| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211008000540.GA31220@kbox>
Date: Thu, 7 Oct 2021 17:05:40 -0700
From: Beau Belgrave <beaub@...ux.microsoft.com>
To: Masami Hiramatsu <mhiramat@...nel.org>
Cc: rostedt@...dmis.org, linux-trace-devel@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] user_events: Enable user processes to create and write
to trace events
On Fri, Oct 08, 2021 at 08:12:49AM +0900, Masami Hiramatsu wrote:
> > Please see v2 patch, I do this pattern except it's '(Used by ftrace)'
> > instead of '# Used by ftrace'.
> >
> > Format is id:name status
>
> Hm, why I suggested to use "# status" is that the comment will be
> removed when writing it. So you can do
>
> cat user_events > ~/saved_events
> (reboot)
> cat ~/saved_events > user_events
>
> to restore events :)
>
Nice, good idea.
> >
> > > > The other thing is we need ref counting to know if the event is busy.
> > > > Having the ID in the packet avoids having a fd per-event, but it also
> > > > makes ref counting process lifetime of each event quite hard.
> > >
> > > Hmm, I don't think so. You can use an array of the pointer to
> > > events on the private data of the struct file.
> > > When you add (or start using) an event (this is identified by ioctl),
> > > you can increment the event refcount and add it to the array.
> > > When the file is closed (in exiting process), it will loop on the
> > > array and decrement the refcount for each event.
> > > Then, after all tracers disabled the event, ftrace can remove the
> > > event in background (unless it is defined through 'dynamic_events' or
> > > 'user_events').
> > >
> > Yes, I didn't say it's impossible :) It's quite hard and takes a lot
> > more management. I don't see a clear benefit to that approach, why is it
> > better than an fd lifetime? Not trying to be difficult, just trying to
> > be pragmatic about what approach is best.
>
> I'm not sure this point, you mean 1 fd == 1 event model?
>
Yeah, I like the idea of not having an fd per event. I want to make
sure the complexity is worth it. Is the overhead of an FD per event in
user space too much? What happens to the first 4 bytes (ID)? Does it not
show up in the buffer? This would be fine as long as the rel_loc idea
gets into ftrace, etc.
This would require a global array as well as a local per-FD array. I'm
wondering if the per-FD array becoming large mitigates the gain by
simply having an FD per-event.
> > > > We also want
> > > > predicate filtering to work as cheap as possible. I would really like to
> > > > keep offset manipulation entirely in the user space to avoid confusion
> > > > across the various tracing mechanisms and avoid probing the user data
> > > > upon each call (eBPF programs only selectively probe in data).
> > >
> > > OK, so let's add __rel_loc__ attribute. The rel_loc type will be
> > >
> > > struct rel_loc {
> > > uint16_t len; /* The data size (including '\0' if string )*/
> > > uint16_t offs; /* The offset of actual data from this field */
> > > } __packed;
> > >
> > > Hmm, btw, this will be good for probe events... I don't need to pass
> > > the base address with this attribute.
> > >
> > What's the difference between __rel_loc__ and __data_loc? Seems like
> > instead of just offset it's length + offset?
>
> In my idea, rel_loc is similar to the data_loc. It has the offset, but
> the offset is the data offset from the rel_loc, not from the entry of
> the recorded data. So kernel doesn't need to adjust it.
>
Got it, makes sense and would eliminate the need for the IOCTL for
offsets. I like it.
Thanks,
-Beau
> Thank you,
>
> --
> Masami Hiramatsu <mhiramat@...nel.org>
Powered by blists - more mailing lists