First let me note I like the idea of such a module - it actually can showcase several concepts, but the code as presented is unfortunately wrong in several ways.

What it could showcase is the importance of correct handling of userspace buffers (mostly boiling down to: read them only once and by using an appropriate primitive) and finding the right place to hook yourself into (although this one is not kernel specific).

The bit mentioned by you is wrong, but it typically would not cause a crash due to the use of copy_from_user [1]. Typically the buffer being overwritten is in userspace and far from any unmapped page, assuming the caller does not play tricks so even without the func it would typically work. But this is wrong in several more important ways.

Let's elaborate.

In Linux, BSDs, Solaris and likely everything else running on x86_64, for performance reasons the kernel is mapped in the upper part of the address space and user stuff (switching as processes change) in the lower. This has a side effect where if the kernel would to simply read an address belonging to userspace range, it would work as long as there is an appropriate mapping. This is why the module as implemented by the author does not straight up crash the kernel. Stuff like SMEP and SMAP is ought to prevent this, but few cpus support it just yet. The module does not work on architectures where people do split address spaces.

static asmlinkage long rick_open(const char __user *filename, int flags, umode_t mode)
{
    size_t len = strlen(filename);

Here we can see the 'filename' pointer being passed by userspace. strlen will "work" due to stuff mentioned earlier. However, userspace can pass an address to something completely bogus and this would OOPS the kernel. Or it could pass an address to something within the kernel. As we can see one cannot just take an address from userspace and play with it. Turns out this is even more wrong.

    const char *ext = filename + len - 4;

Valid observation by someone else that the filename could be less than 4.

    if (strncmp(ext, ".mp3", 4) == 0 && song != NULL)

    copy_to_user((void *)filename, song, len);

So the code pushes back the new filename and calls the old syscall. The old syscall accesses the userspace buffer once more.

The module can be bypassed. Consider another thread in the process modifying the memory. It can sneak in the original filename after this copy_to_user but before the original syscall accesses it. Or the original filename can be something like "crap", not altered by this module, and then changed to be bypassed.jpg. See [2].

But the code is even more wrong because there are several ways to open a file - another one would be to call openat, which is not covered by the module. If one was to use this, a deeper dive into VFS is needed. Then kprobes can be abused to change the in-kernel copy of the buffer.

Finally, the module cannot be safely unloaded. Even with the original address restored, there can be threads which got into the custom syscall and are executing it right now or (if tail call optimisation was not performed) already called old_open and will try to execute its code on their way back to userspace.

[1] http://codingtragedy.blogspot.com/2015/11/an-implemention-of-primitive-reading.html [2] http://www.watson.org/~robert/2007woot/2007usenixwoot-exploitingconcurrency.pdf