_PROPRIETARY_MODULE, &mod->taints);
	}
	return true;
}

/* Resolve a symbol for this module. I.e. if we find one, record usage. */
static const struct kernel_symbol *resolve_symbol(struct module *mod,
						  const struct load_info *info,
						  const char *name,
						  char ownername[])
{
	struct find_symbol_arg fsa = {
		.name	= name,
		.gplok	= !(mod->taints & (1 << TAINT_PROPRIETARY_MODULE)),
		.warn	= true,
	};
	int err;

	/*
	 * The module_mutex should not be a heavily contended lock;
	 * if we get the occasional sleep here, we'll go an extra iteration
	 * in the wait_event_interruptible(), which is harmless.
	 */
	sched_annotate_sleep();
	mutex_lock(&module_mutex);
	if (!find_symbol(&fsa))
		goto unlock;

	if (fsa.license == GPL_ONLY)
		mod->using_gplonly_symbols = true;

	if (!inherit_taint(mod, fsa.owner, name)) {
		fsa.sym = NULL;
		goto getname;
	}

	if (!check_version(info, name, mod, fsa.crc)) {
		fsa.sym = ERR_PTR(-EINVAL);
		goto getname;
	}

	err = verify_namespace_is_imported(info, fsa.sym, mod);
	if (err) {
		fsa.sym = ERR_PTR(err);
		goto getname;
	}

	err = ref_module(mod, fsa.owner);
	if (err) {
		fsa.sym = ERR_PTR(err);
		goto getname;
	}

getname:
	/* We must make copy under the lock if we failed to get ref. */
	strncpy(ownername, module_name(fsa.owner), MODULE_NAME_LEN);
unlock:
	mutex_unlock(&module_mutex);
	return fsa.sym;
}

static const struct kernel_symbol *
resolve_symbol_wait(struct module *mod,
		    const struct load_info *info,
		    const char *name)
{
	const struct kernel_symbol *ksym;
	char owner[MODULE_NAME_LEN];

	if (wait_event_interruptible_timeout(module_wq,
			!IS_ERR(ksym = resolve_symbol(mod, info, name, owner))
			|| PTR_ERR(ksym) != -EBUSY,
			30 * HZ) <= 0) {
		pr_warn("%s: gave up waiting for init of module %s.\n",
			mod->name, owner);
	}
	return ksym;
}

void __weak module_arch_cleanup(struct module *mod)
{
}

void __weak module_arch_freeing_init(struct module *mod)
{
}

void *__module_writable_address(struct module *mod, void *loc)
{
	for_class_mod_mem_type(type, text) {
		struct module_memory *mem = &mod->mem[type];

		if (loc >= mem->base && loc < mem->base + mem->size)
			return loc + (mem->rw_copy - mem->base);
	}

	return loc;
}
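/*
 * Allocate backing memory for one module memory region from the matching
 * execmem pool. For ROX (read-only, executable) pools a separate writable
 * copy is kept in rw_copy; otherwise rw_copy simply aliases base.
 */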
static int module_memory_alloc(struct module *mod, enum mod_mem_type type)
{
	unsigned int size = PAGE_ALIGN(mod->mem[type].size);
	enum execmem_type execmem_type;
	void *ptr;

	mod->mem[type].size = size;

	if (mod_mem_type_is_data(type))
		execmem_type = EXECMEM_MODULE_DATA;
	else
		execmem_type = EXECMEM_MODULE_TEXT;

	ptr = execmem_alloc(execmem_type, size);
	if (!ptr)
		return -ENOMEM;

	mod->mem[type].base = ptr;

	if (execmem_is_rox(execmem_type)) {
		ptr = vzalloc(size);

		if (!ptr) {
			execmem_free(mod->mem[type].base);
			return -ENOMEM;
		}

		mod->mem[type].rw_copy = ptr;
		mod->mem[type].is_rox = true;
	} else {
		mod->mem[type].rw_copy = mod->mem[type].base;
		memset(mod->mem[type].base, 0, size);
	}

	/*
	 * The pointers to these blocks of memory are stored on the module
	 * structure and we keep that around so long as the module is
	 * around. We only free that memory when we unload the module.
	 * Just mark them as not being a leak then. The .init* ELF
	 * sections *do* get freed after boot so we *could* treat them
	 * slightly differently with kmemleak_ignore() and only grey
	 * them out as they work as typical memory allocations which
	 * *do* eventually get freed, but let's just keep things simple
	 * and avoid *any* false positives.
	 */
	kmemleak_not_leak(ptr);

	return 0;
}

static void module_memory_free(struct module *mod, enum mod_mem_type type,
			       bool unload_codetags)
{
	struct module_memory *mem = &mod->mem[type];
	void *ptr = mem->base;

	if (mem->is_rox)
		vfree(mem->rw_copy);

	if (!unload_codetags && mod_mem_type_is_core_data(type))
		return;

	execmem_free(ptr);
}

static void free_mod_mem(struct module *mod, bool unload_codetags)
{
	for_each_mod_mem_type(type) {
		struct module_memory *mod_mem = &mod->mem[type];

		if (type == MOD_DATA)
			continue;

		/* Free lock-classes; relies on the preceding sync_rcu(). */
		lockdep_free_key_range(mod_mem->base, mod_mem->size);
		if (mod_mem->size)
			module_memory_free(mod, type, unload_codetags);
	}

	/* MOD_DATA hosts mod, so free it at last */
	lockdep_free_key_range(mod->mem[MOD_DATA].base, mod->mem[MOD_DATA].size);
	module_memory_free(mod, MOD_DATA, unload_codetags);
}

/* Free a module, remove from lists, etc. */
static void free_module(struct module *mod)
{
	bool unload_codetags;

	trace_module_free(mod);

	unload_codetags = codetag_unload_module(mod);
	if (!unload_codetags)
		pr_warn("%s: memory allocation(s) from the module still alive, cannot unload cleanly\n",
			mod->name);

	mod_sysfs_teardown(mod);

	/*
	 * We leave it in list to prevent duplicate loads, but make sure
	 * that no one uses it while it's being deconstructed.
	 */
	mutex_lock(&module_mutex);
	mod->state = MODULE_STATE_UNFORMED;
	mutex_unlock(&module_mutex);

	/* Arch-specific cleanup. */
	module_arch_cleanup(mod);

	/* Module unload stuff */
	module_unload_free(mod);

	/* Free any allocated parameters. */
	destroy_params(mod->kp, mod->num_kp);

	if (is_livepatch_module(mod))
		free_module_elf(mod);

	/* Now we can delete it from the lists */
	mutex_lock(&module_mutex);
	/* Unlink carefully: kallsyms could be walking list. */
	list_del_rcu(&mod->list);
	mod_tree_remove(mod);
	/* Remove this module from bug list, this uses list_del_rcu */
	module_bug_cleanup(mod);
	/* Wait for RCU-sched synchronizing before releasing mod->list and buglist. */
	synchronize_rcu();
	if (try_add_tainted_module(mod))
		pr_err("%s: adding tainted module to the unloaded tainted modules list failed.\n",
		       mod->name);
	mutex_unlock(&module_mutex);

	/* This may be empty, but that's OK */
	module_arch_freeing_init(mod);
	kfree(mod->args);
	percpu_modfree(mod);

	free_mod_mem(mod, unload_codetags);
}

void *__symbol_get(const char *symbol)
{
	struct find_symbol_arg fsa = {
		.name	= symbol,
		.gplok	= true,
		.warn	= true,
	};

	preempt_disable();
	if (!find_symbol(&fsa))
		goto fail;
	if (fsa.license != GPL_ONLY) {
		pr_warn("failing symbol_get of non-GPLONLY symbol %s.\n",
			symbol);
		goto fail;
	}
	if (strong_try_module_get(fsa.owner))
		goto fail;
	preempt_enable();
	return (void *)kernel_symbol_value(fsa.sym);
fail:
	preempt_enable();
	return NULL;
}
EXPORT_SYMBOL_GPL(__symbol_get);

/*
 * Ensure that an exported symbol [global namespace] does not already exist
 * in the kernel or in some other module's exported symbol table.
 *
 * You must hold the module_mutex.
 */
static int verify_exported_symbols(struct module *mod)
{
	unsigned int i;
	const struct kernel_symbol *s;
	struct {
		const struct kernel_symbol *sym;
		unsigned int num;
	} arr[] = {
		{ mod->syms, mod->num_syms },
		{ mod->gpl_syms, mod->num_gpl_syms },
	};

	for (i = 0; i < ARRAY_SIZE(arr); i++) {
		for (s = arr[i].sym; s < arr[i].sym + arr[i].num; s++) {
			struct find_symbol_arg fsa = {
				.name	= kernel_symbol_name(s),
				.gplok	= true,
			};
			if (find_symbol(&fsa)) {
				pr_err("%s: exports duplicate symbol %s"
				       " (owned by %s)\n",
				       mod->name, kernel_symbol_name(s),
				       module_name(fsa.owner));
				return -ENOEXEC;
			}
		}
	}
	return 0;
}

static bool ignore_undef_symbol(Elf_Half emachine, const char *name)
{
	/*
	 * On x86, PIC code and Clang non-PIC code may have call foo@PLT. GNU as
	 * before 2.37 produces an unreferenced _GLOBAL_OFFSET_TABLE_ on x86-64.
	 * i386 has a similar problem but may not deserve a fix.
	 *
	 * If we ever have to ignore many symbols, consider refactoring the code to
	 * only warn if referenced by a relocation.
	 */
	if (emachine == EM_386 || emachine == EM_X86_64)
		return !strcmp(name, "_GLOBAL_OFFSET_TABLE_");
	return false;
}

/* Change all symbols so that st_value encodes the pointer directly. */
static int simplify_symbols(struct module *mod, const struct load_info *info)
{
	Elf_Shdr *symsec = &info->sechdrs[info->index.sym];
	Elf_Sym *sym = (void *)symsec->sh_addr;
	unsigned long secbase;
	unsigned int i;
	int ret = 0;
	const struct kernel_symbol *ksym;

	for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
		const char *name = info->strtab + sym[i].st_name;

		switch (sym[i].st_shndx) {
		case SHN_COMMON:
			/* Ignore common symbols */
			if (!strncmp(name, "__gnu_lto", 9))
				break;

			/*
			 * We compiled with -fno-common. These are not
			 * supposed to happen.
			 */
			pr_debug("Common symbol: %s\n", name);
			pr_warn("%s: please compile with -fno-common\n",
				mod->name);
			ret = -ENOEXEC;
			break;

		case SHN_ABS:
			/* Don't need to do anything */
			pr_debug("Absolute symbol: 0x%08lx %s\n",
				 (long)sym[i].st_value, name);
			break;

		case SHN_LIVEPATCH:
			/* Livepatch symbols are resolved by livepatch */
			break;

		case SHN_UNDEF:
			ksym = resolve_symbol_wait(mod, info, name);
			/* Ok if resolved. */
			if (ksym && !IS_ERR(ksym)) {
				sym[i].st_value = kernel_symbol_value(ksym);
				break;
			}

			/* Ok if weak or ignored. */
			if (!ksym &&
			    (ELF_ST_BIND(sym[i].st_info) == STB_WEAK ||
			     ignore_undef_symbol(info->hdr->e_machine, name)))
				break;

			ret = PTR_ERR(ksym) ?: -ENOENT;
			pr_warn("%s: Unknown symbol %s (err %d)\n",
				mod->name, name, ret);
			break;

		default:
			/* Divert to percpu allocation if a percpu var. */
			if (sym[i].st_shndx == info->index.pcpu)
				secbase = (unsigned long)mod_percpu(mod);
			else
				secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
			sym[i].st_value += secbase;
			break;
		}
	}

	return ret;
}

static int apply_relocations(struct module *mod, const struct load_info *info)
{
	unsigned int i;
	int err = 0;

	/* Now do relocations. */
	for (i = 1; i < info->hdr->e_shnum; i++) {
		unsigned int infosec = info->sechdrs[i].sh_info;

		/* Not a valid relocation section? */
		if (infosec >= info->hdr->e_shnum)
			continue;

		/* Don't bother with non-allocated sections */
		if (!(info->sechdrs[infosec].sh_flags & SHF_ALLOC))
			continue;

		if (info->sechdrs[i].sh_flags & SHF_RELA_LIVEPATCH)
			err = klp_apply_section_relocs(mod, info->sechdrs,
						       info->secstrings,
						       info->strtab,
						       info->index.sym, i,
						       NULL);
		else if (info->sechdrs[i].sh_type == SHT_REL)
			err = apply_relocate(info->sechdrs, info->strtab,
					     info->index.sym, i, mod);
		else if (info->sechdrs[i].sh_type == SHT_RELA)
			err = apply_relocate_add(info->sechdrs, info->strtab,
						 info->index.sym, i, mod);
		if (err < 0)
			break;
	}
	return err;
}

/* Additional bytes needed by arch in front of individual sections */
unsigned int __weak arch_mod_section_prepend(struct module *mod,
					     unsigned int section)
{
	/* default implementation just returns zero */
	return 0;
}

long module_get_offset_and_type(struct module *mod, enum mod_mem_type type,
				Elf_Shdr *sechdr, unsigned int section)
{
	long offset;
	long mask = ((unsigned long)(type) & SH_ENTSIZE_TYPE_MASK) << SH_ENTSIZE_TYPE_SHIFT;

	mod->mem[type].size += arch_mod_section_prepend(mod, section);
	offset = ALIGN(mod->mem[type].size, sechdr->sh_addralign ?: 1);
	mod->mem[type].size = offset + sechdr->sh_size;

	WARN_ON_ONCE(offset & mask);
	return offset | mask;
}

bool module_init_layout_section(const char *sname)
{
#ifndef CONFIG_MODULE_UNLOAD
	if (module_exit_section(sname))
		return true;
#endif
	return module_init_section(sname);
}
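/*
 * Walk the section headers and assign each matching SHF_ALLOC section to a
 * module memory type, accumulating per-type sizes; the chosen type and the
 * section's offset within it are encoded into sh_entsize via
 * module_get_offset_and_type().
 */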
init_m_to_mem_type[m] : core_m_to_mem_type[m]; 1592 1593 for (i = 0; i < info->hdr->e_shnum; ++i) { 1594 Elf_Shdr *s = &info->sechdrs[i]; 1595 const char *sname = info->secstrings + s->sh_name; 1596 1597 if ((s->sh_flags & masks[m][0]) != masks[m][0] 1598 || (s->sh_flags & masks[m][1]) 1599 || s->sh_entsize != ~0UL 1600 || is_init != module_init_layout_section(sname)) 1601 continue; 1602 1603 if (WARN_ON_ONCE(type == MOD_INVALID)) 1604 continue; 1605 1606 s->sh_entsize = module_get_offset_and_type(mod, type, s, i); 1607 pr_debug("\t%s\n", sname); 1608 } 1609 } 1610 } 1611 1612 /* 1613 * Lay out the SHF_ALLOC sections in a way not dissimilar to how ld 1614 * might -- code, read-only data, read-write data, small data. Tally 1615 * sizes, and place the offsets into sh_entsize fields: high bit means it 1616 * belongs in init. 1617 */ 1618 static void layout_sections(struct module *mod, struct load_info *info) 1619 { 1620 unsigned int i; 1621 1622 for (i = 0; i < info->hdr->e_shnum; i++) 1623 info->sechdrs[i].sh_entsize = ~0UL; 1624 1625 pr_debug("Core section allocation order for %s:\n", mod->name); 1626 __layout_sections(mod, info, false); 1627 1628 pr_debug("Init section allocation order for %s:\n", mod->name); 1629 __layout_sections(mod, info, true); 1630 } 1631 1632 static void module_license_taint_check(struct module *mod, const char *license) 1633 { 1634 if (!license) 1635 license = "unspecified"; 1636 1637 if (!license_is_gpl_compatible(license)) { 1638 if (!test_taint(TAINT_PROPRIETARY_MODULE)) 1639 pr_warn("%s: module license '%s' taints kernel.\n", 1640 mod->name, license); 1641 add_taint_module(mod, TAINT_PROPRIETARY_MODULE, 1642 LOCKDEP_NOW_UNRELIABLE); 1643 } 1644 } 1645 1646 static void setup_modinfo(struct module *mod, struct load_info *info) 1647 { 1648 struct module_attribute *attr; 1649 int i; 1650 1651 for (i = 0; (attr = modinfo_attrs[i]); i++) { 1652 if (attr->setup) 1653 attr->setup(mod, get_modinfo(info, attr->attr.name)); 1654 } 1655 } 1656 1657 static void free_modinfo(struct module *mod) 1658 { 1659 struct module_attribute *attr; 1660 int i; 1661 1662 for (i = 0; (attr = modinfo_attrs[i]); i++) { 1663 if (attr->free) 1664 attr->free(mod); 1665 } 1666 } 1667 1668 bool __weak module_init_section(const char *name) 1669 { 1670 return strstarts(name, ".init"); 1671 } 1672 1673 bool __weak module_exit_section(const char *name) 1674 { 1675 return strstarts(name, ".exit"); 1676 } 1677 1678 static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr) 1679 { 1680 #if defined(CONFIG_64BIT) 1681 unsigned long long secend; 1682 #else 1683 unsigned long secend; 1684 #endif 1685 1686 /* 1687 * Check for both overflow and offset/size being 1688 * too large. 1689 */ 1690 secend = shdr->sh_offset + shdr->sh_size; 1691 if (secend < shdr->sh_offset || secend > info->len) 1692 return -ENOEXEC; 1693 1694 return 0; 1695 } 1696 1697 /* 1698 * Check userspace passed ELF module against our expectations, and cache 1699 * useful variables for further processing as we go. 1700 * 1701 * This does basic validity checks against section offsets and sizes, the 1702 * section name string table, and the indices used for it (sh_name). 
1703 * 1704 * As a last step, since we're already checking the ELF sections we cache 1705 * useful variables which will be used later for our convenience: 1706 * 1707 * o pointers to section headers 1708 * o cache the modinfo symbol section 1709 * o cache the string symbol section 1710 * o cache the module section 1711 * 1712 * As a last step we set info->mod to the temporary copy of the module in 1713 * info->hdr. The final one will be allocated in move_module(). Any 1714 * modifications we make to our copy of the module will be carried over 1715 * to the final minted module. 1716 */ 1717 static int elf_validity_cache_copy(struct load_info *info, int flags) 1718 { 1719 unsigned int i; 1720 Elf_Shdr *shdr, *strhdr; 1721 int err; 1722 unsigned int num_mod_secs = 0, mod_idx; 1723 unsigned int num_info_secs = 0, info_idx; 1724 unsigned int num_sym_secs = 0, sym_idx; 1725 1726 if (info->len < sizeof(*(info->hdr))) { 1727 pr_err("Invalid ELF header len %lu\n", info->len); 1728 goto no_exec; 1729 } 1730 1731 if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) != 0) { 1732 pr_err("Invalid ELF header magic: != %s\n", ELFMAG); 1733 goto no_exec; 1734 } 1735 if (info->hdr->e_type != ET_REL) { 1736 pr_err("Invalid ELF header type: %u != %u\n", 1737 info->hdr->e_type, ET_REL); 1738 goto no_exec; 1739 } 1740 if (!elf_check_arch(info->hdr)) { 1741 pr_err("Invalid architecture in ELF header: %u\n", 1742 info->hdr->e_machine); 1743 goto no_exec; 1744 } 1745 if (!module_elf_check_arch(info->hdr)) { 1746 pr_err("Invalid module architecture in ELF header: %u\n", 1747 info->hdr->e_machine); 1748 goto no_exec; 1749 } 1750 if (info->hdr->e_shentsize != sizeof(Elf_Shdr)) { 1751 pr_err("Invalid ELF section header size\n"); 1752 goto no_exec; 1753 } 1754 1755 /* 1756 * e_shnum is 16 bits, and sizeof(Elf_Shdr) is 1757 * known and small. So e_shnum * sizeof(Elf_Shdr) 1758 * will not overflow unsigned long on any platform. 1759 */ 1760 if (info->hdr->e_shoff >= info->len 1761 || (info->hdr->e_shnum * sizeof(Elf_Shdr) > 1762 info->len - info->hdr->e_shoff)) { 1763 pr_err("Invalid ELF section header overflow\n"); 1764 goto no_exec; 1765 } 1766 1767 info->sechdrs = (void *)info->hdr + info->hdr->e_shoff; 1768 1769 /* 1770 * Verify if the section name table index is valid. 1771 */ 1772 if (info->hdr->e_shstrndx == SHN_UNDEF 1773 || info->hdr->e_shstrndx >= info->hdr->e_shnum) { 1774 pr_err("Invalid ELF section name index: %d || e_shstrndx (%d) >= e_shnum (%d)\n", 1775 info->hdr->e_shstrndx, info->hdr->e_shstrndx, 1776 info->hdr->e_shnum); 1777 goto no_exec; 1778 } 1779 1780 strhdr = &info->sechdrs[info->hdr->e_shstrndx]; 1781 err = validate_section_offset(info, strhdr); 1782 if (err < 0) { 1783 pr_err("Invalid ELF section hdr(type %u)\n", strhdr->sh_type); 1784 return err; 1785 } 1786 1787 /* 1788 * The section name table must be NUL-terminated, as required 1789 * by the spec. This makes strcmp and pr_* calls that access 1790 * strings in the section safe. 1791 */ 1792 info->secstrings = (void *)info->hdr + strhdr->sh_offset; 1793 if (strhdr->sh_size == 0) { 1794 pr_err("empty section name table\n"); 1795 goto no_exec; 1796 } 1797 if (info->secstrings[strhdr->sh_size - 1] != '\0') { 1798 pr_err("ELF Spec violation: section name table isn't null terminated\n"); 1799 goto no_exec; 1800 } 1801 1802 /* 1803 * The code assumes that section 0 has a length of zero and 1804 * an addr of zero, so check for it. 
1805 */ 1806 if (info->sechdrs[0].sh_type != SHT_NULL 1807 || info->sechdrs[0].sh_size != 0 1808 || info->sechdrs[0].sh_addr != 0) { 1809 pr_err("ELF Spec violation: section 0 type(%d)!=SH_NULL or non-zero len or addr\n", 1810 info->sechdrs[0].sh_type); 1811 goto no_exec; 1812 } 1813 1814 for (i = 1; i < info->hdr->e_shnum; i++) { 1815 shdr = &info->sechdrs[i]; 1816 switch (shdr->sh_type) { 1817 case SHT_NULL: 1818 case SHT_NOBITS: 1819 continue; 1820 case SHT_SYMTAB: 1821 if (shdr->sh_link == SHN_UNDEF 1822 || shdr->sh_link >= info->hdr->e_shnum) { 1823 pr_err("Invalid ELF sh_link!=SHN_UNDEF(%d) or (sh_link(%d) >= hdr->e_shnum(%d)\n", 1824 shdr->sh_link, shdr->sh_link, 1825 info->hdr->e_shnum); 1826 goto no_exec; 1827 } 1828 num_sym_secs++; 1829 sym_idx = i; 1830 fallthrough; 1831 default: 1832 err = validate_section_offset(info, shdr); 1833 if (err < 0) { 1834 pr_err("Invalid ELF section in module (section %u type %u)\n", 1835 i, shdr->sh_type); 1836 return err; 1837 } 1838 if (strcmp(info->secstrings + shdr->sh_name, 1839 ".gnu.linkonce.this_module") == 0) { 1840 num_mod_secs++; 1841 mod_idx = i; 1842 } else if (strcmp(info->secstrings + shdr->sh_name, 1843 ".modinfo") == 0) { 1844 num_info_secs++; 1845 info_idx = i; 1846 } 1847 1848 if (shdr->sh_flags & SHF_ALLOC) { 1849 if (shdr->sh_name >= strhdr->sh_size) { 1850 pr_err("Invalid ELF section name in module (section %u type %u)\n", 1851 i, shdr->sh_type); 1852 return -ENOEXEC; 1853 } 1854 } 1855 break; 1856 } 1857 } 1858 1859 if (num_info_secs > 1) { 1860 pr_err("Only one .modinfo section must exist.\n"); 1861 goto no_exec; 1862 } else if (num_info_secs == 1) { 1863 /* Try to find a name early so we can log errors with a module name */ 1864 info->index.info = info_idx; 1865 info->name = get_modinfo(info, "name"); 1866 } 1867 1868 if (num_sym_secs != 1) { 1869 pr_warn("%s: module has no symbols (stripped?)\n", 1870 info->name ?: "(missing .modinfo section or name field)"); 1871 goto no_exec; 1872 } 1873 1874 /* Sets internal symbols and strings. */ 1875 info->index.sym = sym_idx; 1876 shdr = &info->sechdrs[sym_idx]; 1877 info->index.str = shdr->sh_link; 1878 info->strtab = (char *)info->hdr + info->sechdrs[info->index.str].sh_offset; 1879 1880 /* 1881 * The ".gnu.linkonce.this_module" ELF section is special. It is 1882 * what modpost uses to refer to __this_module and let's use rely 1883 * on THIS_MODULE to point to &__this_module properly. The kernel's 1884 * modpost declares it on each modules's *.mod.c file. If the struct 1885 * module of the kernel changes a full kernel rebuild is required. 1886 * 1887 * We have a few expectaions for this special section, the following 1888 * code validates all this for us: 1889 * 1890 * o Only one section must exist 1891 * o We expect the kernel to always have to allocate it: SHF_ALLOC 1892 * o The section size must match the kernel's run time's struct module 1893 * size 1894 */ 1895 if (num_mod_secs != 1) { 1896 pr_err("module %s: Only one .gnu.linkonce.this_module section must exist.\n", 1897 info->name ?: "(missing .modinfo section or name field)"); 1898 goto no_exec; 1899 } 1900 1901 shdr = &info->sechdrs[mod_idx]; 1902 1903 /* 1904 * This is already implied on the switch above, however let's be 1905 * pedantic about it. 
1906 */ 1907 if (shdr->sh_type == SHT_NOBITS) { 1908 pr_err("module %s: .gnu.linkonce.this_module section must have a size set\n", 1909 info->name ?: "(missing .modinfo section or name field)"); 1910 goto no_exec; 1911 } 1912 1913 if (!(shdr->sh_flags & SHF_ALLOC)) { 1914 pr_err("module %s: .gnu.linkonce.this_module must occupy memory during process execution\n", 1915 info->name ?: "(missing .modinfo section or name field)"); 1916 goto no_exec; 1917 } 1918 1919 if (shdr->sh_size != sizeof(struct module)) { 1920 pr_err("module %s: .gnu.linkonce.this_module section size must match the kernel's built struct module size at run time\n", 1921 info->name ?: "(missing .modinfo section or name field)"); 1922 goto no_exec; 1923 } 1924 1925 info->index.mod = mod_idx; 1926 1927 /* This is temporary: point mod into copy of data. */ 1928 info->mod = (void *)info->hdr + shdr->sh_offset; 1929 1930 /* 1931 * If we didn't load the .modinfo 'name' field earlier, fall back to 1932 * on-disk struct mod 'name' field. 1933 */ 1934 if (!info->name) 1935 info->name = info->mod->name; 1936 1937 if (flags & MODULE_INIT_IGNORE_MODVERSIONS) 1938 info->index.vers = 0; /* Pretend no __versions section! */ 1939 else 1940 info->index.vers = find_sec(info, "__versions"); 1941 1942 info->index.pcpu = find_pcpusec(info); 1943 1944 return 0; 1945 1946 no_exec: 1947 return -ENOEXEC; 1948 } 1949 1950 #define COPY_CHUNK_SIZE (16*PAGE_SIZE) 1951 1952 static int copy_chunked_from_user(void *dst, const void __user *usrc, unsigned long len) 1953 { 1954 do { 1955 unsigned long n = min(len, COPY_CHUNK_SIZE); 1956 1957 if (copy_from_user(dst, usrc, n) != 0) 1958 return -EFAULT; 1959 cond_resched(); 1960 dst += n; 1961 usrc += n; 1962 len -= n; 1963 } while (len); 1964 return 0; 1965 } 1966 1967 static int check_modinfo_livepatch(struct module *mod, struct load_info *info) 1968 { 1969 if (!get_modinfo(info, "livepatch")) 1970 /* Nothing more to do */ 1971 return 0; 1972 1973 if (set_livepatch_module(mod)) 1974 return 0; 1975 1976 pr_err("%s: module is marked as livepatch module, but livepatch support is disabled", 1977 mod->name); 1978 return -ENOEXEC; 1979 } 1980 1981 static void check_modinfo_retpoline(struct module *mod, struct load_info *info) 1982 { 1983 if (retpoline_module_ok(get_modinfo(info, "retpoline"))) 1984 return; 1985 1986 pr_warn("%s: loading module not compiled with retpoline compiler.\n", 1987 mod->name); 1988 } 1989 1990 /* Sets info->hdr and info->len. */ 1991 static int copy_module_from_user(const void __user *umod, unsigned long len, 1992 struct load_info *info) 1993 { 1994 int err; 1995 1996 info->len = len; 1997 if (info->len < sizeof(*(info->hdr))) 1998 return -ENOEXEC; 1999 2000 err = security_kernel_load_data(LOADING_MODULE, true); 2001 if (err) 2002 return err; 2003 2004 /* Suck in entire file: we'll want most of it. 
*/ 2005 info->hdr = __vmalloc(info->len, GFP_KERNEL | __GFP_NOWARN); 2006 if (!info->hdr) 2007 return -ENOMEM; 2008 2009 if (copy_chunked_from_user(info->hdr, umod, info->len) != 0) { 2010 err = -EFAULT; 2011 goto out; 2012 } 2013 2014 err = security_kernel_post_load_data((char *)info->hdr, info->len, 2015 LOADING_MODULE, "init_module"); 2016 out: 2017 if (err) 2018 vfree(info->hdr); 2019 2020 return err; 2021 } 2022 2023 static void free_copy(struct load_info *info, int flags) 2024 { 2025 if (flags & MODULE_INIT_COMPRESSED_FILE) 2026 module_decompress_cleanup(info); 2027 else 2028 vfree(info->hdr); 2029 } 2030 2031 static int rewrite_section_headers(struct load_info *info, int flags) 2032 { 2033 unsigned int i; 2034 2035 /* This should always be true, but let's be sure. */ 2036 info->sechdrs[0].sh_addr = 0; 2037 2038 for (i = 1; i < info->hdr->e_shnum; i++) { 2039 Elf_Shdr *shdr = &info->sechdrs[i]; 2040 2041 /* 2042 * Mark each section's sh_addr with its address in the 2043 * temporary image. 2044 */ 2045 shdr->sh_addr = (size_t)info->hdr + shdr->sh_offset; 2046 2047 } 2048 2049 /* Track but don't keep modinfo and version sections. */ 2050 info->sechdrs[info->index.vers].sh_flags &= ~(unsigned long)SHF_ALLOC; 2051 info->sechdrs[info->index.info].sh_flags &= ~(unsigned long)SHF_ALLOC; 2052 2053 return 0; 2054 } 2055 2056 /* 2057 * These calls taint the kernel depending on certain module circumstances. */ 2058 static void module_augment_kernel_taints(struct module *mod, struct load_info *info) 2059 { 2060 int prev_taint = test_taint(TAINT_PROPRIETARY_MODULE); 2061 2062 if (!get_modinfo(info, "intree")) { 2063 if (!test_taint(TAINT_OOT_MODULE)) 2064 pr_warn("%s: loading out-of-tree module taints kernel.\n", 2065 mod->name); 2066 add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK); 2067 } 2068 2069 check_modinfo_retpoline(mod, info); 2070 2071 if (get_modinfo(info, "staging")) { 2072 add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK); 2073 pr_warn("%s: module is from the staging directory, the quality " 2074 "is unknown, you have been warned.\n", mod->name); 2075 } 2076 2077 if (is_livepatch_module(mod)) { 2078 add_taint_module(mod, TAINT_LIVEPATCH, LOCKDEP_STILL_OK); 2079 pr_notice_once("%s: tainting kernel with TAINT_LIVEPATCH\n", 2080 mod->name); 2081 } 2082 2083 module_license_taint_check(mod, get_modinfo(info, "license")); 2084 2085 if (get_modinfo(info, "test")) { 2086 if (!test_taint(TAINT_TEST)) 2087 pr_warn("%s: loading test module taints kernel.\n", 2088 mod->name); 2089 add_taint_module(mod, TAINT_TEST, LOCKDEP_STILL_OK); 2090 } 2091 #ifdef CONFIG_MODULE_SIG 2092 mod->sig_ok = info->sig_ok; 2093 if (!mod->sig_ok) { 2094 pr_notice_once("%s: module verification failed: signature " 2095 "and/or required key missing - tainting " 2096 "kernel\n", mod->name); 2097 add_taint_module(mod, TAINT_UNSIGNED_MODULE, LOCKDEP_STILL_OK); 2098 } 2099 #endif 2100 2101 /* 2102 * ndiswrapper is under GPL by itself, but loads proprietary modules. 2103 * Don't use add_taint_module(), as it would prevent ndiswrapper from 2104 * using GPL-only symbols it needs.
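 * add_taint() below only sets the global taint flag; the per-module
 * TAINT_PROPRIETARY_MODULE bit stays clear, so ndiswrapper itself can still
 * resolve the GPL-only exports it depends on.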
2105 */ 2106 if (strcmp(mod->name, "ndiswrapper") == 0) 2107 add_taint(TAINT_PROPRIETARY_MODULE, LOCKDEP_NOW_UNRELIABLE); 2108 2109 /* driverloader was caught wrongly pretending to be under GPL */ 2110 if (strcmp(mod->name, "driverloader") == 0) 2111 add_taint_module(mod, TAINT_PROPRIETARY_MODULE, 2112 LOCKDEP_NOW_UNRELIABLE); 2113 2114 /* lve claims to be GPL but upstream won't provide source */ 2115 if (strcmp(mod->name, "lve") == 0) 2116 add_taint_module(mod, TAINT_PROPRIETARY_MODULE, 2117 LOCKDEP_NOW_UNRELIABLE); 2118 2119 if (!prev_taint && test_taint(TAINT_PROPRIETARY_MODULE)) 2120 pr_warn("%s: module license taints kernel.\n", mod->name); 2121 2122 } 2123 2124 static int check_modinfo(struct module *mod, struct load_info *info, int flags) 2125 { 2126 const char *modmagic = get_modinfo(info, "vermagic"); 2127 int err; 2128 2129 if (flags & MODULE_INIT_IGNORE_VERMAGIC) 2130 modmagic = NULL; 2131 2132 /* This is allowed: modprobe --force will invalidate it. */ 2133 if (!modmagic) { 2134 err = try_to_force_load(mod, "bad vermagic"); 2135 if (err) 2136 return err; 2137 } else if (!same_magic(modmagic, vermagic, info->index.vers)) { 2138 pr_err("%s: version magic '%s' should be '%s'\n", 2139 info->name, modmagic, vermagic); 2140 return -ENOEXEC; 2141 } 2142 2143 err = check_modinfo_livepatch(mod, info); 2144 if (err) 2145 return err; 2146 2147 return 0; 2148 } 2149 2150 static int find_module_sections(struct module *mod, struct load_info *info) 2151 { 2152 mod->kp = section_objs(info, "__param", 2153 sizeof(*mod->kp), &mod->num_kp); 2154 mod->syms = section_objs(info, "__ksymtab", 2155 sizeof(*mod->syms), &mod->num_syms); 2156 mod->crcs = section_addr(info, "__kcrctab"); 2157 mod->gpl_syms = section_objs(info, "__ksymtab_gpl", 2158 sizeof(*mod->gpl_syms), 2159 &mod->num_gpl_syms); 2160 mod->gpl_crcs = section_addr(info, "__kcrctab_gpl"); 2161 2162 #ifdef CONFIG_CONSTRUCTORS 2163 mod->ctors = section_objs(info, ".ctors", 2164 sizeof(*mod->ctors), &mod->num_ctors); 2165 if (!mod->ctors) 2166 mod->ctors = section_objs(info, ".init_array", 2167 sizeof(*mod->ctors), &mod->num_ctors); 2168 else if (find_sec(info, ".init_array")) { 2169 /* 2170 * This shouldn't happen with same compiler and binutils 2171 * building all parts of the module. 
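 * (With mixed toolchains the constructors could end up split between the
 * two sections, and do_mod_ctors() would only run the ones in mod->ctors.)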
2172 */ 2173 pr_warn("%s: has both .ctors and .init_array.\n", 2174 mod->name); 2175 return -EINVAL; 2176 } 2177 #endif 2178 2179 mod->noinstr_text_start = section_objs(info, ".noinstr.text", 1, 2180 &mod->noinstr_text_size); 2181 2182 #ifdef CONFIG_TRACEPOINTS 2183 mod->tracepoints_ptrs = section_objs(info, "__tracepoints_ptrs", 2184 sizeof(*mod->tracepoints_ptrs), 2185 &mod->num_tracepoints); 2186 #endif 2187 #ifdef CONFIG_TREE_SRCU 2188 mod->srcu_struct_ptrs = section_objs(info, "___srcu_struct_ptrs", 2189 sizeof(*mod->srcu_struct_ptrs), 2190 &mod->num_srcu_structs); 2191 #endif 2192 #ifdef CONFIG_BPF_EVENTS 2193 mod->bpf_raw_events = section_objs(info, "__bpf_raw_tp_map", 2194 sizeof(*mod->bpf_raw_events), 2195 &mod->num_bpf_raw_events); 2196 #endif 2197 #ifdef CONFIG_DEBUG_INFO_BTF_MODULES 2198 mod->btf_data = any_section_objs(info, ".BTF", 1, &mod->btf_data_size); 2199 mod->btf_base_data = any_section_objs(info, ".BTF.base", 1, 2200 &mod->btf_base_data_size); 2201 #endif 2202 #ifdef CONFIG_JUMP_LABEL 2203 mod->jump_entries = section_objs(info, "__jump_table", 2204 sizeof(*mod->jump_entries), 2205 &mod->num_jump_entries); 2206 #endif 2207 #ifdef CONFIG_EVENT_TRACING 2208 mod->trace_events = section_objs(info, "_ftrace_events", 2209 sizeof(*mod->trace_events), 2210 &mod->num_trace_events); 2211 mod->trace_evals = section_objs(info, "_ftrace_eval_map", 2212 sizeof(*mod->trace_evals), 2213 &mod->num_trace_evals); 2214 #endif 2215 #ifdef CONFIG_TRACING 2216 mod->trace_bprintk_fmt_start = section_objs(info, "__trace_printk_fmt", 2217 sizeof(*mod->trace_bprintk_fmt_start), 2218 &mod->num_trace_bprintk_fmt); 2219 #endif 2220 #ifdef CONFIG_FTRACE_MCOUNT_RECORD 2221 /* sechdrs[0].sh_size is always zero */ 2222 mod->ftrace_callsites = section_objs(info, FTRACE_CALLSITE_SECTION, 2223 sizeof(*mod->ftrace_callsites), 2224 &mod->num_ftrace_callsites); 2225 #endif 2226 #ifdef CONFIG_FUNCTION_ERROR_INJECTION 2227 mod->ei_funcs = section_objs(info, "_error_injection_whitelist", 2228 sizeof(*mod->ei_funcs), 2229 &mod->num_ei_funcs); 2230 #endif 2231 #ifdef CONFIG_KPROBES 2232 mod->kprobes_text_start = section_objs(info, ".kprobes.text", 1, 2233 &mod->kprobes_text_size); 2234 mod->kprobe_blacklist = section_objs(info, "_kprobe_blacklist", 2235 sizeof(unsigned long), 2236 &mod->num_kprobe_blacklist); 2237 #endif 2238 #ifdef CONFIG_PRINTK_INDEX 2239 mod->printk_index_start = section_objs(info, ".printk_index", 2240 sizeof(*mod->printk_index_start), 2241 &mod->printk_index_size); 2242 #endif 2243 #ifdef CONFIG_HAVE_STATIC_CALL_INLINE 2244 mod->static_call_sites = section_objs(info, ".static_call_sites", 2245 sizeof(*mod->static_call_sites), 2246 &mod->num_static_call_sites); 2247 #endif 2248 #if IS_ENABLED(CONFIG_KUNIT) 2249 mod->kunit_suites = section_objs(info, ".kunit_test_suites", 2250 sizeof(*mod->kunit_suites), 2251 &mod->num_kunit_suites); 2252 mod->kunit_init_suites = section_objs(info, ".kunit_init_test_suites", 2253 sizeof(*mod->kunit_init_suites), 2254 &mod->num_kunit_init_suites); 2255 #endif 2256 2257 mod->extable = section_objs(info, "__ex_table", 2258 sizeof(*mod->extable), &mod->num_exentries); 2259 2260 if (section_addr(info, "__obsparm")) 2261 pr_warn("%s: Ignoring obsolete parameters\n", mod->name); 2262 2263 #ifdef CONFIG_DYNAMIC_DEBUG_CORE 2264 mod->dyndbg_info.descs = section_objs(info, "__dyndbg", 2265 sizeof(*mod->dyndbg_info.descs), 2266 &mod->dyndbg_info.num_descs); 2267 mod->dyndbg_info.classes = section_objs(info, "__dyndbg_classes", 2268 sizeof(*mod->dyndbg_info.classes), 2269 
&mod->dyndbg_info.num_classes); 2270 #endif 2271 2272 return 0; 2273 } 2274 2275 static int move_module(struct module *mod, struct load_info *info) 2276 { 2277 int i; 2278 enum mod_mem_type t = 0; 2279 int ret = -ENOMEM; 2280 2281 for_each_mod_mem_type(type) { 2282 if (!mod->mem[type].size) { 2283 mod->mem[type].base = NULL; 2284 mod->mem[type].rw_copy = NULL; 2285 continue; 2286 } 2287 2288 ret = module_memory_alloc(mod, type); 2289 if (ret) { 2290 t = type; 2291 goto out_enomem; 2292 } 2293 } 2294 2295 /* Transfer each section which specifies SHF_ALLOC */ 2296 pr_debug("Final section addresses for %s:\n", mod->name); 2297 for (i = 0; i < info->hdr->e_shnum; i++) { 2298 void *dest; 2299 Elf_Shdr *shdr = &info->sechdrs[i]; 2300 enum mod_mem_type type = shdr->sh_entsize >> SH_ENTSIZE_TYPE_SHIFT; 2301 unsigned long offset = shdr->sh_entsize & SH_ENTSIZE_OFFSET_MASK; 2302 unsigned long addr; 2303 2304 if (!(shdr->sh_flags & SHF_ALLOC)) 2305 continue; 2306 2307 addr = (unsigned long)mod->mem[type].base + offset; 2308 dest = mod->mem[type].rw_copy + offset; 2309 2310 if (shdr->sh_type != SHT_NOBITS) { 2311 /* 2312 * Our ELF checker already validated this, but let's 2313 * be pedantic and make the goal clearer. We actually 2314 * end up copying over all modifications made to the 2315 * userspace copy of the entire struct module. 2316 */ 2317 if (i == info->index.mod && 2318 (WARN_ON_ONCE(shdr->sh_size != sizeof(struct module)))) { 2319 ret = -ENOEXEC; 2320 goto out_enomem; 2321 } 2322 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size); 2323 } 2324 /* 2325 * Update the userspace copy's ELF section address to point to 2326 * our newly allocated memory as a pure convenience so that 2327 * users of info can keep taking advantage and using the newly 2328 * minted official memory area. 2329 */ 2330 shdr->sh_addr = addr; 2331 pr_debug("\t0x%lx 0x%.8lx %s\n", (long)shdr->sh_addr, 2332 (long)shdr->sh_size, info->secstrings + shdr->sh_name); 2333 } 2334 2335 return 0; 2336 out_enomem: 2337 for (t--; t >= 0; t--) 2338 module_memory_free(mod, t, true); 2339 return ret; 2340 } 2341 2342 static int check_export_symbol_versions(struct module *mod) 2343 { 2344 #ifdef CONFIG_MODVERSIONS 2345 if ((mod->num_syms && !mod->crcs) || 2346 (mod->num_gpl_syms && !mod->gpl_crcs)) { 2347 return try_to_force_load(mod, 2348 "no versions for exported symbols"); 2349 } 2350 #endif 2351 return 0; 2352 } 2353 2354 static void flush_module_icache(const struct module *mod) 2355 { 2356 /* 2357 * Flush the instruction cache, since we've played with text. 2358 * Do it before processing of module parameters, so the module 2359 * can provide parameter accessor functions of its own. 
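 * (Those accessors are module text that parse_args() may call, so the
 * icache must be coherent before any module code runs.)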
2360 */ 2361 for_each_mod_mem_type(type) { 2362 const struct module_memory *mod_mem = &mod->mem[type]; 2363 2364 if (mod_mem->size) { 2365 flush_icache_range((unsigned long)mod_mem->base, 2366 (unsigned long)mod_mem->base + mod_mem->size); 2367 } 2368 } 2369 } 2370 2371 bool __weak module_elf_check_arch(Elf_Ehdr *hdr) 2372 { 2373 return true; 2374 } 2375 2376 int __weak module_frob_arch_sections(Elf_Ehdr *hdr, 2377 Elf_Shdr *sechdrs, 2378 char *secstrings, 2379 struct module *mod) 2380 { 2381 return 0; 2382 } 2383 2384 /* module_blacklist is a comma-separated list of module names */ 2385 static char *module_blacklist; 2386 static bool blacklisted(const char *module_name) 2387 { 2388 const char *p; 2389 size_t len; 2390 2391 if (!module_blacklist) 2392 return false; 2393 2394 for (p = module_blacklist; *p; p += len) { 2395 len = strcspn(p, ","); 2396 if (strlen(module_name) == len && !memcmp(module_name, p, len)) 2397 return true; 2398 if (p[len] == ',') 2399 len++; 2400 } 2401 return false; 2402 } 2403 core_param(module_blacklist, module_blacklist, charp, 0400); 2404 2405 static struct module *layout_and_allocate(struct load_info *info, int flags) 2406 { 2407 struct module *mod; 2408 unsigned int ndx; 2409 int err; 2410 2411 /* Allow arches to frob section contents and sizes. */ 2412 err = module_frob_arch_sections(info->hdr, info->sechdrs, 2413 info->secstrings, info->mod); 2414 if (err < 0) 2415 return ERR_PTR(err); 2416 2417 err = module_enforce_rwx_sections(info->hdr, info->sechdrs, 2418 info->secstrings, info->mod); 2419 if (err < 0) 2420 return ERR_PTR(err); 2421 2422 /* We will do a special allocation for per-cpu sections later. */ 2423 info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; 2424 2425 /* 2426 * Mark ro_after_init section with SHF_RO_AFTER_INIT so that 2427 * layout_sections() can put it in the right place. 2428 * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. 2429 */ 2430 ndx = find_sec(info, ".data..ro_after_init"); 2431 if (ndx) 2432 info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; 2433 /* 2434 * Mark the __jump_table section as ro_after_init as well: these data 2435 * structures are never modified, with the exception of entries that 2436 * refer to code in the __init section, which are annotated as such 2437 * at module load time. 2438 */ 2439 ndx = find_sec(info, "__jump_table"); 2440 if (ndx) 2441 info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; 2442 2443 /* 2444 * Determine total sizes, and put offsets in sh_entsize. For now 2445 * this is done generically; there doesn't appear to be any 2446 * special cases for the architectures. 2447 */ 2448 layout_sections(info->mod, info); 2449 layout_symtab(info->mod, info); 2450 2451 /* Allocate and move to the final place */ 2452 err = move_module(info->mod, info); 2453 if (err) 2454 return ERR_PTR(err); 2455 2456 /* Module has been copied to its final place now: return it. */ 2457 mod = (void *)info->sechdrs[info->index.mod].sh_addr; 2458 kmemleak_load_module(mod, info); 2459 return mod; 2460 } 2461 2462 /* mod is no longer valid after this! 
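 * The struct module itself lives inside the mod->mem allocations, so
 * free_mod_mem() releases the very memory that mod points into.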
*/ 2463 static void module_deallocate(struct module *mod, struct load_info *info) 2464 { 2465 percpu_modfree(mod); 2466 module_arch_freeing_init(mod); 2467 2468 free_mod_mem(mod, true); 2469 } 2470 2471 int __weak module_finalize(const Elf_Ehdr *hdr, 2472 const Elf_Shdr *sechdrs, 2473 struct module *me) 2474 { 2475 return 0; 2476 } 2477 2478 int __weak module_post_finalize(const Elf_Ehdr *hdr, 2479 const Elf_Shdr *sechdrs, 2480 struct module *me) 2481 { 2482 return 0; 2483 } 2484 2485 static int post_relocation(struct module *mod, const struct load_info *info) 2486 { 2487 int ret; 2488 2489 /* Sort exception table now relocations are done. */ 2490 sort_extable(mod->extable, mod->extable + mod->num_exentries); 2491 2492 /* Copy relocated percpu area over. */ 2493 percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr, 2494 info->sechdrs[info->index.pcpu].sh_size); 2495 2496 /* Setup kallsyms-specific fields. */ 2497 add_kallsyms(mod, info); 2498 2499 /* Arch-specific module finalizing. */ 2500 ret = module_finalize(info->hdr, info->sechdrs, mod); 2501 if (ret) 2502 return ret; 2503 2504 for_each_mod_mem_type(type) { 2505 struct module_memory *mem = &mod->mem[type]; 2506 2507 if (mem->is_rox) { 2508 if (!execmem_update_copy(mem->base, mem->rw_copy, 2509 mem->size)) 2510 return -ENOMEM; 2511 2512 vfree(mem->rw_copy); 2513 mem->rw_copy = NULL; 2514 } 2515 } 2516 2517 return module_post_finalize(info->hdr, info->sechdrs, mod); 2518 } 2519 2520 /* Call module constructors. */ 2521 static void do_mod_ctors(struct module *mod) 2522 { 2523 #ifdef CONFIG_CONSTRUCTORS 2524 unsigned long i; 2525 2526 for (i = 0; i < mod->num_ctors; i++) 2527 mod->ctors[i](); 2528 #endif 2529 } 2530 2531 /* For freeing module_init on success, in case kallsyms traversing */ 2532 struct mod_initfree { 2533 struct llist_node node; 2534 void *init_text; 2535 void *init_data; 2536 void *init_rodata; 2537 }; 2538 2539 static void do_free_init(struct work_struct *w) 2540 { 2541 struct llist_node *pos, *n, *list; 2542 struct mod_initfree *initfree; 2543 2544 list = llist_del_all(&init_free_list); 2545 2546 synchronize_rcu(); 2547 2548 llist_for_each_safe(pos, n, list) { 2549 initfree = container_of(pos, struct mod_initfree, node); 2550 execmem_free(initfree->init_text); 2551 execmem_free(initfree->init_data); 2552 execmem_free(initfree->init_rodata); 2553 kfree(initfree); 2554 } 2555 } 2556 2557 void flush_module_init_free_work(void) 2558 { 2559 flush_work(&init_free_wq); 2560 } 2561 2562 #undef MODULE_PARAM_PREFIX 2563 #define MODULE_PARAM_PREFIX "module." 2564 /* Default value for module->async_probe_requested */ 2565 static bool async_probe; 2566 module_param(async_probe, bool, 0644); 2567 2568 /* 2569 * This is where the real work happens. 2570 * 2571 * Keep it uninlined to provide a reliable breakpoint target, e.g. for the gdb 2572 * helper command 'lx-symbols'. 
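 * (lx-symbols, from the kernel's scripts/gdb helpers, places a breakpoint
 * on this function so it can reload module symbol tables as modules are
 * loaded; inlining would take that anchor away.)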
2573 */ 2574 static noinline int do_init_module(struct module *mod) 2575 { 2576 int ret = 0; 2577 struct mod_initfree *freeinit; 2578 #if defined(CONFIG_MODULE_STATS) 2579 unsigned int text_size = 0, total_size = 0; 2580 2581 for_each_mod_mem_type(type) { 2582 const struct module_memory *mod_mem = &mod->mem[type]; 2583 if (mod_mem->size) { 2584 total_size += mod_mem->size; 2585 if (type == MOD_TEXT || type == MOD_INIT_TEXT) 2586 text_size += mod_mem->size; 2587 } 2588 } 2589 #endif 2590 2591 freeinit = kmalloc(sizeof(*freeinit), GFP_KERNEL); 2592 if (!freeinit) { 2593 ret = -ENOMEM; 2594 goto fail; 2595 } 2596 freeinit->init_text = mod->mem[MOD_INIT_TEXT].base; 2597 freeinit->init_data = mod->mem[MOD_INIT_DATA].base; 2598 freeinit->init_rodata = mod->mem[MOD_INIT_RODATA].base; 2599 2600 do_mod_ctors(mod); 2601 /* Start the module */ 2602 if (mod->init != NULL) 2603 ret = do_one_initcall(mod->init); 2604 if (ret < 0) { 2605 goto fail_free_freeinit; 2606 } 2607 if (ret > 0) { 2608 pr_warn("%s: '%s'->init suspiciously returned %d, it should " 2609 "follow 0/-E convention\n" 2610 "%s: loading module anyway...\n", 2611 __func__, mod->name, ret, __func__); 2612 dump_stack(); 2613 } 2614 2615 /* Now it's a first class citizen! */ 2616 mod->state = MODULE_STATE_LIVE; 2617 blocking_notifier_call_chain(&module_notify_list, 2618 MODULE_STATE_LIVE, mod); 2619 2620 /* Delay uevent until module has finished its init routine */ 2621 kobject_uevent(&mod->mkobj.kobj, KOBJ_ADD); 2622 2623 /* 2624 * We need to finish all async code before the module init sequence 2625 * is done. This has potential to deadlock if synchronous module 2626 * loading is requested from async (which is not allowed!). 2627 * 2628 * See commit 0fdff3ec6d87 ("async, kmod: warn on synchronous 2629 * request_module() from async workers") for more details. 2630 */ 2631 if (!mod->async_probe_requested) 2632 async_synchronize_full(); 2633 2634 ftrace_free_mem(mod, mod->mem[MOD_INIT_TEXT].base, 2635 mod->mem[MOD_INIT_TEXT].base + mod->mem[MOD_INIT_TEXT].size); 2636 mutex_lock(&module_mutex); 2637 /* Drop initial reference. */ 2638 module_put(mod); 2639 trim_init_extable(mod); 2640 #ifdef CONFIG_KALLSYMS 2641 /* Switch to core kallsyms now init is done: kallsyms may be walking! */ 2642 rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); 2643 #endif 2644 ret = module_enable_rodata_ro(mod, true); 2645 if (ret) 2646 goto fail_mutex_unlock; 2647 mod_tree_remove_init(mod); 2648 module_arch_freeing_init(mod); 2649 for_class_mod_mem_type(type, init) { 2650 mod->mem[type].base = NULL; 2651 mod->mem[type].size = 0; 2652 } 2653 2654 #ifdef CONFIG_DEBUG_INFO_BTF_MODULES 2655 /* .BTF is not SHF_ALLOC and will get removed, so sanitize pointers */ 2656 mod->btf_data = NULL; 2657 mod->btf_base_data = NULL; 2658 #endif 2659 /* 2660 * We want to free module_init, but be aware that kallsyms may be 2661 * walking this with preempt disabled. In all the failure paths, we 2662 * call synchronize_rcu(), but we don't want to slow down the success 2663 * path. execmem_free() cannot be called in an interrupt, so do the 2664 * work and call synchronize_rcu() in a work queue. 2665 * 2666 * Note that execmem_alloc() on most architectures creates W+X page 2667 * mappings which won't be cleaned up until do_free_init() runs. Any 2668 * code such as mark_rodata_ro() which depends on those mappings to 2669 * be cleaned up needs to sync with the queued work by invoking 2670 * flush_module_init_free_work(). 
2671 */ 2672 if (llist_add(&freeinit->node, &init_free_list)) 2673 schedule_work(&init_free_wq); 2674 2675 mutex_unlock(&module_mutex); 2676 wake_up_all(&module_wq); 2677 2678 mod_stat_add_long(text_size, &total_text_size); 2679 mod_stat_add_long(total_size, &total_mod_size); 2680 2681 mod_stat_inc(&modcount); 2682 2683 return 0; 2684 2685 fail_mutex_unlock: 2686 mutex_unlock(&module_mutex); 2687 fail_free_freeinit: 2688 kfree(freeinit); 2689 fail: 2690 /* Try to protect us from buggy refcounters. */ 2691 mod->state = MODULE_STATE_GOING; 2692 synchronize_rcu(); 2693 module_put(mod); 2694 blocking_notifier_call_chain(&module_notify_list, 2695 MODULE_STATE_GOING, mod); 2696 klp_module_going(mod); 2697 ftrace_release_mod(mod); 2698 free_module(mod); 2699 wake_up_all(&module_wq); 2700 2701 return ret; 2702 } 2703 2704 static int may_init_module(void) 2705 { 2706 if (!capable(CAP_SYS_MODULE) || modules_disabled) 2707 return -EPERM; 2708 2709 return 0; 2710 } 2711 2712 /* Is this module of this name done loading? No locks held. */ 2713 static bool finished_loading(const char *name) 2714 { 2715 struct module *mod; 2716 bool ret; 2717 2718 /* 2719 * The module_mutex should not be a heavily contended lock; 2720 * if we get the occasional sleep here, we'll go an extra iteration 2721 * in the wait_event_interruptible(), which is harmless. 2722 */ 2723 sched_annotate_sleep(); 2724 mutex_lock(&module_mutex); 2725 mod = find_module_all(name, strlen(name), true); 2726 ret = !mod || mod->state == MODULE_STATE_LIVE 2727 || mod->state == MODULE_STATE_GOING; 2728 mutex_unlock(&module_mutex); 2729 2730 return ret; 2731 } 2732 2733 /* Must be called with module_mutex held */ 2734 static int module_patient_check_exists(const char *name, 2735 enum fail_dup_mod_reason reason) 2736 { 2737 struct module *old; 2738 int err = 0; 2739 2740 old = find_module_all(name, strlen(name), true); 2741 if (old == NULL) 2742 return 0; 2743 2744 if (old->state == MODULE_STATE_COMING || 2745 old->state == MODULE_STATE_UNFORMED) { 2746 /* Wait in case it fails to load. */ 2747 mutex_unlock(&module_mutex); 2748 err = wait_event_interruptible(module_wq, 2749 finished_loading(name)); 2750 mutex_lock(&module_mutex); 2751 if (err) 2752 return err; 2753 2754 /* The module might have gone in the meantime. */ 2755 old = find_module_all(name, strlen(name), true); 2756 } 2757 2758 if (try_add_failed_module(name, reason)) 2759 pr_warn("Could not add fail-tracking for module: %s\n", name); 2760 2761 /* 2762 * We are here only when the same module was being loaded. Do 2763 * not try to load it again right now. It prevents long delays 2764 * caused by serialized module load failures. It might happen 2765 * when more devices of the same type trigger load of 2766 * a particular module. 2767 */ 2768 if (old && old->state == MODULE_STATE_LIVE) 2769 return -EEXIST; 2770 return -EBUSY; 2771 } 2772 2773 /* 2774 * We try to place it in the list now to make sure it's unique before 2775 * we dedicate too many resources. In particular, temporary percpu 2776 * memory exhaustion. 
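 * (A common case is udev racing to load the same module once per matching
 * device; only the first loader proceeds, the others wait it out in
 * module_patient_check_exists().)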
2777 */ 2778 static int add_unformed_module(struct module *mod) 2779 { 2780 int err; 2781 2782 mod->state = MODULE_STATE_UNFORMED; 2783 2784 mutex_lock(&module_mutex); 2785 err = module_patient_check_exists(mod->name, FAIL_DUP_MOD_LOAD); 2786 if (err) 2787 goto out; 2788 2789 mod_update_bounds(mod); 2790 list_add_rcu(&mod->list, &modules); 2791 mod_tree_insert(mod); 2792 err = 0; 2793 2794 out: 2795 mutex_unlock(&module_mutex); 2796 return err; 2797 } 2798 2799 static int complete_formation(struct module *mod, struct load_info *info) 2800 { 2801 int err; 2802 2803 mutex_lock(&module_mutex); 2804 2805 /* Find duplicate symbols (must be called under lock). */ 2806 err = verify_exported_symbols(mod); 2807 if (err < 0) 2808 goto out; 2809 2810 /* These rely on module_mutex for list integrity. */ 2811 module_bug_finalize(info->hdr, info->sechdrs, mod); 2812 module_cfi_finalize(info->hdr, info->sechdrs, mod); 2813 2814 err = module_enable_rodata_ro(mod, false); 2815 if (err) 2816 goto out_strict_rwx; 2817 err = module_enable_data_nx(mod); 2818 if (err) 2819 goto out_strict_rwx; 2820 err = module_enable_text_rox(mod); 2821 if (err) 2822 goto out_strict_rwx; 2823 2824 /* 2825 * Mark state as coming so strong_try_module_get() ignores us, 2826 * but kallsyms etc. can see us. 2827 */ 2828 mod->state = MODULE_STATE_COMING; 2829 mutex_unlock(&module_mutex); 2830 2831 return 0; 2832 2833 out_strict_rwx: 2834 module_bug_cleanup(mod); 2835 out: 2836 mutex_unlock(&module_mutex); 2837 return err; 2838 } 2839 2840 static int prepare_coming_module(struct module *mod) 2841 { 2842 int err; 2843 2844 ftrace_module_enable(mod); 2845 err = klp_module_coming(mod); 2846 if (err) 2847 return err; 2848 2849 err = blocking_notifier_call_chain_robust(&module_notify_list, 2850 MODULE_STATE_COMING, MODULE_STATE_GOING, mod); 2851 err = notifier_to_errno(err); 2852 if (err) 2853 klp_module_going(mod); 2854 2855 return err; 2856 } 2857 2858 static int unknown_module_param_cb(char *param, char *val, const char *modname, 2859 void *arg) 2860 { 2861 struct module *mod = arg; 2862 int ret; 2863 2864 if (strcmp(param, "async_probe") == 0) { 2865 if (kstrtobool(val, &mod->async_probe_requested)) 2866 mod->async_probe_requested = true; 2867 return 0; 2868 } 2869 2870 /* Check for magic 'dyndbg' arg */ 2871 ret = ddebug_dyndbg_module_param_cb(param, val, modname); 2872 if (ret != 0) 2873 pr_warn("%s: unknown parameter '%s' ignored\n", modname, param); 2874 return 0; 2875 } 2876 2877 /* Module within temporary copy, this doesn't do any allocation */ 2878 static int early_mod_check(struct load_info *info, int flags) 2879 { 2880 int err; 2881 2882 /* 2883 * Now that we know we have the correct module name, check 2884 * if it's blacklisted. 2885 */ 2886 if (blacklisted(info->name)) { 2887 pr_err("Module %s is blacklisted\n", info->name); 2888 return -EPERM; 2889 } 2890 2891 err = rewrite_section_headers(info, flags); 2892 if (err) 2893 return err; 2894 2895 /* Check module struct version now, before we try to use module. */ 2896 if (!check_modstruct_version(info, info->mod)) 2897 return -ENOEXEC; 2898 2899 err = check_modinfo(info->mod, info, flags); 2900 if (err) 2901 return err; 2902 2903 mutex_lock(&module_mutex); 2904 err = module_patient_check_exists(info->mod->name, FAIL_DUP_MOD_BECOMING); 2905 mutex_unlock(&module_mutex); 2906 2907 return err; 2908 } 2909 2910 /* 2911 * Allocate and load the module: note that size of section 0 is always 2912 * zero, and we rely on this for optional sections. 
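 * (find_sec() returns 0 for a missing section, and the null section has
 * sh_addr == 0 and sh_size == 0, so section_addr() yields NULL and
 * section_objs() yields a zero count for optional sections.)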
2913 */ 2914 static int load_module(struct load_info *info, const char __user *uargs, 2915 int flags) 2916 { 2917 struct module *mod; 2918 bool module_allocated = false; 2919 long err = 0; 2920 char *after_dashes; 2921 2922 /* 2923 * Do the signature check (if any) first. All that 2924 * the signature check needs is info->len, it does 2925 * not need any of the section info. That can be 2926 * set up later. This will minimize the chances 2927 * of a corrupt module causing problems before 2928 * we even get to the signature check. 2929 * 2930 * The check will also adjust info->len by stripping 2931 * off the sig length at the end of the module, making 2932 * checks against info->len more correct. 2933 */ 2934 err = module_sig_check(info, flags); 2935 if (err) 2936 goto free_copy; 2937 2938 /* 2939 * Do basic sanity checks against the ELF header and 2940 * sections. Cache useful sections and set the 2941 * info->mod to the userspace passed struct module. 2942 */ 2943 err = elf_validity_cache_copy(info, flags); 2944 if (err) 2945 goto free_copy; 2946 2947 err = early_mod_check(info, flags); 2948 if (err) 2949 goto free_copy; 2950 2951 /* Figure out module layout, and allocate all the memory. */ 2952 mod = layout_and_allocate(info, flags); 2953 if (IS_ERR(mod)) { 2954 err = PTR_ERR(mod); 2955 goto free_copy; 2956 } 2957 2958 module_allocated = true; 2959 2960 audit_log_kern_module(mod->name); 2961 2962 /* Reserve our place in the list. */ 2963 err = add_unformed_module(mod); 2964 if (err) 2965 goto free_module; 2966 2967 /* 2968 * We are tainting your kernel if your module gets into 2969 * the modules linked list somehow. 2970 */ 2971 module_augment_kernel_taints(mod, info); 2972 2973 /* To avoid stressing percpu allocator, do this once we're unique. */ 2974 err = percpu_modalloc(mod, info); 2975 if (err) 2976 goto unlink_mod; 2977 2978 /* Now module is in final location, initialize linked lists, etc. */ 2979 err = module_unload_init(mod); 2980 if (err) 2981 goto unlink_mod; 2982 2983 init_param_lock(mod); 2984 2985 /* 2986 * Now we've got everything in the final locations, we can 2987 * find optional sections. 2988 */ 2989 err = find_module_sections(mod, info); 2990 if (err) 2991 goto free_unload; 2992 2993 err = check_export_symbol_versions(mod); 2994 if (err) 2995 goto free_unload; 2996 2997 /* Set up MODINFO_ATTR fields */ 2998 setup_modinfo(mod, info); 2999 3000 /* Fix up syms, so that st_value is a pointer to location. */ 3001 err = simplify_symbols(mod, info); 3002 if (err < 0) 3003 goto free_modinfo; 3004 3005 err = apply_relocations(mod, info); 3006 if (err < 0) 3007 goto free_modinfo; 3008 3009 err = post_relocation(mod, info); 3010 if (err < 0) 3011 goto free_modinfo; 3012 3013 flush_module_icache(mod); 3014 3015 /* Now copy in args */ 3016 mod->args = strndup_user(uargs, ~0UL >> 1); 3017 if (IS_ERR(mod->args)) { 3018 err = PTR_ERR(mod->args); 3019 goto free_arch_cleanup; 3020 } 3021 3022 init_build_id(mod, info); 3023 3024 /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */ 3025 ftrace_module_init(mod); 3026 3027 /* Finally it's fully formed, ready to start executing. */ 3028 err = complete_formation(mod, info); 3029 if (err) 3030 goto ddebug_cleanup; 3031 3032 err = prepare_coming_module(mod); 3033 if (err) 3034 goto bug_cleanup; 3035 3036 mod->async_probe_requested = async_probe; 3037 3038 /* Module is ready to execute: parsing args may do that. 
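 * A parameter's ->set() handler can live in module text, so parsing the
 * arguments here may already execute module code.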
*/ 3039 after_dashes = parse_args(mod->name, mod->args, mod->kp, mod->num_kp, 3040 -32768, 32767, mod, 3041 unknown_module_param_cb); 3042 if (IS_ERR(after_dashes)) { 3043 err = PTR_ERR(after_dashes); 3044 goto coming_cleanup; 3045 } else if (after_dashes) { 3046 pr_warn("%s: parameters '%s' after `--' ignored\n", 3047 mod->name, after_dashes); 3048 } 3049 3050 /* Link in to sysfs. */ 3051 err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp); 3052 if (err < 0) 3053 goto coming_cleanup; 3054 3055 if (is_livepatch_module(mod)) { 3056 err = copy_module_elf(mod, info); 3057 if (err < 0) 3058 goto sysfs_cleanup; 3059 } 3060 3061 /* Get rid of temporary copy. */ 3062 free_copy(info, flags); 3063 3064 codetag_load_module(mod); 3065 3066 /* Done! */ 3067 trace_module_load(mod); 3068 3069 return do_init_module(mod); 3070 3071 sysfs_cleanup: 3072 mod_sysfs_teardown(mod); 3073 coming_cleanup: 3074 mod->state = MODULE_STATE_GOING; 3075 destroy_params(mod->kp, mod->num_kp); 3076 blocking_notifier_call_chain(&module_notify_list, 3077 MODULE_STATE_GOING, mod); 3078 klp_module_going(mod); 3079 bug_cleanup: 3080 mod->state = MODULE_STATE_GOING; 3081 /* module_bug_cleanup needs module_mutex protection */ 3082 mutex_lock(&module_mutex); 3083 module_bug_cleanup(mod); 3084 mutex_unlock(&module_mutex); 3085 3086 ddebug_cleanup: 3087 ftrace_release_mod(mod); 3088 synchronize_rcu(); 3089 kfree(mod->args); 3090 free_arch_cleanup: 3091 module_arch_cleanup(mod); 3092 free_modinfo: 3093 free_modinfo(mod); 3094 free_unload: 3095 module_unload_free(mod); 3096 unlink_mod: 3097 mutex_lock(&module_mutex); 3098 /* Unlink carefully: kallsyms could be walking list. */ 3099 list_del_rcu(&mod->list); 3100 mod_tree_remove(mod); 3101 wake_up_all(&module_wq); 3102 /* Wait for RCU-sched synchronizing before releasing mod->list. */ 3103 synchronize_rcu(); 3104 mutex_unlock(&module_mutex); 3105 free_module: 3106 mod_stat_bump_invalid(info, flags); 3107 /* Free lock-classes; relies on the preceding sync_rcu() */ 3108 for_class_mod_mem_type(type, core_data) { 3109 lockdep_free_key_range(mod->mem[type].base, 3110 mod->mem[type].size); 3111 } 3112 3113 module_deallocate(mod, info); 3114 free_copy: 3115 /* 3116 * The info->len is always set. We distinguish between 3117 * failures once the proper module was allocated and 3118 * before that. 
3119 */ 3120 if (!module_allocated) 3121 mod_stat_bump_becoming(info, flags); 3122 free_copy(info, flags); 3123 return err; 3124 } 3125 3126 SYSCALL_DEFINE3(init_module, void __user *, umod, 3127 unsigned long, len, const char __user *, uargs) 3128 { 3129 int err; 3130 struct load_info info = { }; 3131 3132 err = may_init_module(); 3133 if (err) 3134 return err; 3135 3136 pr_debug("init_module: umod=%p, len=%lu, uargs=%p\n", 3137 umod, len, uargs); 3138 3139 err = copy_module_from_user(umod, len, &info); 3140 if (err) { 3141 mod_stat_inc(&failed_kreads); 3142 mod_stat_add_long(len, &invalid_kread_bytes); 3143 return err; 3144 } 3145 3146 return load_module(&info, uargs, 0); 3147 } 3148 3149 struct idempotent { 3150 const void *cookie; 3151 struct hlist_node entry; 3152 struct completion complete; 3153 int ret; 3154 }; 3155 3156 #define IDEM_HASH_BITS 8 3157 static struct hlist_head idem_hash[1 << IDEM_HASH_BITS]; 3158 static DEFINE_SPINLOCK(idem_lock); 3159 3160 static bool idempotent(struct idempotent *u, const void *cookie) 3161 { 3162 int hash = hash_ptr(cookie, IDEM_HASH_BITS); 3163 struct hlist_head *head = idem_hash + hash; 3164 struct idempotent *existing; 3165 bool first; 3166 3167 u->ret = -EINTR; 3168 u->cookie = cookie; 3169 init_completion(&u->complete); 3170 3171 spin_lock(&idem_lock); 3172 first = true; 3173 hlist_for_each_entry(existing, head, entry) { 3174 if (existing->cookie != cookie) 3175 continue; 3176 first = false; 3177 break; 3178 } 3179 hlist_add_head(&u->entry, idem_hash + hash); 3180 spin_unlock(&idem_lock); 3181 3182 return !first; 3183 } 3184 3185 /* 3186 * We were the first one with 'cookie' on the list, and we ended 3187 * up completing the operation. We now need to walk the list, 3188 * remove everybody - which includes ourselves - fill in the return 3189 * value, and then complete the operation. 3190 */ 3191 static int idempotent_complete(struct idempotent *u, int ret) 3192 { 3193 const void *cookie = u->cookie; 3194 int hash = hash_ptr(cookie, IDEM_HASH_BITS); 3195 struct hlist_head *head = idem_hash + hash; 3196 struct hlist_node *next; 3197 struct idempotent *pos; 3198 3199 spin_lock(&idem_lock); 3200 hlist_for_each_entry_safe(pos, next, head, entry) { 3201 if (pos->cookie != cookie) 3202 continue; 3203 hlist_del_init(&pos->entry); 3204 pos->ret = ret; 3205 complete(&pos->complete); 3206 } 3207 spin_unlock(&idem_lock); 3208 return ret; 3209 } 3210 3211 /* 3212 * Wait for the idempotent worker. 3213 * 3214 * If we get interrupted, we need to remove ourselves from 3215 * the idempotent list, and the completion may still come in. 3216 * 3217 * The 'idem_lock' protects against the race, and 'idem.ret' was 3218 * initialized to -EINTR and is thus always the right return 3219 * value even if the idempotent work then completes between 3220 * the wait_for_completion and the cleanup.
3221 */ 3222 static int idempotent_wait_for_completion(struct idempotent *u) 3223 { 3224 if (wait_for_completion_interruptible(&u->complete)) { 3225 spin_lock(&idem_lock); 3226 if (!hlist_unhashed(&u->entry)) 3227 hlist_del(&u->entry); 3228 spin_unlock(&idem_lock); 3229 } 3230 return u->ret; 3231 } 3232 3233 static int init_module_from_file(struct file *f, const char __user * uargs, int flags) 3234 { 3235 struct load_info info = { }; 3236 void *buf = NULL; 3237 int len; 3238 3239 len = kernel_read_file(f, 0, &buf, INT_MAX, NULL, READING_MODULE); 3240 if (len < 0) { 3241 mod_stat_inc(&failed_kreads); 3242 return len; 3243 } 3244 3245 if (flags & MODULE_INIT_COMPRESSED_FILE) { 3246 int err = module_decompress(&info, buf, len); 3247 vfree(buf); /* compressed data is no longer needed */ 3248 if (err) { 3249 mod_stat_inc(&failed_decompress); 3250 mod_stat_add_long(len, &invalid_decompress_bytes); 3251 return err; 3252 } 3253 } else { 3254 info.hdr = buf; 3255 info.len = len; 3256 } 3257 3258 return load_module(&info, uargs, flags); 3259 } 3260 3261 static int idempotent_init_module(struct file *f, const char __user * uargs, int flags) 3262 { 3263 struct idempotent idem; 3264 3265 if (!f || !(f->f_mode & FMODE_READ)) 3266 return -EBADF; 3267 3268 /* Are we the winners of the race and get to do this? */ 3269 if (!idempotent(&idem, file_inode(f))) { 3270 int ret = init_module_from_file(f, uargs, flags); 3271 return idempotent_complete(&idem, ret); 3272 } 3273 3274 /* 3275 * Somebody else won the race and is loading the module. 3276 */ 3277 return idempotent_wait_for_completion(&idem); 3278 } 3279 3280 SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) 3281 { 3282 int err; 3283 struct fd f; 3284 3285 err = may_init_module(); 3286 if (err) 3287 return err; 3288 3289 pr_debug("finit_module: fd=%d, uargs=%p, flags=%i\n", fd, uargs, flags); 3290 3291 if (flags & ~(MODULE_INIT_IGNORE_MODVERSIONS 3292 |MODULE_INIT_IGNORE_VERMAGIC 3293 |MODULE_INIT_COMPRESSED_FILE)) 3294 return -EINVAL; 3295 3296 f = fdget(fd); 3297 err = idempotent_init_module(fd_file(f), uargs, flags); 3298 fdput(f); 3299 return err; 3300 } 3301 3302 /* Keep in sync with MODULE_FLAGS_BUF_SIZE !!! */ 3303 char *module_flags(struct module *mod, char *buf, bool show_state) 3304 { 3305 int bx = 0; 3306 3307 BUG_ON(mod->state == MODULE_STATE_UNFORMED); 3308 if (!mod->taints && !show_state) 3309 goto out; 3310 if (mod->taints || 3311 mod->state == MODULE_STATE_GOING || 3312 mod->state == MODULE_STATE_COMING) { 3313 buf[bx++] = '('; 3314 bx += module_flags_taint(mod->taints, buf + bx); 3315 /* Show a - for module-is-being-unloaded */ 3316 if (mod->state == MODULE_STATE_GOING && show_state) 3317 buf[bx++] = '-'; 3318 /* Show a + for module-is-being-loaded */ 3319 if (mod->state == MODULE_STATE_COMING && show_state) 3320 buf[bx++] = '+'; 3321 buf[bx++] = ')'; 3322 } 3323 out: 3324 buf[bx] = '\0'; 3325 3326 return buf; 3327 } 3328 3329 /* Given an address, look for it in the module exception tables. 
*/ 3330 const struct exception_table_entry *search_module_extables(unsigned long addr) 3331 { 3332 const struct exception_table_entry *e = NULL; 3333 struct module *mod; 3334 3335 preempt_disable(); 3336 mod = __module_address(addr); 3337 if (!mod) 3338 goto out; 3339 3340 if (!mod->num_exentries) 3341 goto out; 3342 3343 e = search_extable(mod->extable, 3344 mod->num_exentries, 3345 addr); 3346 out: 3347 preempt_enable(); 3348 3349 /* 3350 * Now, if we found one, we are running inside it now, hence 3351 * we cannot unload the module, hence no refcnt needed. 3352 */ 3353 return e; 3354 } 3355 3356 /** 3357 * is_module_address() - is this address inside a module? 3358 * @addr: the address to check. 3359 * 3360 * See is_module_text_address() if you simply want to see if the address 3361 * is code (not data). 3362 */ 3363 bool is_module_address(unsigned long addr) 3364 { 3365 bool ret; 3366 3367 preempt_disable(); 3368 ret = __module_address(addr) != NULL; 3369 preempt_enable(); 3370 3371 return ret; 3372 } 3373 3374 /** 3375 * __module_address() - get the module which contains an address. 3376 * @addr: the address. 3377 * 3378 * Must be called with preempt disabled or module mutex held so that 3379 * module doesn't get freed during this. 3380 */ 3381 struct module *__module_address(unsigned long addr) 3382 { 3383 struct module *mod; 3384 3385 if (addr >= mod_tree.addr_min && addr <= mod_tree.addr_max) 3386 goto lookup; 3387 3388 #ifdef CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC 3389 if (addr >= mod_tree.data_addr_min && addr <= mod_tree.data_addr_max) 3390 goto lookup; 3391 #endif 3392 3393 return NULL; 3394 3395 lookup: 3396 module_assert_mutex_or_preempt(); 3397 3398 mod = mod_find(addr, &mod_tree); 3399 if (mod) { 3400 BUG_ON(!within_module(addr, mod)); 3401 if (mod->state == MODULE_STATE_UNFORMED) 3402 mod = NULL; 3403 } 3404 return mod; 3405 } 3406 3407 /** 3408 * is_module_text_address() - is this address inside module code? 3409 * @addr: the address to check. 3410 * 3411 * See is_module_address() if you simply want to see if the address is 3412 * anywhere in a module. See kernel_text_address() for testing if an 3413 * address corresponds to kernel or module code. 3414 */ 3415 bool is_module_text_address(unsigned long addr) 3416 { 3417 bool ret; 3418 3419 preempt_disable(); 3420 ret = __module_text_address(addr) != NULL; 3421 preempt_enable(); 3422 3423 return ret; 3424 } 3425 3426 /** 3427 * __module_text_address() - get the module whose code contains an address. 3428 * @addr: the address. 3429 * 3430 * Must be called with preempt disabled or module mutex held so that 3431 * module doesn't get freed during this. 3432 */ 3433 struct module *__module_text_address(unsigned long addr) 3434 { 3435 struct module *mod = __module_address(addr); 3436 if (mod) { 3437 /* Make sure it's within the text section. */ 3438 if (!within_module_mem_type(addr, mod, MOD_TEXT) && 3439 !within_module_mem_type(addr, mod, MOD_INIT_TEXT)) 3440 mod = NULL; 3441 } 3442 return mod; 3443 } 3444 3445 /* Don't grab lock, we're oopsing. 
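 * Taking module_mutex from an oops path could deadlock; the RCU list walk
 * below is safe without it.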
*/ 3446 void print_modules(void) 3447 { 3448 struct module *mod; 3449 char buf[MODULE_FLAGS_BUF_SIZE]; 3450 3451 printk(KERN_DEFAULT "Modules linked in:"); 3452 /* Most callers should already have preempt disabled, but make sure */ 3453 preempt_disable(); 3454 list_for_each_entry_rcu(mod, &modules, list) { 3455 if (mod->state == MODULE_STATE_UNFORMED) 3456 continue; 3457 pr_cont(" %s%s", mod->name, module_flags(mod, buf, true)); 3458 } 3459 3460 print_unloaded_tainted_modules(); 3461 preempt_enable(); 3462 if (last_unloaded_module.name[0]) 3463 pr_cont(" [last unloaded: %s%s]", last_unloaded_module.name, 3464 last_unloaded_module.taints); 3465 pr_cont("\n"); 3466 } 3467 3468 #ifdef CONFIG_MODULE_DEBUGFS 3469 struct dentry *mod_debugfs_root; 3470 3471 static int module_debugfs_init(void) 3472 { 3473 mod_debugfs_root = debugfs_create_dir("modules", NULL); 3474 return 0; 3475 } 3476 module_init(module_debugfs_init); 3477 #endif 3478