2

I've got Generic Kernel Extension which is implemented in C++ example for the start and end routines, whereas all the other logic is stored within a dedicated class inherit from OSObject.

it creates the class upon module start routine, and release it upon stop routine as can be shown in the code below : 

class com_my_driver : public OSObject { ... };

...
..
.

com_my_driver *gDriver = NULL;

extern "C" kern_return_t my_driver_start(kmod_info_t * ki, void *d)
{
    gDriver = new com_my_driver;
    gDriver->init();
    return KERN_SUCCESS;
}

extern "C" kern_return_t my_driver_stop(kmod_info_t *ki, void *d)
{
    gDriver->release();
    gDriver = nullptr;
    return KERN_SUCCESS;
}

However, when trying to unload the service, It cannot reach the stop routine since the class is still being referenced (I assumed it reach to the stop routine where I release this class). Here's the exact log message:

(kernel) Can't unload kext com.my.driver; classes have instances:
(kernel)     Kext com.my.driver class com_my_driver has 1 instance.
Failed to unload com.my.driver - (libkern/kext) kext is in use or retained (cannot unload).

Is there any other even where I can release my class prior to the stop routine before the reference inspection ?

thanks

1 Answers1

0

I recently encountered just same problem, then I gave up(to release my class in kext stop function).
The OSObject and its derived classes are not for such use case I think.

The creation and deletion(release) has to be done another place for example:

// do new in connect(), release in disconnect().
#include <sys/kern_control.h>
...
static kern_ctl_ref g_ctl_ref;
static kern_ctl_reg g_ctl;

...
static errno_t setup() {
    g_ctl.ctl_id = 0;
    g_ctl.ctl_flags = CTL_FLAG_REG_ID_UNIT /*| CTL_FLAG_REG_SOCK_STREAM */;
    g_ctl.ctl_connect = connect_handler;
    g_ctl.ctl_send = send_handler;
    g_ctl.ctl_disconnect = disconnect_handler;
    g_ctl.ctl_getopt = getopt_handler;
    g_ctl.ctl_setopt = setopt_handler;

    strcpy(g_ctl.ctl_name, "kext_control_name");
    g_ctl.ctl_unit = 0;

    return ctl_register(&g_ctl, &g_ctl_ref);
}

static errno_t connect_handler(kern_ctl_ref ctlref, struct sockaddr_ctl *sac, void **unitinfo)
{
    gDriver = new com_my_driver;
    gDriver->init();
    // just my pattern, if your driver class has connect method..
    return gDriver->connect(ctlref, sac, unitinfo);
}

static errno_t disconnect_handler(kern_ctl_ref ctlref, unsigned int unit, void *unitinfo)
{
    // just my patter, if your class has disconnect method.
    gDriver->disconnect(ctlref, unit, unitinfo);
    gDriver->release();

    return 0;
}
...
// other handlers...
extern "C" kern_return_t com_my_driver_start(kmod_info_t * ki, void *d)
{
    setup();
}
//

The official description of kernel controls are: https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/NKEConceptual/control/control.html

kuro
  • 1
  • 3