On Mon, Jun 10, 2019 at 06:33:26PM +0000, Nadav Amit wrote: > > On Jun 10, 2019, at 10:19 AM, Josh Poimboeuf <[email protected]> wrote: > > > > On Fri, Jun 07, 2019 at 10:37:56AM +0200, Peter Zijlstra wrote: > >>>> +} > >>>> + > >>>> +static int static_call_module_notify(struct notifier_block *nb, > >>>> + unsigned long val, void *data) > >>>> +{ > >>>> + struct module *mod = data; > >>>> + int ret = 0; > >>>> + > >>>> + cpus_read_lock(); > >>>> + static_call_lock(); > >>>> + > >>>> + switch (val) { > >>>> + case MODULE_STATE_COMING: > >>>> + module_disable_ro(mod); > >>>> + ret = static_call_add_module(mod); > >>>> + module_enable_ro(mod, false); > >>> > >>> Doesn’t it cause some pages to be W+X ? > > > > How so? > > > >>> Can it be avoided? > >> > >> I don't know why it does this, jump_labels doesn't seem to need this, > >> and I'm not seeing what static_call needs differently. > > > > I forgot why I did this, but it's probably for the case where there's a > > static call site in module init code. It deserves a comment. > > > > Theoretically, jump labels need this to. > > > > BTW, there's a change coming that will require the text_mutex before > > calling module_{disable,enable}_ro(). > > I think that eventually, the most secure flow is for the module executable > to be write-protected immediately after the module signature is checked and > then use text_poke() to change the code without removing the > write-protection in such manner. > > Ideally, these pieces of code (module signature check and static-key/call > mechanisms) would somehow be isolated. > > I wonder whether static-calls in init-code cannot just be avoided. They > would most likely introduce more overhead in patching than they would save > in execution time.
It's a valid question. Are any tracepoints called from module init? Or -- thinking ahead -- are there any pv calls from module init? That might be plausible. -- Josh
