The module loader will reject unsigned modules from loading if such a
module attempts to import a symbol which has the import protection bit
set in the kflagstab entry for the symbol.
Signed-off-by: Siddharth Nayyar <sidnayyar@google.com>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
kernel/module/internal.h | 1 +
kernel/module/main.c | 10 +++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index 061161cc79d9..98faaf8900aa 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -108,6 +108,7 @@ struct find_symbol_arg {
const u32 *crc;
const struct kernel_symbol *sym;
enum mod_license license;
+ bool is_protected;
};
/* modules using other modules */
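Review bot: the new `is_protected` member in `struct find_symbol_arg` has no comment saying what it means or who fills it in. A one-line comment stating that it is an output of the symbol search, set from the symbol's `KSYM_FLAG_PROTECTED` flag, would make the field's role clear to callers that only read the struct.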
diff --git a/kernel/module/main.c b/kernel/module/main.c
index f5f9872dc070..c27df62a68f5 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -380,6 +380,7 @@ static bool find_exported_symbol_in_section(const struct symsearch *syms,
fsa->crc = symversion(syms->crcs, sym - syms->start);
fsa->sym = sym;
fsa->license = (sym_flags & KSYM_FLAG_GPL_ONLY) ? GPL_ONLY : NOT_GPL_ONLY;
+ fsa->is_protected = sym_flags & KSYM_FLAG_PROTECTED;
return true;
}
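Review bot: `fsa->is_protected = sym_flags & KSYM_FLAG_PROTECTED;` relies on the implicit integer-to-bool conversion, while the `fsa->license` line directly above spells out its flag test with a ternary. Writing it as `!!(sym_flags & KSYM_FLAG_PROTECTED)` keeps the two flag tests consistent and stays correct if the field is ever changed from `bool` to a narrower integer type.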
@@ -1267,6 +1268,13 @@ static const struct kernel_symbol *resolve_symbol(struct module *mod,
goto getname;
}
+ if (fsa.is_protected && !mod->sig_ok) {
+ pr_warn("%s: Cannot use protected symbol %s\n",
+ mod->name, name);
+ fsa.sym = ERR_PTR(-EACCES);
+ goto getname;
+ }
+
err = ref_module(mod, fsa.owner);
if (err) {
fsa.sym = ERR_PTR(err);
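Review bot: `mod->sig_ok` in the new `if (fsa.is_protected && !mod->sig_ok)` test is referenced unconditionally, but the build reports in this thread show that `struct module` has no `sig_ok` member in some configurations, so the check does not compile there. Guarding it needs an explicit decision about protected symbols when signature checking is not built in: compiling the check out lets every module import them, while treating every module as unsigned refuses them all. Whichever behaviour is intended, state it in the commit message and in a comment above the check.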
@@ -1550,7 +1558,7 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
break;
ret = PTR_ERR(ksym) ?: -ENOENT;
- pr_warn("%s: Unknown symbol %s (err %d)\n",
+ pr_warn("%s: Unresolved symbol %s (err %d)\n",
mod->name, name, ret);
break;
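Review bot: the `pr_warn` string change from "Unknown symbol" to "Unresolved symbol" in `simplify_symbols()` is not mentioned in the commit message, and it alters a user-visible log line that scripts and documentation may match on. Either explain the rename in the changelog or split it into its own patch. Note also that a refused protected import will log both "Cannot use protected symbol" and this line for the same symbol, so consider whether the second message is wanted in that case.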
--
2.51.0.740.g6adb054d12-goog
Hi Siddharth,
kernel test robot noticed the following build errors:
[auto build test ERROR on arnd-asm-generic/master]
[also build test ERROR on soc/for-next linus/master v6.18-rc2 next-20251023]
[cannot apply to mcgrof/modules-next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Siddharth-Nayyar/define-kernel-symbol-flags/20251021-104658
base: https://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic.git master
patch link: https://lore.kernel.org/r/20251013153918.2206045-11-sidnayyar%40google.com
patch subject: [PATCH v2 10/10] module loader: enforce symbol import protection
config: x86_64-kexec (https://download.01.org/0day-ci/archive/20251023/202510231707.zbQhQZmN-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251023/202510231707.zbQhQZmN-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510231707.zbQhQZmN-lkp@intel.com/
All errors (new ones prefixed by >>):
>> kernel/module/main.c:1271:32: error: no member named 'sig_ok' in 'struct module'
1271 | if (fsa.is_protected && !mod->sig_ok) {
| ~~~ ^
1 error generated.
vim +1271 kernel/module/main.c
1228
1229 /* Resolve a symbol for this module. I.e. if we find one, record usage. */
1230 static const struct kernel_symbol *resolve_symbol(struct module *mod,
1231 const struct load_info *info,
1232 const char *name,
1233 char ownername[])
1234 {
1235 struct find_symbol_arg fsa = {
1236 .name = name,
1237 .gplok = !(mod->taints & (1 << TAINT_PROPRIETARY_MODULE)),
1238 .warn = true,
1239 };
1240 int err;
1241
1242 /*
1243 * The module_mutex should not be a heavily contended lock;
1244 * if we get the occasional sleep here, we'll go an extra iteration
1245 * in the wait_event_interruptible(), which is harmless.
1246 */
1247 sched_annotate_sleep();
1248 mutex_lock(&module_mutex);
1249 if (!find_symbol(&fsa))
1250 goto unlock;
1251
1252 if (fsa.license == GPL_ONLY)
1253 mod->using_gplonly_symbols = true;
1254
1255 if (!inherit_taint(mod, fsa.owner, name)) {
1256 fsa.sym = NULL;
1257 goto getname;
1258 }
1259
1260 if (!check_version(info, name, mod, fsa.crc)) {
1261 fsa.sym = ERR_PTR(-EINVAL);
1262 goto getname;
1263 }
1264
1265 err = verify_namespace_is_imported(info, fsa.sym, mod);
1266 if (err) {
1267 fsa.sym = ERR_PTR(err);
1268 goto getname;
1269 }
1270
> 1271 if (fsa.is_protected && !mod->sig_ok) {
1272 pr_warn("%s: Cannot use protected symbol %s\n",
1273 mod->name, name);
1274 fsa.sym = ERR_PTR(-EACCES);
1275 goto getname;
1276 }
1277
1278 err = ref_module(mod, fsa.owner);
1279 if (err) {
1280 fsa.sym = ERR_PTR(err);
1281 goto getname;
1282 }
1283
1284 getname:
1285 /* We must make copy under the lock if we failed to get ref. */
1286 strscpy(ownername, module_name(fsa.owner), MODULE_NAME_LEN);
1287 unlock:
1288 mutex_unlock(&module_mutex);
1289 return fsa.sym;
1290 }
1291
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Siddharth,
kernel test robot noticed the following build errors:
[auto build test ERROR on arnd-asm-generic/master]
[also build test ERROR on soc/for-next linus/master v6.18-rc2 next-20251022]
[cannot apply to mcgrof/modules-next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Siddharth-Nayyar/define-kernel-symbol-flags/20251021-104658
base: https://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic.git master
patch link: https://lore.kernel.org/r/20251013153918.2206045-11-sidnayyar%40google.com
patch subject: [PATCH v2 10/10] module loader: enforce symbol import protection
config: x86_64-randconfig-122-20251022 (https://download.01.org/0day-ci/archive/20251023/202510231021.yaURwkIz-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251023/202510231021.yaURwkIz-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510231021.yaURwkIz-lkp@intel.com/
All errors (new ones prefixed by >>):
kernel/module/main.c: In function 'resolve_symbol':
>> kernel/module/main.c:1271:37: error: 'struct module' has no member named 'sig_ok'
1271 | if (fsa.is_protected && !mod->sig_ok) {
| ^~
vim +1271 kernel/module/main.c
1228
1229 /* Resolve a symbol for this module. I.e. if we find one, record usage. */
1230 static const struct kernel_symbol *resolve_symbol(struct module *mod,
1231 const struct load_info *info,
1232 const char *name,
1233 char ownername[])
1234 {
1235 struct find_symbol_arg fsa = {
1236 .name = name,
1237 .gplok = !(mod->taints & (1 << TAINT_PROPRIETARY_MODULE)),
1238 .warn = true,
1239 };
1240 int err;
1241
1242 /*
1243 * The module_mutex should not be a heavily contended lock;
1244 * if we get the occasional sleep here, we'll go an extra iteration
1245 * in the wait_event_interruptible(), which is harmless.
1246 */
1247 sched_annotate_sleep();
1248 mutex_lock(&module_mutex);
1249 if (!find_symbol(&fsa))
1250 goto unlock;
1251
1252 if (fsa.license == GPL_ONLY)
1253 mod->using_gplonly_symbols = true;
1254
1255 if (!inherit_taint(mod, fsa.owner, name)) {
1256 fsa.sym = NULL;
1257 goto getname;
1258 }
1259
1260 if (!check_version(info, name, mod, fsa.crc)) {
1261 fsa.sym = ERR_PTR(-EINVAL);
1262 goto getname;
1263 }
1264
1265 err = verify_namespace_is_imported(info, fsa.sym, mod);
1266 if (err) {
1267 fsa.sym = ERR_PTR(err);
1268 goto getname;
1269 }
1270
> 1271 if (fsa.is_protected && !mod->sig_ok) {
1272 pr_warn("%s: Cannot use protected symbol %s\n",
1273 mod->name, name);
1274 fsa.sym = ERR_PTR(-EACCES);
1275 goto getname;
1276 }
1277
1278 err = ref_module(mod, fsa.owner);
1279 if (err) {
1280 fsa.sym = ERR_PTR(err);
1281 goto getname;
1282 }
1283
1284 getname:
1285 /* We must make copy under the lock if we failed to get ref. */
1286 strscpy(ownername, module_name(fsa.owner), MODULE_NAME_LEN);
1287 unlock:
1288 mutex_unlock(&module_mutex);
1289 return fsa.sym;
1290 }
1291
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Siddharth,
kernel test robot noticed the following build errors:
[auto build test ERROR on arnd-asm-generic/master]
[also build test ERROR on soc/for-next linus/master v6.18-rc1 next-20251013]
[cannot apply to mcgrof/modules-next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Siddharth-Nayyar/define-kernel-symbol-flags/20251014-005305
base: https://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic.git master
patch link: https://lore.kernel.org/r/20251013153918.2206045-11-sidnayyar%40google.com
patch subject: [PATCH v2 10/10] module loader: enforce symbol import protection
config: x86_64-kexec (https://download.01.org/0day-ci/archive/20251014/202510141538.VZqnRzHh-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251014/202510141538.VZqnRzHh-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510141538.VZqnRzHh-lkp@intel.com/
All errors (new ones prefixed by >>):
>> kernel/module/main.c:1271:32: error: no member named 'sig_ok' in 'struct module'
1271 | if (fsa.is_protected && !mod->sig_ok) {
| ~~~ ^
1 error generated.
vim +1271 kernel/module/main.c
1228
1229 /* Resolve a symbol for this module. I.e. if we find one, record usage. */
1230 static const struct kernel_symbol *resolve_symbol(struct module *mod,
1231 const struct load_info *info,
1232 const char *name,
1233 char ownername[])
1234 {
1235 struct find_symbol_arg fsa = {
1236 .name = name,
1237 .gplok = !(mod->taints & (1 << TAINT_PROPRIETARY_MODULE)),
1238 .warn = true,
1239 };
1240 int err;
1241
1242 /*
1243 * The module_mutex should not be a heavily contended lock;
1244 * if we get the occasional sleep here, we'll go an extra iteration
1245 * in the wait_event_interruptible(), which is harmless.
1246 */
1247 sched_annotate_sleep();
1248 mutex_lock(&module_mutex);
1249 if (!find_symbol(&fsa))
1250 goto unlock;
1251
1252 if (fsa.license == GPL_ONLY)
1253 mod->using_gplonly_symbols = true;
1254
1255 if (!inherit_taint(mod, fsa.owner, name)) {
1256 fsa.sym = NULL;
1257 goto getname;
1258 }
1259
1260 if (!check_version(info, name, mod, fsa.crc)) {
1261 fsa.sym = ERR_PTR(-EINVAL);
1262 goto getname;
1263 }
1264
1265 err = verify_namespace_is_imported(info, fsa.sym, mod);
1266 if (err) {
1267 fsa.sym = ERR_PTR(err);
1268 goto getname;
1269 }
1270
> 1271 if (fsa.is_protected && !mod->sig_ok) {
1272 pr_warn("%s: Cannot use protected symbol %s\n",
1273 mod->name, name);
1274 fsa.sym = ERR_PTR(-EACCES);
1275 goto getname;
1276 }
1277
1278 err = ref_module(mod, fsa.owner);
1279 if (err) {
1280 fsa.sym = ERR_PTR(err);
1281 goto getname;
1282 }
1283
1284 getname:
1285 /* We must make copy under the lock if we failed to get ref. */
1286 strscpy(ownername, module_name(fsa.owner), MODULE_NAME_LEN);
1287 unlock:
1288 mutex_unlock(&module_mutex);
1289 return fsa.sym;
1290 }
1291
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
On Tue, Oct 14, 2025 at 8:36AM kernel test robot <lkp@intel.com> wrote:
>
> Hi Siddharth,
>
> kernel test robot noticed the following build errors:
>
> [auto build test ERROR on arnd-asm-generic/master]
> [also build test ERROR on soc/for-next linus/master v6.18-rc1 next-20251013]
> [cannot apply to mcgrof/modules-next]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url: https://github.com/intel-lab-lkp/linux/commits/Siddharth-Nayyar/define-kernel-symbol-flags/20251014-005305
> base: https://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic.git master
> patch link: https://lore.kernel.org/r/20251013153918.2206045-11-sidnayyar%40google.com
> patch subject: [PATCH v2 10/10] module loader: enforce symbol import protection
> config: x86_64-kexec (https://download.01.org/0day-ci/archive/20251014/202510141538.VZqnRzHh-lkp@intel.com/config)
> compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251014/202510141538.VZqnRzHh-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202510141538.VZqnRzHh-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
> >> kernel/module/main.c:1271:32: error: no member named 'sig_ok' in 'struct module'
> 1271 | if (fsa.is_protected && !mod->sig_ok) {
> | ~~~ ^
> 1 error generated.

'sig_ok' is only defined when CONFIG_MODULE_SIG is set. I will wrap this
statement in '#ifdef CONFIG_MODULE_SIG' in a follow-up patch.

Regards,
Siddharth Nayyar