Re: [PATCH 11/15] static_call: Add inline static call infrastructure

[Nadav Amit]

> On Jun 10, 2019, at 10:19 AM, Josh Poimboeuf <jpoimboe@xxxxxxxxxx> wrote:
> 
> On Fri, Jun 07, 2019 at 10:37:56AM +0200, Peter Zijlstra wrote:
>>>> +}
>>>> +
>>>> +static int static_call_module_notify(struct notifier_block *nb,
>>>> +				     unsigned long val, void *data)
>>>> +{
>>>> +	struct module *mod = data;
>>>> +	int ret = 0;
>>>> +
>>>> +	cpus_read_lock();
>>>> +	static_call_lock();
>>>> +
>>>> +	switch (val) {
>>>> +	case MODULE_STATE_COMING:
>>>> +		module_disable_ro(mod);
>>>> +		ret = static_call_add_module(mod);
>>>> +		module_enable_ro(mod, false);
>>> 
>>> Doesnât it cause some pages to be W+X ?
> 
> How so?
> 
>>> Can it be avoided?
>> 
>> I don't know why it does this, jump_labels doesn't seem to need this,
>> and I'm not seeing what static_call needs differently.
> 
> I forgot why I did this, but it's probably for the case where there's a
> static call site in module init code.  It deserves a comment.
> 
> Theoretically, jump labels need this to.
> 
> BTW, there's a change coming that will require the text_mutex before
> calling module_{disable,enable}_ro().

I think that eventually, the most secure flow is for the module executable
to be write-protected immediately after the module signature is checked and
then use text_poke() to change the code without removing the
write-protection in such manner.

Ideally, these pieces of code (module signature check and static-key/call
mechanisms) would somehow be isolated.

I wonder whether static-calls in init-code cannot just be avoided. They
would most likely introduce more overhead in patching than they would save
in execution time.