In the earliest days of operating systems, extending kernel functionality meant one thing: recompiling the entire kernel. This was not merely inconvenient—it was operationally catastrophic. Adding support for a new network card driver required shutting down production systems, rebuilding the kernel, and rebooting. In enterprise environments, this meant scheduled downtime, service disruptions, and the ever-present risk that the new kernel wouldn't boot correctly.
Dynamic loading fundamentally transformed this paradigm. It introduced the revolutionary concept that executable code could be inserted into a running kernel—safely, efficiently, and without requiring a reboot. This capability seems almost magical when you first encounter it: the kernel is running, executing critical system code, and yet we can add new code to it while it continues to operate.
Understanding dynamic loading is essential for any serious operating systems engineer. It reveals the sophisticated mechanisms that enable modern kernels to be both stable (by keeping the core minimal and well-tested) and extensible (by supporting thousands of hardware devices and features through loadable modules).
By the end of this page, you will understand the fundamental concepts of dynamic loading, including the distinction between compile-time and runtime linking, the mechanisms that enable code to be inserted into a running kernel, the role of symbol tables and relocation, and the architectural patterns that make kernel extensibility both possible and safe.
To understand why dynamic loading matters, we must first understand what it replaced: static linking. In a statically linked kernel, all code that will ever execute in kernel space must be determined at compile time and linked into a single, monolithic executable.
The compile-time commitment:
Static linking requires the kernel developer to anticipate every piece of hardware and every feature that any system running this kernel might need. The linker resolves all symbol references—every function call, every global variable access—at compile time, producing a single executable with fixed addresses.
This approach has one significant advantage: performance. Every function call resolves directly to a fixed address. There's no indirection, no symbol lookup at runtime, no relocation overhead. The resulting code is as fast as possible.
But the disadvantages are severe:

- Every driver and feature must be anticipated and compiled in, bloating the kernel with code most systems never execute
- Supporting new hardware requires rebuilding the kernel and rebooting
- Hardware vendors cannot ship drivers independently of the kernel itself
- Every change, however small, risks destabilizing the entire kernel image
The Windows 3.1 case study:
Early versions of Microsoft Windows exemplified the static linking problem. Hardware vendors had to work with Microsoft to include their drivers in the Windows distribution. Installing a new piece of hardware often meant obtaining floppy disks with driver files that the operating system would copy and recognize only after a reboot—and sometimes only after reinstallation.
The UNIX evolution:
Traditional UNIX systems took a different approach. The kernel source was available, and system administrators could rebuild a custom kernel including only the drivers needed for their specific hardware. While this was more efficient than Windows's approach, it required expertise that most users lacked and still demanded downtime for every kernel update.
Static linking involves several phases: compilation (source to object files), symbol resolution (matching function calls to definitions), relocation (adjusting addresses for final placement), and output generation (creating the executable). Dynamic loading shifts some of these phases from compile time to runtime.
Dynamic loading is the ability to load executable code into a running program's address space after that program has started execution. When applied to operating system kernels, it enables inserting new kernel code—device drivers, filesystems, network protocols, and more—into the running kernel without rebooting.
This capability rests on three fundamental mechanisms:
- A relocatable code format, so module code can execute wherever the kernel chooses to place it
- A symbol table, which maps names (such as pci_register_driver) to memory addresses; the symbol table enables the loader to resolve references between the new code and the existing kernel
- Relocation processing, which patches the module's addresses once its load location is known

The loading workflow:
When the operating system dynamically loads a kernel module, a precise sequence of operations occurs:

1. Read the module's object file and parse its sections
2. Allocate kernel memory and copy the module's code and data into it
3. Resolve the module's undefined symbols against the kernel symbol table
4. Apply relocations so all addresses point to their final locations
5. Call the module's initialization entry point
Modern modules are often compiled as position-independent code, which uses relative addressing instead of absolute addresses. PIC reduces the number of relocations required, as the code can execute correctly regardless of where it's loaded. This is especially important for shared libraries in user space, but has implications for kernel modules as well.
Memory allocation for modules:
Kernel modules require special memory allocation. Unlike user-space programs that receive virtual address space from the kernel, modules need memory in the kernel's own address space. This memory must be:

- Located within the kernel's portion of the address space, close enough to the core kernel that 32-bit relative calls and jumps can reach it
- Mapped with the correct permissions for each section (executable for code, writable for data)
- Permanently resident: kernel memory is never paged out
Symbol resolution is the heart of dynamic loading. A kernel module is not a standalone program—it's a fragment of code designed to integrate with the kernel. It calls kernel functions, accesses kernel data structures, and registers itself with kernel subsystems. All these interactions are mediated through symbols.
What is a symbol?
A symbol is a named entity in compiled code—a function, a global variable, or a code label. The compiler generates symbol table entries for each symbol, recording:
- The symbol's name (e.g., printk, kmalloc, current)
- Its value (an address or section offset)
- Its size, for data objects
- Its type (function, data object, or section)
- Its binding (local, global, or weak)
// Conceptual representation of an ELF symbol table entry
typedef struct {
    uint32_t st_name;   // Offset into string table for symbol name
    uint32_t st_value;  // Symbol value (address or offset)
    uint32_t st_size;   // Size of the symbol (for data objects)
    uint8_t  st_info;   // Type and binding attributes
    uint8_t  st_other;  // Visibility and other attributes
    uint16_t st_shndx;  // Section index where symbol is defined
} Elf32_Sym;

// Example symbol types
#define STT_NOTYPE  0   // Symbol type is unspecified
#define STT_OBJECT  1   // Symbol is a data object
#define STT_FUNC    2   // Symbol is a function
#define STT_SECTION 3   // Symbol is associated with a section

// Example symbol bindings
#define STB_LOCAL  0    // Local symbol (not visible outside object file)
#define STB_GLOBAL 1    // Global symbol (visible to all object files)
#define STB_WEAK   2    // Weak symbol (can be overridden)

The kernel symbol table:
For modules to reference kernel functions, the kernel must maintain a symbol table of exported symbols. Not all kernel symbols are exported—only those explicitly marked for module use. In Linux, this is done with EXPORT_SYMBOL() and EXPORT_SYMBOL_GPL() macros:
void printk(const char *fmt, ...);
EXPORT_SYMBOL(printk); // Available to all modules
void internal_kernel_function(void);
// Not exported — modules cannot call this
Symbol lookup during loading:
When a module is loaded, the loader examines its undefined symbols—references to external entities not defined within the module. For each undefined symbol, the loader searches the kernel symbol table. If a match is found, the symbol's address is recorded for use during relocation; if no match exists, loading fails (Linux reports an "Unknown symbol" error).
The kernel symbol table can contain thousands of symbols. Symbol name collisions can cause incorrect linking. Modern kernels use symbol namespacing (prefixes) and version information to ensure modules link against the correct symbols. Linux uses module versioning (CONFIG_MODVERSIONS) to detect ABI incompatibilities.
Module-to-module dependencies:
Modules can export symbols for use by other modules, creating a dependency graph. For example:
- usbcore exports USB infrastructure symbols
- usb_storage depends on usbcore symbols and exports storage-related symbols
- Higher-level drivers depend on usb_storage symbols

The module loader must process dependencies in the correct order. If module A depends on module B, module B must be loaded first. This is typically resolved through dependency metadata computed ahead of time: on Linux, depmod records each module's dependencies in modules.dep, and modprobe loads prerequisites automatically.
Relocation is the process of adjusting addresses within code to account for where the code is actually loaded in memory. When a compiler generates an object file, it doesn't know where the code will eventually reside. It uses placeholder addresses or offsets that must be fixed up by the linker (for static linking) or the loader (for dynamic loading).
Why relocation is necessary:
Consider a simple function call:
void my_driver_init(void) {
    printk("Driver initialized\n");
}
The compiled code will contain a CALL instruction targeting printk. But at compile time, the address of printk is unknown—it depends on the kernel binary and where the kernel is loaded. The compiler emits a relocation entry recording:
- The offset within the module where the patch must be applied
- The relocation type, which specifies how to compute the final value
- The symbol being referenced (printk)

Common x86-64 relocation types:

| Type | Description | Calculation | Usage |
|---|---|---|---|
| R_X86_64_64 | Absolute 64-bit address | S + A | Data pointers, function pointers |
| R_X86_64_PC32 | 32-bit PC-relative | S + A - P | Function calls, control flow |
| R_X86_64_PLT32 | PLT entry reference | L + A - P | External function calls |
| R_X86_64_GOTPCREL | GOT entry, PC-relative | G + GOT + A - P | Global variable access |
| R_X86_64_32S | Signed 32-bit absolute | S + A | 32-bit signed addresses |
Where:

- S = the value (address) of the symbol
- A = the addend stored in the relocation entry
- P = the address of the location being patched (the "place")
- L = the address of the symbol's PLT entry
- G = the offset of the symbol's GOT entry
- GOT = the address of the Global Offset Table
Relocation processing:
The module loader processes relocations in this sequence:
1. Locate the module's relocation sections (.rela.text, .rela.data, etc.)
2. For each relocation entry, look up the referenced symbol
3. Compute the value according to the relocation type
4. Patch the computed value into the target location
// Simplified relocation processing
void apply_relocations(Module *mod, RelocationSection *rela_sec) {
    for (int i = 0; i < rela_sec->num_entries; i++) {
        RelocationEntry *rel = &rela_sec->entries[i];

        // Get the symbol being referenced
        Symbol *sym = lookup_symbol(mod, rel->symbol_index);

        // Get the address where we need to patch
        void *patch_location = mod->load_address + rel->offset;

        // Calculate the new value based on relocation type
        uint64_t symbol_value = resolve_symbol(sym);
        uint64_t addend = rel->addend;
        uint64_t place = (uint64_t)patch_location;

        switch (rel->type) {
        case R_X86_64_64:
            // Absolute 64-bit: S + A
            *(uint64_t*)patch_location = symbol_value + addend;
            break;
        case R_X86_64_PC32:
            // PC-relative 32-bit: S + A - P
            *(int32_t*)patch_location =
                (int32_t)(symbol_value + addend - place);
            break;
        // ... handle other relocation types
        }
    }
}

Object formats support two relocation styles: REL (implicit addend stored at the patch location) and RELA (explicit addend in the relocation entry). Modern x86-64 ELF uses RELA exclusively, as explicit addends are clearer and avoid the need to read-modify-write during relocation.
Once a module is loaded into memory and all relocations are applied, it's essentially dormant code—present but not active. The initialization entry point brings the module to life, allowing it to register with kernel subsystems, allocate resources, and announce its presence.
The initialization contract:
Kernel modules follow a well-defined contract:
- An init function: called exactly once when the module loads; it returns 0 on success or a negative error code, in which case loading is aborted
- An exit function: called exactly once when the module unloads; it must release every resource the init function acquired
#include <linux/module.h>
#include <linux/init.h>

// Module initialization function
static int __init my_module_init(void)
{
    int ret;

    printk(KERN_INFO "My module: initializing...\n");

    // Allocate resources
    ret = allocate_device_memory();
    if (ret < 0) {
        printk(KERN_ERR "My module: memory allocation failed\n");
        return ret;  // Return error, module loading fails
    }

    // Register with a subsystem
    ret = register_character_device();
    if (ret < 0) {
        printk(KERN_ERR "My module: device registration failed\n");
        free_device_memory();  // Clean up previous allocation
        return ret;
    }

    printk(KERN_INFO "My module: initialized successfully\n");
    return 0;  // Success
}

// Module cleanup function
static void __exit my_module_exit(void)
{
    printk(KERN_INFO "My module: cleaning up...\n");

    unregister_character_device();
    free_device_memory();

    printk(KERN_INFO "My module: cleanup complete\n");
}

// Register the init and exit functions
module_init(my_module_init);
module_exit(my_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Kernel Developer");
MODULE_DESCRIPTION("Example loadable kernel module");

Finding the entry point:
The loader needs to know which function to call for initialization. This is recorded in the module's metadata:
- Special sections: .init.text for initialization code, .exit.text for cleanup code
- A conventional entry-point symbol (init_module in Linux)

The __init and __exit markers:
Linux uses GCC attributes to optimize module code:
#define __init __attribute__((section(".init.text")))
#define __exit __attribute__((section(".exit.text")))
Code marked __init is placed in a special section that can be discarded after initialization—the function will never be called again, so its memory can be reclaimed. Similarly, __exit code is discarded entirely if the module is compiled into the kernel (since built-in code can never be "unloaded").
Not all module setup happens in the init function. Device drivers often register themselves and then wait for hardware events. The init function sets up the registration; actual device initialization happens when hardware is detected (probe function) or when user space opens the device.
The ability to unload a module is as important as loading it. Modules consume kernel memory, and in embedded systems, memory is precious. More critically, unloading enables driver upgrades—replacing an older driver with a newer version without rebooting.
The unloading challenge:
Unloading is far more complex than loading. A loaded module has integrated itself into the kernel:

- Its functions may be registered as callbacks with kernel subsystems
- Other modules may depend on its exported symbols
- User processes may hold open file descriptors backed by its devices
- Its code may be executing on another CPU at this very moment
Removing the module while any of these conditions exist would cause system crashes. The unloading process must verify that removal is safe.
The cleanup function:
Every well-designed module provides a cleanup function that reverses everything the initialization function did:
static void __exit my_module_exit(void)
{
// Unregister from subsystems in reverse order
unregister_character_device();
// Free allocated resources
free_device_memory();
// Cancel any pending work
cancel_delayed_work_sync(&my_work);
    printk(KERN_INFO "Module unloaded\n");
}
The unloading sequence:

1. Verify that the module's reference count is zero (no remaining users or dependent modules)
2. Call the module's exit function so it can unregister from subsystems and release resources
3. Remove the module's exported symbols from the kernel symbol table
4. Free the module's memory
Linux supports 'forced' unloading with rmmod -f, which bypasses safety checks. This is dangerous—it can crash the system if the module is in use. Forced unloading exists only for development and testing scenarios where a buggy module must be removed even if safety checks fail.
Kernel modules must coexist with the kernel and other modules in the kernel address space. Understanding how this memory is organized is crucial for both performance and security.
Address space considerations:
In a 64-bit Linux kernel, the virtual address space is typically split:
User space: 0x0000_0000_0000_0000 — 0x0000_7FFF_FFFF_FFFF
(128 TB of user-accessible memory)
Kernel space: 0xFFFF_8000_0000_0000 — 0xFFFF_FFFF_FFFF_FFFF
(128 TB of kernel-accessible memory)
Within kernel space, modules are loaded into a specific region. On x86-64 Linux, this is typically around 0xFFFF_FFFF_C000_0000 (the "module area").
| Section | Purpose | Permissions | Notes |
|---|---|---|---|
| .text | Executable code | Read + Execute | Variable |
| .rodata | Read-only data (strings, constants) | Read only | Variable |
| .data | Initialized writable data | Read + Write | Variable |
| .bss | Zero-initialized data | Read + Write | Minimal |
| .init.text | Initialization code (freed after init) | Read + Execute | Freed |
| .exit.text | Cleanup code | Read + Execute | Freed for built-ins |
| .symtab | Symbol table | Read only | Debug only |
Memory protection and W^X:
Modern kernels enforce W^X (Write XOR Execute)—memory that is writable cannot be executable, and vice versa. This is a critical security measure:

- Module .text and .init.text are mapped read + execute, never writable
- Module .data and .bss are mapped read + write, never executable
This prevents attackers who corrupt data from injecting executable shellcode.
Module memory allocation:
The kernel provides special allocation functions for module memory:
// Allocate memory for a module
void *module_alloc(unsigned long size);
// Free module memory
void module_memfree(void *ptr);
These differ from regular kmalloc because they allocate from the module region with appropriate permissions, and they may use different page sizes or mapping strategies optimized for code.
Kernel Address Space Layout Randomization (KASLR) randomizes where modules are loaded. This makes exploits that depend on knowing module addresses more difficult. The module loader adds randomization to the base address within the module region.
Dynamic loading is the architectural foundation that enables modern operating systems to be both lean and extensible. We've explored the mechanisms that make this possible:

- Symbol tables and symbol resolution, which let new code reference the running kernel
- Relocation, which fixes up addresses once a load location is chosen
- The initialization and cleanup contract that brings modules to life and retires them safely
- Module memory layout and protections (W^X, KASLR) within the kernel address space
What's next:
Now that we understand the foundations of dynamic loading, we'll examine the concrete format used by Linux: the kernel object file format (.ko). We'll see how ELF structures are extended with Linux-specific sections and how the modprobe, insmod, and rmmod tools interact with the kernel loader.
You now understand the fundamental mechanisms of dynamic loading—symbol resolution, relocation, initialization, and memory management. This knowledge forms the basis for understanding how real operating systems implement loadable kernel modules.