I'm working on system call interception (for the open() system call) and I have one problem: I have two kernel modules (mod1 and mod2) and both of them are trying to intercept the open() syscall. I've loaded mod1 first and then mod2. mod1 intercepted open() by:

```c
original_open1 = sys_call_table[__NR_open];
sys_call_table[__NR_open] = mod1_open;
```

Here original_open1 would be sys_open. After this, mod2 intercepted open() by:

```c
original_open2 = sys_call_table[__NR_open];
sys_call_table[__NR_open] = mod2_open;
```

Here, original_open2 would be mod1_open() since mod1 was loaded first. Now, the problem is: Suppose I unload mod1 first and the open() system call gets executed, then mod2_open() would get called, which ultimately calls mod1_open().

Since mod1 is already unloaded, calling mod1_open() would cause a panic (since the function pointer is no longer a valid memory region).

I need some mechanism to avoid this problem. Basically, I want a solution which facilitates loading/unloading the modules (which intercept the same syscall) in any random order without causing any panic.

  • I think due to the kind of dependency you have between the modules, you must preserve the order in which you unload the modules. – vtha Jul 08 '17 at 07:15
  • @vtha - Is it possible for `mod1` to broadcast a message that says, "I'm being unloaded. If you were using `mod1_open`, then use `original_open1` instead". Obviously the message parameters are pointers to functions. Perhaps [Can kernel module take initiative to send message to user space with netlink?](https://stackoverflow.com/q/35098943/608639) and [Listening for netlink broadcasts in a kernel module](https://stackoverflow.com/a/27406105/608639). Maybe this is a question for [kernel newbies](https://kernelnewbies.org/MailingList). – jww Jul 08 '17 at 09:03
  • @jww I like the approach you mentioned, but couldn't find any mechanism to broadcast the message from one module to all. – Ajk Jul 08 '17 at 13:33
  • @Ajk - I don't know enough about kernel modules to help you further. I'd be surprised if the kernel lacked a similar method for IPC. That's kind of why I mentioned kernel newbies. Some of the kernel guys hang there, and they are gentler than asking on a full-fledged kernel list. Some of their answers are short or terse, but it's often the toe-hold you need to investigate things further. – jww Jul 08 '17 at 13:45
  • @jww Thanks. I will post my query on kernelnewbies. – Ajk Jul 08 '17 at 13:53
  • For completeness, also see [Query regarding kernel modules intercepting system call](https://lists.kernelnewbies.org/pipermail/kernelnewbies/2017-July/018091.html) on the Kernel Newbies mailing list. – jww Jul 09 '17 at 02:29
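
An added example, not part of the question or its comments: a user-space C model of the failure described above, in which hooks sit in one shared list instead of each module saving the previous slot value, so unloading mod1 first leaves no pointer into it. The names `struct hook`, `hook_register`, `hook_unregister`, `dispatch_open` and `sys_open_model` are hypothetical and are not kernel APIs.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model only: "slot" stands in for sys_call_table[__NR_open]. */
struct hook {
    int (*fn)(struct hook *self, const char *path);
    struct hook *next;              /* next hook, NULL means the original */
};

static struct hook *slot;           /* head of the hook list */
static int mod1_calls, mod2_calls;

static int sys_open_model(const char *path) { (void)path; return 3; }

/* A hook asks the list for its successor at call time, not at load time. */
static int call_next(struct hook *h, const char *path) {
    return h->next ? h->next->fn(h->next, path) : sys_open_model(path);
}
static int dispatch_open(const char *path) {
    return slot ? slot->fn(slot, path) : sys_open_model(path);
}
static void hook_register(struct hook *h) { h->next = slot; slot = h; }

/* Unlink h wherever it sits; neighbours never keep a pointer into h. */
static void hook_unregister(struct hook *h) {
    struct hook **pp = &slot;
    while (*pp && *pp != h) pp = &(*pp)->next;
    if (*pp) { *pp = h->next; h->next = NULL; }
}

static int mod1_open(struct hook *s, const char *p) { mod1_calls++; return call_next(s, p); }
static int mod2_open(struct hook *s, const char *p) { mod2_calls++; return call_next(s, p); }
static struct hook mod1 = { mod1_open, NULL }, mod2 = { mod2_open, NULL };

/* Load mod1 then mod2, unload mod1 first, then call open() again. */
static int unload_mod1_first(void) {
    slot = NULL; mod1_calls = mod2_calls = 0;
    hook_register(&mod1);
    hook_register(&mod2);
    dispatch_open("/tmp/a");        /* mod2 -> mod1 -> original */
    hook_unregister(&mod1);
    return dispatch_open("/tmp/a"); /* mod2 -> original, mod1 skipped */
}

int main(void) {
    int fd = unload_mod1_first();
    printf("fd=%d mod1=%d mod2=%d\n", fd, mod1_calls, mod2_calls);
    return 0;
}
```

The model is single-threaded. In a kernel the unlink would also have to be synchronized against concurrent callers, and a module could not be freed while a call is still executing inside its hook.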

0 Answers