On 11/9/24 11:35, Christophe Leroy wrote: > Once module init has succeded it is too late to cancel loading. > If setting ro_after_init data section to read-only fails, all we > can do is to inform the user through a warning. Makes sense to me. If I'm looking correctly, set_memory_ro() could mostly fail when splitting large pages. If we wanted to fix this cleanly, I wonder if it would be possible to divide the function into two. The first one which does the necessary splitting, can fail and is called prior to a module init, and the second one that eventually updates page table attributes and is called after the init. > > Reported-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@xxxxxxxxxx/ > Fixes: d1909c022173 ("module: Don't ignore errors from set_memory_XX()") > Signed-off-by: Christophe Leroy <christophe.leroy@xxxxxxxxxx> > --- > kernel/module/main.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/kernel/module/main.c b/kernel/module/main.c > index 2de4ad7af335..1bf4b0db291b 100644 > --- a/kernel/module/main.c > +++ b/kernel/module/main.c > @@ -2583,7 +2583,9 @@ static noinline int do_init_module(struct module *mod) > #endif > ret = module_enable_rodata_ro_after_init(mod); > if (ret) > - goto fail_mutex_unlock; > + pr_warn("%s: %s() returned %d, ro_after_init data might still be writable\n", > + mod->name, __func__, ret); > + The __func__ magic constant here expands to "do_init_module" but the message should rather say that "module_enable_rodata_ro_after_init" failed. > mod_tree_remove_init(mod); > module_arch_freeing_init(mod); > for_class_mod_mem_type(type, init) { > @@ -2622,8 +2624,6 @@ static noinline int do_init_module(struct module *mod) > > return 0; > > -fail_mutex_unlock: > - mutex_unlock(&module_mutex); > fail_free_freeinit: > kfree(freeinit); > fail: -- Cheers, Petr