From: greg@kroah.com (Greg KH)
To: kernelnewbies@lists.kernelnewbies.org
Subject: Query regarding kernel modules intercepting system call.
Date: Sat, 8 Jul 2017 16:13:09 +0200 [thread overview]
Message-ID: <20170708141309.GA23183@kroah.com> (raw)
In-Reply-To: <CANoRqo=3Ect=Qb7Cqz==1aZn6vy4D0ndh=8jaWn_2wivUycGRQ@mail.gmail.com>
On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:
> Hi guys,
>
> I'm new to kernelnewbies and this is my first question in the list.
>
>
> I'm working on system call interception (for?open()?system call) and I got one
> problem: I have two kernel modules (mod1?and?mod2) and both of them are trying
> to intercept?open()?syscall. I've loaded?mod1?first and then?mod2.
> The?mod1?intercepted?open()?by:
>
> original_open1 = sys_call_table[__NR_open];
> sys_call_table[__NR_open] = mod1_open;
>
> Here?original_open1?would be?sys_open. After this,?mod2?intercepted?open()?by:
>
> original_open2 = sys_call_table[__NR_open];
> sys_call_table[__NR_open] = mod2_open;
Eeek! First of, don't do this, you are seeing why you should not do
this already, no need to have to explain in detail why this is a bad
thing :)
>
> problem is: Suppose I unload?mod1?first and?open()?system call gets executed,
> then?mod2_open()?would get called, which ultimately calls?mod1_open().
>
> Since?mod1?is already unloaded, calling?mod1_open()?caused panic (since the
> function pointer is no longer a valid memory region).
>
> I need some mechanism to avoid this problem. Basically, I want a solution which
> facilitates loading/unloading the modules (which intercept same syscall) in any
> random order without causing any panic.
Why doy ou feel you wish to grab the system call in the first place?
What problem are you trying to solve where this is the only solution?
> Is there some kind of facility such that while unloading the module (`mod2`
> here), the module will broadcast the message to all other modules that it's
> being unloaded and instead of refering to `original_open2()` the other modules
> should use `original_open1()`.
Nope, don't try to grab syscalls, it's a bad idea, and you get to keep
the pieces your kernel will be in when things die (and they will die...)
sorry,
greg k-h
next prev parent reply other threads:[~2017-07-08 14:13 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-08 14:08 Query regarding kernel modules intercepting system call Ajinkya Surnis
2017-07-08 14:13 ` Greg KH [this message]
2017-07-08 14:23 ` Ajinkya Surnis
2017-07-08 15:20 ` Greg KH
2017-07-08 15:38 ` Ajinkya Surnis
2017-07-08 16:04 ` Greg KH
2017-07-08 16:08 ` Ajinkya Surnis
2017-07-08 16:14 ` Greg KH
2017-07-08 18:06 ` Aruna Hewapathirane
2017-07-08 18:19 ` Ajinkya Surnis
2017-07-08 19:36 ` Aruna Hewapathirane
2017-07-09 1:06 ` valdis.kletnieks at vt.edu
2017-07-09 10:06 ` Lino Sanfilippo
2017-07-09 10:18 ` Lino Sanfilippo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170708141309.GA23183@kroah.com \
--to=greg@kroah.com \
--cc=kernelnewbies@lists.kernelnewbies.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).