lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.00.0904161028290.6495@gandalf.stny.rr.com>
Date:	Thu, 16 Apr 2009 10:50:02 -0400 (EDT)
From:	Steven Rostedt <rostedt@...dmis.org>
To:	"Frank Ch. Eigler" <fche@...stic.org>
cc:	LKML <linux-kernel@...r.kernel.org>, utrace-devel@...hat.com,
	systemtap@...rces.redhat.com,
	Frédéric Weisbecker <fweisbec@...il.com>,
	Ingo Molnar <mingo@...e.hu>,
	"Frank Ch. Eigler" <fche@...hat.com>
Subject: Re: [PATCH 2/2] utrace-based ftrace "process" engine, v3


Hi Frank,

I've finally got some time to look into this patch.


On Sun, 5 Apr 2009, Frank Ch. Eigler wrote:

> This is the v3 utrace-ftrace interface.  based on Roland McGrath's
> utrace API, which provides programmatic hooks to the in-tree tracehook
> layer.  This patch interfaces those events to ftrace, as configured by
> a small number of debugfs controls, and includes system-call
> pretty-printing using code from the ftrace syscall prototype by
> Frederic Weisbecker.  Here's the
> /debugfs/tracing/process_trace_README:
> 
>     process event tracer mini-HOWTO
> 
>     1. Select process hierarchy to monitor.  Other processes will be
>        completely unaffected.  Leave at 0 for system-wide tracing.
>     %  echo NNN > process_follow_pid
> 
>     2. Determine which process event traces are potentially desired.
>        syscall and signal tracing slow down monitored processes.
>     %  echo 0 > process_trace_{syscalls,signals,lifecycle}
> 
>     3. Add any final uid- or taskcomm-based filtering.  Non-matching
>        processes will skip trace messages, but will still be slowed.
>     %  echo NNN > process_trace_uid_filter # -1: unrestricted
>     %  echo ls > process_trace_taskcomm_filter # empty: unrestricted
> 
>     4. Start tracing.
>     %  echo process > current_tracer

Note, it would be better to make a process directory, instead of 
cluttering the debug/tracing one.

ie.

 debug/tracing/process/follow_pid
 debug/tracing/process/trace/syscalls
 debug/tracing/process/trace/signals
 debug/tracing/process/trace/lifecycle
 debug/tracing/process/trace/tracecomm_filter

etc.


> 
>     5. Examine trace.
>     %  cat trace
> 
>     6. Stop tracing.
>     %  echo nop > current_tracer
> 
> Signed-off-by: Frank Ch. Eigler <fche@...hat.com>
> ---
>  include/linux/processtrace.h |   51 ++++
>  kernel/trace/Kconfig         |    8 +
>  kernel/trace/Makefile        |    1 +
>  kernel/trace/trace.h         |    9 +
>  kernel/trace/trace_process.c |  642 ++++++++++++++++++++++++++++++++++++++++++
>  5 files changed, 711 insertions(+), 0 deletions(-)
>  create mode 100644 include/linux/processtrace.h
>  create mode 100644 kernel/trace/trace_process.c
> 
> diff --git a/include/linux/processtrace.h b/include/linux/processtrace.h
> new file mode 100644
> index 0000000..74d031e
> --- /dev/null
> +++ b/include/linux/processtrace.h
> @@ -0,0 +1,51 @@
> +#ifndef PROCESSTRACE_H
> +#define PROCESSTRACE_H
> +
> +#include <linux/types.h>
> +#include <linux/list.h>
> +
> +struct process_trace_entry {
> +	unsigned char opcode;	/* one of _UTRACE_EVENT_* */
> +	union {
> +		struct {
> +			pid_t child;
> +			unsigned long flags;
> +		} trace_clone;
> +		struct {
> +			int type;
> +                        int notify;
> +		} trace_jctl;
> +		struct {
> +			long code;
> +		} trace_exit;
> +		struct {
> +                        /* Selected fields from linux_binprm */
> +                        int argc;
> +                        /* We need to copy the file name, because by
> +                           the time we format the trace record for
> +                           display, the task may be gone. */
> +#define PROCESS_TRACE_FILENAME_LENGTH 64
> +                        char filename[PROCESS_TRACE_FILENAME_LENGTH];
> +		} trace_exec;
> +		struct {
> +			int si_signo;
> +			int si_errno;
> +			int si_code;
> +		} trace_signal;
> +		struct {
> +			long callno;
> +			unsigned long args[6];
> +		} trace_syscall_entry;
> +		struct {
> +			long rc;
> +			long error;
> +		} trace_syscall_exit;
> +	};
> +};
> +
> +/* in kernel/trace/trace_process.c */
> +
> +extern void enable_process_trace(void);
> +extern void disable_process_trace(void);
> +
> +#endif /* PROCESSTRACE_H */
> diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
> index b0a46f8..226cb60 100644
> --- a/kernel/trace/Kconfig
> +++ b/kernel/trace/Kconfig
> @@ -186,6 +186,14 @@ config FTRACE_SYSCALLS
>  	help
>  	  Basic tracer to catch the syscall entry and exit events.
>  
> +config PROCESS_TRACER
> +	bool "Trace process events via utrace"
> +	select TRACING
> +	select UTRACE
> +	help
> +	  This tracer records process events that may be hooked by utrace:
> +	  thread lifecycle, system calls, signals, and job control.
> +
>  config BOOT_TRACER
>  	bool "Trace boot initcalls"
>  	select TRACING
> diff --git a/kernel/trace/Makefile b/kernel/trace/Makefile
> index c3feea0..880080a 100644
> --- a/kernel/trace/Makefile
> +++ b/kernel/trace/Makefile
> @@ -44,5 +44,6 @@ obj-$(CONFIG_EVENT_TRACER) += trace_events.o
>  obj-$(CONFIG_EVENT_TRACER) += events.o
>  obj-$(CONFIG_EVENT_TRACER) += trace_export.o
>  obj-$(CONFIG_FTRACE_SYSCALLS) += trace_syscalls.o
> +obj-$(CONFIG_PROCESS_TRACER) += trace_process.o
>  
>  libftrace-y := ftrace.o
> diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
> index f561628..c27d2ba 100644
> --- a/kernel/trace/trace.h
> +++ b/kernel/trace/trace.h
> @@ -8,6 +8,7 @@
>  #include <linux/ring_buffer.h>
>  #include <linux/mmiotrace.h>
>  #include <linux/ftrace.h>
> +#include <linux/processtrace.h>
>  #include <trace/boot.h>
>  #include <trace/kmemtrace.h>
>  #include <trace/power.h>
> @@ -37,6 +38,7 @@ enum trace_type {
>  	TRACE_KMEM_FREE,
>  	TRACE_POWER,
>  	TRACE_BLK,
> +	TRACE_PROCESS,
>  
>  	__TRACE_LAST_TYPE,
>  };
> @@ -214,6 +216,12 @@ struct syscall_trace_exit {
>  	unsigned long		ret;
>  };
>  
> +struct trace_process {
> +	struct trace_entry		ent;
> +	struct process_trace_entry	event;
> +};
> +
> +
>  
>  /*
>   * trace_flag_type is an enumeration that holds different
> @@ -332,6 +340,7 @@ extern void __ftrace_bad_type(void);
>  			  TRACE_SYSCALL_ENTER);				\
>  		IF_ASSIGN(var, ent, struct syscall_trace_exit,		\
>  			  TRACE_SYSCALL_EXIT);				\
> +		IF_ASSIGN(var, ent, struct trace_process, TRACE_PROCESS); \
>  		__ftrace_bad_type();					\
>  	} while (0)
>  
> diff --git a/kernel/trace/trace_process.c b/kernel/trace/trace_process.c
> new file mode 100644
> index 0000000..b98ab28
> --- /dev/null
> +++ b/kernel/trace/trace_process.c
> @@ -0,0 +1,642 @@
> +/*
> + * utrace-based process event tracing
> + * Copyright (C) 2009 Red Hat Inc.
> + * By Frank Ch. Eigler <fche@...hat.com>
> + *
> + * Based on mmio ftrace engine by Pekka Paalanen
> + * and utrace-syscall-tracing prototype by Ananth Mavinakayanahalli
> + * and ftrace-syscall prototype by Frederic Weisbecker <fweisbec@...il.com>
> + */
> +
> +/* #define DEBUG 1 */
> +
> +#include <linux/kernel.h>
> +#include <linux/utrace.h>
> +#include <linux/uaccess.h>
> +#include <linux/debugfs.h>
> +#include <asm/syscall.h>
> +#include <linux/binfmts.h>
> +
> +#include "trace.h"
> +#include "trace_output.h"
> +
> +/* A process must match these filters in order to be traced. */
> +static char trace_taskcomm_filter[TASK_COMM_LEN]; /* \0: unrestricted */
> +static u32 trace_taskuid_filter = -1; /* -1: unrestricted */
> +static u32 trace_lifecycle_p = 1;
> +static u32 trace_syscalls_p = 1;
> +static u32 trace_signals_p = 1;
> +
> +/* A process must be a direct child of given pid in order to be
> +   followed. */
> +static u32 process_follow_pid; /* 0: unrestricted/systemwide */
> +
> +/* XXX: lock the above? */
> +
> +
> +/* trace data collection */
> +
> +static struct trace_array *process_trace_array;
> +
> +static void process_reset_data(struct trace_array *tr)
> +{
> +	pr_debug("in %s\n", __func__);
> +	tracing_reset_online_cpus(tr);
> +}
> +
> +static int process_trace_init(struct trace_array *tr)
> +{
> +	pr_debug("in %s\n", __func__);
> +	process_trace_array = tr;
> +	process_reset_data(tr);
> +	enable_process_trace();
> +	return 0;
> +}
> +
> +static void process_trace_reset(struct trace_array *tr)
> +{
> +	pr_debug("in %s\n", __func__);
> +	disable_process_trace();
> +	process_reset_data(tr);
> +	process_trace_array = NULL;
> +}
> +
> +static void process_trace_start(struct trace_array *tr)
> +{
> +	pr_debug("in %s\n", __func__);
> +	process_reset_data(tr);
> +}
> +
> +static void __trace_processtrace(struct trace_array *tr,
> +				struct trace_array_cpu *data,
> +				struct process_trace_entry *ent)
> +{
> +	struct ring_buffer_event *event;
> +	struct trace_process *entry;
> +
> +	event	= ring_buffer_lock_reserve(tr->buffer, sizeof(*entry));

It is better to use the new trace_buffer_lock_reserve, because it does the 
generic updates for you.

> +	if (!event)
> +		return;
> +	entry	= ring_buffer_event_data(event);
> +	tracing_generic_entry_update(&entry->ent, 0, preempt_count());
> +	entry->ent.type			= TRACE_PROCESS;
> +	entry->event			= *ent;
> +	ring_buffer_unlock_commit(tr->buffer, event);
> +
> +	trace_wake_up();

And the trace_buffer_unlock_commit does the wakeup too.

> +}
> +
> +void process_trace(struct process_trace_entry *ent)
> +{
> +	struct trace_array *tr = process_trace_array;
> +	struct trace_array_cpu *data;
> +
> +	preempt_disable();
> +	data = tr->data[smp_processor_id()];
> +	__trace_processtrace(tr, data, ent);
> +	preempt_enable();

Unless you want to trace the preempt disabled here too, I'd suggest to 
use:

preempt_disable_notrace()
preempt_enable_notrace()

And if this can ever be called within the scheduler, then you need to do:

	int resched;

	resched = ftrace_preempt_disable();

	[...]

	ftrace_preempt_enable(resched);


> +}
> +
> +
> +/* trace data rendering */
> +
> +static void process_pipe_open(struct trace_iterator *iter)
> +{
> +	pr_debug("in %s\n", __func__);
> +}
> +
> +static void process_close(struct trace_iterator *iter)
> +{
> +	iter->private = NULL;
> +}
> +
> +static ssize_t process_read(struct trace_iterator *iter, struct file *filp,
> +				char __user *ubuf, size_t cnt, loff_t *ppos)
> +{
> +	ssize_t ret;
> +	struct trace_seq *s = &iter->seq;

Space needed here. Also please do an upside down christmas tree type of 
declarations:

	struct trace_seq *s = &iter->seq;
	size_t ret;

Thus, the first declarations are longer than the proceeding ones. This is 
easier on the eyes and makes reviewing code nicer.

> +	ret = trace_seq_to_user(s, ubuf, cnt);
> +	return (ret == -EBUSY) ? 0 : ret;
> +}
> +
> +static enum print_line_t process_print(struct trace_iterator *iter)
> +{
> +	struct trace_entry *entry = iter->ent;
> +	struct trace_process *field;
> +        struct process_trace_entry *pte;

Whitespace issue here.

> +	struct trace_seq *s	= &iter->seq;
> +	int ret = 1;
> +	struct syscall_metadata *syscall;
> +        int i;

Again, sort the declarations by size of string.

> +
> +	trace_assign_type(field, entry);
> +        pte = &field->event;

More whitespace issues. You might want to run scripts/checkpatch.pl on 
patches before submitting.

> +
> +	if (!trace_print_context(iter))
> +		return TRACE_TYPE_PARTIAL_LINE;
> +
> +	switch (pte->opcode) {
> +	case _UTRACE_EVENT_CLONE:
> +		ret = trace_seq_printf(s, "fork %d flags 0x%lx\n",
> +				       pte->trace_clone.child,
> +				       pte->trace_clone.flags);
> +		break;
> +	case _UTRACE_EVENT_EXEC:
> +		ret = trace_seq_printf(s, "exec '%s' (args %d)\n",
> +                                       pte->trace_exec.filename,
> +                                       pte->trace_exec.argc);
> +		break;
> +	case _UTRACE_EVENT_EXIT:
> +		ret = trace_seq_printf(s, "exit %ld\n",
> +				       pte->trace_exit.code);
> +		break;
> +	case _UTRACE_EVENT_JCTL:
> +		ret = trace_seq_printf(s, "jctl %d %d\n",
> +				       pte->trace_jctl.type,
> +                                       pte->trace_jctl.notify);
> +		break;
> +	case _UTRACE_EVENT_SIGNAL:
> +		ret = trace_seq_printf(s, "signal %d errno %d code 0x%x\n",
> +				       pte->trace_signal.si_signo,
> +				       pte->trace_signal.si_errno,
> +				       pte->trace_signal.si_code);
> +		break;
> +	case _UTRACE_EVENT_SYSCALL_ENTRY:
> +                syscall = syscall_nr_to_meta (pte->trace_syscall_entry.callno);
> +                if (!syscall) {
> +                        /* Metadata is incomplete.  Simply hex dump. */
> +                        ret = trace_seq_printf(s, "syscall %ld [0x%lx 0x%lx"
> +                                               " 0x%lx 0x%lx 0x%lx 0x%lx]\n",
> +                                               pte->trace_syscall_entry.callno,
> +                                               pte->trace_syscall_entry.args[0],
> +                                               pte->trace_syscall_entry.args[1],
> +                                               pte->trace_syscall_entry.args[2],
> +                                               pte->trace_syscall_entry.args[3],
> +                                               pte->trace_syscall_entry.args[4],
> +                                               pte->trace_syscall_entry.args[5]);
> +                        break;
> +                }
> +                ret = trace_seq_printf(s, "%s(", syscall->name);
> +                if (!ret)
> +                        break;
> +                for (i = 0; i < syscall->nb_args; i++) {
> +                        ret = trace_seq_printf(s, "%s: 0x%lx%s", syscall->args[i],
> +                                               pte->trace_syscall_entry.args[i],
> +                                               i == syscall->nb_args - 1 ? ")\n" : ", ");
> +                        if (!ret)
> +                                break;
> +                }
> +		break;
> +	case _UTRACE_EVENT_SYSCALL_EXIT:
> +                /* utrace doesn't preserve the syscall number. */
> +                ret = trace_seq_printf(s, "syscall rc %ld error %ld\n",
> +                                       pte->trace_syscall_exit.rc,
> +                                       pte->trace_syscall_exit.error);
> +                break;
> +	default:
> +		ret = trace_seq_printf(s, "process event code %d?\n",
> +				       pte->opcode);
> +		break;
> +	}
> +        if (!ret)
> +        	return TRACE_TYPE_PARTIAL_LINE;
> +	return TRACE_TYPE_HANDLED;
> +}
> +
> +
> +static enum print_line_t process_print_line(struct trace_iterator *iter)
> +{
> +	switch (iter->ent->type) {
> +	case TRACE_PROCESS:
> +		return process_print(iter);
> +	default:
> +		return TRACE_TYPE_HANDLED; /* ignore unknown entries */
> +	}
> +}
> +
> +static struct tracer process_tracer = {
> +	.name		= "process",
> +	.init		= process_trace_init,
> +	.reset		= process_trace_reset,
> +	.start		= process_trace_start,
> +	.pipe_open	= process_pipe_open,
> +	.close		= process_close,
> +	.read		= process_read,
> +	.print_line	= process_print_line,
> +};
> +
> +
> +
> +/* utrace backend */
> +
> +/* Should tracing apply to given task?	Compare against filter
> +   values. */

Also, comments style is:

 /*
  * Make multi line comments like this.
  * Next line here.
  */

> +static int trace_test(struct task_struct *tsk)
> +{
> +	if (trace_taskcomm_filter[0]
> +	    && strncmp(trace_taskcomm_filter, tsk->comm, TASK_COMM_LEN))
> +		return 0;
> +
> +	if (trace_taskuid_filter != (u32)-1
> +	    && trace_taskuid_filter != task_uid(tsk))
> +		return 0;
> +
> +	return 1;
> +}
> +
> +
> +static const struct utrace_engine_ops process_trace_ops;
> +
> +static void process_trace_tryattach(struct task_struct *tsk)
> +{
> +	struct utrace_engine *engine;
> +
> +	pr_debug("in %s\n", __func__);
> +        tracing_record_cmdline (tsk);
> +	engine = utrace_attach_task(tsk,
> +				    UTRACE_ATTACH_CREATE |
> +				    UTRACE_ATTACH_EXCLUSIVE,
> +				    &process_trace_ops, NULL);
> +	if (IS_ERR(engine) || (engine == NULL)) {
> +		pr_warning("utrace_attach_task %d (rc %p)\n",
> +			   tsk->pid, engine);
> +	} else {
> +		int rc;
> +
> +		/* We always hook cost-free events. */
> +		unsigned long events =
> +			UTRACE_EVENT(CLONE) |
> +			UTRACE_EVENT(EXEC) |
> +			UTRACE_EVENT(JCTL) |
> +			UTRACE_EVENT(EXIT);
> +
> +		/* Penalizing events are individually controlled, so that
> +		   utrace doesn't even take the monitored threads off their
> +		   fast paths, nor bother call our callbacks. */
> +		if (trace_syscalls_p)
> +			events |= UTRACE_EVENT_SYSCALL;
> +		if (trace_signals_p)
> +			events |= UTRACE_EVENT_SIGNAL_ALL;
> +
> +		rc = utrace_set_events(tsk, engine, events);
> +		if (rc == -EINPROGRESS)
> +			rc = utrace_barrier(tsk, engine);
> +		if (rc)
> +			pr_warning("utrace_set_events/barrier rc %d\n", rc);
> +
> +		utrace_engine_put(engine);
> +		pr_debug("attached in %s to %s(%d)\n", __func__,
> +			 tsk->comm, tsk->pid);
> +	}
> +}
> +
> +
> +u32 process_trace_report_clone(enum utrace_resume_action action,
> +			       struct utrace_engine *engine,
> +			       struct task_struct *parent,
> +			       unsigned long clone_flags,
> +			       struct task_struct *child)
> +{
> +	if (trace_lifecycle_p && trace_test(parent)) {
> +		struct process_trace_entry ent;
> +		ent.opcode = _UTRACE_EVENT_CLONE;
> +		ent.trace_clone.child = child->pid;
> +		ent.trace_clone.flags = clone_flags;
> +		process_trace(&ent);
> +	}
> +
> +	process_trace_tryattach(child);
> +
> +	return UTRACE_RESUME;
> +}
> +
> +
> +u32 process_trace_report_jctl(enum utrace_resume_action action,
> +                              struct utrace_engine *engine,
> +                              struct task_struct *task,
> +                              int type, int notify)
> +{
> +        struct process_trace_entry ent;
> +        ent.opcode = _UTRACE_EVENT_JCTL;
> +        ent.trace_jctl.type = type;
> +        ent.trace_jctl.notify = notify;
> +        process_trace(&ent);
> +
> +	return UTRACE_RESUME;
> +}
> +
> +
> +u32 process_trace_report_syscall_entry(u32 action,
> +				       struct utrace_engine *engine,
> +				       struct task_struct *task,
> +				       struct pt_regs *regs)
> +{
> +	if (trace_syscalls_p && trace_test(task)) {
> +		struct process_trace_entry ent;
> +		ent.opcode = _UTRACE_EVENT_SYSCALL_ENTRY;
> +		ent.trace_syscall_entry.callno = syscall_get_nr(task, regs);
> +		syscall_get_arguments(task, regs, 0, 6,
> +				      ent.trace_syscall_entry.args);
> +		process_trace(&ent);
> +	}
> +
> +	return UTRACE_RESUME;
> +}
> +
> +
> +u32 process_trace_report_syscall_exit(enum utrace_resume_action action,
> +				   struct utrace_engine *engine,
> +				   struct task_struct *task,
> +				   struct pt_regs *regs)
> +{
> +	if (trace_syscalls_p && trace_test(task)) {
> +		struct process_trace_entry ent;
> +		ent.opcode = _UTRACE_EVENT_SYSCALL_EXIT;
> +		ent.trace_syscall_exit.rc =
> +			syscall_get_return_value(task, regs);
> +		ent.trace_syscall_exit.error = syscall_get_error(task, regs);
> +		process_trace(&ent);
> +	}
> +
> +	return UTRACE_RESUME;
> +}
> +
> +
> +u32 process_trace_report_exec(enum utrace_resume_action action,
> +			      struct utrace_engine *engine,
> +			      struct task_struct *task,
> +			      const struct linux_binfmt *fmt,
> +			      const struct linux_binprm *bprm,
> +			      struct pt_regs *regs)
> +{
> +	if (trace_lifecycle_p && trace_test(task)) {
> +		struct process_trace_entry ent;
> +		ent.opcode = _UTRACE_EVENT_EXEC;
> +                ent.trace_exec.argc = bprm->argc;
> +                strlcpy (ent.trace_exec.filename, bprm->filename, 
> +                         sizeof(ent.trace_exec.filename));
> +		process_trace(&ent);
> +	}
> +
> +        tracing_record_cmdline (task);
> +
> +	/* We're already attached; no need for a new tryattach. */
> +
> +	return UTRACE_RESUME;
> +}
> +
> +
> +u32 process_trace_report_signal(u32 action,
> +				struct utrace_engine *engine,
> +				struct task_struct *task,
> +				struct pt_regs *regs,
> +				siginfo_t *info,
> +				const struct k_sigaction *orig_ka,
> +				struct k_sigaction *return_ka)
> +{
> +	if (trace_signals_p && trace_test(task)) {
> +		struct process_trace_entry ent;
> +		ent.opcode = _UTRACE_EVENT_SIGNAL;
> +		ent.trace_signal.si_signo = info->si_signo;
> +		ent.trace_signal.si_errno = info->si_errno;
> +		ent.trace_signal.si_code = info->si_code;
> +		process_trace(&ent);
> +	}
> +
> +	/* We're already attached, so no need for a new tryattach. */
> +
> +	return UTRACE_RESUME | utrace_signal_action(action);
> +}
> +
> +
> +u32 process_trace_report_exit(enum utrace_resume_action action,
> +			      struct utrace_engine *engine,
> +			      struct task_struct *task,
> +			      long orig_code, long *code)
> +{
> +	if (trace_lifecycle_p && trace_test(task)) {
> +		struct process_trace_entry ent;
> +		ent.opcode = _UTRACE_EVENT_EXIT;
> +		ent.trace_exit.code = orig_code;
> +		process_trace(&ent);
> +	}
> +
> +	/* There is no need to explicitly attach or detach here. */
> +
> +	return UTRACE_RESUME;
> +}
> +
> +
> +void enable_process_trace()
> +{
> +	struct task_struct *grp, *tsk;
> +
> +	pr_debug("in %s\n", __func__);
> +	rcu_read_lock();
> +	do_each_thread(grp, tsk) {
> +		/* Skip over kernel threads. */
> +		if (tsk->flags & PF_KTHREAD)
> +			continue;
> +
> +		if (process_follow_pid) {
> +			if (tsk->tgid == process_follow_pid ||
> +			    tsk->parent->tgid == process_follow_pid)
> +				process_trace_tryattach(tsk);
> +		} else {
> +			process_trace_tryattach(tsk);
> +		}
> +	} while_each_thread(grp, tsk);
> +	rcu_read_unlock();
> +}
> +
> +void disable_process_trace()
> +{
> +	struct utrace_engine *engine;
> +	struct task_struct *grp, *tsk;
> +	int rc;
> +
> +	pr_debug("in %s\n", __func__);
> +	rcu_read_lock();
> +	do_each_thread(grp, tsk) {
> +		/* Find matching engine, if any.  Returns -ENOENT for
> +		   unattached threads. */
> +		engine = utrace_attach_task(tsk, UTRACE_ATTACH_MATCH_OPS,
> +					    &process_trace_ops, 0);
> +		if (IS_ERR(engine)) {
> +			if (PTR_ERR(engine) != -ENOENT)
> +				pr_warning("utrace_attach_task %d (rc %ld)\n",
> +					   tsk->pid, -PTR_ERR(engine));
> +		} else if (engine == NULL) {
> +			pr_warning("utrace_attach_task %d (null engine)\n",
> +				   tsk->pid);
> +		} else {
> +			/* Found one of our own engines.  Detach.  */
> +			rc = utrace_control(tsk, engine, UTRACE_DETACH);
> +			switch (rc) {
> +			case 0:		    /* success */
> +				break;
> +			case -ESRCH:	    /* REAP callback already begun */
> +			case -EALREADY:	    /* DEATH callback already begun */
> +				break;
> +			default:
> +				rc = -rc;
> +				pr_warning("utrace_detach %d (rc %d)\n",
> +					   tsk->pid, rc);
> +				break;
> +			}
> +			utrace_engine_put(engine);
> +			pr_debug("detached in %s from %s(%d)\n", __func__,
> +				 tsk->comm, tsk->pid);
> +		}
> +	} while_each_thread(grp, tsk);
> +	rcu_read_unlock();
> +}
> +
> +
> +static const struct utrace_engine_ops process_trace_ops = {
> +	.report_clone = process_trace_report_clone,
> +	.report_exec = process_trace_report_exec,
> +	.report_exit = process_trace_report_exit,
> +	.report_jctl = process_trace_report_jctl,
> +	.report_signal = process_trace_report_signal,
> +	.report_syscall_entry = process_trace_report_syscall_entry,
> +	.report_syscall_exit = process_trace_report_syscall_exit,
> +};
> +
> +
> +
> +/* control interfaces */
> +
> +
> +static ssize_t
> +trace_taskcomm_filter_read(struct file *filp, char __user *ubuf,
> +			   size_t cnt, loff_t *ppos)
> +{
> +	return simple_read_from_buffer(ubuf, cnt, ppos,
> +				       trace_taskcomm_filter, TASK_COMM_LEN);
> +}
> +
> +
> +static ssize_t
> +trace_taskcomm_filter_write(struct file *filp, const char __user *ubuf,
> +			    size_t cnt, loff_t *fpos)
> +{
> +	char *end;
> +
> +	if (cnt > TASK_COMM_LEN)
> +		cnt = TASK_COMM_LEN;
> +
> +	if (copy_from_user(trace_taskcomm_filter, ubuf, cnt))
> +		return -EFAULT;
> +
> +	/* Cut from the first nil or newline. */
> +	trace_taskcomm_filter[cnt] = '\0';
> +	end = strchr(trace_taskcomm_filter, '\n');
> +	if (end)
> +		*end = '\0';
> +
> +	*fpos += cnt;
> +	return cnt;
> +}
> +
> +
> +static const struct file_operations trace_taskcomm_filter_fops = {
> +	.open		= tracing_open_generic,
> +	.read		= trace_taskcomm_filter_read,
> +	.write		= trace_taskcomm_filter_write,
> +};
> +
> +
> +
> +static char README_text[] =
> +	"process event tracer mini-HOWTO\n"
> +	"\n"
> +	"1. Select process hierarchy to monitor.  Other processes will be\n"
> +	"   completely unaffected.  Leave at 0 for system-wide tracing.\n"
> +	"#  echo NNN > process_follow_pid\n"
> +	"\n"
> +	"2. Determine which process event traces are potentially desired.\n"
> +	"   syscall and signal tracing slow down monitored processes.\n"
> +	"#  echo 0 > process_trace_{syscalls,signals,lifecycle}\n"
> +	"\n"
> +	"3. Add any final uid- or taskcomm-based filtering.  Non-matching\n"
> +	"   processes will skip trace messages, but will still be slowed.\n"
> +	"#  echo NNN > process_trace_uid_filter # -1: unrestricted \n"
> +	"#  echo ls > process_trace_taskcomm_filter # empty: unrestricted\n"
> +	"\n"
> +	"4. Start tracing.\n"
> +	"#  echo process > current_tracer\n"
> +	"\n"
> +	"5. Examine trace.\n"
> +	"#  cat trace\n"
> +	"\n"
> +	"6. Stop tracing.\n"
> +	"#  echo nop > current_tracer\n"
> +	;
> +
> +static struct debugfs_blob_wrapper README_blob = {
> +	.data = README_text,
> +	.size = sizeof(README_text),
> +};
> +
> +
> +static __init int init_process_trace(void)
> +{
> +	struct dentry *d_tracer;
> +	struct dentry *entry;
> +
> +	d_tracer = tracing_init_dentry();
> +
> +        arch_init_ftrace_syscalls ();
> +
> +	entry = debugfs_create_blob("process_trace_README", 0444, d_tracer,
> +				    &README_blob);
> +	if (!entry)
> +		pr_warning("Could not create debugfs "
> +			   "'process_trace_README' entry\n");

We also now have a trace_create_file that does the warning for you.

> +
> +	/* Control for scoping process following. */
> +	entry = debugfs_create_u32("process_follow_pid", 0644, d_tracer,
> +				   &process_follow_pid);
> +	if (!entry)
> +		pr_warning("Could not create debugfs "
> +			   "'process_follow_pid' entry\n");
> +
> +	/* Process-level filters */
> +	entry = debugfs_create_file("process_trace_taskcomm_filter", 0644,
> +				    d_tracer, NULL,
> +				    &trace_taskcomm_filter_fops);
> +	/* XXX: it'd be nice to have a read/write debugfs_create_blob. */
> +	if (!entry)
> +		pr_warning("Could not create debugfs "
> +			   "'process_trace_taskcomm_filter' entry\n");
> +
> +	entry = debugfs_create_u32("process_trace_uid_filter", 0644, d_tracer,
> +				   &trace_taskuid_filter);
> +	if (!entry)
> +		pr_warning("Could not create debugfs "
> +			   "'process_trace_uid_filter' entry\n");
> +
> +	/* Event-level filters. */
> +	entry = debugfs_create_u32("process_trace_lifecycle", 0644, d_tracer,
> +				   &trace_lifecycle_p);
> +	if (!entry)
> +		pr_warning("Could not create debugfs "
> +			   "'process_trace_lifecycle' entry\n");
> +
> +	entry = debugfs_create_u32("process_trace_syscalls", 0644, d_tracer,
> +				   &trace_syscalls_p);
> +	if (!entry)
> +		pr_warning("Could not create debugfs "
> +			   "'process_trace_syscalls' entry\n");
> +
> +	entry = debugfs_create_u32("process_trace_signals", 0644, d_tracer,
> +				   &trace_signals_p);
> +	if (!entry)
> +		pr_warning("Could not create debugfs "
> +			   "'process_trace_signals' entry\n");
> +
> +	return register_tracer(&process_tracer);
> +}
> +
> +device_initcall(init_process_trace);
> -- 
> 1.6.0.6

Other than my minor comments, I see nothing wrong with this patch. I'd 
like to try it out. I would just need to apply the utrace changes first 
;-)

Thanks,

-- Steve

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ