On Mon, Jan 25, 2021 at 05:40:39PM -0600, Josh Poimboeuf wrote:
> On Fri, Jan 22, 2021 at 05:52:26PM +0100, Peter Zijlstra wrote:
> > On Mon, Jan 18, 2021 at 03:12:21PM +0100, Frederic Weisbecker wrote:
> > > +#ifdef CONFIG_PREEMPT_DYNAMIC
> > > +DEFINE_STATIC_CALL(preempt_schedule, __preempt_schedule_func());
> > > +EXPORT_STATIC_CALL(preempt_schedule);
> > > +#endif
> >
> > > +#ifdef CONFIG_PREEMPT_DYNAMIC
> > > +DEFINE_STATIC_CALL(preempt_schedule_notrace,
> > > __preempt_schedule_notrace_func());
> > > +EXPORT_STATIC_CALL(preempt_schedule_notrace);
> > > +#endif
> >
> > So one of the things I hate most of this is that it allows 'random'
> > modules to hijack the preemption by rewriting these callsites. Once you
> > export the key, we've lost.
> >
> > I've tried a number of things, but this is the only one I could come up
> > with that actually stands a chance against malicious modules (vbox and
> > the like).
> >
> > It's somewhat elaborate, but afaict it actually works.
>
> What about this hopefully abuse-proof idea which has less code, less
> complexity, no registration, no new data structures, no COC defiance.
>
> Add a writable-by-modules bit to the key struct, which can be set when
> you define the key. Enforce it in __static_call_update() with a call to
> __builtin_return_address(0). WARN when the caller's text isn't in the
> kernel proper and the flag isn't set.
>
> Hm?
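Review bot: EXPORT_STATIC_CALL() on both preempt_schedule and preempt_schedule_notrace hands the key pointer to every loadable module, and with the key a module can redirect these call sites via __static_call_update(); if modules only need to call through the key rather than retarget it, the export should be narrowed or updates gated on the caller, since (as noted in the thread) a flag stored in the key struct itself can be rewritten by the same module that holds the pointer.

To make the objection concrete, here is an added userspace model (not kernel code, and not from this thread or from the kernel tree) of the proposed "writable-by-modules bit" check; the struct, field and function names are hypothetical, and the caller-origin enum stands in for the __builtin_return_address(0) / kernel-text test. It shows the check refusing a module update, and then the bypass: the module flips the bit it can reach through the key pointer and the update goes through.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a static_call key with the proposed bit
 * (hypothetical field name; the real struct has no such field). */
struct model_static_call_key {
    void *func;              /* current target of the call site */
    bool module_writable;    /* proposed "modules may update" bit */
};

/* Stand-in for checking __builtin_return_address(0) against core
 * kernel text: the caller says where it comes from. */
enum caller { CALLER_KERNEL, CALLER_MODULE };

/* Model of the proposed __static_call_update() guard.
 * Returns true if the update was applied, false if refused. */
static bool model_static_call_update(struct model_static_call_key *key,
                                     void *func, enum caller who)
{
    if (who != CALLER_KERNEL && !key->module_writable)
        return false;    /* the proposal WARNs here */
    key->func = func;
    return true;
}

static void kernel_preempt(void) {}
static void module_preempt(void) {}

/* Sequence from the thread: a well-behaved module is refused, but a
 * module that first sets the bit (it holds the key pointer, so nothing
 * stops it) retargets the call site anyway.
 * Returns 1 if the key ended up pointing at the module's function,
 * negative if the model behaved unexpectedly. */
int model_module_hijack(void)
{
    struct model_static_call_key key = { kernel_preempt, false };

    if (model_static_call_update(&key, module_preempt, CALLER_MODULE))
        return -1;                       /* guard should refuse this */

    key.module_writable = true;          /* the bypass: bit lives in the key */

    if (!model_static_call_update(&key, module_preempt, CALLER_MODULE))
        return -2;

    return key.func == module_preempt;   /* 1: call site hijacked */
}
```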
What stops a module from clearing said bit? It has the key pointer.