> On Jun 10, 2019, at 10:19 AM, Josh Poimboeuf <[email protected]> wrote: > > On Fri, Jun 07, 2019 at 10:37:56AM +0200, Peter Zijlstra wrote: >>>> +} >>>> + >>>> +static int static_call_module_notify(struct notifier_block *nb, >>>> + unsigned long val, void *data) >>>> +{ >>>> + struct module *mod = data; >>>> + int ret = 0; >>>> + >>>> + cpus_read_lock(); >>>> + static_call_lock(); >>>> + >>>> + switch (val) { >>>> + case MODULE_STATE_COMING: >>>> + module_disable_ro(mod); >>>> + ret = static_call_add_module(mod); >>>> + module_enable_ro(mod, false); >>> >>> Doesn’t it cause some pages to be W+X ? > > How so? > >>> Can it be avoided? >> >> I don't know why it does this, jump_labels doesn't seem to need this, >> and I'm not seeing what static_call needs differently. > > I forgot why I did this, but it's probably for the case where there's a > static call site in module init code. It deserves a comment. > > Theoretically, jump labels need this to. > > BTW, there's a change coming that will require the text_mutex before > calling module_{disable,enable}_ro().
I think that eventually, the most secure flow is for the module executable to be write-protected immediately after the module signature is checked and then use text_poke() to change the code without removing the write-protection in such manner. Ideally, these pieces of code (module signature check and static-key/call mechanisms) would somehow be isolated. I wonder whether static-calls in init-code cannot just be avoided. They would most likely introduce more overhead in patching than they would save in execution time.
