lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 8 Aug 2021 12:15:18 +0900
From:   Masami Hiramatsu <mhiramat@...nel.org>
To:     Steven Rostedt <rostedt@...dmis.org>
Cc:     "Tzvetomir Stoyanov (VMware)" <tz.stoyanov@...il.com>,
        linux-trace-devel@...r.kernel.org, linux-kernel@...r.kernel.org,
        tom.zanussi@...ux.intel.com,
        Daniel Bristot de Oliveira <bristot@...hat.com>
Subject: Re: [RFC] [RFC] trace: Add kprobe on tracepoint

On Fri, 6 Aug 2021 23:54:13 -0400
Steven Rostedt <rostedt@...dmis.org> wrote:

> On Sat, 7 Aug 2021 10:28:46 +0900
> Masami Hiramatsu <mhiramat@...nel.org> wrote:
> 
> > Hmm, sorry, I rather like to use synthetic event with trigger action,
> > since this is not a kprobe.
> 
> Correct, but I don't think it matches synthetic events either.
> 
> > Can you change your idea to use trigger action with synthetic event?
> > 
> > For example, if we have a "trace" action in the trigger action,
> > 
> > echo "eopen char filename[]" >> synthetic_events
> > echo "trace:eopen,filename.ustring" >> events/syscalls/sys_enter_openat/trigger
> > 
> > A new action is,
> >   trace:SYNTH_EVENT,PARAM(s) [if FILTER]
> > and
> >   .ustring/.string modifier for the PARAMS.
> > 
> > I think this matches the current dynamic event model, and can extend
> > programmability of the ftrace, and keeps dynamic events simple.
> 
> But we want to follow all the features of kprobes. This isn't about
> just taking existing fields. In fact, we want fields that are not
> available from the event. Here's an idea of what we want to do:
> 
>   echo 'e:hr_nr_events timer.hrtimer_expire_entry nr_events=+0x58(+0(+0x30($hrtimer))):u32' > kprobe_events
>   echo 1 > events/kprobes/enable
>   cat trace
>           <idle>-0       [002] d.h2   937.412239: hr_nr_events: (0) nr_events=38380
>           <idle>-0       [000] d.h2   937.412239: hr_nr_events: (0) nr_events=930268
>             bash-1409    [001] d.h1   937.412239: hr_nr_events: (0) nr_events=33874
>           <idle>-0       [000] d.h2   937.413238: hr_nr_events: (0) nr_events=930269
>           <idle>-0       [004] d.h2   937.413238: hr_nr_events: (0) nr_events=35263
>           <idle>-0       [001] d.h2   937.413238: hr_nr_events: (0) nr_events=33875
> 
> 
> Which gives me the nr_events from the hrtimer pointer passed to the
>   timer.hrtimer_entry event via hrtimer->base->cpu_base->nr_events
> 
> The idea is that we can get trace events into places that the
> maintainers have issues with (like the scheduler or vfs), where we may
> be allow to add a trace event that only gives us access to a pointer
> and nothing else that can become a limiting API.
> 
> Then we can attach an eprobe to it that can offset the pointer to a
> structure and create dynamically all the fields we need.
> 
> Daniel has some work he's doing that will can be improved by this
> feature.

OK, that's a good reason why you need it. However, the desgin is still
be a bit wrong. You should make it as another probe event, because

1. eprobe is not a kprobe but an event converter (reusing fetchargs)
2. we already have dynevent framework for expanding new dynamic events.
3. what you need is the "fetch args", that is shared with uprobe-event
   there is no reason we can't share it with one more probe-event. :)

Thus, I recommend you to introduce a new dynevent, you don't need
to add "eprobe_events" file but you can use "dynamic_events" interface.

> 
> Having it as a trigger, will make this rather complex.

OK, for the dereference feature, it may need more careful
implementation. (and maybe need a different parser)

> 
> Which is why we want this as a probe, and not a trigger. We are only
> using the trigger to get the data from the field. What we are also
> looking at is a way to create a "trace_probe" that can attach to a
> tracepoint (before the event data is added). Which will not be using
> the trigger code at all, but will be using the similar offset logic we
> want to do here, but on the entry of the tracepoint, not the exit of it.

OK, but I want you to create another dynevent, not extending kprobe_events
for non-kprobe things. That will make things much harder to be maintained.

So maybe what you need is trace_eprobe.c, instead of modifying trace_kprobe.c.

Thank you,

-- 
Masami Hiramatsu <mhiramat@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ