system call hook triggers kernel panic

Yi Li adamliyi at msn.com
Thu Oct 17 21:33:35 AEDT 2019



> On Oct 17, 2019, at 12:29 PM, Oliver O'Halloran <oohall at gmail.com> wrote:
> 
> 
> The ABI (v1 and v2) uses r2 as a pointer to the "table of contents"
> which is used to look up the addresses of global symbols. TOCs are
> specific to the current unit of execution and the vmlinux and each
> module has its own TOC. From the dump it looks like the r2 is pointing
> into the vmalloc area where modules are loaded so odds are the crash
> is because the TOC isn't being restored when we return from the
> patched function. One of the many reasons why you really shouldn't
> hook the syscall table ;)
> 
> The vmlinux's TOC is saved somewhere in the PACA (legacy ppc specific
> per-cpu thing) so you could restore it with some inline asm before
> returning from your hook. Have a look at what we do to load r2 in the
> system call entry path.
> 

Thanks for the insight!
I tried to restore 'r2' before returning from the system call, and there is no kernel panic:

"
#include <linux/kernel.h>
#include <linux/linkage.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/err.h>
#include <asm/paca.h>

/* original sys_umount entry, saved when the table was patched (setup not shown in the post) */
static asmlinkage long (*orig_umount)(char __user *name, int flags);

static asmlinkage long umount_hook(char __user *name, int flags)
{
        char *dir_name;
        long ret;

        /* strndup_user() returns an ERR_PTR on failure, never NULL */
        dir_name = strndup_user(name, 512);
        if (!IS_ERR(dir_name)) {
                printk(KERN_NOTICE "umount %s 0x%x\n", dir_name, flags);
                kfree(dir_name);
        }

        ret = orig_umount(name, flags);

        printk(KERN_NOTICE "umount2 returned %ld\n", ret);

        /*
         * r2 now holds the module's TOC, but the vmlinux syscall exit path
         * expects the kernel TOC, which the PACA (r13) keeps in kernel_toc
         * (PACATOC). The "i" operand emits the same "ld 2,16(13)" as the
         * literal offset but tracks struct paca_struct if its layout moves.
         * The compiler is not told r2 changed, so nothing TOC-relative may
         * be emitted between this asm and the return.
         */
        asm volatile("ld 2,%0(13)"
                     : : "i"(offsetof(struct paca_struct, kernel_toc))
                     : "memory");

        return ret;
}
"


More information about the Linuxppc-dev mailing list