From mboxrd@z Thu Jan 1 00:00:00 1970
From: greg@kroah.com (Greg KH)
Date: Sat, 8 Jul 2017 16:13:09 +0200
Subject: Query regarding kernel modules intercepting system call.
In-Reply-To:
References:
Message-ID: <20170708141309.GA23183@kroah.com>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:
> Hi guys,
>
> I'm new to kernelnewbies and this is my first question in the list.
>
>
> I'm working on system call interception (for open() system call) and I got one
> problem: I have two kernel modules (mod1 and mod2) and both of them are trying
> to intercept open() syscall. I've loaded mod1 first and then mod2.
> The mod1 intercepted open() by:
>
>     original_open1 = sys_call_table[__NR_open];
>     sys_call_table[__NR_open] = mod1_open;
>
> Here original_open1 would be sys_open. After this, mod2 intercepted open() by:
>
>     original_open2 = sys_call_table[__NR_open];
>     sys_call_table[__NR_open] = mod2_open;

Eeek!

First off, don't do this, you are seeing why you should not do this
already, no need to have to explain in detail why this is a bad thing :)

>
> problem is: Suppose I unload mod1 first and open() system call gets executed,
> then mod2_open() would get called, which ultimately calls mod1_open().
>
> Since mod1 is already unloaded, calling mod1_open() caused panic (since the
> function pointer is no longer a valid memory region).
>
> I need some mechanism to avoid this problem. Basically, I want a solution which
> facilitates loading/unloading the modules (which intercept same syscall) in any
> random order without causing any panic.

Why do you feel you wish to grab the system call in the first place?
What problem are you trying to solve where this is the only solution?

> Is there some kind of facility such that while unloading the module (`mod2`
> here), the module will broadcast the message to all other modules that it's
> being unloaded and instead of referring to `original_open2()` the other modules
> should use `original_open1()`.

Nope, don't try to grab syscalls, it's a bad idea, and you get to keep
the pieces your kernel will be in when things die (and they will die...)

sorry,

greg k-h
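
Added example, not part of the original message and not kernel code: a user-space C model of the save/restore pattern quoted above, showing which unload orders leave a pointer into unloaded code in the call chain. The names struct mod, slot, hook, unhook, check_top, chain_is_safe and dangling_states are hypothetical; a "loaded" flag stands in for whether a module's code is still mapped.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed user-space model, not kernel code. All names are hypothetical. */
struct mod {
    int loaded;         /* 1 while the module's code is still mapped */
    struct mod *saved;  /* models original_openN */
};

static struct mod sys_open_impl = { 1, NULL };  /* the real handler */
static struct mod *slot = &sys_open_impl;       /* models sys_call_table[__NR_open] */
static void hook(struct mod *m) { m->saved = slot; slot = m; m->loaded = 1; }

/* check_top != 0: restore only if the slot still points at this module. */
static void unhook(struct mod *m, int check_top)
{
    if (!check_top || slot == m)
        slot = m->saved;
    m->loaded = 0;
}

/* Follow the chain an open() would take; 0 = it reaches unloaded code. */
static int chain_is_safe(void)
{
    for (struct mod *m = slot; m != NULL; m = m->saved) {
        if (!m->loaded) return 0;
        if (m == &sys_open_impl) return 1;
    }
    return 0;
}

/* Load mod1 then mod2, unload in the chosen order, and count how many of
 * the two post-unload states leave a dangling pointer in the chain. */
static int dangling_states(int mod1_first, int check_top)
{
    struct mod mod1 = { 0, NULL }, mod2 = { 0, NULL };
    int bad = 0;
    hook(&mod1); hook(&mod2);
    unhook(mod1_first ? &mod1 : &mod2, check_top); bad += !chain_is_safe();
    unhook(mod1_first ? &mod2 : &mod1, check_top); bad += !chain_is_safe();
    slot = &sys_open_impl;  /* do not leave the slot pointing at dead locals */
    return bad;
}

int main(void)
{
    printf("mod2 first: %d, mod1 first: %d, mod1 first with top check: %d\n",
           dangling_states(0, 0), dangling_states(1, 0), dangling_states(1, 1));
    return 0;
}
```

In this model only the strict reverse-of-load order gives zero dangling states; unloading mod1 first leaves mod1's address reachable either through mod2's saved pointer or through the slot itself.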