The Linux Kernel Module Programming Guide is a free book; you may reproduce and/or modify it under the terms of the \href{https://opensource.org/licenses/OSL-3.0}{Open Software License}, version 3.0.
This book is distributed in the hope it will be useful, but without any warranty, without even the implied warranty of merchantability or fitness for a particular purpose.
The author encourages wide distribution of this book for personal or commercial use, provided the above copyright notice remains intact and the method adheres to the provisions of the \href{https://opensource.org/licenses/OSL-3.0}{Open Software License}.
In summary, you may copy and distribute this book free of charge or for a profit. No explicit permission is required from the author for reproduction of this book in any medium, physical or electronic.
Derivative works and translations of this document must be placed under the Open Software License, and the original copyright notice must remain intact.
If you have contributed new material to this book, you must make the material and source code available for your revisions.
If you publish or distribute this book commercially, donations, royalties, and/or printed copies are greatly appreciated by the author and the \href{http://www.tldp.org}{Linux Documentation Project} (LDP).
Contributing in this way shows your support for free software and the LDP. If you have questions or comments, please contact the address above.
Eventually, Peter no longer had time to follow developments with the 2.6 kernel, so Michael Burian became a co-maintainer to update the document for the 2.6 kernels.
Bob Mottram updated the examples for 3.8+ kernels.
The following people have contributed corrections or good suggestions: Ignacio Martin, David Porter, Daniele Paolo Scarpazza, Dimo Velev, Francois Audeon, Horst Schirmeier, and Roman Lakeev.
You know C, you have written a few normal programs to run as processes, and now you want to get to where the real action is, to where a single wild pointer can wipe out your file system and a core dump means a reboot.
For the purposes of following this guide you don't necessarily need to do that.
However, it would be wise to run the examples within a test distribution running on a virtual machine in order to avoid any possibility of messing up your system.
Modules can not print to the screen like \verb|printf()| can, but they can log information and warnings, which ends up being printed on your screen, but only on a console.
If you insmod a module from an xterm, the information and warnings will be logged, but only to your systemd journal.
You will not see it unless you look through your \verb|journalctl|.
Kernel modules must have at least two functions: a "start" (initialization) function called \textbf{init\_module()} which is called when the module is insmoded into the kernel, and an "end" (cleanup) function called \textbf{cleanup\_module()} which is called just before it is removed from the kernel.
Actually, things have changed starting with kernel 2.3.13.
% TODO: adjust the section anchor
You can now use whatever name you like for the start and end functions of a module, and you will learn how to do this in Section 2.3.
In fact, the new method is the preferred method.
However, many people still use \verb|init_module()| and \verb|cleanup_module()| for their start and end functions.
Typically, init\_module() either registers a handler for something with the kernel, or it replaces one of the kernel functions with its own code (usually code to do something and then call the original function).
The \verb|cleanup_module()| function is supposed to undo whatever \verb|init_module()| did, so the module can be unloaded safely.
Another thing which may not be immediately obvious to anyone getting started with kernel programming is that indentation within your code should be using \textbf{tabs} and \textbf{not spaces}.
It is one of the coding conventions of the kernel.
You may not like it, but you'll need to get used to it if you ever submit a patch upstream.
\item Introducing print macros.
In the beginning there was \textbf{printk}, usually followed by a priority such as \verb|KERN_INFO| or \verb|KERN_DEBUG|.
More recently this can also be expressed in abbreviated form using a set of print macros, such as \textbf{pr\_info} and \textbf{pr\_debug}.
This just saves some mindless keyboard bashing and looks a bit neater.
They can be found within \textbf{linux/printk.h}.
Take time to read through the available priority macros.
\item About Compiling.
Kernel modules need to be compiled a bit differently from regular userspace apps.
Former kernel versions required us to care much about these settings, which are usually stored in Makefiles.
Although hierarchically organized, many redundant settings accumulated in sublevel Makefiles and made them large and rather difficult to maintain.
Fortunately, there is a new way of doing these things, called kbuild, and the build process for external loadable modules is now fully integrated into the standard kernel build mechanism.
To learn more on how to compile modules which are not part of the official kernel (such as all the examples you will find in this guide), see file \verb|Documentation/kbuild/modules.rst|.
Additional details about Makefiles for kernel modules are available in \verb|Documentation/kbuild/makefiles.rst|. Be sure to read this and the related files before starting to hack Makefiles. It will probably save you lots of work.
In early kernel versions you had to use the \textbf{init\_module} and \textbf{cleanup\_module} functions, as in the first hello world example, but these days you can name those anything you want by using the \textbf{module\_init} and \textbf{module\_exit} macros.
These macros are defined in \textbf{linux/init.h}. The only requirement is that your init and cleanup functions must be defined before calling the those macros, otherwise you'll get compilation errors.
Now have a look at \verb|linux/drivers/char/Makefile| for a real world example.
As you can see, some things get hardwired into the kernel (\verb|obj-y|) but where are all those \verb|obj-m| gone?
Those familiar with shell scripts will easily be able to spot them.
For those not, the \verb|obj-$(CONFIG_FOO)| entries you see everywhere expand into \verb|obj-y| or \verb|obj-m|, depending on whether the \verb|CONFIG_FOO| variable has been set to y or m.
While we are at it, those were exactly the kind of variables that you have set in the \verb|linux/.confi|g file, the last time when you said make menuconfig or something like that.
This demonstrates a feature of kernel 2.2 and later.
Notice the change in the definitions of the init and cleanup functions.
The \textbf{\_\_init} macro causes the init function to be discarded and its memory freed once the init function finishes for built-in drivers, but not loadable modules.
If you think about when the init function is invoked, this makes perfect sense.
The \textbf{\_\_exit} macro causes the omission of the function when the module is built into the kernel, and like \_\_init, has no effect for loadable modules.
Again, if you consider when the cleanup function runs, this makes complete sense; built-in drivers do not need a cleanup function, while loadable modules do.
To allow arguments to be passed to your module, declare the variables that will take the values of the command line arguments as global and then use the module\_param() macro, (defined in linux/moduleparam.h) to set the mechanism up.
The module\_param() macro takes 3 arguments: the name of the variable, its type and permissions for the corresponding file in sysfs.
Integer types can be signed as usual or unsigned. If you'd like to use arrays of integers or strings see \verb|module_param_array()| and \verb|module_param_string()|.
Obviously, we strongly suggest you to recompile your kernel, so that you can enable a number of useful debugging features, such as forced module unloading (\textbf{MODULE\_FORCE\_UNLOAD}): when this option is enabled, you can force the kernel to unload a module even when it believes it is unsafe, via a \textbf{sudo rmmod -f module} command.
This option can save you a lot of time and a number of reboots during the development of a module.
If you do not want to recompile your kernel then you should consider running the examples within a test distribution on a virtual machine.
If you mess anything up then you can easily reboot or restore the virtual machine (VM).
There are a number of cases in which you may want to load your module into a precompiled running kernel, such as the ones shipped with common Linux distributions, or a kernel you have compiled in the past.
In certain circumstances you could require to compile and insert a module into a running kernel which you are not allowed to recompile, or on a machine that you prefer not to reboot.
If you can't think of a case that will force you to use modules for a precompiled kernel you might want to skip this and treat the rest of this chapter as a big footnote.
Now, if you just install a kernel source tree, use it to compile your kernel module and you try to insert your module into the kernel, in most cases you would obtain an error as follows:
\begin{verbatim}
insmod: error inserting 'poet_atkm.ko': -1 Invalid module format
\end{verbatim}
Less cryptical information are logged to the systemd journal:
\begin{verbatim}
Jun 4 22:07:54 localhost kernel: poet_atkm: version magic '2.6.5-1.358custom 686
REGPARM 4KSTACKS gcc-3.3' should be '2.6.5-1.358 686 REGPARM 4KSTACKS gcc-3.3'
To overcome this problem we could resort to the \textbf{--force-vermagic} option, but this solution is potentially unsafe, and unquestionably inacceptable in production modules.
Consequently, we want to compile our module in an environment which was identical to the one in which our precompiled kernel was built.
How to do this, is the subject of the remainder of this chapter.
Let's focus again on the previous error message: a closer look at the version magic strings suggests that, even with two configuration files which are exactly the same, a slight difference in the version magic could be possible, and it is sufficient to prevent insertion of the module into the kernel.
That slight difference, namely the custom string which appears in the module's version magic and not in the kernel's one, is due to a modification with respect to the original, in the makefile that some distribution include.
Then, examine your \textbf{/usr/src/linux/Makefile}, and make sure that the specified version information matches exactly the one used for your current kernel. For example, you makefile could start as follows:
In this case, you need to restore the value of symbol \textbf{EXTRAVERSION} to \textbf{-rc2}.
We suggest to keep a backup copy of the makefile used to compile your kernel available in \textbf{/lib/modules/5.14.0-rc2/build}.
A simple \textbf{cp /lib/modules/`uname-r`/build/Makefile /usr/src/linux-`uname -r`} should suffice.
% TODO: out-of-date information
Additionally, if you already started a kernel build with the previous (wrong) Makefile, you should also rerun make, or directly modify symbol UTS\_RELEASE in file \textbf{/usr/src/linux-5.14.0/include/linux/version.h} according to contents of file \textbf{/lib/modules/5.14.0/build/include/linux/version.h}, or overwrite the latter with the first.
If you do not desire to actually compile the kernel, you can interrupt the build process (CTRL-C) just after the SPLIT line, because at that time, the files you need will be are ready.
Now you can turn back to the directory of your module and compile it: It will be built exactly according to your current kernel settings, and it will load into it without any errors.
A program usually begins with a \textbf{main()} function, executes a bunch of instructions and terminates upon completion of those instructions.
Kernel modules work a bit differently. A module always begin with either the init\_module or the function you specify with module\_init call.
This is the entry function for modules; it tells the kernel what functionality the module provides and sets up the kernel to run the module's functions when they are needed.
Once it does this, entry function returns and the module does nothing until the kernel wants to do something with the code that the module provides.
Every module must have an entry function and an exit function.
Since there's more than one way to specify entry and exit functions, I'll try my best to use the terms ``entry function'' and ``exit function'', but if I slip and simply refer to them as init\_module and cleanup\_module, I think you'll know what I mean.
Programmers use functions they do not define all the time. A prime example of this is \textbf{printf()}.
You use these library functions which are provided by the standard C library, libc.
The definitions for these functions do not actually enter your program until the linking stage, which insures that the code (for printf() for example) is available, and fixes the call instruction to point to that code.
Kernel modules are different here, too. In the hello world example, you might have noticed that we used a function, \textbf{pr\_info()} but did not include a standard I/O library.
That is because modules are object files whose symbols get resolved upon insmod'ing.
The definition for the symbols comes from the kernel itself; the only external functions you can use are the ones provided by the kernel.
If you're curious about what symbols have been exported by your kernel, take a look at \textbf{/proc/kallsyms}.
One point to keep in mind is the difference between library functions and system calls. Library functions are higher level, run completely in user space and provide a more convenient interface for the programmer to the functions that do the real work --- system calls.
System calls run in kernel mode on the user's behalf and are provided by the kernel itself.
The library function printf() may look like a very general printing function, but all it really does is format the data into strings and write the string data using the low-level system call write(), which then sends the data to standard output.
\href{https://strace.io/}{strace} is a handy program that gives you details about what system calls a program is making, including which call is made, what its arguments are and what it returns.
It is an invaluable tool for figuring out things like what files a program is trying to access.
Towards the end, you will see a line which looks like \verb|write(1, "hello", 5hello)|.
There it is.
The face behind the printf() mask.
You may not be familiar with write, since most people use library functions for file I/O (like fopen, fputs, fclose).
If that is the case, try looking at man 2 write.
The 2nd man section is devoted to system calls (like kill() and read()).
The 3rd man section is devoted to library calls, which you would probably be more familiar with (like cosh() and random()).
You can even write modules to replace the kernel's system calls, which we will do shortly.
Crackers often make use of this sort of thing for backdoors or trojans, but you can write your own modules to do more benign things, like have the kernel write Tee hee, that tickles! everytime someone tries to delete a file on your system.
A kernel is all about access to resources, whether the resource in question happens to be a video card, a hard drive or even memory.
Programs often compete for the same resource. As I just saved this document, updatedb started updating the locate database.
My vim session and updatedb are both using the hard drive concurrently.
The kernel needs to keep things orderly, and not give users access to resources whenever they feel like it.
To this end, a CPU can run in different modes.
Each mode gives a different level of freedom to do what you want on the system.
The Intel 80386 architecture had 4 of these modes, which were called rings. Unix uses only two rings; the highest ring (ring 0, also known as ``supervisor mode'' where everything is allowed to happen) and the lowest ring, which is called ``user mode''.
Recall the discussion about library functions vs system calls.
Typically, you use a library function in user mode.
The library function calls one or more system calls, and these system calls execute on the library function's behalf, but do so in supervisor mode since they are part of the kernel itself.
Once the system call completes its task, it returns and execution gets transfered back to user mode.
When you write a small C program, you use variables which are convenient and make sense to the reader.
If, on the other hand, you are writing routines which will be part of a bigger problem, any global variables you have are part of a community of other peoples' global variables; some of the variable names can clash.
When a program has lots of global variables which aren't meaningful enough to be distinguished, you get namespace pollution.
In large projects, effort must be made to remember reserved names, and to find ways to develop a scheme for naming unique variable names and symbols.
When writing kernel code, even the smallest module will be linked against the entire kernel, so this is definitely an issue.
The best way to deal with this is to declare all your variables as static and to use a well-defined prefix for your symbols.
By convention, all kernel prefixes are lowercase. If you do not want to declare everything as static, another option is to declare a symbol table and register it with a kernel.
The file \textbf{/proc/kallsyms} holds all the symbols that the kernel knows about and which are therefore accessible to your modules since they share the kernel's codespace.
Memory management is a very complicated subject and the majority of O'Reilly's "\emph{Understanding The Linux Kernel}" exclusively covers memory management!
We are not setting out to be experts on memory managements, but we do need to know a couple of facts to even begin worrying about writing real modules.
If you have not thought about what a segfault really means, you may be surprised to hear that pointers do not actually point to memory locations.
Not real ones, anyway.
When a process is created, the kernel sets aside a portion of real physical memory and hands it to the process to use for its executing code, variables, stack, heap and other things which a computer scientist would know about.
This memory begins with 0x00000000 and extends up to whatever it needs to be.
Since the memory space for any two processes do not overlap, every process that can access a memory address, say 0xbffff978, would be accessing a different location in real physical memory! The processes would be accessing an index named 0xbffff978 which points to some kind of offset into the region of memory set aside for that particular process.
For the most part, a process like our Hello, World program can't access the space of another process, although there are ways which we will talk about later.
The kernel has its own space of memory as well. Since a module is code which can be dynamically inserted and removed in the kernel (as opposed to a semi-autonomous object), it shares the kernel's codespace rather than having its own.
Therefore, if your module segfaults, the kernel segfaults.
And if you start writing over data because of an off-by-one error, then you're trampling on kernel data (or code).
This is even worse than it sounds, so try your best to be careful.
By the way, I would like to point out that the above discussion is true for any operating system which uses a monolithic kernel.
This is not quite the same thing as \emph{"building all your modules into the kernel"}, although the idea is the same.
There are things called microkernels which have modules which get their own codespace.
The GNU Hurd and the Zircon kernel of Google Fuchsia are two examples of a microkernel.
One class of module is the device driver, which provides functionality for hardware like a serial port.
On Unix, each piece of hardware is represented by a file located in /dev named a device file which provides the means to communicate with the hardware.
The device driver provides the communication on behalf of a user program.
So the es1370.ko sound card device driver might connect the /dev/sound device file to the Ensoniq IS1370 sound card.
A userspace program like mp3blaster can use /dev/sound without ever knowing what kind of sound card is installed.
The minor number is used by the driver to distinguish between the various hardware it controls.
Returning to the example above, although all three devices are handled by the same driver they have unique minor numbers because the driver sees them as being different pieces of hardware.
Devices are divided into two types: character devices and block devices.
The difference is that block devices have a buffer for requests, so they can choose the best order in which to respond to the requests.
This is important in the case of storage devices, where it is faster to read or write sectors which are close to each other, rather than those which are further apart.
Another difference is that block devices can only accept input and return output in blocks (whose size can vary according to the device), whereas character devices are allowed to use as many or as few bytes as they like.
Most devices in the world are character, because they don't need this type of buffering, and they don't operate with a fixed block size.
You can tell whether a device file is for a block device or a character device by looking at the first character in the output of ls -l.
If it is `b' then it is a block device, and if it is `c' then it is a character device.
The devices you see above are block devices. Here are some character devices (the serial ports):
When the system was installed, all of those device files were created by the mknod command.
To create a new char device named `coffee' with major/minor number 12 and 2, simply do mknod /dev/coffee c 12 2.
You do not have to put your device files into /dev, but it is done by convention.
Linus put his device files in /dev, and so should you.
However, when creating a device file for testing purposes, it is probably OK to place it in your working directory where you compile the kernel module.
Just be sure to put it in the right place when you're done writing the device driver.
The \verb|file_operations| structure is defined in \textbf{/usr/include/linux/fs.h}, and holds pointers to functions defined by the driver that perform various operations on the device.
However, there is also a C99 way of assigning to elements of a structure, \href{https://gcc.gnu.org/onlinedocs/gcc/Designated-Inits.html}{designated initializers}, and this is definitely preferred over using the GNU extension.
You should use this syntax in case someone wants to port your driver.
An instance of struct \verb|file_operations| containing pointers to functions that are used to implement read, write, open, \ldots{} syscalls is commonly named fops.
Sin Linux v5.6, the \verb|proc_ops| structure was introduced to replace the use of the \verb|file_operations| structure when registering proc handlers.
As discussed earlier, char devices are accessed through device files, usually located in /dev.
This is by convention. When writing a driver, it is OK to put the device file in your current directory.
Just make sure you place it in /dev for a production driver.
The major number tells you which driver handles which device file.
The minor number is used only by the driver itself to differentiate which device it is operating on, just in case the driver handles more than one device.
where unsigned int major is the major number you want to request, \emph{const char *name} is the name of the device as it will appear in \textbf{/proc/devices} and \emph{struct file\_operations *fops} is a pointer to the \verb|file_operations| table for your driver.
First, the driver itself can print the newly assigned number and we can make the device file by hand.
Second, the newly registered device will have an entry in \textbf{/proc/devices}, and we can either make the device file by hand or write a shell script to read the file in and make the device file.
The third method is we can have our driver make the the device file using the \textbf{device\_create} function after a successful registration and \textbf{device\_destroy} during the call to cleanup\_module.
We can not allow the kernel module to be rmmod'ed whenever root feels like it.
If the device file is opened by a process and then we remove the kernel module, using the file would cause a call to the memory location where the appropriate function (read/write) used to be.
If we are lucky, no other code was loaded there, and we'll get an ugly error message.
If we are unlucky, another kernel module was loaded into the same location, which means a jump into the middle of another function within the kernel.
The results of this would be impossible to predict, but they can not be very positive.
Normally, when you don't want to allow something, you return an error code (a negative number) from the function which is supposed to do it.
With cleanup\_module that's impossible because it is a void function.
However, there is a counter which keeps track of how many processes are using your module.
You can see what its value is by looking at the 3rd field of \textbf{/proc/modules}.
If this number isn't zero, rmmod will fail. Note that you don't have to check the counter from within cleanup\_module because the check will be performed for you by the system call sys\_delete\_module, defined in \textbf{linux/module.c}.
You should not use this counter directly, but there are functions defined in \textbf{linux/module.h} which let you increase, decrease and display this counter:
It is important to keep the counter accurate; if you ever do lose track of the correct usage count, you will never be able to unload the module; it's now reboot time, boys and girls.
This is bound to happen to you sooner or later during a module's development.
(or open the file with a program) and the driver will put the number of times the device file has been read from into the file.
We do not support writing to the file (like \textbf{echo "hi" > /dev/hello}), but catch these attempts and tell the user that the operation is not supported.
Don't worry if you don't see what we do with the data we read into the buffer; we don't do much with it.
We simply read in the data and print a message acknowledging that we received it.
The system calls, which are the major interface the kernel shows to the processes, generally stay the same across versions.
A new system call may be added, but usually the old ones will behave exactly like they used to.
This is necessary for backward compatibility -- a new kernel version is not supposed to break regular processes.
In most cases, the device files will also remain the same. On the other hand, the internal interfaces within the kernel can and do change between versions.
There are differences between different kernel versions, and if you want to support multiple kernel versions, you will find yourself having to code conditional compilation directives.
While previous versions of this guide showed how you can write backward compatible code with such constructs in great detail, we decided to break with this tradition for the better.
People interested in doing such might now use a LKMPG with a version matching to their kernel.
In Linux, there is an additional mechanism for the kernel and kernel modules to send information to processes --- the \textbf{/proc} file system.
Originally designed to allow easy access to information about processes (hence the name), it is now used by every bit of the kernel which has something interesting to report, such as \textbf{/proc/modules} which provides the list of modules and \textbf{/proc/meminfo} which stats memory usage statistics.
The method to use the proc file system is very similar to the one used with device drivers --- a structure is created with all the information needed for the \textbf{/proc} file, including pointers to any handler functions (in our case there is only one, the one called when somebody attempts to read from the \textbf{/proc} file).
Then, init\_module registers the structure with the kernel and cleanup\_module unregisters it.
Normal file systems are located on a disk, rather than just in memory (which is where \textbf{/proc} is), and in that case the inode number is a pointer to a disk location where the file's index-node (inode for short) is located.
The inode contains information about the file, for example the file's permissions, together with a pointer to the disk location or locations where the file's data can be found.
Because we don't get called when the file is opened or closed, there's nowhere for us to put try\_module\_get and try\_module\_put in this module, and if the file is opened and then the module is removed, there's no way to avoid the consequences.
There are three parts: create the file \textbf{/proc/helloworld} in the function init\_module, return a value (and a buffer) when the file \textbf{/proc/helloworld} is read in the callback function \textbf{procfile\_read}, and delete the file \textbf{/proc/helloworld} in the function cleanup\_module.
The \textbf{/proc/helloworld} is created when the module is loaded with the function \textbf{proc\_create}.
The return value is a \textbf{struct proc\_dir\_entry} , and it will be used to configure the file \textbf{/proc/helloworld} (for example, the owner of this file).
A null return value means that the creation has failed.
The \verb|proc_ops| structure is defined in \textbf{/usr/include/linux/proc\_fs.h} in Linux v5.6+.
In older kernels, it used \verb|file_operations| for custom hooks in \textbf{/proc} file system, but it contains some members that are unnecessary in VFS, and every time VFS expands \verb|file_operations| set, \textbf{/proc} code comes bloated.
On the other hand, not only the space, but also some operations were saved by this structure to improve its performance.
For example, the file which never disappears in \textbf{/proc} can set the \textbf{proc\_flag} as \textbf{PROC\_ENTRY\_PERMANENT} to save 2 atomic ops, 1 allocation, 1 free in per open/read/close sequence.
We have seen a very simple example for a /proc file where we only read the file /proc/helloworld.
It is also possible to write in a /proc file.
It works the same way as read, a function is called when the /proc file is written.
But there is a little difference with read, data comes from user, so you have to import data from user space to kernel space (with copy\_from\_user or get\_user)
The reason for copy\_from\_user or get\_user is that Linux memory (on Intel architecture, it may be different under some other processors) is segmented.
This means that a pointer, by itself, does not reference a unique location in memory, only a location in a memory segment, and you need to know which memory segment it is to be able to use it.
There is one memory segment for the kernel, and one for each of the processes.
The only memory segment accessible to a process is its own, so when writing regular programs to run as processes, there is no need to worry about segments.
When you write a kernel module, normally you want to access the kernel memory segment, which is handled automatically by the system.
However, when the content of a memory buffer needs to be passed between the currently running process and the kernel, the kernel function receives a pointer to the memory buffer which is in the process segment.
The put\_user and get\_user macros allow you to access that memory.
As the buffer (in read or write function) is in kernel space, for write function you need to import data because it comes from user space, but not for the read function because data is already in kernel space.
In Linux, there is a standard mechanism for file system registration.
Since every file system has to have its own functions to handle inode and file operations, there is a special structure to hold pointers to all those functions, struct \textbf{inode\_operations}, which includes a pointer to struct proc\_ops.
The difference between file and inode operations is that file operations deal with the file itself whereas inode operations deal with ways of referencing the file, such as creating links to it.
In /proc, whenever we register a new file, we're allowed to specify which struct inode\_operations will be used to access to it.
This is the mechanism we use, a struct inode\_operations which includes a pointer to a struct proc\_ops which includes pointers to our procfs\_read and procfs\_write functions.
Another interesting point here is the \verb|module_permission| function.
This function is called whenever a process tries to do something with the /proc file, and it can decide whether to allow access or not.
Right now it is only based on the operation and the uid of the current user (as available in current, a pointer to a structure which includes information on the currently running process), but it could be based on anything we like, such as what other processes are doing with the same file, the time of day, or the last input we received.
It is important to note that the standard roles of read and write are reversed in the kernel.
Read functions are used for output, whereas write functions are used for input.
The reason for that is that read and write refer to the user's point of view --- if a process reads something from the kernel, then the kernel needs to output it, and if a process writes something to the kernel, then the kernel receives it as input.
Device files are supposed to represent physical devices.
Most physical devices are used for output as well as input, so there has to be some mechanism for device drivers in the kernel to get the output to send to the device from processes.
This is done by opening the device file for output and writing to it, just like writing to a file.
In the following example, this is implemented by device\_write.
Imagine you had a serial port connected to a modem (even if you have an internal modem, it is still implemented from the CPU's perspective as a serial port connected to a modem, so you don't have to tax your imagination too hard).
The natural thing to do would be to use the device file to write things to the modem (either modem commands or data to be sent through the phone line) and read things from the modem (either responses for commands or the data received through the phone line).
However, this leaves open the question of what to do when you need to talk to the serial port itself, for example to send the rate at which data is sent and received.
The answer in Unix is to use a special function called \textbf{ioctl} (short for Input Output ConTroL).
Every device can have its own ioctl commands, which can be read ioctl's (to send information from a process to the kernel), write ioctl's (to return information to a process), both or neither.
Notice here the roles of read and write are reversed again, so in ioctl's read is to send information to the kernel and write is to receive information from the kernel.
The ioctl function is called with three parameters: the file descriptor of the appropriate device file, the ioctl number, and a parameter, which is of type long so you can use a cast to use it to pass anything.
You will not be able to pass a structure this way, but you will be able to pass a pointer to the structure.
The ioctl number encodes the major device number, the type of the ioctl, the command, and the type of the parameter.
This ioctl number is usually created by a macro call (\_IO, \_IOR, \_IOW or \_IOWR --- depending on the type) in a header file.
This header file should then be included both by the programs which will use ioctl (so they can generate the appropriate ioctl's) and by the kernel module (so it can understand it).
In the example below, the header file is chardev.h and the program which uses it is ioctl.c.
If you want to use ioctls in your own kernel modules, it is best to receive an official ioctl assignment, so if you accidentally get somebody else's ioctls, or if they get yours, you'll know something is wrong.
% FIXME: use the right entry about ioctl assignment
For more information, consult the kernel source tree at Documentation/ioctl-number.txt.
So far, the only thing we've done was to use well defined kernel mechanisms to register \textbf{/proc} files and device handlers.
This is fine if you want to do something the kernel programmers thought you'd want, such as write a device driver.
But what if you want to do something unusual, to change the behavior of the system in some way?
Then, you are mostly on your own.
If you are not being sensible and using a virtual machine then this is where kernel programming can become hazardous.
While writing the example below, I killed the \textbf{open()} system call.
This meant I could not open any files, I could not run any programs, and I could not shutdown the system.
I had to restart the virtual machine.
No important files got anihilated, but if I was doing this on some live mission critical system then that could have been a possible outcome.
To ensure you do not lose any files, even within a test environment, please run \textbf{sync} right before you do the \textbf{insmod} and the \textbf{rmmod}.
Forget about \textbf{/proc} files, forget about device files.
They are just minor details.
Minutiae in the vast expanse of the universe.
The real process to kernel communication mechanism, the one used by all processes, is \emph{system calls}.
When a process requests a service from the kernel (such as opening a file, forking to a new process, or requesting more memory), this is the mechanism used.
If you want to change the behaviour of the kernel in interesting ways, this is the place to do it.
By the way, if you want to see which system calls a program uses, run \verb|strace <arguments>|.
In general, a process is not supposed to be able to access the kernel.
It can not access kernel memory and it can't call kernel functions.
The hardware of the CPU enforces this (that is the reason why it is called ``protected mode'' or ``page protection'').
System calls are an exception to this general rule.
What happens is that the process fills the registers with the appropriate values and then calls a special instruction which jumps to a previously defined location in the kernel (of course, that location is readable by user processes, it is not writable by them).
Under Intel CPUs, this is done by means of interrupt 0x80. The hardware knows that once you jump to this location, you are no longer running in restricted user mode, but as the operating system kernel --- and therefore you're allowed to do whatever you want.
% FIXME: recent kernel changes the system call entries
The location in the kernel a process can jump to is called \verb|system_call|.
The procedure at that location checks the system call number, which tells the kernel what service the process requested.
Then, it looks at the table of system calls (\verb|sys_call_table|) to see the address of the kernel function to call.
Then it calls the function, and after it returns, does a few system checks and then return back to the process (or to a different process, if the process time ran out).
If you want to read this code, it is at the source file \verb|arch/$(architecture)/kernel/entry.S|, after the line \verb|ENTRY(system_call)|.
So, if we want to change the way a certain system call works, what we need to do is to write our own function to implement it (usually by adding a bit of our own code, and then calling the original function) and then change the pointer at sys\_call\_table to point to our function.
Because we might be removed later and we don't want to leave the system in an unstable state, it's important for cleanup\_module to restore the table to its original state.
The source code here is an example of such a kernel module.
We want to ``spy'' on a certain user, and to \textbf{pr\_info()} a message whenever that user opens a file.
Towards this end, we replace the system call to open a file with our own function, called \textbf{our\_sys\_open}.
This function checks the uid (user's id) of the current process, and if it is equal to the uid we spy on, it calls pr\_info() to display the name of the file to be opened.
Then, either way, it calls the original open() function with the same parameters, to actually open the file.
The \textbf{init\_module} function replaces the appropriate location in \textbf{sys\_call\_table} and keeps the original pointer in a variable.
The cleanup\_module function uses that variable to restore everything back to normal.
This approach is dangerous, because of the possibility of two kernel modules changing the same system call.
Imagine we have two kernel modules, A and B. A's open system call will be A\_open and B's will be B\_open.
Now, when A is inserted into the kernel, the system call is replaced with A\_open, which will call the original sys\_open when it is done.
Next, B is inserted into the kernel, which replaces the system call with B\_open, which will call what it thinks is the original system call, A\_open, when it's done.
Now, if B is removed first, everything will be well --- it will simply restore the system call to A\_open, which calls the original.
However, if A is removed and then B is removed, the system will crash.
A's removal will restore the system call to the original, sys\_open, cutting B out of the loop.
Then, when B is removed, it will restore the system call to what it thinks is the original, \textbf{A\_open}, which is no longer in memory.
At first glance, it appears we could solve this particular problem by checking if the system call is equal to our open function and if so not changing it at all (so that B won't change the system call when it is removed), but that will cause an even worse problem.
When A is removed, it sees that the system call was changed to \textbf{B\_open} so that it is no longer pointing to \textbf{A\_open}, so it will not restore it to \textbf{sys\_open} before it is removed from memory.
Unfortunately, \textbf{B\_open} will still try to call \textbf{A\_open} which is no longer there, so that even without removing B the system would crash.
Note that all the related problems make syscall stealing unfeasiable for production use.
In order to keep people from doing potential harmful things \textbf{sys\_call\_table} is no longer exported.
This means, if you want to do something more than a mere dry run of this example, you will have to patch your current kernel in order to have \verb|sys_call_table| exported.
In the example directory you will find a README and the patch.
As you can imagine, such modifications are not to be taken lightly.
Do not try this on valueable systems (ie systems that you do not own - or cannot restore easily).
You will need to get the complete sourcecode of this guide as a tarball in order to get the patch and the README.
Depending on your kernel version, you might even need to hand apply the patch.
What do you do when somebody asks you for something you can not do right away?
If you are a human being and you are bothered by a human being, the only thing you can say is: "\emph{Not right now, I'm busy. Go away!}".
But if you are a kernel module and you are bothered by a process, you have another possibility.
You can put the process to sleep until you can service it.
After all, processes are being put to sleep by the kernel and woken up all the time (that is the way multiple processes appear to run on the same time on a single CPU).
This kernel module is an example of this.
The file (called \textbf{/proc/sleep}) can only be opened by a single process at a time.
If the file is already open, the kernel module calls \verb|wait_event_interruptible|.
The easiest way to keep a file open is to open it with:
This function changes the status of the task (a task is the kernel data structure which holds information about a process and the system call it is in,
if any) to \textbf{TASK\_INTERRUPTIBLE}, which means that the task will not run until it is woken up somehow, and adds it to WaitQ, the queue of tasks waiting to access the file.
Then, the function calls the scheduler to context switch to a different process, one which has some use for the CPU.
This means that the process is still in kernel mode - as far as the process is concerned, it issued the open system call and the system call has not returned yet.
The process does not know somebody else used the CPU for most of the time between the moment it issued the call and the moment it returned.
So we will use \verb|tail -f| to keep the file open in the background, while trying to access it with another process (again in the background, so that we need not switch to a different vt).
As soon as the first background process is killed with kill \%1 , the second is woken up, is able to access the file and finally terminates.
In that case, we want to return with \textbf{-EINTR} immediately. This is important so users can, for example, kill the process before it receives the file.
There is one more point to remember. Some times processes don't want to sleep, they want either to get what they want immediately, or to be told it cannot be done.
Such processes use the \verb|O_NONBLOCK| flag when opening the file.
The kernel is supposed to respond by returning with the error code \textbf{-EAGAIN} from operations which would otherwise block, such as opening the file in this example. The program \verb|cat_nonblock|, available in the \textit{examples/other} directory for this chapter, can be used to open a file with \verb|O_NONBLOCK|.
The \emph{machine} structure stores the completion states for the two threads.
At the exit point of each thread the respective completion state is updated, and \verb|{wait_for_completion| is used by the flywheel thread to ensure that it does not begin prematurely.
So even though \emph{flywheel\_thread} is started first you should notice if you load this module and run \emph{dmesg} that turning the crank always happens first because the flywheel thread waits for it to complete.
There are other variations upon the \verb|wait_for_completion| function, which include timeouts or being interrupted, but this basic mechanism is enough for many common situations without adding a lot of complexity.
If processes running on different CPUs or in different threads try to access the same memory, then it is possible that strange things can happen or your system can lock up.
To avoid this, various types of mutual exclusion kernel functions are available.
These indicate if a section of code is "locked" or "unlocked" so that simultaneous attempts to run it can not happen.
As the name suggests, spinlocks lock up the CPU that the code is running on, taking 100\% of its resources.
Because of this you should only use the spinlock mechanism around code which is likely to take no more than a few milliseconds to run and so will not noticably slow anything down from the user's point of view.
The example here is \emph{"irq safe"} in that if interrupts happen during the lock then they will not be forgotten and will activate when the unlock happens, using the \emph{flags} variable to retain their state.
Read and write locks are specialised kinds of spinlocks so that you can exclusively read from something or write to something.
Like the earlier spinlocks example the one below shows an "irq safe" situation in which if other functions were triggered from irqs which might also read and write to whatever you are concerned with then they would not disrupt the logic.
As before it is a good idea to keep anything done within the lock as short as possible so that it does not hang up the system and cause users to start revolting against the tyranny of your module.
Of course, if you know for sure that there are no functions triggered by irqs which could possibly interfere with your logic then you can use the simpler \emph{read\_lock(\&myrwlock)} and \emph{read\_unlock(\&myrwlock)} or the corresponding write functions.
If you are doing simple arithmetic: adding, subtracting or bitwise operations then there is another way in the multi-CPU and multi-hyperthreaded world to stop other parts of the system from messing with your mojo.
By using atomic operations you can be confident that your addition, subtraction or bit flip did actually happen and was not overwritten by some other shenanigans.
In Section 1.2.1.2, I said that X and kernel module programming do not mix.
That is true for developing kernel modules, but in actual use, you want to be able to send messages to whichever tty the command to load the module came from.
"tty" is an abbreviation of \emph{teletype}: originally a combination keyboard-printer used to communicate with a Unix system, and today an abstraction for the text stream used for a Unix program, whether it is a physical terminal, an xterm on an X display, a network connection used with ssh, etc.
In certain conditions, you may desire a simpler and more direct way to communicate to the external world.
Flashing keyboard LEDs can be such a solution: It is an immediate way to attract attention or to display a status condition.
Keyboard LEDs are present on every hardware, they are always visible, they do not need any setup, and their use is rather simple and non-intrusive, compared to writing to a tty or a file.
If none of the examples in this chapter fit your debugging needs there might yet be some other tricks to try.
Ever wondered what \verb|CONFIG_LL_DEBUG| in make menuconfig is good for?
If you activate that you get low level access to the serial port.
While this might not sound very powerful by itself, you can patch \textbf{kernel/printk.c} or any other essential syscall to print ASCII characters, thus makeing it possible to trace virtually everything what your code does over a serial line.
If you find yourself porting the kernel to some new and former unsupported architecture, this is usually amongst the first things that should be implemented.
Logging over a netconsole might also be worth a try.
There are two main ways of running tasks: tasklets and work queues.
Tasklets are a quick and easy way of scheduling a single function to be run, for example when triggered from an interrupt, whereas work queues are more complicated but also better suited to running multiple things in a sequence.
The \verb|tasklet_fn| function runs for a few seconds and in the mean time execution of the \verb|example_tasklet_init| function continues to the exit point.
Except for the last chapter, everything we did in the kernel so far we have done as a response to a process asking for it, either by dealing with a special file, sending an \verb|ioctl()|, or issuing a system call.
But the job of the kernel is not just to respond to process requests.
Another job, which is every bit as important, is to speak to the hardware connected to the machine.
There are two types of interaction between the CPU and the rest of the computer's hardware.
The first type is when the CPU gives orders to the hardware, the other is when the hardware needs to tell the CPU something.
The second, called interrupts, is much harder to implement because it has to be dealt with when convenient for the hardware, not the CPU.
Hardware devices typically have a very small amount of RAM, and if you do not read their information when available, it is lost.
Under Linux, hardware interrupts are called IRQ's (Interrupt ReQuests).
There are two types of IRQ's, short and long.
A short IRQ is one which is expected to take a very short period of time, during which the rest of the machine will be blocked and no other interrupts will be handled.
A long IRQ is one which can take longer, and during which other interrupts may occur (but not interrupts from the same device).
If at all possible, it is better to declare an interrupt handler to be long.
When the CPU receives an interrupt, it stops whatever it is doing (unless it is processing a more important interrupt, in which case it will deal with this one only when the more important one is done),
saves certain parameters on the stack and calls the interrupt handler.
This means that certain things are not allowed in the interrupt handler itself, because the system is in an unknown state.
The solution to this problem is for the interrupt handler to do what needs to be done immediately, usually read something from the hardware or send something to the hardware, and then schedule the handling of the new information at a later time (this is called the "bottom half") and return.
The kernel is then guaranteed to call the bottom half as soon as possible -- and when it does, everything allowed in kernel modules will be allowed.
In practice IRQ handling can be a bit more complex.
Hardware is often designed in a way that chains two interrupt controllers, so that all the IRQs from interrupt controller B are cascaded to a certain IRQ from interrupt controller A.
Of course, that requires that the kernel finds out which IRQ it really was afterwards and that adds overhead. Other architectures offer some special, very low overhead, so called "fast IRQ" or FIQs.
To take advantage of them requires handlers to be written in assembler, so they do not really fit into the kernel.
They can be made to work similar to the others, but after that procedure, they are no longer any faster than "common" IRQs.
SMP enabled kernels running on systems with more than one processor need to solve another truckload of problems.
It is not enough to know if a certain IRQs has happend, it's also important for what CPU(s) it was for.
People still interested in more details, might want to refer to "APIC" now.
This function receives the IRQ number, the name of the function, flags, a name for \verb|/proc/interrupts| and a parameter to pass to the interrupt handler.
Usually there is a certain number of IRQs available.
How many IRQs there are is hardware-dependent.
The flags can include \verb|SA_SHIRQ| to indicate you are willing to share the IRQ with other interrupt handlers (usually because a number of hardware devices sit on the same IRQ) and \verb|SA_INTERRUPT| to indicate this is a fast interrupt.
This function will only succeed if there is not already a handler on this IRQ, or if you are both willing to share.
Many popular single board computers, such as Raspberry Pi or Beagleboards, have a bunch of GPIO pins.
Attaching buttons to those and then having a button press do something is a classic case in which you might need to use interrupts,
so that instead of having the CPU waste time and battery power polling for a change in input state it is better for the input to trigger the CPU to then run a particular handling function.
At the dawn of the internet everybody trusted everybody completely\ldots{}but that did not work out so well.
When this guide was originally written it was a more innocent era in which almost nobody actually gave a damn about crypto - least of all kernel developers.
That is certainly no longer the case now.
To handle crypto stuff the kernel has its own API enabling common methods of encryption, decryption and your favourite hash functions.
\section{Standardizing the interfaces: The Device Model}
\label{sec:device_model}
Up to this point we have seen all kinds of modules doing all kinds of things, but there was no consistency in their interfaces with the rest of the kernel.
To impose some consistency such that there is at minimum a standardized way to start, suspend and resume a device a device model was added.
An example is show below, and you can use this as a template to add your own suspend, resume or other interface functions.
Sometimes you might want your code to run as quickly as possible, especially if it is handling an interrupt or doing something which might cause noticible latency.
If your code contains boolean conditions and if you know that the conditions are almost always likely to evaluate as either \emph{true} or \emph{false},
then you can allow the compiler to optimize for this using the \emph{likely} and \emph{unlikely} macros.
When the \emph{unlikely} macro is used, the compiler alters its machine instruction output, so that it continues along the false branch and only jumps if the condition is true.
That avoids flushing the processor pipeline.
The opposite happens if you use the \emph{likely} macro.
You might need to do this for a short time and that is OK, but if you do not enable them afterwards, your system will be stuck and you will have to power it off.
For people seriously interested in kernel programming, I recommend \href{https://kernelnewbies.org}{kernelnewbies.org} and the \emph{Documentation} subdirectory within the kernel source code which is bot always easy to understand but can be a starting point for further investigation.
Also, as Linus Torvalds said, the best way to learn the kernel is to read the source code yourself.
If you are interested in more examples of short kernel modules then searching on sites such as Github and Gitlab is a good way to start, although there is a lot of duplication of older LKMPG examples which may not compile with newer kernel versions.
You will also be able to find examples of the use of kernel modules to attack or compromise systems or exfiltrate data and those can be useful for thinking about how to defend systems and learning about existing security mechanisms within the kernel.