Kprobes
From dankwiki
Revision as of 04:56, 6 October 2019
Kprobes use the breakpoint mechanism to dynamically instrument Linux kernel code. Two types exist: kprobes can be attached to all but a few blacklisted instruction ranges in a running kernel, while kretprobes are attached to a function and run when it returns. This instrumentation is typically packaged as a kernel module or eBPF.
==Kernel configuration==
<pre>CONFIG_KPROBES=y
CONFIG_HAVE_KPROBES=y
CONFIG_KPROBE_EVENTS=y</pre>
==Working with kprobes==
List the kernel functions that can be probed with <tt>perf probe -F</tt> (<tt>--funcs</tt>); <tt>perf probe -L FUNC</tt> then shows the source lines of a single function at which a probe can be placed. Functions the kernel refuses to probe are listed in <tt>/sys/kernel/debug/kprobes/blacklist</tt>, and the probes currently registered (by modules, eBPF or the tracefs interface alike) in <tt>/sys/kernel/debug/kprobes/list</tt>.
===Kprobe definition===
Taken from the 5.3.4 kernel source at [https://www.kernel.org/doc/Documentation/trace/kprobetrace.txt Documentation/trace/kprobetrace.txt]:
<pre> p[:[GRP/]EVENT] [MOD:]SYM[+offs]|MEMADDR [FETCHARGS] : Set a probe
 r[MAXACTIVE][:[GRP/]EVENT] [MOD:]SYM[+0] [FETCHARGS] : Set a return probe
 -:[GRP/]EVENT : Clear a probe

 GRP : Group name. If omitted, use "kprobes" for it.
 EVENT : Event name. If omitted, the event name is generated
 based on SYM+offs or MEMADDR.
 MOD : Module name which has given SYM.
 SYM[+offs] : Symbol+offset where the probe is inserted.
 MEMADDR : Address where the probe is inserted.
 MAXACTIVE : Maximum number of instances of the specified function that
 can be probed simultaneously, or 0 for the default value
 as defined in Documentation/kprobes.txt section 1.3.1.

 FETCHARGS : Arguments. Each probe can have up to 128 args.
 %REG : Fetch register REG
 @ADDR : Fetch memory at ADDR (ADDR should be in kernel)
 @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol)
 $stackN : Fetch Nth entry of stack (N >= 0)
 $stack : Fetch stack address.
 $argN : Fetch the Nth function argument. (N >= 1) (*1)
 $retval : Fetch return value.(*2)
 $comm : Fetch current task comm.
 +|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(*3)(*4)
 NAME=FETCHARG : Set NAME as the argument name of FETCHARG.
 FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types
 (u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types
 (x8/x16/x32/x64), "string", "ustring" and bitfield
 are supported.

 (*1) only for the probe on function entry (offs == 0).
 (*2) only for return probe.
 (*3) this is useful for fetching a field of data structures.
 (*4) "u" means user-space dereference. See :ref:`user_mem_access`.
</pre>
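The following script is an added example, not code from dankwiki or from the kernel documentation. It builds definition lines in the syntax quoted above, applies the rule that an omitted group defaults to <tt>kprobes</tt> when locating an event's tracefs directory, checks a symbol against <tt>available_filter_functions</tt> and the kprobes blacklist before probing it, and then installs an entry probe plus a return probe on <tt>do_sys_open</tt>, reads a snapshot of the trace buffer, and removes both. The tracefs mount point (<tt>/sys/kernel/tracing</tt>; older kernels use <tt>/sys/kernel/debug/tracing</tt>), the debugfs kprobes directory, the symbol <tt>do_sys_open</tt> and its argument order, the event names <tt>myopen</tt>/<tt>myopen_ret</tt> and all function names in the script are assumptions for this example; the live part only runs as root with a writable <tt>kprobe_events</tt>.

```shell
#!/bin/sh
# Added example (not dankwiki's own code): drive the kprobe_events interface
# using the definition syntax quoted above.  Assumed: tracefs is mounted at
# $TRACEFS, debugfs kprobes state lives at $KPROBES_DEBUGFS, and do_sys_open
# takes (dfd, filename, flags, mode) on this kernel.
TRACEFS=${TRACEFS:-/sys/kernel/tracing}
KPROBES_DEBUGFS=${KPROBES_DEBUGFS:-/sys/kernel/debug/kprobes}

# kprobe_def TYPE [GRP/]EVENT [MOD:]SYM[+offs] [FETCHARG...]
# Compose one definition line, e.g.
#   kprobe_def p myopen do_sys_open 'dfd=$arg1' 'filename=+0($arg2):ustring'
# gives:  p:myopen do_sys_open dfd=$arg1 filename=+0($arg2):ustring
kprobe_def() {
    _type=$1; _ev=$2; _sym=$3; shift 3
    printf '%s:%s %s' "$_type" "$_ev" "$_sym"
    for _a in "$@"; do printf ' %s' "$_a"; done
    printf '\n'
}

# kprobe_event_path DEFINITION
# Map a definition line to its tracefs directory (relative to $TRACEFS),
# applying the rule that an omitted GRP means "kprobes".  Unnamed events get
# a kernel-generated name and are rejected here (return 1).
kprobe_event_path() {
    _tok=${1%% *}                    # TYPE[MAXACTIVE][:[GRP/]EVENT]
    case $_tok in
        *:*) _name=${_tok#*:} ;;
        *)   return 1 ;;
    esac
    case $_name in
        */*) printf 'events/%s\n' "$_name" ;;
        *)   printf 'events/kprobes/%s\n' "$_name" ;;
    esac
}

# kprobe_symbol_ok SYM
# 0 if SYM is visible to ftrace and not on the kprobes blacklist, 1 if it is
# not probe-able, 2 if this cannot be determined (files unreadable).
kprobe_symbol_ok() {
    [ -r "$TRACEFS/available_filter_functions" ] || return 2
    grep -qx "$1" "$TRACEFS/available_filter_functions" || return 1
    if [ -r "$KPROBES_DEBUGFS/blacklist" ]; then
        grep -qw "$1" "$KPROBES_DEBUGFS/blacklist" && return 1
    fi
    return 0
}

# Append a definition; the kernel rejects malformed lines with EINVAL.
kprobe_install() { printf '%s\n' "$1" >> "$TRACEFS/kprobe_events"; }

# Clear a probe with the "-:[GRP/]EVENT" form derived from its definition.
kprobe_remove() {
    _p=$(kprobe_event_path "$1") || return 1
    printf '%s\n' "-:${_p#events/}" >> "$TRACEFS/kprobe_events"
}

# Only touch the live kernel when we are root and tracefs is writable.
if [ "$(id -u)" = 0 ] && [ -w "$TRACEFS/kprobe_events" ]; then
    DEF=$(kprobe_def p myopen do_sys_open 'dfd=$arg1' \
                     'filename=+0($arg2):ustring' 'flags=$arg3:x32')
    RET=$(kprobe_def r myopen_ret do_sys_open 'fd=$retval:s64')
    rc=0; kprobe_symbol_ok do_sys_open || rc=$?
    if [ "$rc" = 0 ]; then
        kprobe_install "$DEF" && kprobe_install "$RET"
        for d in "$DEF" "$RET"; do
            echo 1 > "$TRACEFS/$(kprobe_event_path "$d")/enable"
        done
        sleep 1                       # let some open(2) calls happen
        head -n 20 "$TRACEFS/trace"   # non-blocking snapshot of the ring buffer
        for d in "$DEF" "$RET"; do
            echo 0 > "$TRACEFS/$(kprobe_event_path "$d")/enable"
            kprobe_remove "$d"
        done
    else
        echo "do_sys_open is not probe-able on this kernel (rc=$rc)" >&2
    fi
fi
```

Two practical caveats. The filename is fetched with <tt>ustring</tt> because <tt>$arg2</tt> is a user-space pointer; a plain <tt>string</tt> would attempt a kernel dereference of a user address. And the value recorded is a snapshot taken at function entry: another thread in the same process can rewrite that buffer before the kernel reads it, so a kprobe trace shows what the caller passed at that instant, not necessarily what the syscall acted on. <tt>perf probe</tt> wraps exactly this interface, so anything it generates can be inspected by reading <tt>kprobe_events</tt> back.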
==Further reading==
* LWN's [https://lwn.net/Articles/132196/ Introduction to Kprobes], 2005-04-18