Merge tag 'trace-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
Pull tracing updates from Steven Rostedt:
"The main changes in this release include:

- Add user space specific memory reading for kprobes
- Allow kprobes to be executed earlier in boot

The rest are mostly just various clean ups and small fixes"

* tag 'trace-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: (33 commits)
  tracing: Make trace_get_fields() global
  tracing: Let filter_assign_type() detect FILTER_PTR_STRING
  tracing: Pass type into tracing_generic_entry_update()
  ftrace/selftest: Test if set_event/ftrace_pid exists before writing
  ftrace/selftests: Return the skip code when tracing directory not configured in kernel
  tracing/kprobe: Check registered state using kprobe
  tracing/probe: Add trace_event_call accesses APIs
  tracing/probe: Add probe event name and group name accesses APIs
  tracing/probe: Add trace flag access APIs for trace_probe
  tracing/probe: Add trace_event_file access APIs for trace_probe
  tracing/probe: Add trace_event_call register API for trace_probe
  tracing/probe: Add trace_probe init and free functions
  tracing/uprobe: Set print format when parsing command
  tracing/kprobe: Set print format right after parsed command
  kprobes: Fix to init kprobes in subsys_initcall
  tracepoint: Use struct_size() in kmalloc()
  ring-buffer: Remove HAVE_64BIT_ALIGNED_ACCESS
  ftrace: Enable trampoline when rec count returns back to one
  tracing/kprobe: Do not run kprobe boot tests if kprobe_event is on cmdline
  tracing: Make a separate config for trace event self tests
  ...
@@ -2011,6 +2011,19 @@
Built with CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y,
the default is off.
kprobe_event=[probe-list]
[FTRACE] Add kprobe events and enable at boot time.
The probe-list is a semicolon delimited list of probe
definitions. Each definition is same as kprobe_events
interface, but the parameters are comma delimited.
For example, to add a kprobe event on vfs_read with
arg1 and arg2, add to the command line;
kprobe_event=p,vfs_read,$arg1,$arg2
See also Documentation/trace/kprobetrace.rst "Kernel
Boot Parameter" section.
kpti= [ARM64] Control page table isolation of user
and kernel address spaces.
Default: enabled on cores which need mitigation.
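Review bot: The example in the kprobe_event= entry shows a single definition (kprobe_event=p,vfs_read,$arg1,$arg2), so the semicolon delimiter the entry describes is never demonstrated; an example with two definitions would make the list syntax unambiguous. In the same entry, "Each definition is same as kprobe_events interface" should read "the same as the kprobe_events interface", and "add to the command line;" should end with a colon rather than a semicolon.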
@@ -51,15 +51,17 @@ Synopsis of kprobe_events
$argN : Fetch the Nth function argument. (N >= 1) (\*1)
$retval : Fetch return value.(\*2)
$comm : Fetch current task comm.
+|-offs(FETCHARG) : Fetch memory at FETCHARG +|- offs address.(\*3)
+|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(\*3)(\*4)
NAME=FETCHARG : Set NAME as the argument name of FETCHARG.
FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types
(u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types
(x8/x16/x32/x64), "string" and bitfield are supported.
(x8/x16/x32/x64), "string", "ustring" and bitfield
are supported.
(\*1) only for the probe on function entry (offs == 0).
(\*2) only for return probe.
(\*3) this is useful for fetching a field of data structures.
(\*4) "u" means user-space dereference. See :ref:`user_mem_access`.
Types
-----
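Review bot: Footnote (\*4) says only that "u" means user-space dereference and defers everything else to the reference; since the synopsis is where most readers stop, it should also say that a dereference without "u" is not applied to user memory transparently, which is the caveat the User Memory Access section spells out. One extra clause in the footnote would prevent a probe that silently reads the wrong address space.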
@@ -77,7 +79,8 @@ apply it to registers/stack-entries etc. (for example, '$stack1:x8[8]' is
wrong, but '+8($stack):x8[8]' is OK.)
String type is a special type, which fetches a "null-terminated" string from
kernel space. This means it will fail and store NULL if the string container
has been paged out.
has been paged out. "ustring" type is an alternative of string for user-space.
See :ref:`user_mem_access` for more info..
The string array type is a bit different from other types. For other base
types, <base-type>[1] is equal to <base-type> (e.g. +0(%di):x32[1] is same
as +0(%di):x32.) But string[1] is not equal to string. The string type itself
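Review bot: The added sentence about "ustring" does not say whether it shares the failure behaviour the paragraph gives for "string" (fail and store NULL if the string container has been paged out); please state it either way, since user pages are the more likely ones to be absent. Minor: "for more info.." has a doubled period, and "an alternative of string for user-space" reads better as "an alternative to string for user-space".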
@@ -92,6 +95,25 @@ Symbol type('symbol') is an alias of u32 or u64 type (depends on BITS_PER_LONG)
which shows given pointer in "symbol+offset" style.
For $comm, the default type is "string"; any other type is invalid.
.. _user_mem_access:
User Memory Access
------------------
Kprobe events supports user-space memory access. For that purpose, you can use
either user-space dereference syntax or 'ustring' type.
The user-space dereference syntax allows you to access a field of a data
structure in user-space. This is done by adding the "u" prefix to the
dereference syntax. For example, +u4(%si) means it will read memory from the
address in the register %si offset by 4, and the memory is expected to be in
user-space. You can use this for strings too, e.g. +u0(%si):string will read
a string from the address in the register %si that is expected to be in user-
space. 'ustring' is a shortcut way of performing the same task. That is,
+0(%si):ustring is equivalent to +u0(%si):string.
Note that kprobe-event provides the user-memory access syntax but it doesn't
use it transparently. This means if you use normal dereference or string type
for user memory, it might fail, and may always fail on some archs. The user
has to carefully check if the target data is in kernel or user space.
Per-Probe Event Filtering
-------------------------
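Review bot: The closing note in the new User Memory Access section says a normal dereference or string type on user memory "might fail, and may always fail on some archs" but not what a failed fetch looks like in the trace output; the String type paragraph says it stores NULL, and this section should say what the reader will see here too, so a failed read is not mistaken for real data. Wording: "Kprobe events supports" should be "Kprobe events support", and the "user-" / "space" break at the end of a line will render as "user- space" once the paragraph is reflowed; keep "user-space" on one line.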
@@ -124,6 +146,20 @@ You can check the total number of probe hits and probe miss-hits via
The first column is event name, the second is the number of probe hits,
the third is the number of probe miss-hits.
Kernel Boot Parameter
---------------------
You can add and enable new kprobe events when booting up the kernel by
"kprobe_event=" parameter. The parameter accepts a semicolon-delimited
kprobe events, which format is similar to the kprobe_events.
The difference is that the probe definition parameters are comma-delimited
instead of space. For example, adding myprobe event on do_sys_open like below
p:myprobe do_sys_open dfd=%ax filename=%dx flags=%cx mode=+4($stack)
should be below for kernel boot parameter (just replace spaces with comma)
p:myprobe,do_sys_open,dfd=%ax,filename=%dx,flags=%cx,mode=+4($stack)
Usage examples
--------------
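Review bot: The boot-parameter form in the new Kernel Boot Parameter section is shown as "p:myprobe,do_sys_open,dfd=%ax,filename=%dx,flags=%cx,mode=+4($stack)" without the "kprobe_event=" prefix, while the kernel-parameters entry writes the full "kprobe_event=p,vfs_read,$arg1,$arg2"; show the complete parameter here as well so it can be copied to a command line as is. The two introducing lines ("like below" and "(just replace spaces with comma)") end without "::", so if the examples are meant as literal blocks they will not render as such. Wording: "accepts a semicolon-delimited kprobe events, which format is similar to the kprobe_events" should be "accepts a semicolon-delimited list of kprobe events, whose format is similar to that of kprobe_events".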
@@ -42,16 +42,18 @@ Synopsis of uprobe_tracer
@+OFFSET : Fetch memory at OFFSET (OFFSET from same file as PATH)
$stackN : Fetch Nth entry of stack (N >= 0)
$stack : Fetch stack address.
$retval : Fetch return value.(*)
$retval : Fetch return value.(\*1)
$comm : Fetch current task comm.
+|-offs(FETCHARG) : Fetch memory at FETCHARG +|- offs address.(**)
+|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(\*2)(\*3)
NAME=FETCHARG : Set NAME as the argument name of FETCHARG.
FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types
(u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types
(x8/x16/x32/x64), "string" and bitfield are supported.
(*) only for return probe.
(**) this is useful for fetching a field of data structures.
(\*1) only for return probe.
(\*2) this is useful for fetching a field of data structures.
(\*3) Unlike kprobe event, "u" prefix will just be ignored, becuse uprobe
events can access only user-space memory.
Types
-----
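Review bot: Footnote (\*3) in the uprobe synopsis documents that the "u" prefix is ignored, but the FETCHARG:TYPE entry in this hunk still lists only "string" and bitfield, so it is unclear whether "ustring" is accepted in uprobe events; say so explicitly, since definitions are likely to be copied between the kprobe and uprobe interfaces. Typo in the same footnote: "becuse" should be "because".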