Thread (3 messages) 3 messages, 2 authors, 3d ago

Re: [PATCH v3] module: Extend module_blacklist parameter to built-in modules

From: sashiko-bot@kernel.org
Date: 2026-07-06 05:16:26

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Iterating the `.initcall.modnames` array locklessly in `initcall_get_modname()` races with `free_initmem()`, causing a Use-After-Free for concurrently loaded modules.
- [High] The built-in module blacklisting functionality is completely disabled when CONFIG_MODULES=n.
--

commit aca1118f7ac6c8d2b798e7bb31a70a4f01638aee
Author: Aaron Tomlin [off-list ref]
Subject: module: Extend module_blacklist parameter to built-in modules

This patch extends the module_blacklist command-line parameter to apply
to built-in modules by checking them during early boot. It introduces a
new memory section to map initcalls to module names, allowing the kernel
to skip the initcall if the module name is present in the blacklist.
quoted hunk ↗ jump to hunk
diff --git a/include/linux/module.h b/include/linux/module.h
index 7566815fabbe8..b9b0dc419aeeb 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
[ ... ]
quoted hunk ↗ jump to hunk
@@ -756,6 +756,15 @@ void *dereference_module_function_descriptor(struct module *mod, void *ptr);
 int register_module_notifier(struct notifier_block *nb);
 int unregister_module_notifier(struct notifier_block *nb);
 
+#ifdef CONFIG_MODULES
+extern bool module_is_blacklisted(const char *module_name);
+#else
+static inline bool module_is_blacklisted(const char *module_name)
+{
+	return false;
+}
+#endif
[Severity: High]
Does this defeat the purpose of blacklisting built-in modules on kernels
built without loadable module support?

If a kernel is built with CONFIG_MODULES=n, the command-line parsing and
state variable in kernel/module/main.c are not compiled. This stub will then
unconditionally return false, meaning the module_blacklist parameter will be
silently ignored for built-in modules on non-modular kernels.

[ ... ]
quoted hunk ↗ jump to hunk
diff --git a/init/main.c b/init/main.c
index 96f93bb06c490..893b20ddcf658 100644
--- a/init/main.c
+++ b/init/main.c
[ ... ]
quoted hunk ↗ jump to hunk
@@ -1379,12 +1379,39 @@ static inline void do_trace_initcall_level(const char *level)
 }
 #endif /* !TRACEPOINTS_ENABLED */
 
+extern struct initcall_modname __start_initcall_modnames[];
+extern struct initcall_modname __stop_initcall_modnames[];
+
+static bool initmem_freed __ro_after_init = false;
+
+static const char *initcall_get_modname(initcall_t fn)
+{
+	struct initcall_modname *p;
+
+	if (initmem_freed)
+		return NULL;
+
+	for (p = __start_initcall_modnames; p < __stop_initcall_modnames; p++) {
+		if (p->initcall_fn == fn)
+			return p->modname;
+	}
[Severity: High]
Can this race with free_initmem() and cause a use-after-free if a module
is loaded concurrently?

In kernel_init(), free_initmem() is called just before setting initmem_freed
to true:

kernel_init()
    free_initmem();
    initmem_freed = true;

At this point in the boot sequence, the rootfs is mounted and user-mode
helpers are enabled. If a hardware interrupt triggers request_module()
concurrently, modprobe could execute and invoke the init_module syscall. 

When do_init_module() calls do_one_initcall(), it would end up in
initcall_get_modname(). Since initmem_freed is still false, it would
locklessly scan the .initcall.modnames section while it is actively being
freed by free_initmem().

[ ... ]
quoted hunk ↗ jump to hunk
@@ -1600,6 +1627,7 @@ static int __ref kernel_init(void *unused)
 	kgdb_free_init_mem();
 	exit_boot_config();
 	free_initmem();
+	initmem_freed = true;
 	mark_readonly();
 
 	/*
-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260706050337.7613-1-atomlin@atomlin.com?part=1
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help