Kprobes: Difference between revisions
Edit summary: →Kernel configuration: add necessary FTRACE options
Revision as of 05:03, 6 October 2019
Kprobes use the breakpoint mechanism to dynamically instrument Linux kernel code. Two types exist: a kprobe can be attached to almost any instruction in a running kernel (a few blacklisted ranges excepted), while a kretprobe is attached to a function and fires when that function returns. The instrumentation itself is typically packaged as a kernel module or an eBPF program.
Kernel configuration
```text
CONFIG_KPROBES=y
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
CONFIG_KPROBE_EVENTS=y
```
Working with kprobes
The primary means for working with kprobes from userspace is sysfs and the perf tool.
| Task | sysfs | perf |
|---|---|---|
| List enabled kprobes | cat /sys/kernel/debug/tracing/kprobe_events | perf probe -l |
| Enable kprobe | echo > /sys/kernel/debug/tracing/kprobe_events | perf probe -a |
Kprobe definition
Taken from the 5.3.4 kernel source at Documentation/trace/kprobetrace.txt:
```text
p[:[GRP/]EVENT] [MOD:]SYM[+offs]|MEMADDR [FETCHARGS]  : Set a probe
r[MAXACTIVE][:[GRP/]EVENT] [MOD:]SYM[+0] [FETCHARGS]  : Set a return probe
-:[GRP/]EVENT                                         : Clear a probe

 GRP            : Group name. If omitted, use "kprobes" for it.
 EVENT          : Event name. If omitted, the event name is generated
                  based on SYM+offs or MEMADDR.
 MOD            : Module name which has given SYM.
 SYM[+offs]     : Symbol+offset where the probe is inserted.
 MEMADDR        : Address where the probe is inserted.
 MAXACTIVE      : Maximum number of instances of the specified function that
                  can be probed simultaneously, or 0 for the default value
                  as defined in Documentation/kprobes.txt section 1.3.1.

 FETCHARGS      : Arguments. Each probe can have up to 128 args.
  %REG          : Fetch register REG
  @ADDR         : Fetch memory at ADDR (ADDR should be in kernel)
  @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol)
  $stackN       : Fetch Nth entry of stack (N >= 0)
  $stack        : Fetch stack address.
  $argN         : Fetch the Nth function argument. (N >= 1) (*1)
  $retval       : Fetch return value.(*2)
  $comm         : Fetch current task comm.
  +|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(*3)(*4)
  NAME=FETCHARG : Set NAME as the argument name of FETCHARG.
  FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types
                  (u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types
                  (x8/x16/x32/x64), "string", "ustring" and bitfield
                  are supported.

  (*1) only for the probe on function entry (offs == 0).
  (*2) only for return probe.
  (*3) this is useful for fetching a field of data structures.
  (*4) "u" means user-space dereference. See the "user_mem_access" section of that document.
```
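As an added example (not code from the wiki page or from the kernel tree), a small Python parser for lines in the kprobe_events grammar quoted above, which is handy when auditing what `cat /sys/kernel/debug/tracing/kprobe_events` reports on a host. The regexes, the function names and the SAMPLE text are my own constructions; the constraints it enforces (MAXACTIVE only on return probes, SYM+0 for return probes, footnotes *1 and *2) are the ones the documentation states.

```python
import re
from typing import Dict, List
# Regexes follow the kprobe_events grammar quoted above (5.3.4 kernel docs):
#   p[:[GRP/]EVENT] [MOD:]SYM[+offs]|MEMADDR [FETCHARGS]
#   r[MAXACTIVE][:[GRP/]EVENT] [MOD:]SYM[+0] [FETCHARGS]
_HEAD = re.compile(r"^(?P<kind>[pr])(?P<maxactive>\d+)?"
                   r"(?::(?:(?P<grp>\w+)/)?(?P<event>\w+))?$")
_LOC = re.compile(r"^(?:(?P<mod>[\w-]+):)?(?P<sym>[A-Za-z_][\w.]*)"
                  r"(?:\+(?P<offs>0x[0-9a-fA-F]+|\d+))?$")

def parse_kprobe_event(line: str) -> Dict[str, object]:
    """Parse one kprobe_events line into a dict; raise ValueError on documented violations."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed definition: {line!r}")
    head = _HEAD.match(parts[0])
    if not head:
        raise ValueError(f"bad probe header: {parts[0]!r}")
    kind = head["kind"]                          # 'p' = entry probe, 'r' = return probe
    maxactive = int(head["maxactive"]) if head["maxactive"] else None
    if kind == "p" and maxactive is not None:
        raise ValueError("MAXACTIVE is only valid for return probes")
    ev = {"kind": kind, "group": head["grp"] or "kprobes", "event": head["event"],
          "module": None, "symbol": None, "offset": 0, "memaddr": None,
          "maxactive": maxactive, "fetchargs": parts[2:]}
    if parts[1].lower().startswith("0x"):        # raw MEMADDR form
        ev["memaddr"] = int(parts[1], 16)
    else:                                        # [MOD:]SYM[+offs] form
        loc = _LOC.match(parts[1])
        if not loc:
            raise ValueError(f"bad probe location: {parts[1]!r}")
        ev["module"], ev["symbol"] = loc["mod"], loc["sym"]
        ev["offset"] = int(loc["offs"] or "0", 0)
        if kind == "r" and ev["offset"] != 0:
            raise ValueError("return probes must use SYM+0")
    for arg in ev["fetchargs"]:                  # footnotes (*1) and (*2)
        if "$arg" in arg and not (kind == "p" and ev["offset"] == 0):
            raise ValueError("$argN only valid on function entry (offs == 0)")
        if "$retval" in arg and kind != "r":
            raise ValueError("$retval only valid in return probes")
    return ev

def parse_kprobe_events(text: str) -> List[Dict[str, object]]:
    """Parse the full contents of kprobe_events; blank lines are skipped."""
    return [parse_kprobe_event(l) for l in text.splitlines() if l.strip()]
# Constructed sample in the shape of `cat /sys/kernel/debug/tracing/kprobe_events`
SAMPLE = """\
p:kprobes/myopen do_sys_open dfd=%ax filename=+0(%si):string
r10:mygrp/ret ext4:ext4_file_open $retval
p 0xffffffff81000000 $stack0
"""
```

On a live system, feed the parser the file contents as root and diff the result against an expected baseline; a probe with an unexpected group, module or raw MEMADDR is worth a closer look.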
Further reading
- LWN's Introduction to Kprobes, 2005-04-18