The module namespace support has been introduced to allow restricting exports to specific modules only, and intended for in-tree modules such as kvm. Make this intention explicit by disallowing out of tree modules both for the module loader and modpost. Signed-off-by: Vlastimil Babka <vbabka@xxxxxxx> --- Documentation/core-api/symbol-namespaces.rst | 5 +++-- kernel/module/main.c | 3 ++- scripts/mod/modpost.c | 6 +++++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst index 32fc73dc5529e8844c2ce2580987155bcd13cd09..dc228ac738a5cdc49cc736c29170ca96df6a28dc 100644 --- a/Documentation/core-api/symbol-namespaces.rst +++ b/Documentation/core-api/symbol-namespaces.rst @@ -83,13 +83,14 @@ Symbols exported using this macro are put into a module namespace. This namespace cannot be imported. The macro takes a comma separated list of module names, allowing only those -modules to access this symbol. Simple tail-globs are supported. +modules to access this symbol. The access is restricted to in-tree modules. +Simple tail-globs are supported. For example:: EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*") -will limit usage of this symbol to modules whoes name matches the given +will limit usage of this symbol to in-tree modules whoes name matches the given patterns. How to use Symbols exported in Namespaces diff --git a/kernel/module/main.c b/kernel/module/main.c index 413ac6ea37021bc8ae260f624ca2745ed85333fc..ec7d8daa0347e3b65713396d6b6d14c2cb0270d3 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c 
@@ -1157,7 +1157,8 @@ static int verify_namespace_is_imported(const struct load_info *info, namespace = kernel_symbol_namespace(sym); if (namespace && namespace[0]) { - if (verify_module_namespace(namespace, mod->name)) + if (get_modinfo(info, "intree") && + verify_module_namespace(namespace, mod->name)) return 0; for_each_modinfo_entry(imported_namespace, info, "import_ns") { diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c index 5ca7c268294ebb65acb0ba52a671eddca9279c61..d78be9834ed75f4b6ddb9af02a300a9bcc9234cc 100644 --- a/scripts/mod/modpost.c +++ b/scripts/mod/modpost.c @@ -1695,7 +1695,8 @@ void buf_write(struct buffer *buf, const char *s, int len) * @modname: module name * * If @namespace is prefixed with "module:" to indicate it is a module namespace - * then test if @modname matches any of the comma separated patterns. + * then test if @modname matches any of the comma separated patterns. Access to + * module namespaces is restricted to in-tree modules only. * * The patterns only support tail-glob. */ @@ -1706,6 +1707,9 @@ static bool verify_module_namespace(const char *namespace, const char *modname) const char *sep; bool glob; + if (external_module) + return false; + if (!strstarts(namespace, prefix)) return false; -- 2.50.0
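Review bot: in the Documentation/core-api/symbol-namespaces.rst hunk, the rewritten line "will limit usage of this symbol to in-tree modules whoes name matches the given" carries the existing typo forward; since the line is being changed anyway, make it "whose name matches". The added sentence "The access is restricted to in-tree modules." could also say where the restriction is applied (modpost at build time and the module loader at load time), so an out-of-tree author knows which of the two rejected the module.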
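Review bot: in the kernel/module/main.c hunk at verify_namespace_is_imported(), the new get_modinfo(info, "intree") test reads a string from the modinfo of the module being loaded, so it is something the module states about itself and not something the loader verifies. That is consistent with the commit message's goal of making the intention explicit, but a short comment above the condition saying it is a policy marker and not an access-control boundary would keep later readers from treating it as one. When the test fails the code falls through to the import_ns loop, so an out-of-tree module is handled like any module that did not import the namespace; a distinct message for that case would make the rejection easier to diagnose.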
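Review bot: in the second scripts/mod/modpost.c hunk at verify_module_namespace(), the new "if (external_module) return false;" makes the result depend on a global that is not among the documented parameters (@namespace, @modname), and the bool return gives the caller no way to tell "built out of tree" from "name matched none of the patterns". Consider doing the external_module test at the call site, or emitting a dedicated diagnostic before returning, so the build output names the real reason the symbol is refused.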