Re: [RFC PATCH 6/8] preempt/dynamic: Provide preempt_schedule[_notrace]() static calls
From: Josh Poimboeuf
Date: Mon Jan 25 2021 - 18:44:16 EST
On Fri, Jan 22, 2021 at 05:52:26PM +0100, Peter Zijlstra wrote:
> On Mon, Jan 18, 2021 at 03:12:21PM +0100, Frederic Weisbecker wrote:
> > +#ifdef CONFIG_PREEMPT_DYNAMIC
> > +DEFINE_STATIC_CALL(preempt_schedule, __preempt_schedule_func());
> > +EXPORT_STATIC_CALL(preempt_schedule);
> > +#endif
>
> > +#ifdef CONFIG_PREEMPT_DYNAMIC
> > +DEFINE_STATIC_CALL(preempt_schedule_notrace, __preempt_schedule_notrace_func());
> > +EXPORT_STATIC_CALL(preempt_schedule_notrace);
> > +#endif
>
> So one of the things I hates most of this is that is allows 'random'
> modules to hijack the preemption by rewriting these callsites. Once you
> export the key, we've lost.
>
> I've tried a number of things, but this is the only one I could come up
> with that actually stands a chance against malicious modules (vbox and
> the like).
>
> It's somewhat elaborate, but afaict it actually works.
What about this hopefully abuse-proof idea which has less code, less
complexity, no registration, no new data structures, no COC defiance.
Add a writable-by-modules bit to the key struct, which can be set when
you define the key. Enforce it in __static_call_update() with a call to
__builtin_return_address(0). WARN when the caller's text isn't in the
kernel proper and the flag isn't set.
Hm?
--
Josh