Query regarding kernel modules intercepting system call.

[Greg KH]

On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:
> Hi guys,
> 
> I'm new to kernelnewbies and this is my first question in the list.
> 
> 
> I'm working on system call interception (for open() system call) and I got one
> problem: I have two kernel modules (mod1 and mod2) and both of them are trying
> to intercept open() syscall. I've loaded mod1 first and then mod2.
> The mod1 intercepted open() by:
> 
> original_open1 = sys_call_table[__NR_open];
> sys_call_table[__NR_open] = mod1_open;
> 
> Here original_open1 would be sys_open. After this, mod2 intercepted open() by:
> 
> original_open2 = sys_call_table[__NR_open];
> sys_call_table[__NR_open] = mod2_open;

Eeek!  First of, don't do this, you are seeing why you should not do
this already, no need to have to explain in detail why this is a bad
thing :)

> 
> problem is: Suppose I unload mod1 first and open() system call gets executed,
> then mod2_open() would get called, which ultimately calls mod1_open().
> 
> Since mod1 is already unloaded, calling mod1_open() caused panic (since the
> function pointer is no longer a valid memory region).
> 
> I need some mechanism to avoid this problem. Basically, I want a solution which
> facilitates loading/unloading the modules (which intercept same syscall) in any
> random order without causing any panic.

Why doy ou feel you wish to grab the system call in the first place?
What problem are you trying to solve where this is the only solution?

> Is there some kind of facility such that while unloading the module (`mod2`
> here), the module will broadcast the message to all other modules that it's
> being unloaded and instead of refering to `original_open2()` the other modules
> should use `original_open1()`.

Nope, don't try to grab syscalls, it's a bad idea, and you get to keep
the pieces your kernel will be in when things die (and they will die...)

sorry,

greg k-h