From: Joey Jiao
CC: Luis Chamberlain
Subject: [PATCH v5] module: Add CONFIG_MODULE_DISABLE_INIT_FREE option
Date: Fri, 13 Oct 2023 11:57:11 +0530
Message-ID: <20231013062711.28852-1-quic_jiangenj@quicinc.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Syzkaller uses the _RET_IP_ (also known as pc) to decode the covered file/function/line, and it employs pc ^ hash(prev_pc) (referred to as signal) to indicate a covered edge. If the pc for the same file/line keeps changing across reboots, syzkaller will report incorrect coverage data.
Additionally, even if kaslr can be disabled, we cannot get the same covered edge for modules because both pc and prev_pc have changed, thus altering pc ^ hash(prev_pc).

To facilitate syzkaller coverage, it is crucial for both the core kernel and modules to remain at the same addresses across reboots. So, the following steps are necessary:

- In userspace:
  1) To maintain an uninterrupted loading sequence, it is recommended to execute modprobe commands by loading one module at a time, to avoid any interference from the scheduler.
  2) Avoid unloading any module during fuzzing.
- In kernel:
  1) Disable CONFIG_RANDOMIZE_BASE to load the core kernel at the same address consistently.
  2) To ensure deterministic module loading at the same address, enabling CONFIG_MODULE_DISABLE_INIT_FREE prevents the asynchronous freeing of init sections. Without this option, there is a possibility that the next module could be loaded into the previously freed init pages of a previously loaded module.

It is important to note that this option is intended for fuzzing tests only and should not be set as the default configuration in production builds.

Signed-off-by: Joey Jiao
---
 kernel/module/Kconfig | 13 +++++++++++++
 kernel/module/main.c | 3 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index 33a2e991f608..d0df0b5997b0 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -389,4 +389,17 @@ config MODULES_TREE_LOOKUP def_bool y depends on PERF_EVENTS || TRACING || CFI_CLANG +config MODULE_DISABLE_INIT_FREE + bool "Disable freeing of init sections" + default n + depends on !RANDOMIZE_BASE + help + By default, the kernel frees init sections after module is fully + loaded. + + Enabling MODULE_DISABLE_INIT_FREE allows users to prevent the freeing + of init sections. It is particularly helpful for syzkaller fuzzing, + ensuring that the module consistently loads at the same address + across reboots. + endif # MODULES
diff --git a/kernel/module/main.c b/kernel/module/main.c index 98fedfdb8db5..d226df3a6cf6 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -2593,7 +2593,8 @@ static noinline int do_init_module(struct module *mod) * be cleaned up needs to sync with the queued work - ie * rcu_barrier() */ - if (llist_add(&freeinit->node, &init_free_list)) + if (!IS_ENABLED(CONFIG_MODULE_DISABLE_INIT_FREE) && + llist_add(&freeinit->node, &init_free_list)) schedule_work(&init_free_wq); mutex_unlock(&module_mutex); -- 2.42.0
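Review bot: the help text for MODULE_DISABLE_INIT_FREE in the kernel/module/Kconfig hunk should carry the warning the commit message gives ("intended for fuzzing tests only and should not be set as the default configuration in production builds"), because `depends on !RANDOMIZE_BASE` on its own does not stop the option being turned on in a non-KASLR production config, and keeping init sections mapped after they are no longer needed leaves extra code resident in the kernel. Suggest adding a sentence such as "This option is for fuzzing and debugging only; do not enable it in production kernels." and, if the maintainers agree, an extra `depends on DEBUG_KERNEL`. Two smaller points: `default n` is redundant for a bool and is normally omitted, and "after module is fully loaded" in the first help sentence should read "after a module is fully loaded".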
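Review bot: with CONFIG_MODULE_DISABLE_INIT_FREE enabled, the new `!IS_ENABLED(CONFIG_MODULE_DISABLE_INIT_FREE) &&` short-circuit in do_init_module skips both the llist_add() and schedule_work(&init_free_wq), so the freeinit node referenced in this hunk is never handed to the worker that would otherwise consume it; check that it is released on this path (or not allocated at all when the option is on), otherwise every module load leaks it in addition to the init memory that is deliberately kept. The comment kept as context above the change ("needs to sync with the queued work - ie rcu_barrier()") also no longer applies when nothing is queued, so a short note there, and a statement in the commit message that the init memory is intentionally never reclaimed for the lifetime of the kernel, would make the behaviour clear to the next reader.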