Open Source and information security mailing list archives
 
Date:   Fri, 6 Aug 2021 23:54:13 -0400
From:   Steven Rostedt <rostedt@...dmis.org>
To:     Masami Hiramatsu <mhiramat@...nel.org>
Cc:     "Tzvetomir Stoyanov (VMware)" <tz.stoyanov@...il.com>,
        linux-trace-devel@...r.kernel.org, linux-kernel@...r.kernel.org,
        tom.zanussi@...ux.intel.com,
        Daniel Bristot de Oliveira <bristot@...hat.com>
Subject: Re: [RFC] [RFC] trace: Add kprobe on tracepoint

On Sat, 7 Aug 2021 10:28:46 +0900
Masami Hiramatsu <mhiramat@...nel.org> wrote:

> Hmm, sorry, I rather like to use synthetic event with trigger action,
> since this is not a kprobe.

Correct, but I don't think it matches synthetic events either.

> Can you change your idea to use trigger action with synthetic event?
> 
> For example, if we have a "trace" action in the trigger action,
> 
> echo "eopen char filename[]" >> synthetic_events
> echo "trace:eopen,filename.ustring" >> events/syscalls/sys_enter_openat/trigger
> 
> A new action is,
>   trace:SYNTH_EVENT,PARAM(s) [if FILTER]
> and
>   .ustring/.string modifier for the PARAMS.
> 
> I think this matches the current dynamic event model, and can extend
> programmability of the ftrace, and keeps dynamic events simple.

But we want to follow all the features of kprobes. This isn't about
just taking existing fields. In fact, we want fields that are not
available from the event. Here's an idea of what we want to do:

  echo 'e:hr_nr_events timer.hrtimer_expire_entry nr_events=+0x58(+0(+0x30($hrtimer))):u32' > kprobe_events
  echo 1 > events/kprobes/enable
  cat trace
          <idle>-0       [002] d.h2   937.412239: hr_nr_events: (0) nr_events=38380
          <idle>-0       [000] d.h2   937.412239: hr_nr_events: (0) nr_events=930268
            bash-1409    [001] d.h1   937.412239: hr_nr_events: (0) nr_events=33874
          <idle>-0       [000] d.h2   937.413238: hr_nr_events: (0) nr_events=930269
          <idle>-0       [004] d.h2   937.413238: hr_nr_events: (0) nr_events=35263
          <idle>-0       [001] d.h2   937.413238: hr_nr_events: (0) nr_events=33875


Which gives me the nr_events from the hrtimer pointer passed to the
timer.hrtimer_entry event via hrtimer->base->cpu_base->nr_events.

The idea is that we can get trace events into places that the
maintainers have issues with (like the scheduler or vfs), where we may
be allowed to add a trace event that only gives us access to a pointer
and nothing else that can become a limiting API.

Then we can attach an eprobe to it that can offset the pointer to a
structure and create dynamically all the fields we need.

Daniel has some work he's doing that can be improved by this
feature.

Having it as a trigger will make this rather complex.

Which is why we want this as a probe, and not a trigger. We are only
using the trigger to get the data from the field. What we are also
looking at is a way to create a "trace_probe" that can attach to a
tracepoint (before the event data is added). Which will not be using
the trigger code at all, but will be using the similar offset logic we
want to do here, but on the entry of the tracepoint, not the exit of it.

-- Steve
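
How the nested fetch argument in the message above resolves, as an added example that is not part of the original message or of the kernel's code: a small C evaluator walks `+0x58(+0(+0x30($hrtimer))):u32` over a constructed memory buffer. The buffer, the addresses 0x100/0x200/0x300 and the names `fetch_u32` and `demo` are assumptions for illustration; only the offsets and the sample value 38380 come from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint8_t mem[0x400];  /* constructed stand-in for kernel memory */
/* Evaluate "+OFF(+OFF(...($arg))):u32"; -1 on bad spec or out-of-range address. */
int fetch_u32(const char *spec, uint64_t arg, uint32_t *out)
{
    long offs[8];
    int n = 0;
    const char *p = spec;
    char *end;
    while ((*p == '+' || *p == '-') && n < 8) {  /* offsets, outermost first */
        offs[n++] = strtol(p, &end, 0);
        if (end == p || *end != '(') return -1;
        p = end + 1;
    }
    if (n == 0 || *p++ != '$') return -1;
    p += strcspn(p, "):");                       /* skip the argument name */
    for (int i = 0; i < n; i++)
        if (*p++ != ')') return -1;
    if (strcmp(p, ":u32") != 0) return -1;
    uint64_t v = arg;
    for (int i = n - 1; i > 0; i--) {            /* inner levels load a pointer */
        uint64_t addr = v + (uint64_t)offs[i];
        if (addr > sizeof(mem) - 8) return -1;
        memcpy(&v, mem + addr, 8);
    }
    v += (uint64_t)offs[0];                      /* outermost level reads the u32 */
    if (v > sizeof(mem) - 4) return -1;
    memcpy(out, mem + v, 4);
    return 0;
}

long demo(const char *spec)
{
    uint64_t base = 0x200, cpu_base = 0x300;     /* constructed addresses */
    uint32_t nr_events = 38380, val;
    memcpy(mem + 0x100 + 0x30, &base, 8);        /* hrtimer(0x100)->base */
    memcpy(mem + 0x200 + 0x00, &cpu_base, 8);    /* base->cpu_base */
    memcpy(mem + 0x300 + 0x58, &nr_events, 4);   /* cpu_base->nr_events */
    return fetch_u32(spec, 0x100, &val) ? -1 : (long)val;
}

int main(void)
{
    printf("nr_events=%ld\n", demo("+0x58(+0(+0x30($hrtimer))):u32"));
}
```

Each `+OFF(...)` level is one dereference, so the innermost offset is applied first and only the outermost read uses the `:u32` type.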
