
I am trying to hook the `sys_wait4` system call, and every time I run `rmmod` on the module the kernel crashes.

This is my code.

/*
 * Type of a syscall entry as this module calls it: the handler receives the
 * saved user registers (presumably the CONFIG_ARCH_HAS_SYSCALL_WRAPPER
 * convention on x86 — verify against the target kernel).
 */
typedef asmlinkage long (*sys)(struct pt_regs *);

/* Resolved at init time; written only with CR0.WP temporarily cleared. */
void **sys_call_table;

/* The original __NR_wait4 entry, kept so the hook can chain to it and restore it. */
sys wait_dos;

// Hook installed in place of the original sys_wait4 entry
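/*
 * Replacement for the __NR_wait4 table entry: logs, then chains to the saved
 * original handler.
 *
 * @param param  saved register state passed by the syscall entry code
 * @return       whatever the original sys_wait4 handler returns
 *
 * Note that wait_dos() blocks until a child changes state, so a task can sit
 * inside this function for an arbitrarily long time. If the module is
 * unloaded meanwhile, the return from wait_dos() lands in freed module text —
 * that is the rmmod crash. Nothing in this function can prevent that.
 */
asmlinkage long hooked_wait(struct pt_regs *param)
{
  /* Explicit log level: the original printk had none and fell back to the
   * default. wait4 is a hot syscall, so expect this line to be noisy. */
  printk(KERN_INFO "hello world\n");
  return wait_dos(param);
}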
// Module init: install the hook
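/*
 * Module init: resolve sys_call_table and point __NR_wait4 at hooked_wait.
 *
 * @return 0 on success, -ENOENT if sys_call_table cannot be resolved.
 *
 * The table is written with CR0.WP cleared so the read-only page can be
 * patched. NOTE(review): CR0 is per-CPU, so a migration between the two
 * write_cr0() calls would leave WP set on the new CPU — disabling preemption
 * around the write is the usual precaution; also, newer kernels refuse to
 * clear WP via write_cr0() and no longer export kallsyms_lookup_name(), so
 * this approach is limited to older kernels — confirm on the target.
 */
static int lkm_example_init(void)
{
  const unsigned long cr0_wp = 0x10000UL; /* CR0.WP: write-protect in ring 0 */

  sys_call_table = (void **)kallsyms_lookup_name("sys_call_table");
  /* The original dereferenced the result unconditionally; a NULL here
   * (symbol hidden or not exported) would oops instead of failing insmod. */
  if (!sys_call_table) {
    printk(KERN_ERR "lkm_example: sys_call_table not found\n");
    return -ENOENT;
  }

  write_cr0(read_cr0() & ~cr0_wp);
  wait_dos = sys_call_table[__NR_wait4];
  sys_call_table[__NR_wait4] = hooked_wait;
  write_cr0(read_cr0() | cr0_wp);
  return 0;
}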
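/*
 * Module exit: put the saved __NR_wait4 entry back.
 *
 * Caveat, and the cause of the rmmod crash: restoring the table entry does
 * not wait for tasks already inside hooked_wait(). wait4 blocks, so a task
 * sleeping in wait_dos() returns into hooked_wait() after this module's text
 * has been freed. There is no kernel API that makes unloading a module that
 * replaced a syscall entry safe; delaying the unload after the restore only
 * narrows the window.
 */
static void lkm_example_exit(void)
{
  const unsigned long cr0_wp = 0x10000UL; /* CR0.WP: write-protect in ring 0 */

  /* Nothing to undo if the table was never resolved or no entry was saved. */
  if (!sys_call_table || !wait_dos)
    return;

  write_cr0(read_cr0() & ~cr0_wp);
  sys_call_table[__NR_wait4] = wait_dos;
  write_cr0(read_cr0() | cr0_wp);
}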
module_init(lkm_example_init);  /* runs on insmod */
module_exit(lkm_example_exit);  /* runs on rmmod */
/* GPL tag: presumably required because kallsyms_lookup_name is a GPL-only
 * export on the kernels where it is exported at all — verify on the target. */
MODULE_LICENSE("GPL"); 
    Probably some other process is executing the `wait4` syscall while your module is unloading. Because unloading your module makes the `hooked_wait` function inaccessible, that concurrent process crashes. Note that there is no safe mechanism to unload a module that has replaced a syscall entry. See e.g. [that question](https://stackoverflow.com/questions/44900284/race-condition-in-replace-linux-kernel-system-call) and my comment on it. – Tsyvarev Dec 20 '21 at 06:33
  • What will happen to programs that are already calling `wait` when your module unloads? What will happen to those programs when `wait_dos` returns? – user253751 Mar 21 '22 at 18:36
