The Linux Kernel Module Programming Guide is a free book; you may reproduce +
The Linux Kernel Module Programming Guide is a free book; you may reproduce and/or modify it under the terms of the Open Software License, version 3.0. -
This book is distributed in the hope it will be useful, but without any warranty, +
This book is distributed in the hope it will be useful, but without any warranty, without even the implied warranty of merchantability or fitness for a particular purpose. -
The author encourages wide distribution of this book for personal or commercial +
The author encourages wide distribution of this book for personal or commercial use, provided the above copyright notice remains intact and the method adheres to the provisions of the Open Software License. In summary, you may copy and distribute this book free of charge or for a profit. No explicit permission is required from the author for reproduction of this book in any medium, physical or electronic. -
Derivative works and translations of this document must be placed under the +
Derivative works and translations of this document must be placed under the Open Software License, and the original copyright notice must remain intact. If you have contributed new material to this book, you must make the material and source code available for your revisions. Please make revisions and updates available directly @@ -119,15 +119,15 @@ code available for your revisions. Please make revisions and updates available d to the document maintainer, Jim Huang <jserv@ccns.ncku.edu.tw>. This will allow for the merging of updates and provide consistent revisions to the Linux community. -
If you publish or distribute this book commercially, donations, royalties, and/or +
If you publish or distribute this book commercially, donations, royalties, and/or printed copies are greatly appreciated by the author and the Linux Documentation Project (LDP). Contributing in this way shows your support for free software and the LDP. If you have questions or comments, please contact the address above. -
+
The Linux Kernel Module Programming Guide was originally written for the 2.2 +
The Linux Kernel Module Programming Guide was originally written for the 2.2 kernels by Ori Pomerantz. Eventually, Ori no longer had time to maintain the document. After all, the Linux kernel is a fast moving target. Peter Jay Salzman took over maintenance and updated it for the 2.4 kernels. Eventually, Peter no longer had @@ -135,13 +135,13 @@ time to follow developments with the 2.6 kernel, so Michael Burian became a co-maintainer to update the document for the 2.6 kernels. Bob Mottram updated the examples for 3.8+ kernels. Jim Huang upgraded to recent kernel versions (v5.x) and revised the LaTeX document. -
+
The following people have contributed corrections or good suggestions: +
The following people have contributed corrections or good suggestions:
+
2011eric, 25077667, Arush Sharma, asas1asas200, Benno Bielmeier, Brad Baker, ccs100203, Chih-Yu Chen, ChinYikMing, Cyril Brulebois, Daniele Paolo Scarpazza, David Porter, demonsome, Dimo Velev, Ekang Monyet, @@ -149,17 +149,17 @@ fennecJ, Francois Audeon, gagachang, Gilad Reti, Horst Schirmeier, Hsin-Hsiang Peng, Ignacio Martin, JianXing Wu, linD026, Marconi Jiang, RinHizakura, Roman Lakeev, Stacy Prowell, Tucker Polomik, VxTeemo, Wei-Lun Tsai, xatier, Ylowy.
+
So, you want to write a kernel module. You know C, you have written a few normal +
So, you want to write a kernel module. You know C, you have written a few normal programs to run as processes, and now you want to get to where the real action is, to where a single wild pointer can wipe out your file system and a core dump means a reboot. -
What exactly is a kernel module? Modules are pieces of code that can be loaded +
What exactly is a kernel module? Modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. @@ -167,24 +167,24 @@ Without modules, we would have to build monolithic kernels and add new functionality directly into the kernel image. Besides having larger kernels, this has the disadvantage of requiring us to rebuild and reboot the kernel every time we want new functionality. -
+
Linux distributions provide the commands +
Linux distributions provide the commands
modprobe
, insmod
and depmod
within a package.
-
On Ubuntu/Debian: +
On Ubuntu/Debian:
1sudo apt-get install build-essential kmod-
On Arch Linux: +
On Arch Linux:
1sudo pacman -S gcc kmod-
+
To discover what modules are already loaded within your current kernel use the command +
To discover what modules are already loaded within your current kernel use the command
lsmod
.
Modules are stored within the file /proc/modules, so you can also see them with: +
Modules are stored within the file /proc/modules, so you can also see them with:
1sudo cat /proc/modules-
This can be a long list, and you might prefer to search for something particular. +
This can be a long list, and you might prefer to search for something particular. To search for the fat module:
1sudo lsmod | grep fat-
+
For the purposes of following this guide you don’t necessarily need to do that. +
For the purposes of following this guide you don’t necessarily need to do that. However, it would be wise to run the examples within a test distribution running on a virtual machine in order to avoid any possibility of messing up your system. -
+
Before we delve into code, there are a few issues we need to cover. Everyone’s system +
Before we delve into code, there are a few issues we need to cover. Everyone’s system is different and everyone has their own groove. Getting your first "hello world" program to compile and load correctly can sometimes be a trick. Rest assured, after you get over the initial hurdle of doing it for the first time, it will be smooth sailing thereafter. -
+
CONFIG_MODVERSIONS
@@ -230,10 +230,10 @@ thereafter.
Using X Window System. It is highly recommended that you extract, +
Using X Window System. It is highly recommended that you extract, compile and load all the examples this guide discusses from a console. You should not be working on this stuff in X Window System. -
Modules can not print to the screen like printf()
+
Modules can not print to the screen like printf()
can, but they can log information and warnings, which ends up being
printed on your screen, but only on a console. If you insmod
a module from an xterm, the information and warnings will be logged, but
@@ -241,48 +241,48 @@ thereafter.
your journalctl
. See 4 for details. To have immediate access to this information, do all
your work from the console.
+
Before you can build anything you’ll need to install the header files for your +
Before you can build anything you’ll need to install the header files for your kernel. -
On Ubuntu/Debian: +
On Ubuntu/Debian:
1sudo apt-get update 2apt-cache search linux-headers-`uname -r`-
On Arch Linux: +
On Arch Linux:
1sudo pacman -S linux-headers-
This will tell you what kernel header files are available. Then for example: +
This will tell you what kernel header files are available. Then for example:
1sudo apt-get install kmod linux-headers-5.4.0-80-generic-
+
All the examples from this document are available within the examples +
All the examples from this document are available within the examples subdirectory. -
If there are any compile errors then you might have a more recent kernel version +
If there are any compile errors then you might have a more recent kernel version or need to install the corresponding kernel header files. -
+
+
Most people learning programming start out with some sort of "hello world" +
Most people learning programming start out with some sort of "hello world" example. I don’t know what happens to people who break with this tradition, but I think it is safer not to find out. We will start with a series of hello world programs that demonstrate the different aspects of the basics of writing a kernel module. -
Here is the simplest module possible. -
Make a test directory: +
Here is the simplest module possible. +
Make a test directory:
1mkdir -p ~/develop/kernel/hello-1 2cd ~/develop/kernel/hello-1-
Paste this into your favorite editor and save it as hello-1.c: +
Paste this into your favorite editor and save it as hello-1.c:
1/* @@ -305,7 +305,7 @@ module. 18} 19 20MODULE_LICENSE("GPL");-
Now you will need a Makefile. If you copy and paste this, change the indentation +
Now you will need a Makefile. If you copy and paste this, change the indentation to use tabs, not spaces.
@@ -318,17 +318,17 @@ to use tabs, not spaces. 7 8clean: 9 make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean -
In Makefile, $(CURDIR) can set to the absolute pathname of the current working +
In Makefile, $(CURDIR) can set to the absolute pathname of the current working directory(after all -C options are processed, if any). See more about CURDIR in GNU make manual. -
And finally, just run make directly. +
And finally, just run make directly.
1make-
If there is no PWD := $(CURDIR) statement in Makefile, then it may not compile +
If there is no PWD := $(CURDIR) statement in Makefile, then it may not compile correctly with sudo make. Because some environment variables are specified by the security policy, they can’t be inherited. The default security policy is sudoers. In the sudoers security policy, env_reset is enabled by default, @@ -344,14 +344,14 @@ by: $ sudo -s # sudo -V -
-
Here is a simple Makefile as an example to demonstrate the problem mentioned +
+
Here is a simple Makefile as an example to demonstrate the problem mentioned above.
1all: 2 echo $(PWD)-
Then, we can use -p flag to print out the environment variable values from the +
Then, we can use -p flag to print out the environment variable values from the Makefile. @@ -363,8 +363,8 @@ PWD = /home/ubuntu/temp OLDPWD = /home/ubuntu echo $(PWD) -
-
The PWD variable won’t be inherited with sudo. +
+
The PWD variable won’t be inherited with sudo. @@ -373,12 +373,12 @@ OLDPWD = /home/ubuntu $ sudo make -p | grep PWD echo $(PWD) -
-
However, there are three ways to solve this problem. -
+
+
However, there are three ways to solve this problem. +
You can use the -E flag to temporarily preserve them. +
You can use the -E flag to temporarily preserve them.
1 $ sudo -E make -p | grep PWD @@ -387,7 +387,7 @@ $ sudo make -p | grep PWD 4 echo $(PWD)
You can set the env_reset disabled by editing the /etc/sudoers with +
You can set the env_reset disabled by editing the /etc/sudoers with root and visudo.
@@ -396,7 +396,7 @@ $ sudo make -p | grep PWD 3 ... 4 Defaults env_reset 5 ## Change env_reset to !env_reset in previous line to keep all environment variables -
Then execute env and sudo env individually. +
Then execute env and sudo env individually.
1 # disable the env_reset @@ -405,11 +405,11 @@ $ sudo make -p | grep PWD 4 # enable the env_reset 5 echo "user:" > env_reset.log; env >> env_reset.log 6 echo "root:" >> env_reset.log; sudo env >> env_reset.log-
You can view and compare these logs to find differences between +
You can view and compare these logs to find differences between env_reset and !env_reset.
You can preserve environment variables by appending them to env_keep +
You can preserve environment variables by appending them to env_keep in /etc/sudoers.
@@ -420,7 +420,7 @@ $ sudo make -p | grep PWD 2 ## 3 ... 4 Defaults env_keep += ``ftp_proxy http_proxy https_proxy no_proxy PWD'' -
After finishing setting modification, you can check the environment variable +
After finishing setting modification, you can check the environment variable settings by: @@ -431,33 +431,33 @@ $ sudo make -p | grep PWD # sudo -V -
If all goes smoothly you should then find that you have a compiled hello-1.ko +
+If all goes smoothly you should then find that you have a compiled hello-1.ko module. You can find info on it with the command:
1modinfo hello-1.ko-
At this point the command: +
At this point the command:
1sudo lsmod | grep hello-
should return nothing. You can try loading your shiny new module with: +
should return nothing. You can try loading your shiny new module with:
1sudo insmod hello-1.ko-
The dash character will get converted to an underscore, so when you again try: +
The dash character will get converted to an underscore, so when you again try:
1sudo lsmod | grep hello-
you should now see your loaded module. It can be removed again with: +
you should now see your loaded module. It can be removed again with:
1sudo rmmod hello_1-
Notice that the dash was replaced by an underscore. To see what just happened in +
Notice that the dash was replaced by an underscore. To see what just happened in the logs:
1sudo journalctl --since "1 hour ago" | grep kernel-
You now know the basics of creating, compiling, installing and removing modules. +
You now know the basics of creating, compiling, installing and removing modules. Now for more of a description of how this module works. -
Kernel modules must have at least two functions: a "start" (initialization) function +
Kernel modules must have at least two functions: a "start" (initialization) function
called init_module()
which is called when the module is insmod
ed into the kernel, and an "end" (cleanup) function called
@@ -469,18 +469,18 @@ In fact, the new method is the preferred method. However, many people still use
init_module()
and cleanup_module()
for their start and end functions.
-
Typically, init_module()
+
Typically, init_module()
either registers a handler for something with the kernel, or it replaces one of the kernel
functions with its own code (usually code to do something and then call the original function).
The cleanup_module()
function is supposed to undo whatever
init_module()
did, so the module can be unloaded safely.
-
Lastly, every kernel module needs to include <linux/module.h>. We +
Lastly, every kernel module needs to include <linux/module.h>. We
needed to include <linux/kernel.h> only for the macro expansion for the
pr_alert()
log level, which you’ll learn about in Section 2.
-
+
About Compiling. Kernel modules need to be compiled a bit differently +
About Compiling. Kernel modules need to be compiled a bit differently from regular userspace apps. Former kernel versions required us to care much about these settings, which are usually stored in Makefiles. Although hierarchically organized, many redundant settings accumulated @@ -512,21 +512,21 @@ needed to include Documentation/kbuild/modules.rst. -
Additional details about Makefiles for kernel modules are available in +
Additional details about Makefiles for kernel modules are available in Documentation/kbuild/makefiles.rst. Be sure to read this and the related files before starting to hack Makefiles. It will probably save you lots of work. -
+
-Here is another exercise for the reader. See that comment above +
Here is another exercise for the reader. See that comment above the return statement in
init_module()? Change the return value to something negative, recompile and load the module again. What happens?
+
In early kernel versions you had to use the +
In early kernel versions you had to use the @@ -564,7 +564,7 @@ technique: 21module_exit(hello_2_exit); 22 23MODULE_LICENSE("GPL"); -
So now we have two real kernel modules under our belt. Adding another module +
So now we have two real kernel modules under our belt. Adding another module is as simple as this:
@@ -578,7 +578,7 @@ is as simple as this: 8 9clean: 10 make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean -
Now have a look at drivers/char/Makefile for a real world example. As you can +
Now have a look at drivers/char/Makefile for a real world example. As you can see, some things get hardwired into the kernel (obj-y) but where are all those obj-m gone? Those familiar with shell scripts will easily be able to spot them. For those not, the obj-$(CONFIG_FOO) entries you see everywhere expand into obj-y or obj-m, @@ -587,17 +587,17 @@ at it, those were exactly the kind of variables that you have set in the make menuconfig or something like that. -
+
The The There is also an There is also an The The These macros are defined in include/linux/init.h and serve to free up kernel
+ These macros are defined in include/linux/init.h and serve to free up kernel
memory. When you boot your kernel and see something like Freeing unused kernel
memory: 236k freed, this is precisely what the kernel is freeing.
@@ -635,10 +635,10 @@ memory: 236k freed, this is precisely what the kernel is freeing.
22module_exit(hello_3_exit);
23
24MODULE_LICENSE("GPL");
-
+
Honestly, who loads or even cares about proprietary modules? If you do then you
+ Honestly, who loads or even cares about proprietary modules? If you do then you
might have seen something like this:
@@ -649,12 +649,12 @@ $ sudo insmod xxxxxx.ko
loading out-of-tree module taints kernel.
module license 'unspecified' taints kernel.
-
- You can use a few macros to indicate the license for your module. Some examples
+
+ You can use a few macros to indicate the license for your module. Some examples
are "GPL", "GPL v2", "GPL and additional rights", "Dual BSD/GPL", "Dual
MIT/GPL", "Dual MPL/GPL" and "Proprietary". They are defined within
include/linux/module.h.
- To reference what license you’re using a macro is available called
+ To reference what license you’re using a macro is available called
+
Modules can take command line arguments, but not with the argc/argv you might be
+ Modules can take command line arguments, but not with the argc/argv you might be
used to.
- To allow arguments to be passed to your module, declare the variables that will
+ To allow arguments to be passed to your module, declare the variables that will
take the values of the command line arguments as global and then use the
__init
+. The variable declarations and macros should be placed at the beginning of the
module for clarity. The example code should clear up my admittedly lousy
explanation.
- __init
macro causes the init function to be discarded and its memory freed once the init
function finishes for built-in drivers, but not loadable modules. If you think about
when the init function is invoked, this makes perfect sense.
- __initdata
+ __initdata
which works similarly to __init
but for init variables rather than functions.
- __exit
+ __exit
macro causes the omission of the function when the module is built into the kernel, and
like __init
, has no effect for loadable modules. Again, if you consider when the cleanup function
@@ -606,7 +606,7 @@ while loadable modules do.
-4.4 Licensing and Module Documentation
- MODULE_LICENSE
. This and a few other macros describing the module are illustrated in the below
example.
@@ -684,12 +684,12 @@ example.
22
23module_init(init_hello_4);
24module_exit(cleanup_hello_4);
-4.5 Passing Command Line Arguments to a Module
- module_param()
macro, (defined in include/linux/moduleparam.h) to set the mechanism up. At runtime,
@@ -699,7 +699,7 @@ take the values of the command line arguments as global and then use the
The module_param()
+
The module_param()
macro takes 3 arguments: the name of the variable, its type and
permissions for the corresponding file in sysfs. Integer types can be signed
as usual or unsigned. If you’d like to use arrays of integers or strings see
@@ -713,7 +713,7 @@ as usual or unsigned. If you’d like to use arrays of integers or strings see
1int myint = 3; 2module_param(myint, int, 0);-
Arrays are supported too, but things are a bit different now than they were in the +
Arrays are supported too, but things are a bit different now than they were in the
olden days. To keep track of the number of parameters you need to pass a pointer to
a count variable as third parameter. At your option, you could also ignore the count and
pass A good use for this is to have the module variable’s default values set, like an port
+ A good use for this is to have the module variable’s default values set, like an port
or IO address. If the variables contain the default values, then perform autodetection
(explained elsewhere). Otherwise, keep the current value. This will be made clear
later on.
- Lastly, there is a macro function, Lastly, there is a macro function,
@@ -802,7 +802,7 @@ parameters: a variable name and a free form string describing that variable.
65
66module_init(hello_5_init);
67module_exit(hello_5_exit);
- I would recommend playing around with this code:
+ I would recommend playing around with this code:
@@ -839,13 +839,13 @@ Goodbye, world 5
$ sudo insmod hello-5.ko mylong=hello
insmod: ERROR: could not insert module hello-5.ko: Invalid parameters
-
-
+
+
Sometimes it makes sense to divide a kernel module between several source
+ Sometimes it makes sense to divide a kernel module between several source
files.
- Here is an example of such a kernel module.
+ Here is an example of such a kernel module.
The next file:
+ The next file:
And finally, the makefile:
+ And finally, the makefile:
This is the complete makefile for all the examples we have seen so far. The first
+ This is the complete makefile for all the examples we have seen so far. The first
five lines are nothing special, but for the last example we will need two lines.
First we invent an object name for our combined module, second we tell
+
Obviously, we strongly suggest you to recompile your kernel, so that you can enable
+ Obviously, we strongly suggest you to recompile your kernel, so that you can enable
a number of useful debugging features, such as forced module unloading
( There are a number of cases in which you may want to load your module into a
+ There are a number of cases in which you may want to load your module into a
precompiled running kernel, such as the ones shipped with common Linux
distributions, or a kernel you have compiled in the past. In certain circumstances you
could require to compile and insert a module into a running kernel which you are not
@@ -923,7 +923,7 @@ allowed to recompile, or on a machine that you prefer not to reboot. If you
can’t think of a case that will force you to use modules for a precompiled
kernel you might want to skip this and treat the rest of this chapter as a big
footnote.
- Now, if you just install a kernel source tree, use it to compile your kernel module
+ Now, if you just install a kernel source tree, use it to compile your kernel module
and you try to insert your module into the kernel, in most cases you would obtain an
error as follows:
@@ -933,8 +933,8 @@ error as follows:
- Less cryptic information is logged to the systemd journal:
+
+ Less cryptic information is logged to the systemd journal:
@@ -942,8 +942,8 @@ insmod: ERROR: could not insert module poet.ko: Invalid module format
- In other words, your kernel refuses to accept your module because version strings
+
+ In other words, your kernel refuses to accept your module because version strings
(more precisely, version magic, see include/linux/vermagic.h) do not match. Incidentally,
version magic strings are stored in the module object in the form of a static string, starting
with
- To overcome this problem we could resort to the --force-vermagic option,
+
+ To overcome this problem we could resort to the --force-vermagic option,
but this solution is potentially unsafe, and unquestionably unacceptable
in production modules. Consequently, we want to compile our module in
an environment which was identical to the one in which our precompiled
kernel was built. How to do this, is the subject of the remainder of this
chapter.
- First of all, make sure that a kernel source tree is available, having exactly the same
+ First of all, make sure that a kernel source tree is available, having exactly the same
version as your current kernel. Then, find the configuration file which was used to
compile your precompiled kernel. Usually, this is available in your current boot directory,
under a name like config-5.14.x. You may just want to copy it to your kernel source
tree: Let’s focus again on the previous error message: a closer look at the version magic
+ Let’s focus again on the previous error message: a closer look at the version magic
strings suggests that, even with two configuration files which are exactly the same, a
slight difference in the version magic could be possible, and it is sufficient to prevent
insertion of the module into the kernel. That slight difference, namely the
@@ -999,16 +999,16 @@ PATCHLEVEL = 14
SUBLEVEL = 0
EXTRAVERSION = -rc2
-
- In this case, you need to restore the value of symbol EXTRAVERSION to
+
+ In this case, you need to restore the value of symbol EXTRAVERSION to
-rc2. We suggest to keep a backup copy of the makefile used to compile your kernel
available in /lib/modules/5.14.0-rc2/build. A simple command as following
should suffice.
Here Here Now, please run Now, please run
- If you do not desire to actually compile the kernel, you can interrupt the build
+
+ If you do not desire to actually compile the kernel, you can interrupt the build
process (CTRL-C) just after the SPLIT line, because at that time, the files you need
are ready. Now you can turn back to the directory of your module and compile it: It
will be built exactly according to your current kernel settings, and it will load into it
without any errors.
-
+
+
A program usually begins with a A program usually begins with a All modules end by calling either All modules end by calling either Every module must have an entry function and an exit function. Since there’s
+ Every module must have an entry function and an exit function. Since there’s
more than one way to specify entry and exit functions, I will try my best to use the
terms “entry function” and “exit function”, but if I slip and simply refer to them as
+
Programmers use functions they do not define all the time. A prime example of this
+ Programmers use functions they do not define all the time. A prime example of this
is Kernel modules are different here, too. In the hello world
+ Kernel modules are different here, too. In the hello world
example, you might have noticed that we used a function,
One point to keep in mind is the difference between library functions and system
+ One point to keep in mind is the difference between library functions and system
calls. Library functions are higher level, run completely in user space and
provide a more convenient interface for the programmer to the functions
that do the real work — system calls. System calls run in kernel mode on
@@ -1095,7 +1095,7 @@ the user’s behalf and are provided by the kernel itself. The library function
data into strings and write the string data using the low-level system call
Would you like to see what system calls are made by
+ Would you like to see what system calls are made by
with with You can even write modules to replace the kernel’s system calls, which we will do
+ You can even write modules to replace the kernel’s system calls, which we will do
shortly. Crackers often make use of this sort of thing for backdoors or trojans, but
you can write your own modules to do more benign things, like have the kernel
write Tee hee, that tickles! every time someone tries to delete a file on your
system.
-
+
A kernel is all about access to resources, whether the resource in question happens to
+ A kernel is all about access to resources, whether the resource in question happens to
be a video card, a hard drive or even memory. Programs often compete for the same
resource. As I just saved this document, updatedb started updating the locate
database. My vim session and updatedb are both using the hard drive concurrently.
@@ -1152,16 +1152,16 @@ mode”.
- Recall the discussion about library functions vs system calls. Typically, you use a
+ Recall the discussion about library functions vs system calls. Typically, you use a
library function in user mode. The library function calls one or more system calls,
and these system calls execute on the library function’s behalf, but do so in
supervisor mode since they are part of the kernel itself. Once the system call
completes its task, it returns and execution gets transfered back to user
mode.
-
+
When you write a small C program, you use variables which are convenient and make
+ When you write a small C program, you use variables which are convenient and make
sense to the reader. If, on the other hand, you are writing routines which will be part
of a bigger problem, any global variables you have are part of a community of other
peoples’ global variables; some of the variable names can clash. When a program has
@@ -1169,24 +1169,24 @@ lots of global variables which aren’t meaningful enough to be distinguished, y
namespace pollution. In large projects, effort must be made to remember reserved
names, and to find ways to develop a scheme for naming unique variable names and
symbols.
- When writing kernel code, even the smallest module will be linked against the
+ When writing kernel code, even the smallest module will be linked against the
entire kernel, so this is definitely an issue. The best way to deal with this is to declare
all your variables as static and to use a well-defined prefix for your symbols. By
convention, all kernel prefixes are lowercase. If you do not want to declare everything
as static, another option is to declare a symbol table and register it with the kernel.
We will get to this later.
- The file /proc/kallsyms holds all the symbols that the kernel knows about and
+ The file /proc/kallsyms holds all the symbols that the kernel knows about and
which are therefore accessible to your modules since they share the kernel’s
codespace.
-
+
Memory management is a very complicated subject and the majority of O’Reilly’s
+ Memory management is a very complicated subject and the majority of O’Reilly’s
Understanding The Linux Kernel exclusively covers memory management!
We are not setting out to be experts on memory managements, but we do
need to know a couple of facts to even begin worrying about writing real
modules.
- If you have not thought about what a segfault really means, you may be surprised
+ If you have not thought about what a segfault really means, you may be surprised
to hear that pointers do not actually point to memory locations. Not real
ones, anyway. When a process is created, the kernel sets aside a portion of
real physical memory and hands it to the process to use for its executing
@@ -1203,23 +1203,23 @@ offset into the region of memory set aside for that particular process. For
the most part, a process like our Hello, World program can’t access the
space of another process, although there are ways which we will talk about
later.
- The kernel has its own space of memory as well. Since a module is code which
+ The kernel has its own space of memory as well. Since a module is code which
can be dynamically inserted and removed in the kernel (as opposed to a
semi-autonomous object), it shares the kernel’s codespace rather than having its own.
Therefore, if your module segfaults, the kernel segfaults. And if you start writing
over data because of an off-by-one error, then you’re trampling on kernel
data (or code). This is even worse than it sounds, so try your best to be
careful.
- By the way, I would like to point out that the above discussion is true for any
+ By the way, I would like to point out that the above discussion is true for any
operating system which uses a monolithic kernel. This is not quite the same thing as
"building all your modules into the kernel", although the idea is the same. There are
things called microkernels which have modules which get their own codespace. The
GNU Hurd and the Zircon kernel of Google Fuchsia are two examples of a
microkernel.
-
+
One class of module is the device driver, which provides functionality for hardware
+ One class of module is the device driver, which provides functionality for hardware
like a serial port. On Unix, each piece of hardware is represented by a file located in
/dev named a device file which provides the means to communicate with the
hardware. The device driver provides the communication on behalf of a
@@ -1227,7 +1227,7 @@ user program. So the es1370.ko sound card device driver might connect the
/dev/sound device file to the Ensoniq IS1370 sound card. A userspace program like
mp3blaster can use /dev/sound without ever knowing what kind of sound card is
installed.
- Let’s look at some device files. Here are device files which represent the first three
+ Let’s look at some device files. Here are device files which represent the first three
partitions on the primary master IDE hard drive:
@@ -1239,18 +1239,18 @@ brw-rw---- 1 root disk 3, 1 Jul 5 2000 /dev/hda1
brw-rw---- 1 root disk 3, 2 Jul 5 2000 /dev/hda2
brw-rw---- 1 root disk 3, 3 Jul 5 2000 /dev/hda3
-
- Notice the column of numbers separated by a comma. The first number is called
+
+ Notice the column of numbers separated by a comma. The first number is called
the device’s major number. The second number is the minor number. The major
number tells you which driver is used to access the hardware. Each driver is assigned
a unique major number; all device files with the same major number are controlled
by the same driver. All the above major numbers are 3, because they’re all controlled
by the same driver.
- The minor number is used by the driver to distinguish between the various
+ The minor number is used by the driver to distinguish between the various
hardware it controls. Returning to the example above, although all three devices are
handled by the same driver they have unique minor numbers because the driver sees
them as being different pieces of hardware.
- Devices are divided into two types: character devices and block devices. The
+ Devices are divided into two types: character devices and block devices. The
difference is that block devices have a buffer for requests, so they can choose the best
order in which to respond to the requests. This is important in the case of storage
devices, where it is faster to read or write sectors which are close to each
@@ -1275,10 +1275,10 @@ crw-r----- 1 root dial 4, 65 Nov 17 10:26 /dev/ttyS1
crw-rw---- 1 root dial 4, 66 Jul 5 2000 /dev/ttyS2
crw-rw---- 1 root dial 4, 67 Jul 5 2000 /dev/ttyS3
-
- If you want to see which major numbers have been assigned, you can look at
+
+ If you want to see which major numbers have been assigned, you can look at
Documentation/admin-guide/devices.txt.
- When the system was installed, all of those device files were created by the
+ When the system was installed, all of those device files were created by the
I would like to make a few last points which are implicit from the above
+ I would like to make a few last points which are implicit from the above
discussion, but I would like to make them explicit just in case. When a device file is
accessed, the kernel uses the major number of the file to determine which driver
should be used to handle the access. This means that the kernel doesn’t really need
to use or even know about the minor number. The driver itself is the only thing that
cares about the minor number. It uses the minor number to distinguish between
different pieces of hardware.
- By the way, when I say "hardware", I mean something a bit more abstract
+ By the way, when I say "hardware", I mean something a bit more abstract
than a PCI card that you can hold in your hand. Look at these two device
files:
@@ -1306,24 +1306,24 @@ $ ls -l /dev/sda /dev/sdb
brw-rw---- 1 root disk 8, 0 Jan 3 09:02 /dev/sda
brw-rw---- 1 root disk 8, 16 Jan 3 09:02 /dev/sdb
-
- By now you can look at these two device files and know instantly that they are
+
+ By now you can look at these two device files and know instantly that they are
block devices and are handled by same driver (block major 8). Sometimes two device
files with the same major but different minor number can actually represent the same
piece of physical hardware. So just be aware that the word “hardware” in our
discussion can mean something very abstract.
-
+
+
The The For example, every character driver needs to define a function that reads from the
+ For example, every character driver needs to define a function that reads from the
device. The Some operations are not implemented by a driver. For example, a driver that handles
+ Some operations are not implemented by a driver. For example, a driver that handles
a video card will not need to read from a directory structure. The corresponding entries
in the There is a gcc extension that makes assigning to this structure more convenient.
+ There is a gcc extension that makes assigning to this structure more convenient.
You will see it in modern drivers, and may catch you by surprise. This is what the
new way of assigning to the structure looks like:
@@ -1386,7 +1386,7 @@ new way of assigning to the structure looks like:
4 open: device_open,
5 release: device_release
6};
- However, there is also a C99 way of assigning to elements of a structure,
+ However, there is also a C99 way of assigning to elements of a structure,
designated initializers, and this is definitely preferred over using the GNU extension.
You should use this syntax in case someone wants to port your driver. It will help
with compatibility:
@@ -1398,30 +1398,30 @@ with compatibility:
4 .open = device_open,
5 .release = device_release
6};
- The meaning is clear, and you should be aware that any member of
+ The meaning is clear, and you should be aware that any member of
the structure which you do not explicitly assign will be initialized to
An instance of An instance of Since Linux v3.14, the read, write and seek operations are guaranteed for thread-safe by
+ Since Linux v3.14, the read, write and seek operations are guaranteed for thread-safe by
using the Since Linux v5.6, the Since Linux v5.6, the
+
Each device is represented in the kernel by a file structure, which is defined
+ Each device is represented in the kernel by a file structure, which is defined
in include/linux/fs.h. Be aware that a file is a kernel level structure and
never appears in a user space program. It is not the same thing as a
An instance of struct file is commonly named
+ An instance of struct file is commonly named
Go ahead and look at the definition of file. Most of the entries you see, like struct
+ Go ahead and look at the definition of file. Most of the entries you see, like struct
dentry are not used by device drivers, and you can ignore them. This is because
drivers do not fill file directly; they only use structures contained in file which are
created elsewhere.
-
+
As discussed earlier, char devices are accessed through device files, usually located in
+ As discussed earlier, char devices are accessed through device files, usually located in
/dev. This is by convention. When writing a driver, it is OK to put the
device file in your current directory. Just make sure you place it in /dev for a
production driver. The major number tells you which driver handles which
device file. The minor number is used only by the driver itself to differentiate
which device it is operating on, just in case the driver handles more than one
device.
- Adding a driver to your system means registering it with the kernel. This is synonymous
+ Adding a driver to your system means registering it with the kernel. This is synonymous
with assigning it a major number during the module’s initialization. You do this by
using the
Where unsigned int major is the major number you want to request,
+ Where unsigned int major is the major number you want to request,
Now the question is, how do you get a major number without hijacking
+ Now the question is, how do you get a major number without hijacking
one that’s already in use? The easiest way would be to look through
Documentation/admin-guide/devices.txt and pick an unused one. That is a bad way
of doing things because you will never be sure if the number you picked will be
assigned later. The answer is that you can ask the kernel to assign you a dynamic
major number.
- If you pass a major number of 0 to If you pass a major number of 0 to However, However, The newer interface completes the char device registration in two distinct steps.
+ The newer interface completes the char device registration in two distinct steps.
First, we should register a range of device numbers, which can be completed with
The choose of two different functions depend on whether you know the major numbers for your
+ The choose of two different functions depend on whether you know the major numbers for your
device. Using Second, we should initialize the data structure
+ Second, we should initialize the data structure
However, the common usage pattern will embed the
+ However, the common usage pattern will embed the
Once we finish the initialization, we can add the char device to the system by using
+ Once we finish the initialization, we can add the char device to the system by using
the
To find a example using the interface, you can see ioctl.c described in section
+ To find a example using the interface, you can see ioctl.c described in section
9.
-
+
We can not allow the kernel module to be
+ We can not allow the kernel module to be
Normally, when you do not want to allow something, you return an error code
+ Normally, when you do not want to allow something, you return an error code
(a negative number) from the function which is supposed to do it. With
It is important to keep the counter accurate; if you ever do lose track of the
+ It is important to keep the counter accurate; if you ever do lose track of the
correct usage count, you will never be able to unload the module; it’s now reboot
time, boys and girls. This is bound to happen to you sooner or later during a
module’s development.
-
+
The next code sample creates a char driver named chardev. You can dump its device
+ The next code sample creates a char driver named chardev. You can dump its device
file.
(or open the file with a program) and the driver will put the number of times the
+ (or open the file with a program) and the driver will put the number of times the
device file has been read from into the file. We do not support writing to the file (like
In the multiple-threaded environment, without any protection, concurrent access
+ In the multiple-threaded environment, without any protection, concurrent access
to the same memory may lead to the race condition, and will not preserve the
performance. In the kernel module, this problem may happen due to multiple
instances accessing the shared resources. Therefore, a solution is to enforce the
@@ -1768,32 +1768,32 @@ concurrency details in the 12
+
The system calls, which are the major interface the kernel shows to the processes,
+ The system calls, which are the major interface the kernel shows to the processes,
generally stay the same across versions. A new system call may be added, but
usually the old ones will behave exactly like they used to. This is necessary for
backward compatibility – a new kernel version is not supposed to break regular
processes. In most cases, the device files will also remain the same. On the other
hand, the internal interfaces within the kernel can and do change between
versions.
- There are differences between different kernel versions, and if you want
+ There are differences between different kernel versions, and if you want
to support multiple kernel versions, you will find yourself having to code
conditional compilation directives. The way to do this to compare the macro
+
In Linux, there is an additional mechanism for the kernel and kernel modules to send
+ In Linux, there is an additional mechanism for the kernel and kernel modules to send
information to processes — the /proc file system. Originally designed to allow easy
access to information about processes (hence the name), it is now used by every bit
of the kernel which has something interesting to report, such as /proc/modules
which provides the list of modules and /proc/meminfo which gathers memory usage
statistics.
- The method to use the proc file system is very similar to the one used with device
+ The method to use the proc file system is very similar to the one used with device
drivers — a structure is created with all the information needed for the /proc file,
including pointers to any handler functions (in our case there is only one, the
one called when somebody attempts to read from the /proc file). Then,
@@ -1804,18 +1804,18 @@ one called when somebody attempts to read from the Normal file systems are located on a disk, rather than just in memory (which is
+ Normal file systems are located on a disk, rather than just in memory (which is
where /proc is), and in that case the index-node (inode for short) number
is a pointer to a disk location where the file’s inode is located. The inode
contains information about the file, for example the file’s permissions, together
with a pointer to the disk location or locations where the file’s data can be
found.
- Because we don’t get called when the file is opened or closed, there’s nowhere for
+ Because we don’t get called when the file is opened or closed, there’s nowhere for
us to put Here a simple example showing how to use a /proc file. This is the HelloWorld for
+ Here a simple example showing how to use a /proc file. This is the HelloWorld for
the /proc filesystem. There are three parts: create the file /proc/helloworld in the
function The /proc/helloworld is created when the module is loaded with the function
+ The /proc/helloworld is created when the module is loaded with the function
Every time the file /proc/helloworld is read, the function
+ Every time the file /proc/helloworld is read, the function
+
+
The The
+
We have seen a very simple example for a /proc file where we only read
+ We have seen a very simple example for a /proc file where we only read
the file /proc/helloworld. It is also possible to write in a /proc file. It
works the same way as read, a function is called when the /proc file
is written. But there is a little difference with read, data comes from
@@ -1943,7 +1943,7 @@ user, so you have to import data from user space to kernel space (with
The reason for The reason for The only memory segment accessible to a process is its own, so when
+ The only memory segment accessible to a process is its own, so when
writing regular programs to run as processes, there is no need to worry about
segments. When you write a kernel module, normally you want to access
the kernel memory segment, which is handled automatically by the system.
@@ -2069,22 +2069,22 @@ because data is already in kernel space.
95module_exit(procfs2_exit);
96
97MODULE_LICENSE("GPL");
-
+
We have seen how to read and write a /proc file with the /proc interface. But it is
+ We have seen how to read and write a /proc file with the /proc interface. But it is
also possible to manage /proc file with inodes. The main concern is to use advanced
functions, like permissions.
- In Linux, there is a standard mechanism for file system registration.
+ In Linux, there is a standard mechanism for file system registration.
Since every file system has to have its own functions to handle inode and file
operations, there is a special structure to hold pointers to all those functions,
The difference between file and inode operations is that file operations deal with
+ The difference between file and inode operations is that file operations deal with
the file itself whereas inode operations deal with ways of referencing the file, such as
creating links to it.
- In /proc, whenever we register a new file, we’re allowed to specify which
+ In /proc, whenever we register a new file, we’re allowed to specify which
Another interesting point here is the
+ Another interesting point here is the
It is important to note that the standard roles of read and write are reversed in
+ It is important to note that the standard roles of read and write are reversed in
the kernel. Read functions are used for output, whereas write functions are used for
input. The reason for that is that read and write refer to the user’s point of view — if
a process reads something from the kernel, then the kernel needs to output it, and
@@ -2219,14 +2219,14 @@ input.
105module_exit(procfs3_exit);
106
107MODULE_LICENSE("GPL");
- Still hungry for procfs examples? Well, first of all keep in mind, there are rumors
+ Still hungry for procfs examples? Well, first of all keep in mind, there are rumors
around, claiming that procfs is on its way out, consider using sysfs instead. Consider
using this mechanism, in case you want to document something kernel related
yourself.
-
+
As we have seen, writing a /proc file may be quite “complex”.
+ As we have seen, writing a /proc file may be quite “complex”.
So to help people writting /proc file, there is an API named
A sequence begins with the call of the function
+ A sequence begins with the call of the function
BE CAREFUL: when a sequence is finished, another one starts. That means that at the end
+ BE CAREFUL: when a sequence is finished, another one starts. That means that at the end
of function The The If you want more information, you can read this web page:
+ If you want more information, you can read this web page:
You can also read the code of fs/seq_file.c in the linux kernel.
+ You can also read the code of fs/seq_file.c in the linux kernel.
sysfs allows you to interact with the running kernel from userspace by reading or
+ sysfs allows you to interact with the running kernel from userspace by reading or
setting variables inside of modules. This can be useful for debugging purposes, or just
as an interface for applications or scripts. You can find sysfs directories and files
under the /sys directory on your system.
An example of a hello world module which includes the creation of a variable
+ An example of a hello world module which includes the creation of a variable
accessible via sysfs is given below.
Make and install the module:
+ Make and install the module:
Check that it exists:
+ Check that it exists:
What is the current value of What is the current value of
Set the value of Set the value of
Finally, remove the test module:
+ Finally, remove the test module:
+
Device files are supposed to represent physical devices. Most physical devices are
+ Device files are supposed to represent physical devices. Most physical devices are
used for output as well as input, so there has to be some mechanism for
device drivers in the kernel to get the output to send to the device from
processes. This is done by opening the device file for output and writing to it,
just like writing to a file. In the following example, this is implemented by
This is not always enough. Imagine you had a serial port connected to a modem
+ This is not always enough. Imagine you had a serial port connected to a modem
(even if you have an internal modem, it is still implemented from the CPU’s
perspective as a serial port connected to a modem, so you don’t have to tax
your imagination too hard). The natural thing to do would be to use the
@@ -2532,7 +2532,7 @@ received.
- The answer in Unix is to use a special function called
+ The answer in Unix is to use a special function called
The ioctl function is called with three parameters: the file descriptor of the
+ The ioctl function is called with three parameters: the file descriptor of the
appropriate device file, the ioctl number, and a parameter, which is of type
long so you can use a cast to use it to pass anything. You will not be able
to pass a structure this way, but you will be able to pass a pointer to the
structure.
- The ioctl number encodes the major device number, the type of the ioctl, the
+ The ioctl number encodes the major device number, the type of the ioctl, the
command, and the type of the parameter. This ioctl number is usually created by a macro
call ( If you want to use ioctls in your own kernel modules, it is best to receive an
+ If you want to use ioctls in your own kernel modules, it is best to receive an
official ioctl assignment, so if you accidentally get somebody else’s ioctls, or if they
get yours, you’ll know something is wrong. For more information, consult the kernel
source tree at Documentation/userspace-api/ioctl/ioctl-number.rst.
- Also, we need to be careful that concurrent access to the shared resources will
+ Also, we need to be careful that concurrent access to the shared resources will
lead to the race condition. The solution is using atomic Compare-And-Swap (CAS),
which we mentioned at 6.5 section, to enforce the exclusive access.
@@ -3039,15 +3039,15 @@ which we mentioned at 6.5
-
+
So far, the only thing we’ve done was to use well defined kernel mechanisms to
+ So far, the only thing we’ve done was to use well defined kernel mechanisms to
register /proc files and device handlers. This is fine if you want to do something the
kernel programmers thought you’d want, such as write a device driver. But what if
you want to do something unusual, to change the behavior of the system in some
way? Then, you are mostly on your own.
- If you are not being sensible and using a virtual machine then this is where kernel
+ If you are not being sensible and using a virtual machine then this is where kernel
programming can become hazardous. While writing the example below, I killed the
Forget about /proc files, forget about device files. They are just minor details.
+ Forget about /proc files, forget about device files. They are just minor details.
Minutiae in the vast expanse of the universe. The real process to kernel
communication mechanism, the one used by all processes, is system calls. When a
process requests a service from the kernel (such as opening a file, forking to a new
@@ -3068,11 +3068,11 @@ change the behaviour of the kernel in interesting ways, this is the place to do
it. By the way, if you want to see which system calls a program uses, run
In general, a process is not supposed to be able to access the kernel. It can not
+ In general, a process is not supposed to be able to access the kernel. It can not
access kernel memory and it can’t call kernel functions. The hardware of the CPU
enforces this (that is the reason why it is called “protected mode” or “page
protection”).
- System calls are an exception to this general rule. What happens is that the
+ System calls are an exception to this general rule. What happens is that the
process fills the registers with the appropriate values and then calls a special
instruction which jumps to a previously defined location in the kernel (of course, that
location is readable by user processes, it is not writable by them). Under Intel CPUs,
@@ -3080,7 +3080,7 @@ this is done by means of interrupt 0x80. The hardware knows that once you jump t
this location, you are no longer running in restricted user mode, but as the
operating system kernel — and therefore you’re allowed to do whatever you
want.
- The location in the kernel a process can jump to is called system_call. The
+ The location in the kernel a process can jump to is called system_call. The
procedure at that location checks the system call number, which tells the kernel what
service the process requested. Then, it looks at the table of system calls
( So, if we want to change the way a certain system call works, what we need to do
+ So, if we want to change the way a certain system call works, what we need to do
is to write our own function to implement it (usually by adding a bit of our own
code, and then calling the original function) and then change the pointer at
To modify the content of To modify the content of However, However, Because of the control-flow integrity, which is a technique to prevent the redirect
+ Because of the control-flow integrity, which is a technique to prevent the redirect
execution code from the attacker, for making sure that the indirect calls go to the
expected addresses and the return addresses are not changed. Since Linux v5.7, the
kernel patched the series of control-flow enforcement (CET) for x86, and some
@@ -3143,10 +3143,10 @@ COLLECT_GCC_OPTIONS='-v' '-Q' '-O2' '--help=target' '-mtune=generic' '-marc
GNU C17 (Ubuntu 9.3.0-17ubuntu1~20.04) version 9.3.0 (x86_64-linux-gnu)
...
But CET should not be enabled in the kernel, it may break the Kprobes and bpf.
+ But CET should not be enabled in the kernel, it may break the Kprobes and bpf.
Consequently, CET is disabled since v5.11. To guarantee the manual symbol lookup
worked, we only use up to v5.4.
- Unfortunately, since Linux v5.7 Unfortunately, since Linux v5.7 Otherwise, specify the address of Otherwise, specify the address of
- Using the address from /boot/System.map, be careful about KASLR (Kernel
+
+ Using the address from /boot/System.map, be careful about KASLR (Kernel
Address Space Layout Randomization). KASLR may randomize the address of
kernel code and data at every boot time, such as the static address listed in
/boot/System.map will offset by some entropy. The purpose of KASLR is to protect
@@ -3203,7 +3203,7 @@ ffffffff82000300 R sys_call_table
$ sudo grep sys_call_table /proc/kallsyms
ffffffff86400300 R sys_call_table
- If KASLR is enabled, we have to take care of the address from /proc/kallsyms each
+ If KASLR is enabled, we have to take care of the address from /proc/kallsyms each
time we reboot the machine. In order to use the address from /boot/System.map,
make sure that KASLR is disabled. You can add the nokaslr for disabling KASLR in
next booting time:
@@ -3219,8 +3219,8 @@ $ grep quiet /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet nokaslr splash"
$ sudo update-grub
-
- For more information, check out the following:
+
+ For more information, check out the following:
The source code here is an example of such a kernel module. We want to “spy” on a certain
+ The source code here is an example of such a kernel module. We want to “spy” on a certain
user, and to The The Now, if B is removed first, everything will be well — it will simply restore the system
+ Now, if B is removed first, everything will be well — it will simply restore the system
call to Note that all the related problems make syscall stealing unfeasible for
+ Note that all the related problems make syscall stealing unfeasible for
production use. In order to keep people from doing potential harmful things
+
+
What do you do when somebody asks you for something you can not do right
+ What do you do when somebody asks you for something you can not do right
away? If you are a human being and you are bothered by a human being, the
only thing you can say is: "Not right now, I’m busy. Go away!". But if you
are a kernel module and you are bothered by a process, you have another
@@ -3540,21 +3540,21 @@ possibility. You can put the process to sleep until you can service it. After al
processes are being put to sleep by the kernel and woken up all the time (that
is the way multiple processes appear to run on the same time on a single
CPU).
- This kernel module is an example of this. The file (called /proc/sleep) can only
+ This kernel module is an example of this. The file (called /proc/sleep) can only
be opened by a single process at a time. If the file is already open, the kernel module
calls
This function changes the status of the task (a task is the kernel data structure
+ This function changes the status of the task (a task is the kernel data structure
which holds information about a process and the system call it is in, if any) to
When a process is done with the file, it closes it, and
+ When a process is done with the file, it closes it, and
This means that the process is still in kernel mode - as far as the process
+ This means that the process is still in kernel mode - as far as the process
is concerned, it issued the open system call and the system call has not
returned yet. The process does not know somebody else used the CPU for
most of the time between the moment it issued the call and the moment it
returned.
- It can then proceed to set a global variable to tell all the other processes that the
+ It can then proceed to set a global variable to tell all the other processes that the
file is still open and go on with its life. When the other processes get a piece of the
CPU, they’ll see that global variable and go back to sleep.
- So we will use So we will use To make our life more interesting, To make our life more interesting, In that case, we want to return with
+ In that case, we want to return with
There is one more point to remember. Some times processes don’t want to sleep, they want
+ There is one more point to remember. Some times processes don’t want to sleep, they want
either to get what they want immediately, or to be told it cannot be done. Such processes
use the
+
+
Sometimes one thing should happen before another within a module having multiple threads.
+ Sometimes one thing should happen before another within a module having multiple threads.
Rather than using In the following example two threads are started, but one needs to start before
+ In the following example two threads are started, but one needs to start before
another.
@@ -3996,31 +3996,31 @@ another.
74
75MODULE_DESCRIPTION("Completions example");
76MODULE_LICENSE("GPL");
- The The So even though So even though There are other variations upon the
+ There are other variations upon the
+
If processes running on different CPUs or in different threads try to access the same
+ If processes running on different CPUs or in different threads try to access the same
memory, then it is possible that strange things can happen or your system can lock
up. To avoid this, various types of mutual exclusion kernel functions are available.
These indicate if a section of code is "locked" or "unlocked" so that simultaneous
attempts to run it can not happen.
You can use kernel mutexes (mutual exclusions) in much the same manner that you
+ You can use kernel mutexes (mutual exclusions) in much the same manner that you
might deploy them in userland. This may be all that is needed to avoid collisions in
most cases.
@@ -4066,10 +4066,10 @@ most cases.
39
40MODULE_DESCRIPTION("Mutex example");
41MODULE_LICENSE("GPL");
-
+
As the name suggests, spinlocks lock up the CPU that the code is running on,
+ As the name suggests, spinlocks lock up the CPU that the code is running on,
taking 100% of its resources. Because of this you should only use the spinlock
@@ -4077,7 +4077,7 @@ taking 100% of its resources. Because of this you should only use the spinlock
mechanism around code which is likely to take no more than a few milliseconds to
run and so will not noticeably slow anything down from the user’s point of
view.
- The example here is "irq safe" in that if interrupts happen during the lock then
+ The example here is "irq safe" in that if interrupts happen during the lock then
they will not be forgotten and will activate when the unlock happens, using the
+
Read and write locks are specialised kinds of spinlocks so that you can exclusively
+ Read and write locks are specialised kinds of spinlocks so that you can exclusively
read from something or write to something. Like the earlier spinlocks example, the
one below shows an "irq safe" situation in which if other functions were triggered
from irqs which might also read and write to whatever you are concerned with
@@ -4214,14 +4214,14 @@ module.
53
54MODULE_DESCRIPTION("Read/Write locks example");
55MODULE_LICENSE("GPL");
- Of course, if you know for sure that there are no functions triggered by irqs
+ Of course, if you know for sure that there are no functions triggered by irqs
which could possibly interfere with your logic then you can use the simpler
If you are doing simple arithmetic: adding, subtracting or bitwise operations, then
+ If you are doing simple arithmetic: adding, subtracting or bitwise operations, then
there is another way in the multi-CPU and multi-hyperthreaded world to stop other
parts of the system from messing with your mojo. By using atomic operations you
can be confident that your addition, subtraction or bit flip did actually happen
@@ -4306,7 +4306,7 @@ below.
- Before the C11 standard adopts the built-in atomic types, the kernel already
+ Before the C11 standard adopts the built-in atomic types, the kernel already
provided a small set of atomic types by using a bunch of tricky architecture-specific
codes. Implementing the atomic types by C11 atomics may allow the kernel to throw
away the architecture-specific codes and letting the kernel code be more friendly to
@@ -4319,21 +4319,21 @@ For further details, see:
+
+
In Section 2, I said that X Window System and kernel module programming do not
+ In Section 2, I said that X Window System and kernel module programming do not
mix. That is true for developing kernel modules. But in actual use, you want to be
able to send messages to whichever tty the command to load the module came
from.
- "tty" is an abbreviation of teletype: originally a combination keyboard-printer
+ "tty" is an abbreviation of teletype: originally a combination keyboard-printer
used to communicate with a Unix system, and today an abstraction for the text
stream used for a Unix program, whether it is a physical terminal, an xterm on an X
display, a network connection used with ssh, etc.
- The way this is done is by using current, a pointer to the currently running task,
+ The way this is done is by using current, a pointer to the currently running task,
to get the current task’s tty structure. Then, we look inside that tty structure to find
a pointer to a string write function, which we use to write a string to the
tty.
@@ -4416,16 +4416,16 @@ tty.
-
+
In certain conditions, you may desire a simpler and more direct way to communicate
+ In certain conditions, you may desire a simpler and more direct way to communicate
to the external world. Flashing keyboard LEDs can be such a solution: It is an
immediate way to attract attention or to display a status condition. Keyboard LEDs
are present on every hardware, they are always visible, they do not need any setup,
and their use is rather simple and non-intrusive, compared to writing to a tty or a
file.
- From v4.14 to v4.15, the timer API made a series of changes
+ From v4.14 to v4.15, the timer API made a series of changes
to improve memory safety. A buffer overflow in the area of a
Before Linux v4.14, Before Linux v4.14, Since Linux v4.14, Since Linux v4.14, The The The following source code illustrates a minimal kernel module which, when
+ The following source code illustrates a minimal kernel module which, when
loaded, starts blinking the keyboard LEDs until it is unloaded.
If none of the examples in this chapter fit your debugging needs,
+ If none of the examples in this chapter fit your debugging needs,
there might yet be some other tricks to try. Ever wondered what
While you have seen lots of stuff that can be used to aid debugging here, there are
+ While you have seen lots of stuff that can be used to aid debugging here, there are
some things to be aware of. Debugging is almost always intrusive. Adding debug code
can change the situation enough to make the bug seem to disappear. Thus, you
should keep debug code to a minimum and make sure it does not show up in
production code.
-
+
There are two main ways of running tasks: tasklets and work queues. Tasklets are a
+ There are two main ways of running tasks: tasklets and work queues. Tasklets are a
quick and easy way of scheduling a single function to be run. For example, when
triggered from an interrupt, whereas work queues are more complicated but also
better suited to running multiple things in a sequence.
-
+
Here is an example tasklet module. The
+ Here is an example tasklet module. The
So with this example loaded So with this example loaded Although tasklet is easy to use, it comes with several defators, and developers are
+ Although tasklet is easy to use, it comes with several defators, and developers are
discussing about getting rid of tasklet in linux kernel. The tasklet callback
runs in atomic context, inside a software interrupt, meaning that it cannot
sleep or access user-space data, so not all work can be done in a tasklet
handler. Also, the kernel only allows one instance of any given tasklet to be
running at any given time; multiple different tasklet callbacks can run in
parallel.
- In recent kernels, tasklets can be replaced by workqueues, timers, or threaded
+ In recent kernels, tasklets can be replaced by workqueues, timers, or threaded
interrupts.1
While the removal of tasklets remains a longer-term goal, the current kernel contains more
than a hundred uses of tasklets. Now developers are proceeding with the API changes and
the macro
+
To add a task to the scheduler we can use a workqueue. The kernel then uses the
+ To add a task to the scheduler we can use a workqueue. The kernel then uses the
Completely Fair Scheduler (CFS) to execute work within the queue.
+
+
Except for the last chapter, everything we did in the kernel so far we have done as a
+ Except for the last chapter, everything we did in the kernel so far we have done as a
response to a process asking for it, either by dealing with a special file, sending an
There are two types of interaction between the CPU and the rest of the
+ There are two types of interaction between the CPU and the rest of the
computer’s hardware. The first type is when the CPU gives orders to the hardware,
the order is when the hardware needs to tell the CPU something. The second, called
interrupts, is much harder to implement because it has to be dealt with when
convenient for the hardware, not the CPU. Hardware devices typically have a very
small amount of RAM, and if you do not read their information when available, it is
lost.
- Under Linux, hardware interrupts are called IRQ’s (Interrupt ReQuests). There
+ Under Linux, hardware interrupts are called IRQ’s (Interrupt ReQuests). There
are two types of IRQ’s, short and long. A short IRQ is one which is expected to take
a very short period of time, during which the rest of the machine will be blocked and
no other interrupts will be handled. A long IRQ is one which can take longer, and
during which other interrupts may occur (but not interrupts from the same
device). If at all possible, it is better to declare an interrupt handler to be
long.
- When the CPU receives an interrupt, it stops whatever it is doing (unless it is
+ When the CPU receives an interrupt, it stops whatever it is doing (unless it is
processing a more important interrupt, in which case it will deal with this one only
when the more important one is done), saves certain parameters on the stack and
calls the interrupt handler. This means that certain things are not allowed in the
@@ -4763,10 +4763,10 @@ heavy work deferred from an interrupt handler. Historically, BH (Linux
naming for Bottom Halves) statistically book-keeps the deferred functions.
Softirq and its higher level abstraction, Tasklet, replace BH since Linux
2.3.
- The way to implement this is to call
+ The way to implement this is to call
In practice IRQ handling can be a bit more complex. Hardware is often
+ In practice IRQ handling can be a bit more complex. Hardware is often
designed in a way that chains two interrupt controllers, so that all the IRQs
from interrupt controller B are cascaded to a certain IRQ from interrupt
controller A. Of course, that requires that the kernel finds out which IRQ it
@@ -4783,7 +4783,7 @@ need to solve another truckload of problems. It is not enough to know if a
certain IRQs has happened, it’s also important to know what CPU(s) it was
for. People still interested in more details, might want to refer to "APIC"
now.
- This function receives the IRQ number, the name of the function,
+ This function receives the IRQ number, the name of the function,
flags, a name for /proc/interrupts and a parameter to be passed to the
interrupt handler. Usually there is a certain number of IRQs available.
How many IRQs there are is hardware-dependent. The flags can include
@@ -4793,16 +4793,16 @@ How many IRQs there are is hardware-dependent. The flags can include
+
Many popular single board computers, such as Raspberry Pi or Beagleboards, have a
+ Many popular single board computers, such as Raspberry Pi or Beagleboards, have a
bunch of GPIO pins. Attaching buttons to those and then having a button press do
something is a classic case in which you might need to use interrupts, so that instead
of having the CPU waste time and battery power polling for a change in input state,
it is better for the input to trigger the CPU to then run a particular handling
function.
- Here is an example where buttons are connected to GPIO numbers 17 and 18 and
+ Here is an example where buttons are connected to GPIO numbers 17 and 18 and
an LED is connected to GPIO 4. You can change those numbers to whatever is
appropriate for your board.
@@ -4951,14 +4951,14 @@ appropriate for your board.
142
143MODULE_LICENSE("GPL");
144MODULE_DESCRIPTION("Handle some GPIO interrupts");
-
+
Suppose you want to do a bunch of stuff inside of an interrupt routine. A common
+ Suppose you want to do a bunch of stuff inside of an interrupt routine. A common
way to do that without rendering the interrupt unavailable for a significant duration
is to combine it with a tasklet. This pushes the bulk of the work off into the
scheduler.
- The example below modifies the previous example to also run an additional task
+ The example below modifies the previous example to also run an additional task
when an interrupt is triggered.
@@ -5132,19 +5132,19 @@ when an interrupt is triggered.
165
166MODULE_LICENSE("GPL");
167MODULE_DESCRIPTION("Interrupt with top and bottom half");
-
+
At the dawn of the internet, everybody trusted everybody completely…but that did
+ At the dawn of the internet, everybody trusted everybody completely…but that did
not work out so well. When this guide was originally written, it was a more innocent
era in which almost nobody actually gave a damn about crypto - least of all kernel
developers. That is certainly no longer the case now. To handle crypto stuff, the
kernel has its own API enabling common methods of encryption, decryption and your
favourite hash functions.
-
+
Calculating and checking the hashes of things is a common operation. Here is a
+ Calculating and checking the hashes of things is a common operation. Here is a
demonstration of how to calculate a sha256 hash within a kernel module.
Install the module:
+ Install the module:
And you should see that the hash was calculated for the test string.
- Finally, remove the test module:
+ And you should see that the hash was calculated for the test string.
+ Finally, remove the test module:
+
Here is an example of symmetrically encrypting a string using the AES algorithm
+ Here is an example of symmetrically encrypting a string using the AES algorithm
and a password.
@@ -5430,10 +5430,10 @@ and a password.
196
197MODULE_DESCRIPTION("Symmetric key encryption example");
198MODULE_LICENSE("GPL");
-
+
Up to this point we have seen all kinds of modules doing all kinds of things, but there
+ Up to this point we have seen all kinds of modules doing all kinds of things, but there
was no consistency in their interfaces with the rest of the kernel. To impose some
consistency such that there is at minimum a standardized way to start, suspend and
resume a device a device model was added. An example is shown below, and you can
@@ -5540,13 +5540,13 @@ functions.
97
98MODULE_LICENSE("GPL");
99MODULE_DESCRIPTION("Linux Device Model example");
-
+
+
Sometimes you might want your code to run as quickly as possible,
+ Sometimes you might want your code to run as quickly as possible,
especially if it is handling an interrupt or doing something which might
cause noticeable latency. If your code contains boolean conditions and if
you know that the conditions are almost always likely to evaluate as either
@@ -5568,43 +5568,43 @@ to succeed.
- When the When the
+
+
You can not do that. In a kernel module, you can only use kernel functions which are
+ You can not do that. In a kernel module, you can only use kernel functions which are
the functions you can see in /proc/kallsyms.
-
+
You might need to do this for a short time and that is OK, but if you do not enable
+ You might need to do this for a short time and that is OK, but if you do not enable
them afterwards, your system will be stuck and you will have to power it
off.
-
+
For people seriously interested in kernel programming, I recommend kernelnewbies.org
+ For people seriously interested in kernel programming, I recommend kernelnewbies.org
and the Documentation subdirectory within the kernel source code which is not
always easy to understand but can be a starting point for further investigation. Also,
as Linus Torvalds said, the best way to learn the kernel is to read the source code
yourself.
- If you would like to contribute to this guide or notice anything glaringly wrong,
+ If you would like to contribute to this guide or notice anything glaringly wrong,
please create an issue at https://github.com/sysprog21/lkmpg. Your pull requests
will be appreciated.
- Happy hacking!
+ Happy hacking!
1The goal of threaded interrupts is to push more of the work to separate threads, so that the
+ 1The goal of threaded interrupts is to push more of the work to separate threads, so that the
minimum needed for acknowledging an interrupt is reduced, and therefore the time spent handling
the interrupt (where it can’t handle any other interrupts at the same time) is reduced. See
https://lwn.net/Articles/302043/. The Linux Kernel Module Programming Guide is a free book; you may reproduce
+ The Linux Kernel Module Programming Guide is a free book; you may reproduce
and/or modify it under the terms of the Open Software License, version
3.0.
- This book is distributed in the hope it will be useful, but without any warranty,
+ This book is distributed in the hope it will be useful, but without any warranty,
without even the implied warranty of merchantability or fitness for a particular
purpose.
- The author encourages wide distribution of this book for personal or commercial
+ The author encourages wide distribution of this book for personal or commercial
use, provided the above copyright notice remains intact and the method adheres to
the provisions of the Open Software License. In summary, you may copy and
distribute this book free of charge or for a profit. No explicit permission is required
from the author for reproduction of this book in any medium, physical or
electronic.
- Derivative works and translations of this document must be placed under the
+ Derivative works and translations of this document must be placed under the
Open Software License, and the original copyright notice must remain intact. If you
have contributed new material to this book, you must make the material and source
code available for your revisions. Please make revisions and updates available directly
@@ -119,15 +119,15 @@ code available for your revisions. Please make revisions and updates available d
to the document maintainer, Jim Huang <jserv@ccns.ncku.edu.tw>. This will allow
for the merging of updates and provide consistent revisions to the Linux
community.
- If you publish or distribute this book commercially, donations, royalties, and/or
+ If you publish or distribute this book commercially, donations, royalties, and/or
printed copies are greatly appreciated by the author and the Linux Documentation
Project (LDP). Contributing in this way shows your support for free software and
the LDP. If you have questions or comments, please contact the address
above.
-
+
The Linux Kernel Module Programming Guide was originally written for the 2.2
+ The Linux Kernel Module Programming Guide was originally written for the 2.2
kernels by Ori Pomerantz. Eventually, Ori no longer had time to maintain the
document. After all, the Linux kernel is a fast moving target. Peter Jay Salzman took
over maintenance and updated it for the 2.4 kernels. Eventually, Peter no longer had
@@ -135,13 +135,13 @@ time to follow developments with the 2.6 kernel, so Michael Burian became a
co-maintainer to update the document for the 2.6 kernels. Bob Mottram updated the
examples for 3.8+ kernels. Jim Huang upgraded to recent kernel versions (v5.x) and
revised the LaTeX document.
-
+
The following people have contributed corrections or good suggestions:
+ The following people have contributed corrections or good suggestions:
+
2011eric, 25077667, Arush Sharma, asas1asas200, Benno Bielmeier, Brad
Baker, ccs100203, Chih-Yu Chen, ChinYikMing, Cyril Brulebois, Daniele
Paolo Scarpazza, David Porter, demonsome, Dimo Velev, Ekang Monyet,
@@ -149,17 +149,17 @@ fennecJ, Francois Audeon, gagachang, Gilad Reti, Horst Schirmeier,
Hsin-Hsiang Peng, Ignacio Martin, JianXing Wu, linD026, Marconi Jiang,
RinHizakura, Roman Lakeev, Stacy Prowell, Tucker Polomik, VxTeemo,
Wei-Lun Tsai, xatier, Ylowy.
+
So, you want to write a kernel module. You know C, you have written a few normal
+ So, you want to write a kernel module. You know C, you have written a few normal
programs to run as processes, and now you want to get to where the real action is, to
where a single wild pointer can wipe out your file system and a core dump means a
reboot.
- What exactly is a kernel module? Modules are pieces of code that can be loaded
+ What exactly is a kernel module? Modules are pieces of code that can be loaded
and unloaded into the kernel upon demand. They extend the functionality of the
kernel without the need to reboot the system. For example, one type of module is the
device driver, which allows the kernel to access hardware connected to the system.
@@ -167,24 +167,24 @@ Without modules, we would have to build monolithic kernels and add new
functionality directly into the kernel image. Besides having larger kernels, this has
the disadvantage of requiring us to rebuild and reboot the kernel every time we want
new functionality.
-
+
Linux distributions provide the commands
+ Linux distributions provide the commands
On Ubuntu/Debian:
+ On Ubuntu/Debian:
On Arch Linux:
+ On Arch Linux:
+
To discover what modules are already loaded within your current kernel use the command
+ To discover what modules are already loaded within your current kernel use the command
Modules are stored within the file /proc/modules, so you can also see them with:
+ Modules are stored within the file /proc/modules, so you can also see them with:
This can be a long list, and you might prefer to search for something particular.
+ This can be a long list, and you might prefer to search for something particular.
To search for the fat module:
+
For the purposes of following this guide you don’t necessarily need to do that.
+ For the purposes of following this guide you don’t necessarily need to do that.
However, it would be wise to run the examples within a test distribution running
on a virtual machine in order to avoid any possibility of messing up your
system.
-
+
Before we delve into code, there are a few issues we need to cover. Everyone’s system
+ Before we delve into code, there are a few issues we need to cover. Everyone’s system
is different and everyone has their own groove. Getting your first "hello world"
program to compile and load correctly can sometimes be a trick. Rest assured, after
you get over the initial hurdle of doing it for the first time, it will be smooth sailing
thereafter.
-
+
Using X Window System. It is highly recommended that you extract,
+ Using X Window System. It is highly recommended that you extract,
compile and load all the examples this guide discusses from a console. You
should not be working on this stuff in X Window System.
- Modules can not print to the screen like Modules can not print to the screen like
+
Before you can build anything you’ll need to install the header files for your
+ Before you can build anything you’ll need to install the header files for your
kernel.
- On Ubuntu/Debian:
+ On Ubuntu/Debian:
On Arch Linux:
+ On Arch Linux:
This will tell you what kernel header files are available. Then for example:
+ This will tell you what kernel header files are available. Then for example:
+
All the examples from this document are available within the examples
+ All the examples from this document are available within the examples
subdirectory.
- If there are any compile errors then you might have a more recent kernel version
+ If there are any compile errors then you might have a more recent kernel version
or need to install the corresponding kernel header files.
-
+
+
Most people learning programming start out with some sort of "hello world"
+ Most people learning programming start out with some sort of "hello world"
example. I don’t know what happens to people who break with this tradition, but I
think it is safer not to find out. We will start with a series of hello world
programs that demonstrate the different aspects of the basics of writing a kernel
module.
- Here is the simplest module possible.
- Make a test directory:
+ Here is the simplest module possible.
+ Make a test directory:
Paste this into your favorite editor and save it as hello-1.c:
+ Paste this into your favorite editor and save it as hello-1.c:
Now you will need a Makefile. If you copy and paste this, change the indentation
+ Now you will need a Makefile. If you copy and paste this, change the indentation
to use tabs, not spaces.
In Makefile, $(CURDIR) can set to the absolute pathname of the current working
+ In Makefile, $(CURDIR) can set to the absolute pathname of the current working
directory(after all -C options are processed, if any). See more about CURDIR in GNU
make manual.
- And finally, just run make directly.
+ And finally, just run make directly.
If there is no PWD := $(CURDIR) statement in Makefile, then it may not compile
+ If there is no PWD := $(CURDIR) statement in Makefile, then it may not compile
correctly with sudo make. Because some environment variables are specified by
the security policy, they can’t be inherited. The default security policy is
sudoers. In the sudoers security policy, env_reset is enabled by default,
@@ -344,14 +344,14 @@ by:
$ sudo -s
# sudo -V
-
- Here is a simple Makefile as an example to demonstrate the problem mentioned
+
+ Here is a simple Makefile as an example to demonstrate the problem mentioned
above.
Then, we can use -p flag to print out the environment variable values from the
+ Then, we can use -p flag to print out the environment variable values from the
Makefile.
@@ -363,8 +363,8 @@ PWD = /home/ubuntu/temp
OLDPWD = /home/ubuntu
echo $(PWD)
-
- The PWD variable won’t be inherited with sudo.
+
+ The PWD variable won’t be inherited with sudo.
@@ -373,12 +373,12 @@ OLDPWD = /home/ubuntu
$ sudo make -p | grep PWD
echo $(PWD)
-
- However, there are three ways to solve this problem.
-
+
+ However, there are three ways to solve this problem.
+
You can use the -E flag to temporarily preserve them.
+ You can use the -E flag to temporarily preserve them.
You can set the env_reset disabled by editing the /etc/sudoers with
+ You can set the env_reset disabled by editing the /etc/sudoers with
root and visudo.
Then execute env and sudo env individually.
+ Then execute env and sudo env individually.
You can view and compare these logs to find differences between
+ You can view and compare these logs to find differences between
env_reset and !env_reset.
You can preserve environment variables by appending them to env_keep
+ You can preserve environment variables by appending them to env_keep
in /etc/sudoers.
@@ -420,7 +420,7 @@ $ sudo make -p | grep PWD
2 ##
3 ...
4 Defaults env_keep += ``ftp_proxy http_proxy https_proxy no_proxy PWD''
- After finishing setting modification, you can check the environment variable
+ After finishing setting modification, you can check the environment variable
settings by:
@@ -431,33 +431,33 @@ $ sudo make -p | grep PWD
# sudo -V
- If all goes smoothly you should then find that you have a compiled hello-1.ko
+ If all goes smoothly you should then find that you have a compiled hello-1.ko
module. You can find info on it with the command:
At this point the command:
+ At this point the command:
should return nothing. You can try loading your shiny new module with:
+ should return nothing. You can try loading your shiny new module with:
The dash character will get converted to an underscore, so when you again try:
+ The dash character will get converted to an underscore, so when you again try:
you should now see your loaded module. It can be removed again with:
+ you should now see your loaded module. It can be removed again with:
Notice that the dash was replaced by an underscore. To see what just happened in
+ Notice that the dash was replaced by an underscore. To see what just happened in
the logs:
You now know the basics of creating, compiling, installing and removing modules.
+ You now know the basics of creating, compiling, installing and removing modules.
Now for more of a description of how this module works.
- Kernel modules must have at least two functions: a "start" (initialization) function
+ Kernel modules must have at least two functions: a "start" (initialization) function
called Typically, Typically, Lastly, every kernel module needs to include <linux/module.h>. We
+ Lastly, every kernel module needs to include <linux/module.h>. We
needed to include <linux/kernel.h> only for the macro expansion for the
+
About Compiling. Kernel modules need to be compiled a bit differently
+ About Compiling. Kernel modules need to be compiled a bit differently
from regular userspace apps. Former kernel versions required us to
care much about these settings, which are usually stored in Makefiles.
Although hierarchically organized, many redundant settings accumulated
@@ -512,21 +512,21 @@ needed to include Documentation/kbuild/modules.rst Additional details about Makefiles for kernel modules are available in
+ Additional details about Makefiles for kernel modules are available in
Documentation/kbuild/makefiles.rst. Be sure to read this and the related
files before starting to hack Makefiles. It will probably save you lots of
work.
-
+
Here is another exercise for the reader. See that comment above
+ Here is another exercise for the reader. See that comment above
the return statement in
+
In early kernel versions you had to use the
+ In early kernel versions you had to use the
@@ -564,7 +564,7 @@ technique:
21module_exit(hello_2_exit);
22
23MODULE_LICENSE("GPL");
- So now we have two real kernel modules under our belt. Adding another module
+ So now we have two real kernel modules under our belt. Adding another module
is as simple as this:
Now have a look at drivers/char/Makefile for a real world example. As you can
+ Now have a look at drivers/char/Makefile for a real world example. As you can
see, some things get hardwired into the kernel (obj-y) but where are all those obj-m
gone? Those familiar with shell scripts will easily be able to spot them. For those not,
the obj-$(CONFIG_FOO) entries you see everywhere expand into obj-y or obj-m,
@@ -587,17 +587,17 @@ at it, those were exactly the kind of variables that you have set in the make menuconfig
+
The The There is also an There is also an The The These macros are defined in include/linux/init.h and serve to free up kernel
+ These macros are defined in include/linux/init.h and serve to free up kernel
memory. When you boot your kernel and see something like Freeing unused kernel
memory: 236k freed, this is precisely what the kernel is freeing.
@@ -635,10 +635,10 @@ memory: 236k freed, this is precisely what the kernel is freeing.
22module_exit(hello_3_exit);
23
24MODULE_LICENSE("GPL");
-
+
Honestly, who loads or even cares about proprietary modules? If you do then you
+ Honestly, who loads or even cares about proprietary modules? If you do then you
might have seen something like this:
@@ -649,12 +649,12 @@ $ sudo insmod xxxxxx.ko
loading out-of-tree module taints kernel.
module license 'unspecified' taints kernel.
-
- You can use a few macros to indicate the license for your module. Some examples
+
+ You can use a few macros to indicate the license for your module. Some examples
are "GPL", "GPL v2", "GPL and additional rights", "Dual BSD/GPL", "Dual
MIT/GPL", "Dual MPL/GPL" and "Proprietary". They are defined within
include/linux/module.h.
- To reference what license you’re using a macro is available called
+ To reference what license you’re using a macro is available called
+
Modules can take command line arguments, but not with the argc/argv you might be
+ Modules can take command line arguments, but not with the argc/argv you might be
used to.
- To allow arguments to be passed to your module, declare the variables that will
+ To allow arguments to be passed to your module, declare the variables that will
take the values of the command line arguments as global and then use the
The The Arrays are supported too, but things are a bit different now than they were in the
+ Arrays are supported too, but things are a bit different now than they were in the
olden days. To keep track of the number of parameters you need to pass a pointer to
a count variable as third parameter. At your option, you could also ignore the count and
pass A good use for this is to have the module variable’s default values set, like an port
+ A good use for this is to have the module variable’s default values set, like an port
or IO address. If the variables contain the default values, then perform autodetection
(explained elsewhere). Otherwise, keep the current value. This will be made clear
later on.
- Lastly, there is a macro function, Lastly, there is a macro function,
@@ -802,7 +802,7 @@ parameters: a variable name and a free form string describing that variable.
65
66module_init(hello_5_init);
67module_exit(hello_5_exit);
- I would recommend playing around with this code:
+ I would recommend playing around with this code:
@@ -839,13 +839,13 @@ Goodbye, world 5
$ sudo insmod hello-5.ko mylong=hello
insmod: ERROR: could not insert module hello-5.ko: Invalid parameters
-
-
+
+
Sometimes it makes sense to divide a kernel module between several source
+ Sometimes it makes sense to divide a kernel module between several source
files.
- Here is an example of such a kernel module.
+ Here is an example of such a kernel module.
The next file:
+ The next file:
And finally, the makefile:
+ And finally, the makefile:
This is the complete makefile for all the examples we have seen so far. The first
+ This is the complete makefile for all the examples we have seen so far. The first
five lines are nothing special, but for the last example we will need two lines.
First we invent an object name for our combined module, second we tell
+
Obviously, we strongly suggest you to recompile your kernel, so that you can enable
+ Obviously, we strongly suggest you to recompile your kernel, so that you can enable
a number of useful debugging features, such as forced module unloading
( There are a number of cases in which you may want to load your module into a
+ There are a number of cases in which you may want to load your module into a
precompiled running kernel, such as the ones shipped with common Linux
distributions, or a kernel you have compiled in the past. In certain circumstances you
could require to compile and insert a module into a running kernel which you are not
@@ -923,7 +923,7 @@ allowed to recompile, or on a machine that you prefer not to reboot. If you
can’t think of a case that will force you to use modules for a precompiled
kernel you might want to skip this and treat the rest of this chapter as a big
footnote.
- Now, if you just install a kernel source tree, use it to compile your kernel module
+ Now, if you just install a kernel source tree, use it to compile your kernel module
and you try to insert your module into the kernel, in most cases you would obtain an
error as follows:
@@ -933,8 +933,8 @@ error as follows:
- Less cryptic information is logged to the systemd journal:
+
+ Less cryptic information is logged to the systemd journal:
@@ -942,8 +942,8 @@ insmod: ERROR: could not insert module poet.ko: Invalid module format
- In other words, your kernel refuses to accept your module because version strings
+
+ In other words, your kernel refuses to accept your module because version strings
(more precisely, version magic, see include/linux/vermagic.h) do not match. Incidentally,
version magic strings are stored in the module object in the form of a static string, starting
with
- To overcome this problem we could resort to the --force-vermagic option,
+
+ To overcome this problem we could resort to the --force-vermagic option,
but this solution is potentially unsafe, and unquestionably unacceptable
in production modules. Consequently, we want to compile our module in
an environment which was identical to the one in which our precompiled
kernel was built. How to do this, is the subject of the remainder of this
chapter.
- First of all, make sure that a kernel source tree is available, having exactly the same
+ First of all, make sure that a kernel source tree is available, having exactly the same
version as your current kernel. Then, find the configuration file which was used to
compile your precompiled kernel. Usually, this is available in your current boot directory,
under a name like config-5.14.x. You may just want to copy it to your kernel source
tree: Let’s focus again on the previous error message: a closer look at the version magic
+ Let’s focus again on the previous error message: a closer look at the version magic
strings suggests that, even with two configuration files which are exactly the same, a
slight difference in the version magic could be possible, and it is sufficient to prevent
insertion of the module into the kernel. That slight difference, namely the
@@ -999,16 +999,16 @@ PATCHLEVEL = 14
SUBLEVEL = 0
EXTRAVERSION = -rc2
-
- In this case, you need to restore the value of symbol EXTRAVERSION to
+
+ In this case, you need to restore the value of symbol EXTRAVERSION to
-rc2. We suggest to keep a backup copy of the makefile used to compile your kernel
available in /lib/modules/5.14.0-rc2/build. A simple command as following
should suffice.
Here Here Now, please run Now, please run
- If you do not desire to actually compile the kernel, you can interrupt the build
+
+ If you do not desire to actually compile the kernel, you can interrupt the build
process (CTRL-C) just after the SPLIT line, because at that time, the files you need
are ready. Now you can turn back to the directory of your module and compile it: It
will be built exactly according to your current kernel settings, and it will load into it
without any errors.
-
+
+
A program usually begins with a A program usually begins with a All modules end by calling either All modules end by calling either Every module must have an entry function and an exit function. Since there’s
+ Every module must have an entry function and an exit function. Since there’s
more than one way to specify entry and exit functions, I will try my best to use the
terms “entry function” and “exit function”, but if I slip and simply refer to them as
+
Programmers use functions they do not define all the time. A prime example of this
+ Programmers use functions they do not define all the time. A prime example of this
is Kernel modules are different here, too. In the hello world
+ Kernel modules are different here, too. In the hello world
example, you might have noticed that we used a function,
One point to keep in mind is the difference between library functions and system
+ One point to keep in mind is the difference between library functions and system
calls. Library functions are higher level, run completely in user space and
provide a more convenient interface for the programmer to the functions
that do the real work — system calls. System calls run in kernel mode on
@@ -1095,7 +1095,7 @@ the user’s behalf and are provided by the kernel itself. The library function
data into strings and write the string data using the low-level system call
Would you like to see what system calls are made by
+ Would you like to see what system calls are made by
with with You can even write modules to replace the kernel’s system calls, which we will do
+ You can even write modules to replace the kernel’s system calls, which we will do
shortly. Crackers often make use of this sort of thing for backdoors or trojans, but
you can write your own modules to do more benign things, like have the kernel
write Tee hee, that tickles! every time someone tries to delete a file on your
system.
-
+
A kernel is all about access to resources, whether the resource in question happens to
+ A kernel is all about access to resources, whether the resource in question happens to
be a video card, a hard drive or even memory. Programs often compete for the same
resource. As I just saved this document, updatedb started updating the locate
database. My vim session and updatedb are both using the hard drive concurrently.
@@ -1152,16 +1152,16 @@ mode”.
- Recall the discussion about library functions vs system calls. Typically, you use a
+ Recall the discussion about library functions vs system calls. Typically, you use a
library function in user mode. The library function calls one or more system calls,
and these system calls execute on the library function’s behalf, but do so in
supervisor mode since they are part of the kernel itself. Once the system call
completes its task, it returns and execution gets transfered back to user
mode.
-
+
When you write a small C program, you use variables which are convenient and make
+ When you write a small C program, you use variables which are convenient and make
sense to the reader. If, on the other hand, you are writing routines which will be part
of a bigger problem, any global variables you have are part of a community of other
peoples’ global variables; some of the variable names can clash. When a program has
@@ -1169,24 +1169,24 @@ lots of global variables which aren’t meaningful enough to be distinguished, y
namespace pollution. In large projects, effort must be made to remember reserved
names, and to find ways to develop a scheme for naming unique variable names and
symbols.
- When writing kernel code, even the smallest module will be linked against the
+ When writing kernel code, even the smallest module will be linked against the
entire kernel, so this is definitely an issue. The best way to deal with this is to declare
all your variables as static and to use a well-defined prefix for your symbols. By
convention, all kernel prefixes are lowercase. If you do not want to declare everything
as static, another option is to declare a symbol table and register it with the kernel.
We will get to this later.
- The file /proc/kallsyms holds all the symbols that the kernel knows about and
+ The file /proc/kallsyms holds all the symbols that the kernel knows about and
which are therefore accessible to your modules since they share the kernel’s
codespace.
-
+
Memory management is a very complicated subject and the majority of O’Reilly’s
+ Memory management is a very complicated subject and the majority of O’Reilly’s
Understanding The Linux Kernel exclusively covers memory management!
We are not setting out to be experts on memory managements, but we do
need to know a couple of facts to even begin worrying about writing real
modules.
- If you have not thought about what a segfault really means, you may be surprised
+ If you have not thought about what a segfault really means, you may be surprised
to hear that pointers do not actually point to memory locations. Not real
ones, anyway. When a process is created, the kernel sets aside a portion of
real physical memory and hands it to the process to use for its executing
@@ -1203,23 +1203,23 @@ offset into the region of memory set aside for that particular process. For
the most part, a process like our Hello, World program can’t access the
space of another process, although there are ways which we will talk about
later.
- The kernel has its own space of memory as well. Since a module is code which
+ The kernel has its own space of memory as well. Since a module is code which
can be dynamically inserted and removed in the kernel (as opposed to a
semi-autonomous object), it shares the kernel’s codespace rather than having its own.
Therefore, if your module segfaults, the kernel segfaults. And if you start writing
over data because of an off-by-one error, then you’re trampling on kernel
data (or code). This is even worse than it sounds, so try your best to be
careful.
- By the way, I would like to point out that the above discussion is true for any
+ By the way, I would like to point out that the above discussion is true for any
operating system which uses a monolithic kernel. This is not quite the same thing as
"building all your modules into the kernel", although the idea is the same. There are
things called microkernels which have modules which get their own codespace. The
GNU Hurd and the Zircon kernel of Google Fuchsia are two examples of a
microkernel.
-
+
One class of module is the device driver, which provides functionality for hardware
+ One class of module is the device driver, which provides functionality for hardware
like a serial port. On Unix, each piece of hardware is represented by a file located in
/dev named a device file which provides the means to communicate with the
hardware. The device driver provides the communication on behalf of a
@@ -1227,7 +1227,7 @@ user program. So the es1370.ko sound card device driver might connect the
/dev/sound device file to the Ensoniq IS1370 sound card. A userspace program like
mp3blaster can use /dev/sound without ever knowing what kind of sound card is
installed.
- Let’s look at some device files. Here are device files which represent the first three
+ Let’s look at some device files. Here are device files which represent the first three
partitions on the primary master IDE hard drive:
@@ -1239,18 +1239,18 @@ brw-rw---- 1 root disk 3, 1 Jul 5 2000 /dev/hda1
brw-rw---- 1 root disk 3, 2 Jul 5 2000 /dev/hda2
brw-rw---- 1 root disk 3, 3 Jul 5 2000 /dev/hda3
-
- Notice the column of numbers separated by a comma. The first number is called
+
+ Notice the column of numbers separated by a comma. The first number is called
the device’s major number. The second number is the minor number. The major
number tells you which driver is used to access the hardware. Each driver is assigned
a unique major number; all device files with the same major number are controlled
by the same driver. All the above major numbers are 3, because they’re all controlled
by the same driver.
- The minor number is used by the driver to distinguish between the various
+ The minor number is used by the driver to distinguish between the various
hardware it controls. Returning to the example above, although all three devices are
handled by the same driver they have unique minor numbers because the driver sees
them as being different pieces of hardware.
- Devices are divided into two types: character devices and block devices. The
+ Devices are divided into two types: character devices and block devices. The
difference is that block devices have a buffer for requests, so they can choose the best
order in which to respond to the requests. This is important in the case of storage
devices, where it is faster to read or write sectors which are close to each
@@ -1275,10 +1275,10 @@ crw-r----- 1 root dial 4, 65 Nov 17 10:26 /dev/ttyS1
crw-rw---- 1 root dial 4, 66 Jul 5 2000 /dev/ttyS2
crw-rw---- 1 root dial 4, 67 Jul 5 2000 /dev/ttyS3
-
- If you want to see which major numbers have been assigned, you can look at
+
+ If you want to see which major numbers have been assigned, you can look at
Documentation/admin-guide/devices.txt.
- When the system was installed, all of those device files were created by the
+ When the system was installed, all of those device files were created by the
I would like to make a few last points which are implicit from the above
+ I would like to make a few last points which are implicit from the above
discussion, but I would like to make them explicit just in case. When a device file is
accessed, the kernel uses the major number of the file to determine which driver
should be used to handle the access. This means that the kernel doesn’t really need
to use or even know about the minor number. The driver itself is the only thing that
cares about the minor number. It uses the minor number to distinguish between
different pieces of hardware.
- By the way, when I say "hardware", I mean something a bit more abstract
+ By the way, when I say "hardware", I mean something a bit more abstract
than a PCI card that you can hold in your hand. Look at these two device
files:
@@ -1306,24 +1306,24 @@ $ ls -l /dev/sda /dev/sdb
brw-rw---- 1 root disk 8, 0 Jan 3 09:02 /dev/sda
brw-rw---- 1 root disk 8, 16 Jan 3 09:02 /dev/sdb
-
- By now you can look at these two device files and know instantly that they are
+
+ By now you can look at these two device files and know instantly that they are
block devices and are handled by same driver (block major 8). Sometimes two device
files with the same major but different minor number can actually represent the same
piece of physical hardware. So just be aware that the word “hardware” in our
discussion can mean something very abstract.
-
+
+
The The For example, every character driver needs to define a function that reads from the
+ For example, every character driver needs to define a function that reads from the
device. The Some operations are not implemented by a driver. For example, a driver that handles
+ Some operations are not implemented by a driver. For example, a driver that handles
a video card will not need to read from a directory structure. The corresponding entries
in the There is a gcc extension that makes assigning to this structure more convenient.
+ There is a gcc extension that makes assigning to this structure more convenient.
You will see it in modern drivers, and may catch you by surprise. This is what the
new way of assigning to the structure looks like:
@@ -1386,7 +1386,7 @@ new way of assigning to the structure looks like:
4 open: device_open,
5 release: device_release
6};
- However, there is also a C99 way of assigning to elements of a structure,
+ However, there is also a C99 way of assigning to elements of a structure,
designated initializers, and this is definitely preferred over using the GNU extension.
You should use this syntax in case someone wants to port your driver. It will help
with compatibility:
@@ -1398,30 +1398,30 @@ with compatibility:
4 .open = device_open,
5 .release = device_release
6};
- The meaning is clear, and you should be aware that any member of
+ The meaning is clear, and you should be aware that any member of
the structure which you do not explicitly assign will be initialized to
An instance of An instance of Since Linux v3.14, the read, write and seek operations are guaranteed for thread-safe by
+ Since Linux v3.14, the read, write and seek operations are guaranteed for thread-safe by
using the Since Linux v5.6, the Since Linux v5.6, the
+
Each device is represented in the kernel by a file structure, which is defined
+ Each device is represented in the kernel by a file structure, which is defined
in include/linux/fs.h. Be aware that a file is a kernel level structure and
never appears in a user space program. It is not the same thing as a
An instance of struct file is commonly named
+ An instance of struct file is commonly named
Go ahead and look at the definition of file. Most of the entries you see, like struct
+ Go ahead and look at the definition of file. Most of the entries you see, like struct
dentry are not used by device drivers, and you can ignore them. This is because
drivers do not fill file directly; they only use structures contained in file which are
created elsewhere.
-
+
As discussed earlier, char devices are accessed through device files, usually located in
+ As discussed earlier, char devices are accessed through device files, usually located in
/dev. This is by convention. When writing a driver, it is OK to put the
device file in your current directory. Just make sure you place it in /dev for a
production driver. The major number tells you which driver handles which
device file. The minor number is used only by the driver itself to differentiate
which device it is operating on, just in case the driver handles more than one
device.
- Adding a driver to your system means registering it with the kernel. This is synonymous
+ Adding a driver to your system means registering it with the kernel. This is synonymous
with assigning it a major number during the module’s initialization. You do this by
using the
Where unsigned int major is the major number you want to request,
+ Where unsigned int major is the major number you want to request,
Now the question is, how do you get a major number without hijacking
+ Now the question is, how do you get a major number without hijacking
one that’s already in use? The easiest way would be to look through
Documentation/admin-guide/devices.txt and pick an unused one. That is a bad way
of doing things because you will never be sure if the number you picked will be
assigned later. The answer is that you can ask the kernel to assign you a dynamic
major number.
- If you pass a major number of 0 to If you pass a major number of 0 to However, However, The newer interface completes the char device registration in two distinct steps.
+ The newer interface completes the char device registration in two distinct steps.
First, we should register a range of device numbers, which can be completed with
The choose of two different functions depend on whether you know the major numbers for your
+ The choose of two different functions depend on whether you know the major numbers for your
device. Using Second, we should initialize the data structure
+ Second, we should initialize the data structure
However, the common usage pattern will embed the
+ However, the common usage pattern will embed the
Once we finish the initialization, we can add the char device to the system by using
+ Once we finish the initialization, we can add the char device to the system by using
the
To find a example using the interface, you can see ioctl.c described in section
+ To find a example using the interface, you can see ioctl.c described in section
9.
-
+
We can not allow the kernel module to be
+ We can not allow the kernel module to be
Normally, when you do not want to allow something, you return an error code
+ Normally, when you do not want to allow something, you return an error code
(a negative number) from the function which is supposed to do it. With
It is important to keep the counter accurate; if you ever do lose track of the
+ It is important to keep the counter accurate; if you ever do lose track of the
correct usage count, you will never be able to unload the module; it’s now reboot
time, boys and girls. This is bound to happen to you sooner or later during a
module’s development.
-
+
The next code sample creates a char driver named chardev. You can dump its device
+ The next code sample creates a char driver named chardev. You can dump its device
file.
(or open the file with a program) and the driver will put the number of times the
+ (or open the file with a program) and the driver will put the number of times the
device file has been read from into the file. We do not support writing to the file (like
In the multiple-threaded environment, without any protection, concurrent access
+ In the multiple-threaded environment, without any protection, concurrent access
to the same memory may lead to the race condition, and will not preserve the
performance. In the kernel module, this problem may happen due to multiple
instances accessing the shared resources. Therefore, a solution is to enforce the
@@ -1768,32 +1768,32 @@ concurrency details in the 12
+
The system calls, which are the major interface the kernel shows to the processes,
+ The system calls, which are the major interface the kernel shows to the processes,
generally stay the same across versions. A new system call may be added, but
usually the old ones will behave exactly like they used to. This is necessary for
backward compatibility – a new kernel version is not supposed to break regular
processes. In most cases, the device files will also remain the same. On the other
hand, the internal interfaces within the kernel can and do change between
versions.
- There are differences between different kernel versions, and if you want
+ There are differences between different kernel versions, and if you want
to support multiple kernel versions, you will find yourself having to code
conditional compilation directives. The way to do this to compare the macro
+
In Linux, there is an additional mechanism for the kernel and kernel modules to send
+ In Linux, there is an additional mechanism for the kernel and kernel modules to send
information to processes — the /proc file system. Originally designed to allow easy
access to information about processes (hence the name), it is now used by every bit
of the kernel which has something interesting to report, such as /proc/modules
which provides the list of modules and /proc/meminfo which gathers memory usage
statistics.
- The method to use the proc file system is very similar to the one used with device
+ The method to use the proc file system is very similar to the one used with device
drivers — a structure is created with all the information needed for the /proc file,
including pointers to any handler functions (in our case there is only one, the
one called when somebody attempts to read from the /proc file). Then,
@@ -1804,18 +1804,18 @@ one called when somebody attempts to read from the Normal file systems are located on a disk, rather than just in memory (which is
+ Normal file systems are located on a disk, rather than just in memory (which is
where /proc is), and in that case the index-node (inode for short) number
is a pointer to a disk location where the file’s inode is located. The inode
contains information about the file, for example the file’s permissions, together
with a pointer to the disk location or locations where the file’s data can be
found.
- Because we don’t get called when the file is opened or closed, there’s nowhere for
+ Because we don’t get called when the file is opened or closed, there’s nowhere for
us to put Here a simple example showing how to use a /proc file. This is the HelloWorld for
+ Here a simple example showing how to use a /proc file. This is the HelloWorld for
the /proc filesystem. There are three parts: create the file /proc/helloworld in the
function The /proc/helloworld is created when the module is loaded with the function
+ The /proc/helloworld is created when the module is loaded with the function
Every time the file /proc/helloworld is read, the function
+ Every time the file /proc/helloworld is read, the function
+
+
The The
+
We have seen a very simple example for a /proc file where we only read
+ We have seen a very simple example for a /proc file where we only read
the file /proc/helloworld. It is also possible to write in a /proc file. It
works the same way as read, a function is called when the /proc file
is written. But there is a little difference with read, data comes from
@@ -1943,7 +1943,7 @@ user, so you have to import data from user space to kernel space (with
The reason for The reason for The only memory segment accessible to a process is its own, so when
+ The only memory segment accessible to a process is its own, so when
writing regular programs to run as processes, there is no need to worry about
segments. When you write a kernel module, normally you want to access
the kernel memory segment, which is handled automatically by the system.
@@ -2069,22 +2069,22 @@ because data is already in kernel space.
95module_exit(procfs2_exit);
96
97MODULE_LICENSE("GPL");
-
+
We have seen how to read and write a /proc file with the /proc interface. But it is
+ We have seen how to read and write a /proc file with the /proc interface. But it is
also possible to manage /proc file with inodes. The main concern is to use advanced
functions, like permissions.
- In Linux, there is a standard mechanism for file system registration.
+ In Linux, there is a standard mechanism for file system registration.
Since every file system has to have its own functions to handle inode and file
operations, there is a special structure to hold pointers to all those functions,
The difference between file and inode operations is that file operations deal with
+ The difference between file and inode operations is that file operations deal with
the file itself whereas inode operations deal with ways of referencing the file, such as
creating links to it.
- In /proc, whenever we register a new file, we’re allowed to specify which
+ In /proc, whenever we register a new file, we’re allowed to specify which
Another interesting point here is the
+ Another interesting point here is the
It is important to note that the standard roles of read and write are reversed in
+ It is important to note that the standard roles of read and write are reversed in
the kernel. Read functions are used for output, whereas write functions are used for
input. The reason for that is that read and write refer to the user’s point of view — if
a process reads something from the kernel, then the kernel needs to output it, and
@@ -2219,14 +2219,14 @@ input.
105module_exit(procfs3_exit);
106
107MODULE_LICENSE("GPL");
- Still hungry for procfs examples? Well, first of all keep in mind, there are rumors
+ Still hungry for procfs examples? Well, first of all keep in mind, there are rumors
around, claiming that procfs is on its way out, consider using sysfs instead. Consider
using this mechanism, in case you want to document something kernel related
yourself.
-
+
As we have seen, writing a /proc file may be quite “complex”.
+ As we have seen, writing a /proc file may be quite “complex”.
So to help people writting /proc file, there is an API named
A sequence begins with the call of the function
+ A sequence begins with the call of the function
BE CAREFUL: when a sequence is finished, another one starts. That means that at the end
+ BE CAREFUL: when a sequence is finished, another one starts. That means that at the end
of function The The If you want more information, you can read this web page:
+ If you want more information, you can read this web page:
You can also read the code of fs/seq_file.c in the linux kernel.
+ You can also read the code of fs/seq_file.c in the linux kernel.
sysfs allows you to interact with the running kernel from userspace by reading or
+ sysfs allows you to interact with the running kernel from userspace by reading or
setting variables inside of modules. This can be useful for debugging purposes, or just
as an interface for applications or scripts. You can find sysfs directories and files
under the /sys directory on your system.
An example of a hello world module which includes the creation of a variable
+ An example of a hello world module which includes the creation of a variable
accessible via sysfs is given below.
Make and install the module:
+ Make and install the module:
Check that it exists:
+ Check that it exists:
What is the current value of What is the current value of
Set the value of Set the value of
Finally, remove the test module:
+ Finally, remove the test module:
+
Device files are supposed to represent physical devices. Most physical devices are
+ Device files are supposed to represent physical devices. Most physical devices are
used for output as well as input, so there has to be some mechanism for
device drivers in the kernel to get the output to send to the device from
processes. This is done by opening the device file for output and writing to it,
just like writing to a file. In the following example, this is implemented by
This is not always enough. Imagine you had a serial port connected to a modem
+ This is not always enough. Imagine you had a serial port connected to a modem
(even if you have an internal modem, it is still implemented from the CPU’s
perspective as a serial port connected to a modem, so you don’t have to tax
your imagination too hard). The natural thing to do would be to use the
@@ -2532,7 +2532,7 @@ received.
- The answer in Unix is to use a special function called
+ The answer in Unix is to use a special function called
The ioctl function is called with three parameters: the file descriptor of the
+ The ioctl function is called with three parameters: the file descriptor of the
appropriate device file, the ioctl number, and a parameter, which is of type
long so you can use a cast to use it to pass anything. You will not be able
to pass a structure this way, but you will be able to pass a pointer to the
structure.
- The ioctl number encodes the major device number, the type of the ioctl, the
+ The ioctl number encodes the major device number, the type of the ioctl, the
command, and the type of the parameter. This ioctl number is usually created by a macro
call ( If you want to use ioctls in your own kernel modules, it is best to receive an
+ If you want to use ioctls in your own kernel modules, it is best to receive an
official ioctl assignment, so if you accidentally get somebody else’s ioctls, or if they
get yours, you’ll know something is wrong. For more information, consult the kernel
source tree at Documentation/userspace-api/ioctl/ioctl-number.rst.
- Also, we need to be careful that concurrent access to the shared resources will
+ Also, we need to be careful that concurrent access to the shared resources will
lead to the race condition. The solution is using atomic Compare-And-Swap (CAS),
which we mentioned at 6.5 section, to enforce the exclusive access.
@@ -3039,15 +3039,15 @@ which we mentioned at 6.5
-
+
So far, the only thing we’ve done was to use well defined kernel mechanisms to
+ So far, the only thing we’ve done was to use well defined kernel mechanisms to
register /proc files and device handlers. This is fine if you want to do something the
kernel programmers thought you’d want, such as write a device driver. But what if
you want to do something unusual, to change the behavior of the system in some
way? Then, you are mostly on your own.
- If you are not being sensible and using a virtual machine then this is where kernel
+ If you are not being sensible and using a virtual machine then this is where kernel
programming can become hazardous. While writing the example below, I killed the
Forget about /proc files, forget about device files. They are just minor details.
+ Forget about /proc files, forget about device files. They are just minor details.
Minutiae in the vast expanse of the universe. The real process to kernel
communication mechanism, the one used by all processes, is system calls. When a
process requests a service from the kernel (such as opening a file, forking to a new
@@ -3068,11 +3068,11 @@ change the behaviour of the kernel in interesting ways, this is the place to do
it. By the way, if you want to see which system calls a program uses, run
In general, a process is not supposed to be able to access the kernel. It can not
+ In general, a process is not supposed to be able to access the kernel. It can not
access kernel memory and it can’t call kernel functions. The hardware of the CPU
enforces this (that is the reason why it is called “protected mode” or “page
protection”).
- System calls are an exception to this general rule. What happens is that the
+ System calls are an exception to this general rule. What happens is that the
process fills the registers with the appropriate values and then calls a special
instruction which jumps to a previously defined location in the kernel (of course, that
location is readable by user processes, it is not writable by them). Under Intel CPUs,
@@ -3080,7 +3080,7 @@ this is done by means of interrupt 0x80. The hardware knows that once you jump t
this location, you are no longer running in restricted user mode, but as the
operating system kernel — and therefore you’re allowed to do whatever you
want.
- The location in the kernel a process can jump to is called system_call. The
+ The location in the kernel a process can jump to is called system_call. The
procedure at that location checks the system call number, which tells the kernel what
service the process requested. Then, it looks at the table of system calls
( So, if we want to change the way a certain system call works, what we need to do
+ So, if we want to change the way a certain system call works, what we need to do
is to write our own function to implement it (usually by adding a bit of our own
code, and then calling the original function) and then change the pointer at
To modify the content of To modify the content of However, However, Because of the control-flow integrity, which is a technique to prevent the redirect
+ Because of the control-flow integrity, which is a technique to prevent the redirect
execution code from the attacker, for making sure that the indirect calls go to the
expected addresses and the return addresses are not changed. Since Linux v5.7, the
kernel patched the series of control-flow enforcement (CET) for x86, and some
@@ -3143,10 +3143,10 @@ COLLECT_GCC_OPTIONS='-v' '-Q' '-O2' '--help=target' '-mtune=generic' '-marc
GNU C17 (Ubuntu 9.3.0-17ubuntu1~20.04) version 9.3.0 (x86_64-linux-gnu)
...
But CET should not be enabled in the kernel, it may break the Kprobes and bpf.
+ But CET should not be enabled in the kernel, it may break the Kprobes and bpf.
Consequently, CET is disabled since v5.11. To guarantee the manual symbol lookup
worked, we only use up to v5.4.
- Unfortunately, since Linux v5.7 Unfortunately, since Linux v5.7 Otherwise, specify the address of Otherwise, specify the address of
- Using the address from /boot/System.map, be careful about KASLR (Kernel
+
+ Using the address from /boot/System.map, be careful about KASLR (Kernel
Address Space Layout Randomization). KASLR may randomize the address of
kernel code and data at every boot time, such as the static address listed in
/boot/System.map will offset by some entropy. The purpose of KASLR is to protect
@@ -3203,7 +3203,7 @@ ffffffff82000300 R sys_call_table
$ sudo grep sys_call_table /proc/kallsyms
ffffffff86400300 R sys_call_table
- If KASLR is enabled, we have to take care of the address from /proc/kallsyms each
+ If KASLR is enabled, we have to take care of the address from /proc/kallsyms each
time we reboot the machine. In order to use the address from /boot/System.map,
make sure that KASLR is disabled. You can add the nokaslr for disabling KASLR in
next booting time:
@@ -3219,8 +3219,8 @@ $ grep quiet /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet nokaslr splash"
$ sudo update-grub
-
- For more information, check out the following:
+
+ For more information, check out the following:
The source code here is an example of such a kernel module. We want to “spy” on a certain
+ The source code here is an example of such a kernel module. We want to “spy” on a certain
user, and to The The Now, if B is removed first, everything will be well — it will simply restore the system
+ Now, if B is removed first, everything will be well — it will simply restore the system
call to Note that all the related problems make syscall stealing unfeasible for
+ Note that all the related problems make syscall stealing unfeasible for
production use. In order to keep people from doing potential harmful things
+
+
What do you do when somebody asks you for something you can not do right
+ What do you do when somebody asks you for something you can not do right
away? If you are a human being and you are bothered by a human being, the
only thing you can say is: "Not right now, I’m busy. Go away!". But if you
are a kernel module and you are bothered by a process, you have another
@@ -3540,21 +3540,21 @@ possibility. You can put the process to sleep until you can service it. After al
processes are being put to sleep by the kernel and woken up all the time (that
is the way multiple processes appear to run on the same time on a single
CPU).
- This kernel module is an example of this. The file (called /proc/sleep) can only
+ This kernel module is an example of this. The file (called /proc/sleep) can only
be opened by a single process at a time. If the file is already open, the kernel module
calls
This function changes the status of the task (a task is the kernel data structure
+ This function changes the status of the task (a task is the kernel data structure
which holds information about a process and the system call it is in, if any) to
When a process is done with the file, it closes it, and
+ When a process is done with the file, it closes it, and
This means that the process is still in kernel mode - as far as the process
+ This means that the process is still in kernel mode - as far as the process
is concerned, it issued the open system call and the system call has not
returned yet. The process does not know somebody else used the CPU for
most of the time between the moment it issued the call and the moment it
returned.
- It can then proceed to set a global variable to tell all the other processes that the
+ It can then proceed to set a global variable to tell all the other processes that the
file is still open and go on with its life. When the other processes get a piece of the
CPU, they’ll see that global variable and go back to sleep.
- So we will use So we will use To make our life more interesting, To make our life more interesting, In that case, we want to return with
+ In that case, we want to return with
There is one more point to remember. Some times processes don’t want to sleep, they want
+ There is one more point to remember. Some times processes don’t want to sleep, they want
either to get what they want immediately, or to be told it cannot be done. Such processes
use the
+
+
Sometimes one thing should happen before another within a module having multiple threads.
+ Sometimes one thing should happen before another within a module having multiple threads.
Rather than using In the following example two threads are started, but one needs to start before
+ In the following example two threads are started, but one needs to start before
another.
@@ -3996,31 +3996,31 @@ another.
74
75MODULE_DESCRIPTION("Completions example");
76MODULE_LICENSE("GPL");
- The The So even though So even though There are other variations upon the
+ There are other variations upon the
+
If processes running on different CPUs or in different threads try to access the same
+ If processes running on different CPUs or in different threads try to access the same
memory, then it is possible that strange things can happen or your system can lock
up. To avoid this, various types of mutual exclusion kernel functions are available.
These indicate if a section of code is "locked" or "unlocked" so that simultaneous
attempts to run it can not happen.
You can use kernel mutexes (mutual exclusions) in much the same manner that you
+ You can use kernel mutexes (mutual exclusions) in much the same manner that you
might deploy them in userland. This may be all that is needed to avoid collisions in
most cases.
@@ -4066,10 +4066,10 @@ most cases.
39
40MODULE_DESCRIPTION("Mutex example");
41MODULE_LICENSE("GPL");
-
+
As the name suggests, spinlocks lock up the CPU that the code is running on,
+ As the name suggests, spinlocks lock up the CPU that the code is running on,
taking 100% of its resources. Because of this you should only use the spinlock
@@ -4077,7 +4077,7 @@ taking 100% of its resources. Because of this you should only use the spinlock
mechanism around code which is likely to take no more than a few milliseconds to
run and so will not noticeably slow anything down from the user’s point of
view.
- The example here is "irq safe" in that if interrupts happen during the lock then
+ The example here is "irq safe" in that if interrupts happen during the lock then
they will not be forgotten and will activate when the unlock happens, using the
+
Read and write locks are specialised kinds of spinlocks so that you can exclusively
+ Read and write locks are specialised kinds of spinlocks so that you can exclusively
read from something or write to something. Like the earlier spinlocks example, the
one below shows an "irq safe" situation in which if other functions were triggered
from irqs which might also read and write to whatever you are concerned with
@@ -4214,14 +4214,14 @@ module.
53
54MODULE_DESCRIPTION("Read/Write locks example");
55MODULE_LICENSE("GPL");
- Of course, if you know for sure that there are no functions triggered by irqs
+ Of course, if you know for sure that there are no functions triggered by irqs
which could possibly interfere with your logic then you can use the simpler
If you are doing simple arithmetic: adding, subtracting or bitwise operations, then
+ If you are doing simple arithmetic: adding, subtracting or bitwise operations, then
there is another way in the multi-CPU and multi-hyperthreaded world to stop other
parts of the system from messing with your mojo. By using atomic operations you
can be confident that your addition, subtraction or bit flip did actually happen
@@ -4306,7 +4306,7 @@ below.
- Before the C11 standard adopts the built-in atomic types, the kernel already
+ Before the C11 standard adopts the built-in atomic types, the kernel already
provided a small set of atomic types by using a bunch of tricky architecture-specific
codes. Implementing the atomic types by C11 atomics may allow the kernel to throw
away the architecture-specific codes and letting the kernel code be more friendly to
@@ -4319,21 +4319,21 @@ For further details, see:
+
+
In Section 2, I said that X Window System and kernel module programming do not
+ In Section 2, I said that X Window System and kernel module programming do not
mix. That is true for developing kernel modules. But in actual use, you want to be
able to send messages to whichever tty the command to load the module came
from.
- "tty" is an abbreviation of teletype: originally a combination keyboard-printer
+ "tty" is an abbreviation of teletype: originally a combination keyboard-printer
used to communicate with a Unix system, and today an abstraction for the text
stream used for a Unix program, whether it is a physical terminal, an xterm on an X
display, a network connection used with ssh, etc.
- The way this is done is by using current, a pointer to the currently running task,
+ The way this is done is by using current, a pointer to the currently running task,
to get the current task’s tty structure. Then, we look inside that tty structure to find
a pointer to a string write function, which we use to write a string to the
tty.
@@ -4416,16 +4416,16 @@ tty.
-
+
In certain conditions, you may desire a simpler and more direct way to communicate
+ In certain conditions, you may desire a simpler and more direct way to communicate
to the external world. Flashing keyboard LEDs can be such a solution: It is an
immediate way to attract attention or to display a status condition. Keyboard LEDs
are present on every hardware, they are always visible, they do not need any setup,
and their use is rather simple and non-intrusive, compared to writing to a tty or a
file.
- From v4.14 to v4.15, the timer API made a series of changes
+ From v4.14 to v4.15, the timer API made a series of changes
to improve memory safety. A buffer overflow in the area of a
Before Linux v4.14, Before Linux v4.14, Since Linux v4.14, Since Linux v4.14, The The The following source code illustrates a minimal kernel module which, when
+ The following source code illustrates a minimal kernel module which, when
loaded, starts blinking the keyboard LEDs until it is unloaded.
If none of the examples in this chapter fit your debugging needs,
+ If none of the examples in this chapter fit your debugging needs,
there might yet be some other tricks to try. Ever wondered what
While you have seen lots of stuff that can be used to aid debugging here, there are
+ While you have seen lots of stuff that can be used to aid debugging here, there are
some things to be aware of. Debugging is almost always intrusive. Adding debug code
can change the situation enough to make the bug seem to disappear. Thus, you
should keep debug code to a minimum and make sure it does not show up in
production code.
-
+
There are two main ways of running tasks: tasklets and work queues. Tasklets are a
+ There are two main ways of running tasks: tasklets and work queues. Tasklets are a
quick and easy way of scheduling a single function to be run. For example, when
triggered from an interrupt, whereas work queues are more complicated but also
better suited to running multiple things in a sequence.
-
+
Here is an example tasklet module. The
+ Here is an example tasklet module. The
So with this example loaded So with this example loaded Although tasklet is easy to use, it comes with several defators, and developers are
+ Although tasklet is easy to use, it comes with several defators, and developers are
discussing about getting rid of tasklet in linux kernel. The tasklet callback
runs in atomic context, inside a software interrupt, meaning that it cannot
sleep or access user-space data, so not all work can be done in a tasklet
handler. Also, the kernel only allows one instance of any given tasklet to be
running at any given time; multiple different tasklet callbacks can run in
parallel.
- In recent kernels, tasklets can be replaced by workqueues, timers, or threaded
+ In recent kernels, tasklets can be replaced by workqueues, timers, or threaded
interrupts.1
While the removal of tasklets remains a longer-term goal, the current kernel contains more
than a hundred uses of tasklets. Now developers are proceeding with the API changes and
the macro
+
To add a task to the scheduler we can use a workqueue. The kernel then uses the
+ To add a task to the scheduler we can use a workqueue. The kernel then uses the
Completely Fair Scheduler (CFS) to execute work within the queue.
+
+
Except for the last chapter, everything we did in the kernel so far we have done as a
+ Except for the last chapter, everything we did in the kernel so far we have done as a
response to a process asking for it, either by dealing with a special file, sending an
There are two types of interaction between the CPU and the rest of the
+ There are two types of interaction between the CPU and the rest of the
computer’s hardware. The first type is when the CPU gives orders to the hardware,
the order is when the hardware needs to tell the CPU something. The second, called
interrupts, is much harder to implement because it has to be dealt with when
convenient for the hardware, not the CPU. Hardware devices typically have a very
small amount of RAM, and if you do not read their information when available, it is
lost.
- Under Linux, hardware interrupts are called IRQ’s (Interrupt ReQuests). There
+ Under Linux, hardware interrupts are called IRQ’s (Interrupt ReQuests). There
are two types of IRQ’s, short and long. A short IRQ is one which is expected to take
a very short period of time, during which the rest of the machine will be blocked and
no other interrupts will be handled. A long IRQ is one which can take longer, and
during which other interrupts may occur (but not interrupts from the same
device). If at all possible, it is better to declare an interrupt handler to be
long.
- When the CPU receives an interrupt, it stops whatever it is doing (unless it is
+ When the CPU receives an interrupt, it stops whatever it is doing (unless it is
processing a more important interrupt, in which case it will deal with this one only
when the more important one is done), saves certain parameters on the stack and
calls the interrupt handler. This means that certain things are not allowed in the
@@ -4763,10 +4763,10 @@ heavy work deferred from an interrupt handler. Historically, BH (Linux
naming for Bottom Halves) statistically book-keeps the deferred functions.
Softirq and its higher level abstraction, Tasklet, replace BH since Linux
2.3.
- The way to implement this is to call
+ The way to implement this is to call
In practice IRQ handling can be a bit more complex. Hardware is often
+ In practice IRQ handling can be a bit more complex. Hardware is often
designed in a way that chains two interrupt controllers, so that all the IRQs
from interrupt controller B are cascaded to a certain IRQ from interrupt
controller A. Of course, that requires that the kernel finds out which IRQ it
@@ -4783,7 +4783,7 @@ need to solve another truckload of problems. It is not enough to know if a
certain IRQs has happened, it’s also important to know what CPU(s) it was
for. People still interested in more details, might want to refer to "APIC"
now.
- This function receives the IRQ number, the name of the function,
+ This function receives the IRQ number, the name of the function,
flags, a name for /proc/interrupts and a parameter to be passed to the
interrupt handler. Usually there is a certain number of IRQs available.
How many IRQs there are is hardware-dependent. The flags can include
@@ -4793,16 +4793,16 @@ How many IRQs there are is hardware-dependent. The flags can include
+
Many popular single board computers, such as Raspberry Pi or Beagleboards, have a
+ Many popular single board computers, such as Raspberry Pi or Beagleboards, have a
bunch of GPIO pins. Attaching buttons to those and then having a button press do
something is a classic case in which you might need to use interrupts, so that instead
of having the CPU waste time and battery power polling for a change in input state,
it is better for the input to trigger the CPU to then run a particular handling
function.
- Here is an example where buttons are connected to GPIO numbers 17 and 18 and
+ Here is an example where buttons are connected to GPIO numbers 17 and 18 and
an LED is connected to GPIO 4. You can change those numbers to whatever is
appropriate for your board.
@@ -4951,14 +4951,14 @@ appropriate for your board.
142
143MODULE_LICENSE("GPL");
144MODULE_DESCRIPTION("Handle some GPIO interrupts");
-
+
Suppose you want to do a bunch of stuff inside of an interrupt routine. A common
+ Suppose you want to do a bunch of stuff inside of an interrupt routine. A common
way to do that without rendering the interrupt unavailable for a significant duration
is to combine it with a tasklet. This pushes the bulk of the work off into the
scheduler.
- The example below modifies the previous example to also run an additional task
+ The example below modifies the previous example to also run an additional task
when an interrupt is triggered.
@@ -5132,19 +5132,19 @@ when an interrupt is triggered.
165
166MODULE_LICENSE("GPL");
167MODULE_DESCRIPTION("Interrupt with top and bottom half");
-
+
At the dawn of the internet, everybody trusted everybody completely…but that did
+ At the dawn of the internet, everybody trusted everybody completely…but that did
not work out so well. When this guide was originally written, it was a more innocent
era in which almost nobody actually gave a damn about crypto - least of all kernel
developers. That is certainly no longer the case now. To handle crypto stuff, the
kernel has its own API enabling common methods of encryption, decryption and your
favourite hash functions.
-
+
Calculating and checking the hashes of things is a common operation. Here is a
+ Calculating and checking the hashes of things is a common operation. Here is a
demonstration of how to calculate a sha256 hash within a kernel module.
Install the module:
+ Install the module:
And you should see that the hash was calculated for the test string.
- Finally, remove the test module:
+ And you should see that the hash was calculated for the test string.
+ Finally, remove the test module:
+
Here is an example of symmetrically encrypting a string using the AES algorithm
+ Here is an example of symmetrically encrypting a string using the AES algorithm
and a password.
@@ -5430,10 +5430,10 @@ and a password.
196
197MODULE_DESCRIPTION("Symmetric key encryption example");
198MODULE_LICENSE("GPL");
-
+
Up to this point we have seen all kinds of modules doing all kinds of things, but there
+ Up to this point we have seen all kinds of modules doing all kinds of things, but there
was no consistency in their interfaces with the rest of the kernel. To impose some
consistency such that there is at minimum a standardized way to start, suspend and
resume a device a device model was added. An example is shown below, and you can
@@ -5540,13 +5540,13 @@ functions.
97
98MODULE_LICENSE("GPL");
99MODULE_DESCRIPTION("Linux Device Model example");
-
+
+
Sometimes you might want your code to run as quickly as possible,
+ Sometimes you might want your code to run as quickly as possible,
especially if it is handling an interrupt or doing something which might
cause noticeable latency. If your code contains boolean conditions and if
you know that the conditions are almost always likely to evaluate as either
@@ -5568,43 +5568,43 @@ to succeed.
- When the When the
+
+
You can not do that. In a kernel module, you can only use kernel functions which are
+ You can not do that. In a kernel module, you can only use kernel functions which are
the functions you can see in /proc/kallsyms.
-
+
You might need to do this for a short time and that is OK, but if you do not enable
+ You might need to do this for a short time and that is OK, but if you do not enable
them afterwards, your system will be stuck and you will have to power it
off.
-
+
For people seriously interested in kernel programming, I recommend kernelnewbies.org
+ For people seriously interested in kernel programming, I recommend kernelnewbies.org
and the Documentation subdirectory within the kernel source code which is not
always easy to understand but can be a starting point for further investigation. Also,
as Linus Torvalds said, the best way to learn the kernel is to read the source code
yourself.
- If you would like to contribute to this guide or notice anything glaringly wrong,
+ If you would like to contribute to this guide or notice anything glaringly wrong,
please create an issue at https://github.com/sysprog21/lkmpg. Your pull requests
will be appreciated.
- Happy hacking!
+ Happy hacking!
1The goal of threaded interrupts is to push more of the work to separate threads, so that the
+ 1The goal of threaded interrupts is to push more of the work to separate threads, so that the
minimum needed for acknowledging an interrupt is reduced, and therefore the time spent handling
the interrupt (where it can’t handle any other interrupts at the same time) is reduced. See
https://lwn.net/Articles/302043/. NULL
@@ -726,11 +726,11 @@ pass NULL
4short myshortarray[4];
5int count;
6module_param_array(myshortarray, short, &count, 0); /* put count into "count" variable */
- MODULE_PARM_DESC()
+ MODULE_PARM_DESC()
, that is used to document arguments that the module can take. It takes two
parameters: a variable name and a free form string describing that variable.
4.6 Modules Spanning Multiple Files
-1/*
2 * stop.c - Illustration of multi filed modules
@@ -879,7 +879,7 @@ files.
11}
12
13MODULE_LICENSE("GPL");
-1obj-m += hello-1.o
@@ -897,15 +897,15 @@ files.
13
14clean:
15 make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
- make
what object files are part of that module.
-4.7 Building modules for a precompiled kernel
- MODULE_FORCE_UNLOAD
): when this option is enabled, you can force the kernel to unload a module even when it believes
@@ -915,7 +915,7 @@ the development of a module. If you do not want to recompile your kernel then yo
should consider running the examples within a test distribution on a virtual machine.
If you mess anything up then you can easily reboot or restore the virtual machine
(VM).
-
insmod: ERROR: could not insert module poet.ko: Invalid module format
-
kernel: poet: disagrees about version of symbol module_layout
- vermagic:
@@ -966,20 +966,20 @@ retpoline: Y
name: hello_4
vermagic: 5.4.0-70-generic SMP mod_unload modversions
- cp /boot/config-`uname -r` .config
.
-1cp /lib/modules/`uname -r`/build/Makefile linux-`uname -r`
- linux-`uname -r`
+ linux-`uname -r`
is the Linux kernel source you are attempting to build.
- make
+ make
to update configuration and version headers and objects:
@@ -1030,19 +1030,19 @@ $ make
HOSTCC scripts/kconfig/parser.tab.o
HOSTLD scripts/kconfig/conf
-5 Preliminaries
-5.1 How modules begin and end
- main()
+ main()
function, executes a bunch of instructions and terminates upon completion of those
instructions. Kernel modules work a bit differently. A module always begin with either
the init_module
@@ -1055,20 +1055,20 @@ provides.
- cleanup_module
+ cleanup_module
or the function you specify with the module_exit
call. This is the exit function for modules; it undoes whatever entry function did. It
unregisters the functionality that the entry function registered.
- init_module
and cleanup_module
, I think you will know what I mean.
-5.2 Functions available to modules
- printf()
. You use these library functions which are provided by the standard C
library, libc. The definitions for these functions do not actually enter
@@ -1076,7 +1076,7 @@ your program until the linking stage, which insures that the code (for
printf()
for example) is available, and fixes the call instruction to point to that
code.
- pr_info()
but did not include a standard I/O library. That is because modules are object files whose symbols
@@ -1085,7 +1085,7 @@ get resolved upon insmod
external functions you can use are the ones provided by the kernel. If you’re
curious about what symbols have been exported by your kernel, take a look at
/proc/kallsyms.
- write()
, which then sends the data to standard output.
- printf()
@@ -1110,7 +1110,7 @@ data into strings and write the string data using the low-level system call
5 printf("hello");
6 return 0;
7}
- gcc -Wall -o hello hello.c
+ gcc -Wall -o hello hello.c
. Run the executable with strace ./hello
. Are you impressed? Every line you see corresponds to a system call. strace is a
handy program that gives you details about what system calls a program is
@@ -1130,15 +1130,15 @@ calls (like kill()
with (like cosh()
and random()
).
-5.3 User Space vs Kernel Space
-5.4 Name Space
-5.5 Code space
-5.6 Device Drivers
- mknod
command. To create a new char device named coffee with major/minor number 12 and 2,
simply do mknod /dev/coffee c 12 2
@@ -1287,14 +1287,14 @@ Linus put his device files in 6 Character Device drivers
-6.1 The file_operations Structure
- file_operations
+ file_operations
structure is defined in include/linux/fs.h, and holds pointers to functions defined by
the driver that perform various operations on the device. Each field of the structure
corresponds to the address of some function defined by the driver to handle a
requested operation.
- file_operations
structure holds the address of the module’s function that performs that operation.
Here is what the definition looks like for kernel 5.4:
@@ -1367,12 +1367,12 @@ Here is what the definition looks like for kernel 5.4:
36 loff_t len, unsigned int remap_flags);
37 int (*fadvise)(struct file *, loff_t, loff_t, int);
38} __randomize_layout;
- file_operations
structure should be set to NULL
.
- NULL
by gcc.
- struct file_operations
+ struct file_operations
containing pointers to functions that are used to implement
read
, write
, open
, … system calls is commonly named fops
.
- f_pos
specific lock, which makes the file position update to become the mutual
exclusion. So, we can safely implement those operations without unnecessary
locking.
- proc_ops
+ proc_ops
structure was introduced to replace the use of the
file_operations
structure when registering proc handlers.
-6.2 The file structure
- FILE
@@ -1433,31 +1433,31 @@ function. Also, its name is a bit misleading; it represents an abstract open
- filp
. You’ll also see it referred to as a struct file object. Resist the temptation.
-6.3 Registering A Device
- register_chrdev
function, defined by include/linux/fs.h.
1int register_chrdev(unsigned int major, const char *name, struct file_operations *fops);
- const char *name
is the name of the device as it will appear in /proc/devices and
struct file_operations *fops
@@ -1467,13 +1467,13 @@ registration failed. Note that we didn’t pass the minor number to
register_chrdev
. That is because the kernel doesn’t care about the minor number; only our driver
uses it.
- register_chrdev
+ register_chrdev
, the return value will be the dynamically allocated major number. The
downside is that you can not make a device file in advance, since you do not
@@ -1490,11 +1490,11 @@ third method is that we can have our driver make the device file using the
device_destroy
during the call to cleanup_module
.
- register_chrdev()
+ register_chrdev()
would occupy a range of minor numbers associated with the given major. The
recommended way to reduce waste for char device registration is using cdev
interface.
- register_chrdev_region
or alloc_chrdev_region
@@ -1503,12 +1503,12 @@ First, we should register a range of device numbers, which can be completed with
1int register_chrdev_region(dev_t from, unsigned count, const char *name);
2int alloc_chrdev_region(dev_t *dev, unsigned baseminor, unsigned count, const char *name);
- register_chrdev_region
if you know the device major number and
alloc_chrdev_region
if you would like to allocate a dynamicly-allocated major number.
- struct cdev
for our char device and associate it with the device numbers. To initialize the
struct cdev
@@ -1517,7 +1517,7 @@ device. Using register_chrdev_region
1struct cdev *my_dev = cdev_alloc();
2my_cdev->ops = &my_fops;
- struct cdev
within a device-specific structure of your own. In this case, we’ll need
cdev_init
@@ -1528,18 +1528,18 @@ device. Using register_chrdev_region
- or something like that.
- cdev_add
.
1int cdev_add(struct cdev *p, dev_t dev, unsigned count);
-6.4 Unregistering A Device
- rmmod
’ed whenever root feels like it. If the device file is opened by a process and then we
remove the kernel module, using the file would cause a call to the memory location
@@ -1549,7 +1549,7 @@ unlucky, another kernel module was loaded into the same location, which
means a jump into the middle of another function within the kernel. The
results of this would be impossible to predict, but they can not be very
positive.
- cleanup_module
that’s impossible because it is a void function. However, there is a counter
@@ -1575,26 +1575,26 @@ decrease and display this counter:
module_refcount(THIS_MODULE)
: Return the value of reference count of current module.6.5 chardev.c
-1cat /proc/devices
- echo "hi" > /dev/hello
), but catch these attempts and tell the user that the operation is not supported.
Don’t worry if you don’t see what we do with the data we read into the buffer; we
don’t do much with it. We simply read in the data and print a message
acknowledging that we received it.
-6.6 Writing Modules for Multiple Kernel Versions
- LINUX_VERSION_CODE
to the macro KERNEL_VERSION
. In version a.b.c of the kernel, the value of this macro would be 
.
-7 The /proc File System
- try_module_get
and module_put
in this module, and if the file is opened and then the module is removed, there’s no
way to avoid the consequences.
- init_module
, return a value (and a buffer) when the file /proc/helloworld is read in the callback
@@ -1823,12 +1823,12 @@ function procfile_read
, and delete the file /proc/helloworld in the function
cleanup_module
.
- proc_create
. The return value is a struct proc_dir_entry
, and it will be used to configure the file /proc/helloworld (for example, the owner
of this file). A null return value means that the creation has failed.
- procfile_read
is called. Two parameters of this function are very important: the buffer
(the second parameter) and the offset (the fourth one). The content of the
@@ -1845,7 +1845,7 @@ function, if it never returns zero, the read function is called endlessly.
$ cat /proc/helloworld
HelloWorld!
-1/*
@@ -1917,10 +1917,10 @@ HelloWorld!
67module_exit(procfs1_exit);
68
69MODULE_LICENSE("GPL");
-7.1 The proc_ops Structure
- proc_ops
+ as proc_ops
structure is defined in include/linux/proc_fs.h in Linux v5.6+. In older kernels, it
used file_operations
for custom hooks in /proc file system, but it contains some
@@ -1932,10 +1932,10 @@ performance. For example, the file which never disappears in proc_flag
PROC_ENTRY_PERMANENT
to save 2 atomic ops, 1 allocation, 1 free in per open/read/close sequence.
-7.2 Read and Write a /proc File
- copy_from_user
or get_user
)
- copy_from_user
+ copy_from_user
or get_user
is that Linux memory (on Intel architecture, it may be different under some
@@ -1954,7 +1954,7 @@ not reference a unique location in memory, only a location in a memory
segment, and you need to know which memory segment it is to be able to use
it. There is one memory segment for the kernel, and one for each of the
processes.
-7.3 Manage /proc file with standard filesystem
- struct inode_operations
, which includes a pointer to struct proc_ops
.
- struct inode_operations
will be used to access to it. This is the mechanism we use, a
struct inode_operations
@@ -2095,7 +2095,7 @@ creating links to it.
which includes pointers to our procf_read
and procfs_write
functions.
- module_permission
function. This function is called whenever a process tries to do something with the
/proc file, and it can decide whether to allow access or not. Right now it is only
@@ -2104,7 +2104,7 @@ pointer to a structure which includes information on the currently running
process), but it could be based on anything we like, such as what other
processes are doing with the same file, the time of day, or the last input we
received.
-7.4 Manage /proc file with seq_file
- seq_file
that helps formating a /proc file for output. It is based on sequence, which is composed of
@@ -2235,7 +2235,7 @@ So to help people writting , and stop()
. The seq_file
API starts a sequence when a user read the /proc file.
- start()
. If the return is a non NULL
value, the function next()
@@ -2252,7 +2252,7 @@ time next()
returns NULL
, then the function stop()
is called.
- stop()
, the function start()
is called again. This loop finishes when the function
@@ -2269,14 +2269,14 @@ of function stop()
-
+
seq_file
+ seq_file
provides basic functions for proc_ops
, such as seq_read
, seq_lseek
@@ -2401,23 +2401,23 @@ the same way as in the previous example.
116module_exit(procfs4_exit);
117
118MODULE_LICENSE("GPL");
- will still try to call 8 sysfs: Interacting with your module
-1ls -l /sys
-1make
@@ -2490,36 +2490,36 @@ accessible via sysfs is given below.
-
-1sudo lsmod | grep hello_sysfs
- myvariable
+ myvariable
?
1cat /sys/kernel/mymodule/myvariable
- myvariable
+ right before you do the myvariable
and check that it changed.
1echo "32" > /sys/kernel/mymodule/myvariable
2cat /sys/kernel/mymodule/myvariable
-1sudo rmmod hello_sysfs
-9 Talking To Device Files
- device_write
.
- ioctl
(short for Input Output ConTroL). Every device can have its own
ioctl
@@ -2541,12 +2541,12 @@ kernel), write ioctl’s (to return information to a process), both or neither.
here the roles of read and write are reversed again, so in ioctl’s read is to
send information to the kernel and write is to receive information from the
kernel.
- _IO
, _IOR
@@ -2557,11 +2557,11 @@ included both by the programs which will use ioctl (so they can generate the
appropriate ioctl’s) and by the kernel module (so it can understand it). In the
example below, the header file is chardev.h and the program which uses it is
ioctl.c.
-10 System Calls
- open()
system call. This meant I could not open any files, I could not run any
@@ -3059,7 +3059,7 @@ ensure you do not lose any files, even within a test environment, please run
insmod
and the rmmod
.
- strace <arguments>
.
- sys_call_table
@@ -3093,7 +3093,7 @@ different process, if the process time ran out). If you want to read this code,
at the source file arch/$(architecture)/kernel/entry.S, after the line
ENTRY(system_call)
.
- sys_call_table
@@ -3101,7 +3101,7 @@ code, and then calling the original function) and then change the pointer at
don’t want to leave the system in an unstable state, it’s important for
cleanup_module
to restore the table to its original state.
- sys_call_table
+ sys_call_table
, we need to consider the control register. A control register is a processor
register that changes or controls the general behavior of the CPU. For x86
architecture, the cr0 register has various control flags that modify the basic
@@ -3114,11 +3114,11 @@ read-only sections Therefore, we must disable the sys_call_table
+ sys_call_table
symbol is unexported to prevent misuse. But there have few ways to get the symbol, manual
symbol lookup and kallsyms_lookup_name
. Here we use both depend on the kernel version.
- kallsyms_lookup_name
+ kallsyms_lookup_name
is also unexported, it needs certain trick to get the address of
kallsyms_lookup_name
. If CONFIG_KPROBES
@@ -3158,7 +3158,7 @@ passes the addresses of the saved registers and the Kprobe struct to the handler
you defined, then executes it. Kprobes can be registered by symbol name
or address. Within the symbol name, the address will be handled by the
kernel.
- sys_call_table
+ sys_call_table
from /proc/kallsyms and /boot/System.map into
sym
parameter. Following is the sample usage for /proc/kallsyms:
@@ -3173,8 +3173,8 @@ ffffffff820013a0 R sys_call_table
ffffffff820023e0 R ia32_sys_call_table
$ sudo insmod syscall.ko sym=0xffffffff820013a0
-
- pr_info()
a message whenever that user opens a file. Towards this end, we
replace the system call to open a file with our own function, called
@@ -3247,7 +3247,7 @@ spy on, it calls pr_info()
to display the name of the file to be opened. Then, either way, it calls the original
open()
function with the same parameters, to actually open the file.
- init_module
+ init_module
function replaces the appropriate location in
sys_call_table
and keeps the original pointer in a variable. The
@@ -3265,7 +3265,7 @@ with B_open
, which will call what it thinks is the original system call,
A_open
, when it’s done.
- A_open
, which calls the original. However, if A is removed and then B is removed, the
system will crash. A’s removal will restore the system call to the original,
@@ -3285,7 +3285,7 @@ problem. When A is removed, it sees that the system call was changed to
A_open
which is no longer there, so that even without removing B the system would
crash.
- sys_call_table
is no longer exported. This means, if you want to do something more than a mere
@@ -3526,13 +3526,13 @@ dry run of this example, you will have to patch your current kernel in order to
227module_exit(syscall_end);
228
229MODULE_LICENSE("GPL");
-11 Blocking Processes and threads
-11.1 Sleep
- wait_event_interruptible
. The easiest way to keep a file open is to open it with:
1tail -f
- TASK_INTERRUPTIBLE
, which means that the task will not run until it is woken up somehow, and adds it to
WaitQ, the queue of tasks waiting to access the file. Then, the function calls the
scheduler to context switch to a different process, one which has some use for the
CPU.
- module_close
is called. That function wakes up all the processes in the queue (there’s no
mechanism to only wake up one of them). It then returns and the process which just
@@ -3567,31 +3567,31 @@ Eventually, one of the processes which was in the queue will be given control
of the CPU by the scheduler. It starts at the point right after the call to
module_interruptible_sleep_on
.
- tail -f
+ tail -f
to keep the file open in the background, while trying to access it with another
process (again in the background, so that we need not switch to a different vt). As
soon as the first background process is killed with kill %1 , the second is woken up, is
able to access the file and finally terminates.
- module_close
+ module_close
does not have a monopoly on waking up the processes which wait to access the file.
A signal, such as Ctrl +c (SIGINT) can also wake up a process. This is because we
used module_interruptible_sleep_on
. We could have used module_sleep_on
instead, but that would have resulted in extremely angry users whose Ctrl+c’s are
ignored.
- -EINTR
immediately. This is important so users can, for example, kill the process before it
receives the file.
- O_NONBLOCK
flag when opening the file. The kernel is supposed to respond by returning with the error
@@ -3627,7 +3627,7 @@ $ cat_nonblock /proc/sleep
Last input:
$
-1/*
@@ -3906,14 +3906,14 @@ $
57
58 return 0;
59}
-11.2 Completions
- /bin/sleep
commands, the kernel has another way to do this which allows timeouts or
interrupts to also happen.
- machine
+ machine
structure stores the completion states for the two threads. At the exit
point of each thread the respective completion state is updated, and
wait_for_completion
is used by the flywheel thread to ensure that it does not begin prematurely.
- flywheel_thread
+ flywheel_thread
is started first you should notice if you load this module and run
dmesg
that turning the crank always happens first because the flywheel thread waits for it
to complete.
- wait_for_completion
function, which include timeouts or being interrupted, but this basic mechanism is
enough for many common situations without adding a lot of complexity.
-12 Avoiding Collisions and Deadlocks
-12.1 Mutex
-12.2 Spinlocks
- flags
variable to retain their state.
@@ -4146,10 +4146,10 @@ they will not be forgotten and will activate when the unlock happens, using the
61
62MODULE_DESCRIPTION("Spinlock example");
63MODULE_LICENSE("GPL");
-12.3 Read and write locks
- read_lock(&myrwlock)
and read_unlock(&myrwlock)
or the corresponding write functions.
12.4 Atomic operations
-13 Replacing Print Macros
-13.1 Replacement
-13.2 Flashing keyboard LEDs
- timer_list
structure may be able to overwrite the
@@ -4448,7 +4448,7 @@ to use a unique prototype to separate from the cluster that takes an
container_of
macro instead of the unsigned long
value.
- setup_timer
+ setup_timer
was used to initialize the timer and the
timer_list
structure looked like:
@@ -4463,7 +4463,7 @@ to use a unique prototype to separate from the cluster that takes an
8
9void setup_timer(struct timer_list *timer, void (*callback)(unsigned long),
10 unsigned long data);
- timer_setup
+ timer_setup
is adopted and the kernel step by step converting to
timer_setup
from setup_timer
@@ -4477,7 +4477,7 @@ Moreover, the timer_setup
1void timer_setup(struct timer_list *timer,
2 void (*callback)(struct timer_list *), unsigned int flags);
- setup_timer
+ setup_timer
was then removed since v4.15. As a result, the
timer_list
structure had changed to the following.
@@ -4488,7 +4488,7 @@ Moreover, the timer_setup
4 u32 flags;
5 /* ... */
6};
- CONFIG_LL_DEBUG
in make menuconfig
@@ -4588,25 +4588,25 @@ everything what your code does over a serial line. If you find yourself porting
kernel to some new and former unsupported architecture, this is usually amongst the
first things that should be implemented. Logging over a netconsole might also be
worth a try.
-14 Scheduling Tasks
-14.1 Tasklets
- tasklet_fn
function runs for a few seconds and in the mean time execution of the
example_tasklet_init
@@ -4657,7 +4657,7 @@ better suited to running multiple things in a sequence.
42
43MODULE_DESCRIPTION("Tasklet example");
44MODULE_LICENSE("GPL");
- dmesg
+ dmesg
should show:
@@ -4669,23 +4669,23 @@ Example tasklet starts
Example tasklet init continues...
Example tasklet ends
- DECLARE_TASKLET_OLD
exists for compatibility. For further information, see https://lwn.net/Articles/830964/.
-14.2 Work queues
-15 Interrupt Handlers
-15.1 Interrupt Handlers
- ioctl()
, or issuing a system call. But the job of the kernel is not just to respond to process
requests. Another job, which is every bit as important, is to speak to the hardware
connected to the machine.
- request_irq()
to get your interrupt handler called when the relevant IRQ is received.
- SA_INTERRUPT
to indicate this is a fast interrupt. This function will only succeed if there is not
already a handler on this IRQ, or if you are both willing to share.
-15.2 Detecting button presses
-15.3 Bottom Half
-16 Crypto
-16.1 Hash functions
-1sudo insmod cryptosha256.ko
2sudo dmesg
-1sudo rmmod cryptosha256
-16.2 Symmetric key encryption
-17 Standardizing the interfaces: The Device Model
-18 Optimizations
-18.1 Likely and Unlikely conditions
- unlikely
+ unlikely
macro is used, the compiler alters its machine instruction output, so that it
continues along the false branch and only jumps if the condition is true. That
avoids flushing the processor pipeline. The opposite happens if you use the
likely
macro.
-19 Common Pitfalls
-19.1 Using standard libraries
-19.2 Disabling interrupts
-20 Where To Go From Here?
-
+
diff --git a/lkmpg-for-ht.html b/lkmpg-for-ht.html
index b635a63..0e991b0 100644
--- a/lkmpg-for-ht.html
+++ b/lkmpg-for-ht.html
@@ -18,11 +18,11 @@
The Linux Kernel Module Programming Guide
-December 28, 2021
+January 9, 2022
- 1 Introduction
-1.1 Authorship
-1.2 Acknowledgements
-
-
-1.3 What Is A Kernel Module?
-1.4 Kernel module package
- modprobe
, insmod
and depmod
within a package.
-1sudo apt-get install build-essential kmod
-1sudo pacman -S gcc kmod
-1.5 What Modules are in my Kernel?
- lsmod
.
1sudo cat /proc/modules
-1sudo lsmod | grep fat
-1.6 Do I need to download and compile the kernel?
-1.7 Before We Begin
-
- CONFIG_MODVERSIONS
@@ -230,10 +230,10 @@ thereafter.
printf()
+ printf()
can, but they can log information and warnings, which ends up being
printed on your screen, but only on a console. If you insmod
a module from an xterm, the information and warnings will be logged, but
@@ -241,48 +241,48 @@ thereafter.
your journalctl
. See 4 for details. To have immediate access to this information, do all
your work from the console.2 Headers
-1sudo apt-get update
2apt-cache search linux-headers-`uname -r`
-1sudo pacman -S linux-headers
-1sudo apt-get install kmod linux-headers-5.4.0-80-generic
-3 Examples
-4 Hello World
-4.1 The Simplest Module
-1mkdir -p ~/develop/kernel/hello-1
2cd ~/develop/kernel/hello-1
-1/*
@@ -305,7 +305,7 @@ module.
18}
19
20MODULE_LICENSE("GPL");
-1make
-1all:
2 echo $(PWD)
-
-1 $ sudo -E make -p | grep PWD
@@ -387,7 +387,7 @@ $ sudo make -p | grep PWD
4 echo $(PWD)
1 # disable the env_reset
@@ -405,11 +405,11 @@ $ sudo make -p | grep PWD
4 # enable the env_reset
5 echo "user:" > env_reset.log; env >> env_reset.log
6 echo "root:" >> env_reset.log; sudo env >> env_reset.log
- 1modinfo hello-1.ko
-1sudo lsmod | grep hello
-1sudo insmod hello-1.ko
-1sudo lsmod | grep hello
-1sudo rmmod hello_1
-1sudo journalctl --since "1 hour ago" | grep kernel
- init_module()
which is called when the module is insmod
ed into the kernel, and an "end" (cleanup) function called
@@ -469,18 +469,18 @@ In fact, the new method is the preferred method. However, many people still use
init_module()
and cleanup_module()
for their start and end functions.
- init_module()
+ init_module()
either registers a handler for something with the kernel, or it replaces one of the kernel
functions with its own code (usually code to do something and then call the original function).
The cleanup_module()
function is supposed to undo whatever
init_module()
did, so the module can be unloaded safely.
- pr_alert()
log level, which you’ll learn about in Section 2.
-
-
- init_module()
? Change the return value to something negative, recompile and
load the module again. What happens?4.2 Hello and Goodbye
-4.3 The __init and __exit Macros
- __init
+. The variable declarations and macros should be placed at the beginning of the
module for clarity. The example code should clear up my admittedly lousy
explanation.
- __init
macro causes the init function to be discarded and its memory freed once the init
function finishes for built-in drivers, but not loadable modules. If you think about
when the init function is invoked, this makes perfect sense.
- __initdata
+ __initdata
which works similarly to __init
but for init variables rather than functions.
- __exit
+ __exit
macro causes the omission of the function when the module is built into the kernel, and
like __init
, has no effect for loadable modules. Again, if you consider when the cleanup function
@@ -606,7 +606,7 @@ while loadable modules do.
-4.4 Licensing and Module Documentation
- MODULE_LICENSE
. This and a few other macros describing the module are illustrated in the below
example.
@@ -684,12 +684,12 @@ example.
22
23module_init(init_hello_4);
24module_exit(cleanup_hello_4);
-4.5 Passing Command Line Arguments to a Module
- module_param()
macro, (defined in include/linux/moduleparam.h) to set the mechanism up. At runtime,
@@ -699,7 +699,7 @@ take the values of the command line arguments as global and then use the
module_param()
+ module_param()
macro takes 3 arguments: the name of the variable, its type and
permissions for the corresponding file in sysfs. Integer types can be signed
as usual or unsigned. If you’d like to use arrays of integers or strings see
@@ -713,7 +713,7 @@ as usual or unsigned. If you’d like to use arrays of integers or strings see
1int myint = 3;
2module_param(myint, int, 0);
- NULL
@@ -726,11 +726,11 @@ pass NULL
4short myshortarray[4];
5int count;
6module_param_array(myshortarray, short, &count, 0); /* put count into "count" variable */
- MODULE_PARM_DESC()
+ MODULE_PARM_DESC()
, that is used to document arguments that the module can take. It takes two
parameters: a variable name and a free form string describing that variable.
4.6 Modules Spanning Multiple Files
-1/*
2 * stop.c - Illustration of multi filed modules
@@ -879,7 +879,7 @@ files.
11}
12
13MODULE_LICENSE("GPL");
-1obj-m += hello-1.o
@@ -897,15 +897,15 @@ files.
13
14clean:
15 make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
- make
what object files are part of that module.
-4.7 Building modules for a precompiled kernel
- MODULE_FORCE_UNLOAD
): when this option is enabled, you can force the kernel to unload a module even when it believes
@@ -915,7 +915,7 @@ the development of a module. If you do not want to recompile your kernel then yo
should consider running the examples within a test distribution on a virtual machine.
If you mess anything up then you can easily reboot or restore the virtual machine
(VM).
-
insmod: ERROR: could not insert module poet.ko: Invalid module format
-
kernel: poet: disagrees about version of symbol module_layout
- vermagic:
@@ -966,20 +966,20 @@ retpoline: Y
name: hello_4
vermagic: 5.4.0-70-generic SMP mod_unload modversions
- cp /boot/config-`uname -r` .config
.
-1cp /lib/modules/`uname -r`/build/Makefile linux-`uname -r`
- linux-`uname -r`
+ linux-`uname -r`
is the Linux kernel source you are attempting to build.
- make
+ make
to update configuration and version headers and objects:
@@ -1030,19 +1030,19 @@ $ make
HOSTCC scripts/kconfig/parser.tab.o
HOSTLD scripts/kconfig/conf
-5 Preliminaries
-5.1 How modules begin and end
- main()
+ main()
function, executes a bunch of instructions and terminates upon completion of those
instructions. Kernel modules work a bit differently. A module always begin with either
the init_module
@@ -1055,20 +1055,20 @@ provides.
- cleanup_module
+ cleanup_module
or the function you specify with the module_exit
call. This is the exit function for modules; it undoes whatever entry function did. It
unregisters the functionality that the entry function registered.
- init_module
and cleanup_module
, I think you will know what I mean.
-5.2 Functions available to modules
- printf()
. You use these library functions which are provided by the standard C
library, libc. The definitions for these functions do not actually enter
@@ -1076,7 +1076,7 @@ your program until the linking stage, which insures that the code (for
printf()
for example) is available, and fixes the call instruction to point to that
code.
- pr_info()
but did not include a standard I/O library. That is because modules are object files whose symbols
@@ -1085,7 +1085,7 @@ get resolved upon insmod
external functions you can use are the ones provided by the kernel. If you’re
curious about what symbols have been exported by your kernel, take a look at
/proc/kallsyms.
- write()
, which then sends the data to standard output.
- printf()
@@ -1110,7 +1110,7 @@ data into strings and write the string data using the low-level system call
5 printf("hello");
6 return 0;
7}
- gcc -Wall -o hello hello.c
+ gcc -Wall -o hello hello.c
. Run the executable with strace ./hello
. Are you impressed? Every line you see corresponds to a system call. strace is a
handy program that gives you details about what system calls a program is
@@ -1130,15 +1130,15 @@ calls (like kill()
with (like cosh()
and random()
).
-5.3 User Space vs Kernel Space
-5.4 Name Space
-5.5 Code space
-5.6 Device Drivers
- mknod
command. To create a new char device named coffee with major/minor number 12 and 2,
simply do mknod /dev/coffee c 12 2
@@ -1287,14 +1287,14 @@ Linus put his device files in 6 Character Device drivers
-6.1 The file_operations Structure
- file_operations
+ file_operations
structure is defined in include/linux/fs.h, and holds pointers to functions defined by
the driver that perform various operations on the device. Each field of the structure
corresponds to the address of some function defined by the driver to handle a
requested operation.
- file_operations
structure holds the address of the module’s function that performs that operation.
Here is what the definition looks like for kernel 5.4:
@@ -1367,12 +1367,12 @@ Here is what the definition looks like for kernel 5.4:
36 loff_t len, unsigned int remap_flags);
37 int (*fadvise)(struct file *, loff_t, loff_t, int);
38} __randomize_layout;
- file_operations
structure should be set to NULL
.
- NULL
by gcc.
- struct file_operations
+ struct file_operations
containing pointers to functions that are used to implement
read
, write
, open
, … system calls is commonly named fops
.
- f_pos
specific lock, which makes the file position update to become the mutual
exclusion. So, we can safely implement those operations without unnecessary
locking.
- proc_ops
+ proc_ops
structure was introduced to replace the use of the
file_operations
structure when registering proc handlers.
-6.2 The file structure
- FILE
@@ -1433,31 +1433,31 @@ function. Also, its name is a bit misleading; it represents an abstract open
- filp
. You’ll also see it referred to as a struct file object. Resist the temptation.
-6.3 Registering A Device
- register_chrdev
function, defined by include/linux/fs.h.
1int register_chrdev(unsigned int major, const char *name, struct file_operations *fops);
- const char *name
is the name of the device as it will appear in /proc/devices and
struct file_operations *fops
@@ -1467,13 +1467,13 @@ registration failed. Note that we didn’t pass the minor number to
register_chrdev
. That is because the kernel doesn’t care about the minor number; only our driver
uses it.
- register_chrdev
+ register_chrdev
, the return value will be the dynamically allocated major number. The
downside is that you can not make a device file in advance, since you do not
@@ -1490,11 +1490,11 @@ third method is that we can have our driver make the device file using the
device_destroy
during the call to cleanup_module
.
- register_chrdev()
+ register_chrdev()
would occupy a range of minor numbers associated with the given major. The
recommended way to reduce waste for char device registration is using cdev
interface.
- register_chrdev_region
or alloc_chrdev_region
@@ -1503,12 +1503,12 @@ First, we should register a range of device numbers, which can be completed with
1int register_chrdev_region(dev_t from, unsigned count, const char *name);
2int alloc_chrdev_region(dev_t *dev, unsigned baseminor, unsigned count, const char *name);
- register_chrdev_region
if you know the device major number and
alloc_chrdev_region
if you would like to allocate a dynamicly-allocated major number.
- struct cdev
for our char device and associate it with the device numbers. To initialize the
struct cdev
@@ -1517,7 +1517,7 @@ device. Using register_chrdev_region
1struct cdev *my_dev = cdev_alloc();
2my_cdev->ops = &my_fops;
- struct cdev
within a device-specific structure of your own. In this case, we’ll need
cdev_init
@@ -1528,18 +1528,18 @@ device. Using register_chrdev_region
- cdev_add
.
1int cdev_add(struct cdev *p, dev_t dev, unsigned count);
-6.4 Unregistering A Device
- rmmod
’ed whenever root feels like it. If the device file is opened by a process and then we
remove the kernel module, using the file would cause a call to the memory location
@@ -1549,7 +1549,7 @@ unlucky, another kernel module was loaded into the same location, which
means a jump into the middle of another function within the kernel. The
results of this would be impossible to predict, but they can not be very
positive.
- cleanup_module
that’s impossible because it is a void function. However, there is a counter
@@ -1575,26 +1575,26 @@ decrease and display this counter:
module_refcount(THIS_MODULE)
: Return the value of reference count of current module.6.5 chardev.c
-1cat /proc/devices
- echo "hi" > /dev/hello
), but catch these attempts and tell the user that the operation is not supported.
Don’t worry if you don’t see what we do with the data we read into the buffer; we
don’t do much with it. We simply read in the data and print a message
acknowledging that we received it.
-6.6 Writing Modules for Multiple Kernel Versions
- LINUX_VERSION_CODE
to the macro KERNEL_VERSION
. In version a.b.c of the kernel, the value of this macro would be .
-7 The /proc File System
- try_module_get
and module_put
in this module, and if the file is opened and then the module is removed, there’s no
way to avoid the consequences.
- init_module
, return a value (and a buffer) when the file /proc/helloworld is read in the callback
@@ -1823,12 +1823,12 @@ function procfile_read
, and delete the file /proc/helloworld in the function
cleanup_module
.
- proc_create
. The return value is a struct proc_dir_entry
, and it will be used to configure the file /proc/helloworld (for example, the owner
of this file). A null return value means that the creation has failed.
- procfile_read
is called. Two parameters of this function are very important: the buffer
(the second parameter) and the offset (the fourth one). The content of the
@@ -1845,7 +1845,7 @@ function, if it never returns zero, the read function is called endlessly.
$ cat /proc/helloworld
HelloWorld!
-1/*
@@ -1917,10 +1917,10 @@ HelloWorld!
67module_exit(procfs1_exit);
68
69MODULE_LICENSE("GPL");
-7.1 The proc_ops Structure
- proc_ops
+ as proc_ops
structure is defined in include/linux/proc_fs.h in Linux v5.6+. In older kernels, it
used file_operations
for custom hooks in /proc file system, but it contains some
@@ -1932,10 +1932,10 @@ performance. For example, the file which never disappears in proc_flag
PROC_ENTRY_PERMANENT
to save 2 atomic ops, 1 allocation, 1 free in per open/read/close sequence.
-7.2 Read and Write a /proc File
- copy_from_user
or get_user
)
- copy_from_user
+ copy_from_user
or get_user
is that Linux memory (on Intel architecture, it may be different under some
@@ -1954,7 +1954,7 @@ not reference a unique location in memory, only a location in a memory
segment, and you need to know which memory segment it is to be able to use
it. There is one memory segment for the kernel, and one for each of the
processes.
-7.3 Manage /proc file with standard filesystem
- struct inode_operations
, which includes a pointer to struct proc_ops
.
- struct inode_operations
will be used to access to it. This is the mechanism we use, a
struct inode_operations
@@ -2095,7 +2095,7 @@ creating links to it.
which includes pointers to our procf_read
and procfs_write
functions.
- module_permission
function. This function is called whenever a process tries to do something with the
/proc file, and it can decide whether to allow access or not. Right now it is only
@@ -2104,7 +2104,7 @@ pointer to a structure which includes information on the currently running
process), but it could be based on anything we like, such as what other
processes are doing with the same file, the time of day, or the last input we
received.
-7.4 Manage /proc file with seq_file
- seq_file
that helps formating a /proc file for output. It is based on sequence, which is composed of
@@ -2235,7 +2235,7 @@ So to help people writting , and stop()
. The seq_file
API starts a sequence when a user read the /proc file.
- start()
. If the return is a non NULL
value, the function next()
@@ -2252,7 +2252,7 @@ time next()
returns NULL
, then the function stop()
is called.
- stop()
, the function start()
is called again. This loop finishes when the function
@@ -2269,14 +2269,14 @@ of function stop()
-
+
seq_file
+ seq_file
provides basic functions for proc_ops
, such as seq_read
, seq_lseek
@@ -2401,23 +2401,23 @@ the same way as in the previous example.
116module_exit(procfs4_exit);
117
118MODULE_LICENSE("GPL");
- will still try to call 8 sysfs: Interacting with your module
-1ls -l /sys
-1make
@@ -2490,36 +2490,36 @@ accessible via sysfs is given below.
-
-1sudo lsmod | grep hello_sysfs
- myvariable
+ myvariable
?
1cat /sys/kernel/mymodule/myvariable
- myvariable
+ right before you do the myvariable
and check that it changed.
1echo "32" > /sys/kernel/mymodule/myvariable
2cat /sys/kernel/mymodule/myvariable
-1sudo rmmod hello_sysfs
-9 Talking To Device Files
- device_write
.
- ioctl
(short for Input Output ConTroL). Every device can have its own
ioctl
@@ -2541,12 +2541,12 @@ kernel), write ioctl’s (to return information to a process), both or neither.
here the roles of read and write are reversed again, so in ioctl’s read is to
send information to the kernel and write is to receive information from the
kernel.
- _IO
, _IOR
@@ -2557,11 +2557,11 @@ included both by the programs which will use ioctl (so they can generate the
appropriate ioctl’s) and by the kernel module (so it can understand it). In the
example below, the header file is chardev.h and the program which uses it is
ioctl.c.
-10 System Calls
- open()
system call. This meant I could not open any files, I could not run any
@@ -3059,7 +3059,7 @@ ensure you do not lose any files, even within a test environment, please run
insmod
and the rmmod
.
- strace <arguments>
.
- sys_call_table
@@ -3093,7 +3093,7 @@ different process, if the process time ran out). If you want to read this code,
at the source file arch/$(architecture)/kernel/entry.S, after the line
ENTRY(system_call)
.
- sys_call_table
@@ -3101,7 +3101,7 @@ code, and then calling the original function) and then change the pointer at
don’t want to leave the system in an unstable state, it’s important for
cleanup_module
to restore the table to its original state.
- sys_call_table
+ sys_call_table
, we need to consider the control register. A control register is a processor
register that changes or controls the general behavior of the CPU. For x86
architecture, the cr0 register has various control flags that modify the basic
@@ -3114,11 +3114,11 @@ read-only sections Therefore, we must disable the sys_call_table
+ sys_call_table
symbol is unexported to prevent misuse. But there have few ways to get the symbol, manual
symbol lookup and kallsyms_lookup_name
. Here we use both depend on the kernel version.
- kallsyms_lookup_name
+ kallsyms_lookup_name
is also unexported, it needs certain trick to get the address of
kallsyms_lookup_name
. If CONFIG_KPROBES
@@ -3158,7 +3158,7 @@ passes the addresses of the saved registers and the Kprobe struct to the handler
you defined, then executes it. Kprobes can be registered by symbol name
or address. Within the symbol name, the address will be handled by the
kernel.
- sys_call_table
+ sys_call_table
from /proc/kallsyms and /boot/System.map into
sym
parameter. Following is the sample usage for /proc/kallsyms:
@@ -3173,8 +3173,8 @@ ffffffff820013a0 R sys_call_table
ffffffff820023e0 R ia32_sys_call_table
$ sudo insmod syscall.ko sym=0xffffffff820013a0
-
- pr_info()
a message whenever that user opens a file. Towards this end, we
replace the system call to open a file with our own function, called
@@ -3247,7 +3247,7 @@ spy on, it calls pr_info()
to display the name of the file to be opened. Then, either way, it calls the original
open()
function with the same parameters, to actually open the file.
- init_module
+ init_module
function replaces the appropriate location in
sys_call_table
and keeps the original pointer in a variable. The
@@ -3265,7 +3265,7 @@ with B_open
, which will call what it thinks is the original system call,
A_open
, when it’s done.
- A_open
, which calls the original. However, if A is removed and then B is removed, the
system will crash. A’s removal will restore the system call to the original,
@@ -3285,7 +3285,7 @@ problem. When A is removed, it sees that the system call was changed to
A_open
which is no longer there, so that even without removing B the system would
crash.
- sys_call_table
is no longer exported. This means, if you want to do something more than a mere
@@ -3526,13 +3526,13 @@ dry run of this example, you will have to patch your current kernel in order to
227module_exit(syscall_end);
228
229MODULE_LICENSE("GPL");
-11 Blocking Processes and threads
-11.1 Sleep
- wait_event_interruptible
. The easiest way to keep a file open is to open it with:
1tail -f
- TASK_INTERRUPTIBLE
, which means that the task will not run until it is woken up somehow, and adds it to
WaitQ, the queue of tasks waiting to access the file. Then, the function calls the
scheduler to context switch to a different process, one which has some use for the
CPU.
- module_close
is called. That function wakes up all the processes in the queue (there’s no
mechanism to only wake up one of them). It then returns and the process which just
@@ -3567,31 +3567,31 @@ Eventually, one of the processes which was in the queue will be given control
of the CPU by the scheduler. It starts at the point right after the call to
module_interruptible_sleep_on
.
- tail -f
+ tail -f
to keep the file open in the background, while trying to access it with another
process (again in the background, so that we need not switch to a different vt). As
soon as the first background process is killed with kill %1 , the second is woken up, is
able to access the file and finally terminates.
- module_close
+ module_close
does not have a monopoly on waking up the processes which wait to access the file.
A signal, such as Ctrl +c (SIGINT) can also wake up a process. This is because we
used module_interruptible_sleep_on
. We could have used module_sleep_on
instead, but that would have resulted in extremely angry users whose Ctrl+c’s are
ignored.
- -EINTR
immediately. This is important so users can, for example, kill the process before it
receives the file.
- O_NONBLOCK
flag when opening the file. The kernel is supposed to respond by returning with the error
@@ -3627,7 +3627,7 @@ $ cat_nonblock /proc/sleep
Last input:
$
-1/*
@@ -3906,14 +3906,14 @@ $
57
58 return 0;
59}
-11.2 Completions
- /bin/sleep
commands, the kernel has another way to do this which allows timeouts or
interrupts to also happen.
- machine
+ machine
structure stores the completion states for the two threads. At the exit
point of each thread the respective completion state is updated, and
wait_for_completion
is used by the flywheel thread to ensure that it does not begin prematurely.
- flywheel_thread
+ flywheel_thread
is started first you should notice if you load this module and run
dmesg
that turning the crank always happens first because the flywheel thread waits for it
to complete.
- wait_for_completion
function, which include timeouts or being interrupted, but this basic mechanism is
enough for many common situations without adding a lot of complexity.
-12 Avoiding Collisions and Deadlocks
-12.1 Mutex
-12.2 Spinlocks
- flags
variable to retain their state.
@@ -4146,10 +4146,10 @@ they will not be forgotten and will activate when the unlock happens, using the
61
62MODULE_DESCRIPTION("Spinlock example");
63MODULE_LICENSE("GPL");
-12.3 Read and write locks
- read_lock(&myrwlock)
and read_unlock(&myrwlock)
or the corresponding write functions.
12.4 Atomic operations
-13 Replacing Print Macros
-13.1 Replacement
-13.2 Flashing keyboard LEDs
- timer_list
structure may be able to overwrite the
@@ -4448,7 +4448,7 @@ to use a unique prototype to separate from the cluster that takes an
container_of
macro instead of the unsigned long
value.
- setup_timer
+ setup_timer
was used to initialize the timer and the
timer_list
structure looked like:
@@ -4463,7 +4463,7 @@ to use a unique prototype to separate from the cluster that takes an
8
9void setup_timer(struct timer_list *timer, void (*callback)(unsigned long),
10 unsigned long data);
- timer_setup
+ timer_setup
is adopted and the kernel step by step converting to
timer_setup
from setup_timer
@@ -4477,7 +4477,7 @@ Moreover, the timer_setup
1void timer_setup(struct timer_list *timer,
2 void (*callback)(struct timer_list *), unsigned int flags);
- setup_timer
+ setup_timer
was then removed since v4.15. As a result, the
timer_list
structure had changed to the following.
@@ -4488,7 +4488,7 @@ Moreover, the timer_setup
4 u32 flags;
5 /* ... */
6};
- CONFIG_LL_DEBUG
in make menuconfig
@@ -4588,25 +4588,25 @@ everything what your code does over a serial line. If you find yourself porting
kernel to some new and former unsupported architecture, this is usually amongst the
first things that should be implemented. Logging over a netconsole might also be
worth a try.
-14 Scheduling Tasks
-14.1 Tasklets
- tasklet_fn
function runs for a few seconds and in the mean time execution of the
example_tasklet_init
@@ -4657,7 +4657,7 @@ better suited to running multiple things in a sequence.
42
43MODULE_DESCRIPTION("Tasklet example");
44MODULE_LICENSE("GPL");
- dmesg
+ dmesg
should show:
@@ -4669,23 +4669,23 @@ Example tasklet starts
Example tasklet init continues...
Example tasklet ends
- DECLARE_TASKLET_OLD
exists for compatibility. For further information, see https://lwn.net/Articles/830964/.
-14.2 Work queues
-15 Interrupt Handlers
-15.1 Interrupt Handlers
- ioctl()
, or issuing a system call. But the job of the kernel is not just to respond to process
requests. Another job, which is every bit as important, is to speak to the hardware
connected to the machine.
- request_irq()
to get your interrupt handler called when the relevant IRQ is received.
- SA_INTERRUPT
to indicate this is a fast interrupt. This function will only succeed if there is not
already a handler on this IRQ, or if you are both willing to share.
-15.2 Detecting button presses
-15.3 Bottom Half
-16 Crypto
-16.1 Hash functions
-1sudo insmod cryptosha256.ko
2sudo dmesg
-1sudo rmmod cryptosha256
-16.2 Symmetric key encryption
-17 Standardizing the interfaces: The Device Model
-18 Optimizations
-18.1 Likely and Unlikely conditions
- unlikely
+ unlikely
macro is used, the compiler alters its machine instruction output, so that it
continues along the false branch and only jumps if the condition is true. That
avoids flushing the processor pipeline. The opposite happens if you use the
likely
macro.
-19 Common Pitfalls
-19.1 Using standard libraries
-19.2 Disabling interrupts
-20 Where To Go From Here?
-