Userspace app crash causes system crash on do_exit probe

Greg KH greg at
Tue Sep 1 03:33:20 EDT 2020

On Tue, Sep 01, 2020 at 09:16:22AM +0200, César Augusto Marcelino dos Santos wrote:
> Dear community,
> I have created a kernel module that adds probes to do_execve() and
> do_exit() syscalls (code by the end of this email). It is running on a
> custom kernel-based system, version 3.18.31.

Wow, 3.18.y is from December of 2014, many years ago, and over 467,000
changes ago.  You really need to ask the company that is forcing you to
rely on that old kernel version for stuff like this, as you are paying
them for that support, take advantage of it, do not rely on the
community to try to attempt to help with such an obsolete system.

That being said:

> The goal of this module is to see if I can capture several information
> from any process that is about to start, or that is about to leave
> userspace. I have tested the following scenarios:
> - app inits
> - app finishes its execution gracefully
> - app is killed
> - app crashes

Just use the LSM interface instead please, that is wht it is there for,
you really really really do not want to attempt to hook system calls,
unless you are a rootkit :)

good luck!

greg k-h

More information about the Kernelnewbies mailing list