lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210806235413.61c78c57@oasis.local.home>
Date:   Fri, 6 Aug 2021 23:54:13 -0400
From:   Steven Rostedt <rostedt@...dmis.org>
To:     Masami Hiramatsu <mhiramat@...nel.org>
Cc:     "Tzvetomir Stoyanov (VMware)" <tz.stoyanov@...il.com>,
        linux-trace-devel@...r.kernel.org, linux-kernel@...r.kernel.org,
        tom.zanussi@...ux.intel.com,
        Daniel Bristot de Oliveira <bristot@...hat.com>
Subject: Re: [RFC] [RFC] trace: Add kprobe on tracepoint

On Sat, 7 Aug 2021 10:28:46 +0900
Masami Hiramatsu <mhiramat@...nel.org> wrote:

> Hmm, sorry, I rather like to use synthetic event with trigger action,
> since this is not a kprobe.

Correct, but I don't think it matches synthetic events either.

> Can you change your idea to use trigger action with synthetic event?
> 
> For example, if we have a "trace" action in the trigger action,
> 
> echo "eopen char filename[]" >> synthetic_events
> echo "trace:eopen,filename.ustring" >> events/syscalls/sys_enter_openat/trigger
> 
> A new action is,
>   trace:SYNTH_EVENT,PARAM(s) [if FILTER]
> and
>   .ustring/.string modifier for the PARAMS.
> 
> I think this matches the current dynamic event model, and can extend
> programmability of the ftrace, and keeps dynamic events simple.

But we want to follow all the features of kprobes. This isn't about
just taking existing fields. In fact, we want fields that are not
available from the event. Here's an idea of what we want to do:

  echo 'e:hr_nr_events timer.hrtimer_expire_entry nr_events=+0x58(+0(+0x30($hrtimer))):u32' > kprobe_events
  echo 1 > events/kprobes/enable
  cat trace
          <idle>-0       [002] d.h2   937.412239: hr_nr_events: (0) nr_events=38380
          <idle>-0       [000] d.h2   937.412239: hr_nr_events: (0) nr_events=930268
            bash-1409    [001] d.h1   937.412239: hr_nr_events: (0) nr_events=33874
          <idle>-0       [000] d.h2   937.413238: hr_nr_events: (0) nr_events=930269
          <idle>-0       [004] d.h2   937.413238: hr_nr_events: (0) nr_events=35263
          <idle>-0       [001] d.h2   937.413238: hr_nr_events: (0) nr_events=33875


Which gives me the nr_events from the hrtimer pointer passed to the
  timer.hrtimer_entry event via hrtimer->base->cpu_base->nr_events

The idea is that we can get trace events into places that the
maintainers have issues with (like the scheduler or vfs), where we may
be allow to add a trace event that only gives us access to a pointer
and nothing else that can become a limiting API.

Then we can attach an eprobe to it that can offset the pointer to a
structure and create dynamically all the fields we need.

Daniel has some work he's doing that will can be improved by this
feature.

Having it as a trigger, will make this rather complex.

Which is why we want this as a probe, and not a trigger. We are only
using the trigger to get the data from the field. What we are also
looking at is a way to create a "trace_probe" that can attach to a
tracepoint (before the event data is added). Which will not be using
the trigger code at all, but will be using the similar offset logic we
want to do here, but on the entry of the tracepoint, not the exit of it.

-- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ