On Fri, Jan 22, 2021 at 05:52:26PM +0100, Peter Zijlstra wrote: > On Mon, Jan 18, 2021 at 03:12:21PM +0100, Frederic Weisbecker wrote: > > +#ifdef CONFIG_PREEMPT_DYNAMIC > > +DEFINE_STATIC_CALL(preempt_schedule, __preempt_schedule_func()); > > +EXPORT_STATIC_CALL(preempt_schedule); > > +#endif > > > +#ifdef CONFIG_PREEMPT_DYNAMIC > > +DEFINE_STATIC_CALL(preempt_schedule_notrace, > > __preempt_schedule_notrace_func()); > > +EXPORT_STATIC_CALL(preempt_schedule_notrace); > > +#endif > > So one of the things I hates most of this is that is allows 'random' > modules to hijack the preemption by rewriting these callsites. Once you > export the key, we've lost. > > I've tried a number of things, but this is the only one I could come up > with that actually stands a chance against malicious modules (vbox and > the like). > > It's somewhat elaborate, but afaict it actually works.
What about this hopefully abuse-proof idea which has less code, less complexity, no registration, no new data structures, no COC defiance. Add a writable-by-modules bit to the key struct, which can be set when you define the key. Enforce it in __static_call_update() with a call to __builtin_return_address(0). WARN when the caller's text isn't in the kernel proper and the flag isn't set. Hm? -- Josh
