lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 25 Jan 2024 06:50:22 +0000
From: Sicheng Liu <lsc2001@...look.com>
To: linux-kernel@...r.kernel.org,
	linux-trace-kernel@...r.kernel.org,
	linux-doc@...r.kernel.org
Cc: rostedt@...dmis.org,
	mhiramat@...nel.org,
	mathieu.desnoyers@...icios.com,
	corbet@....net,
	Sicheng Liu <lsc2001@...look.com>
Subject: [RFC PATCH 2/2] tracing: Add documentation for event stack filter

A new chapter describing how to use trace event stack
filter is added to the documentation.

Signed-off-by: Sicheng Liu <lsc2001@...look.com>
---
 Documentation/trace/events.rst | 88 ++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/Documentation/trace/events.rst b/Documentation/trace/events.rst
index 759907c20e75..718a6d078e24 100644
--- a/Documentation/trace/events.rst
+++ b/Documentation/trace/events.rst
@@ -350,6 +350,94 @@ To add more PIDs without losing the PIDs already included, use '>>'.
 
 	# echo 123 244 1 >> set_event_pid
 
+5.6 Stack filters
+---------------------
+
+Trace events can be filtered by their call stacks.  There could exist
+various paths to tigger an trace event, but people sometimes only care
+about some of them.  Once the stack filter is set, call stack of the
+corresponding event will be compared with the stack filter.  An event
+with matched call stack will appear in the trace output and the rest will
+be discarded.
+
+5.6.1 Expression syntax
+------------------------
+
+Stack filters have the form (in regular expression style) below::
+
+  '!'?((function|'**')'/')*(function|'**')
+
+In the expression, '!' means negating the filter and '**' matches any
+call path (maybe empty).  The top of call stack will be ``stack_filter_match``,
+which means the call path will be something like ``**/stack_filter_match``.
+
+A stack filter matches if the call stack contains it, which means that
+``ret_from_fork/**/schedule`` has the same effect as
+``**/ret_from_fork/**/schedule/**``.
+
+A call stack is matched successfully if the following conditions are
+met simultaneously:
+[1] It matches any positive stack filter.
+[2] It doesn't match any negative stack filter.
+If no positive filter are set, condition 1 don't need to be satisified.
+
+5.6.2 Setting stack filters
+---------------------------
+
+Stack filters are add by echo commands to 'stack_filter' file for a given
+event, and unset by echo 0 or blank string to the same file.
+
+An usage example (on x86_64 platform):
+
+The call stack contains ``ret_from_fork`` but not ``do_syscall_64``::
+
+  # cd /sys/kernel/tracing/events/sched/sched_switch
+  # echo 'ret_from_fork' > stack_filter
+  # echo '!do_syscall_64' >> stack_filter
+  # cat stack_filter
+
+Another example (on arm64 platform):
+
+Set up a kprobe::
+
+  # echo 1 > /sys/kernel/tracing/options/stacktrace
+  # echo 'p alloc_pages' > /sys/kernel/tracing/kprobe_events
+
+The call stack contains ``copy_process``::
+
+  # echo 'copy_process' > \
+      /sys/kernel/tracing/events/kprobes/p_alloc_pages_0/stack_filter
+
+The call stack doesn't contain ``copy_process``::
+
+  # echo '!copy_process' > \
+      /sys/kernel/tracing/events/kprobes/p_alloc_pages_0/stack_filter
+
+The call stack contains ``copy_process`` or ``do_exit``,
+but not ``free_pgtables``::
+
+  # echo 'copy_process' > \
+      /sys/kernel/tracing/events/kprobes/p_alloc_pages_0/stack_filter
+  # echo 'do_exit' >> \
+      /sys/kernel/tracing/events/kprobes/p_alloc_pages_0/stack_filter
+  # echo '!free_pgtables' >> \
+      /sys/kernel/tracing/events/kprobes/p_alloc_pages_0/stack_filter
+
+The call stack contains ``invoke_syscall -> ... -> copy_process``::
+
+  # echo 'invoke_syscall/**/copy_process' > \
+      /sys/kernel/tracing/events/kprobes/p_alloc_pages_0/stack_filter
+
+Enable the kprobe event and check the trace log::
+
+  # echo 1 > /sys/kernel/tracing/events/kprobes/enable
+  # cat /sys/kernel/tracing/trace
+
+Disable the stack filter::
+
+  # echo 0 > stack_filter
+  or
+  # echo > stack_filter
 
 6. Event triggers
 =================
-- 
2.25.1


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ