Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp1379388rdb;
        Tue, 30 Jan 2024 17:36:15 -0800 (PST)
X-Google-Smtp-Source: AGHT+IHYJzg1grVFBrayqvQf3VGMqMlqHctlxUvHnewfgh7SiZ+hO2EbbY1RMf/SmyIUV1DMQghN
X-Received: by 2002:a05:6402:1a33:b0:55e:f9f7:332 with SMTP id be19-20020a0564021a3300b0055ef9f70332mr2927996edb.9.1706664975631;
        Tue, 30 Jan 2024 17:36:15 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706664975; cv=pass;
        d=google.com; s=arc-20160816;
        b=StrfE0O5xWMnnSN7a0tS0/x40FPhjaJHxFCU59xDPf96zQjrJyp2/qXbA0n5qNH4ia
         3ScC+iMesAm7wZLcH9wp49X40xhWEQGdCDUtMDF2Se4xCJgLMlsHqkhEN+6ppD1moSTU
         PmhtHeXIqOjrbchWPpE0Yat6Dshj6EoTNLbZrp6qeeoOSPJzcMHtkHMwTA9K/fWE7lep
         KIGOntzDcJTFJ2hh3A7x/bJo7PAb30xnpdszhR/0/uK/xknI3ZIZv0ZvbvjzRfASZ0fe
         te/4PCi/q7lG27/OpTfC7Rx5UhJqtoVJTmTs9618yOSewcZ7L3tUvDc3bNwuR4bS9gJ7
         mDMA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=sender:in-reply-to:content-disposition:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:references
         :message-id:subject:cc:to:from:date:dkim-signature;
        bh=mcM6EuKiC3PBnN3pomFJtPETtxYW50FEofYHj2SjpCE=;
        fh=5YwK54LpjW7Hk5ryvpBMvg8mESzb/MubVshgW48wd1I=;
        b=wUMNTUl38zsGrkFbk8WuWGQ+TljjYYSloqwpx/XVfMtwYGOPYHyPC9/Yy5ywXdfyuY
         nSVZ9b7TeKwY68D3cF9BU6WSvqDVEdMcESvi5cm1ABu6LrPCdo9YSEYCfc9Y2xiMv0fp
         9mg59TYT/gHOvbCKxmtE7I3/btyMkOQ7avnk8W8/hFaiBhvk6R4N0CUjyvIEO9p1SKHK
         +WGbwcTbSulVvYy8cmaF8dee/fVqxUdjmy/hNam39aTFXS1dYlBgWQ2H7C62XYfJmhON
         mACNSZamQgQvpQW6fsGUn1LpcTCDXNaIgt4i5QhvXcCaD2AZbbkj0ichWYI9rPMmgr7A
         fe2w==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@infradead.org header.s=bombadil.20210309 header.b=sMwovpyW;
       arc=pass (i=1 dkim=pass dkdomain=infradead.org);
       spf=pass (google.com: domain of linux-kernel+bounces-45292-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-45292-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
X-Forwarded-Encrypted: i=1; AJvYcCWC6nve38w0Cs92tW5pRIt662zp7lv1GYMKmMIBBSRXVSnPVmiZ7C4g4L4xQHpYm91+bbkTKHCYFcnWuZmwDvOTT3G59jZlwmMIAjqFOg==
Return-Path: <linux-kernel+bounces-45292-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id y2-20020a50bb02000000b0055ef174bcbdsi2751170ede.147.2024.01.30.17.36.15
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 30 Jan 2024 17:36:15 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-45292-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@infradead.org header.s=bombadil.20210309 header.b=sMwovpyW;
       arc=pass (i=1 dkim=pass dkdomain=infradead.org);
       spf=pass (google.com: domain of linux-kernel+bounces-45292-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-45292-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 42B511F25398
	for <linux.lists.archive@gmail.com>; Tue, 30 Jan 2024 20:47:36 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 6410A6E2A5;
	Tue, 30 Jan 2024 20:47:22 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="sMwovpyW"
Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4299671B52;
	Tue, 30 Jan 2024 20:47:20 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.137.202.133
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1706647641; cv=none; b=nGvucdk+dpKTLonQlz+/2gtf5KB1vSGnCZkyJ6jSr0mKyrk7vsq38De5tntNJCHjIgMpDqFJttajji6rk/7C64AggdGQlt4a6yeJPVT1QHtlcA0pqZSdRO9s9xArPNBTPTueLCt2iFRDUi69OgrZeBAKOY474u3p9/3wLWUgVZw=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1706647641; c=relaxed/simple;
	bh=cHPCGyt+KrZk5VCGXZ1+oIB0HxHmQMG2D925MBo7pRs=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=LM6/rlyGQ83xxKg1K8gUGavvNzNe+h7DrTNPChw4JFgu0Ssgag/hhlN6GeZLuCGdgtcxwspvM+OuEAWACYBKrcGBxQhWgo2Q1ZgmQ/oHDkVeO0L7dx+KMW2RvFpsy9omM8LrY+/RSRCwpL7m0iNHwH1lSu/JtvaVIBHU6fAkeUg=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org; spf=none smtp.mailfrom=infradead.org; dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b=sMwovpyW; arc=none smtp.client-ip=198.137.202.133
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org
Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=infradead.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=bombadil.20210309; h=Sender:In-Reply-To:Content-Type:
	MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To:
	Content-Transfer-Encoding:Content-ID:Content-Description;
	bh=mcM6EuKiC3PBnN3pomFJtPETtxYW50FEofYHj2SjpCE=; b=sMwovpyWAef1DSNFeKhzCxMtZC
	DoseHGxVC5FLC8iUVL4fsLGlXIFuxcJNt4s09RpCiJ5fddfKScNsWQAlxPbF8xoadTRK8jWt6mqWi
	uz2cYy+U0UQevsFq2iUx/LNWzNXS1vHP+TCdo9bPItONjmc42bdOYGhaZCn8KRUmYhHVfskzm6f04
	kqq1frt2oQxIBm0MNLdr01IU50+ZzZaPs7n5iIT6PHtDOdV6G7kfIi7TmFauHo2qh+dZsXZfbBDUg
	BiC/306Kclpzvmo76haLYjBf5PZdSaEreUPIFIEmCnXBh7Y3wnU6IQ6i6LpxMuPuainWUfBSrNCVf
	qYlwCjbg==;
Received: from mcgrof by bombadil.infradead.org with local (Exim 4.97.1 #2 (Red Hat Linux))
	id 1rUv0p-00000000XL3-2vsS;
	Tue, 30 Jan 2024 20:47:19 +0000
Date: Tue, 30 Jan 2024 12:47:19 -0800
From: Luis Chamberlain <mcgrof@kernel.org>
To: Marco Pagani <marpagan@redhat.com>
Cc: linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH] kernel/module: add a safer implementation of
 try_module_get()
Message-ID: <ZblgV0ApD-9cQWwl@bombadil.infradead.org>
References: <20240130193614.49772-1-marpagan@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20240130193614.49772-1-marpagan@redhat.com>
Sender: Luis Chamberlain <mcgrof@infradead.org>

On Tue, Jan 30, 2024 at 08:36:14PM +0100, Marco Pagani wrote:
> The current implementation of try_module_get() requires the module to
> exist and be live as a precondition. While this may seem intuitive at
> first glance, enforcing the precondition can be tricky, considering that
> modules can be unloaded at any time if not previously taken. For
> instance, the caller could be preempted just before calling
> try_module_get(), and while preempted, the module could be unloaded and
> freed. More subtly, the module could also be unloaded at any point while
> executing try_module_get() before incrementing the refount with
> atomic_inc_not_zero().
> 
> Neglecting the precondition that the module must exist and be live can
> cause unexpected race conditions that can lead to crashes. However,
> ensuring that the precondition is met may require additional locking
> that increases the complexity of the code and can make it more
> error-prone.
> 
> This patch adds a slower yet safer implementation of try_module_get()
> that checks if the module is valid by looking into the mod_tree before
> taking the module's refcount. This new function can be safely called on
> stale and invalid module pointers, relieving developers from the burden
> of ensuring that the module exists and is live before attempting to take
> it.
> 
> The tree lookup and refcount increment are executed after taking the
> module_mutex to prevent the module from being unloaded after looking up
> the tree.
> 
> Signed-off-by: Marco Pagani <marpagan@redhat.com>

It very much sounds like there is a desire to have this but without a
user, there is no justification.

> +bool try_module_get_safe(struct module *module)
> +{
> +	struct module *mod;
> +	bool ret = true;
> +
> +	if (!module)
> +		goto out;
> +
> +	mutex_lock(&module_mutex);

If a user comes around then this should be mutex_lock_interruptible(),
and add might_sleep()

> +
> +	/*
> +	 * Check if the address points to a valid live module and take
> +	 * the refcount only if it points to the module struct.
> +	 */
> +	mod = __module_address((unsigned long)module);
> +	if (mod && mod == module && module_is_live(mod))
> +		__module_get(mod);
> +	else
> +		ret = false;
> +
> +	mutex_unlock(&module_mutex);
> +
> +out:
> +	return ret;
> +}
> +EXPORT_SYMBOL(try_module_get_safe);

And EXPORT_SYMBOL_GPL() would need to be used.

I'd also expect selftests to be expanded for this case, but again,
without a user, this is just trying to resolve a problem which does not
exist.

  Luis