| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c3842632-cb15-469f-a6e8-8e9ccb3fff56@efficios.com> Date: Tue, 28 Jan 2025 11:46:25 -0500 From: Mathieu Desnoyers <mathieu.desnoyers@...icios.com> To: Steven Rostedt <rostedt@...dmis.org> Cc: "Masami Hiramatsu (Google)" <mhiramat@...nel.org>, Luis Chamberlain <mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen <samitolvanen@...gle.com>, Daniel Gomez <da.gomez@...sung.com>, linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org, linux-modules@...r.kernel.org Subject: Re: [RFC PATCH 0/3] tracing: Introduce relative stacktrace On 2025-01-28 11:27, Steven Rostedt wrote: > On Tue, 28 Jan 2025 10:46:21 -0500 > Mathieu Desnoyers <mathieu.desnoyers@...icios.com> wrote: > >> This does not handle the situation where a module is already loaded >> before tracing starts. In LTTng we have a statedump facility for this, >> where we can iterate on all modules at trace start and dump the relevant >> information. >> >> You may want to consider a similar approach for other tracers. > > Last night Masami and I were talking about this. The idea I was thinking of > was to simply have a module load notifier that would add modules to an > array. It would only keep track of loaded modules, and when the trace hit, > if the address was outside of core text, it would search the array for the > module, and use that. When a module is removed, it would also be removed > from the array. We currently do not support tracing module removal (if the > module is traced, the buffers are cleared when the module is removed). I'm trying to wrap my head around what you are trying to achieve here. So AFAIU you are aiming to store the relative offset from kernel _text and module base text address into the traced events rather than the actual address. Based on Masami's cover letter, this appears to be done to make sure users can get to this base+offset information even if they cannot read kallsyms. Why make the tracing fast path more complex for a simple matter of accessing this base address information ? All you need to have to convert from kernel address to base + offset is: - The kernel _text base address, - Each loaded module text base address, - Unloaded modules events to prune this information. What is wrong with simply exporting this base address information in the trace buffers rather than rely on kallsyms, and deal with the conversion to module name / base+offset at post-processing ? Thanks, Mathieu > > If it is a module address, set the MSB, and for 32 bit machines use the > next 7 bits as an index into the module array, and for 64 bit machines, use > the next 10 bits as an index. This would be exposed in the format file for > the kernel_stack_rel event, so if these numbers change, user space can cope > with it. In fact, it would need to use the format file to distinguish the > 32 bit and 64 bit values. > > That is, a stack trace will contain addresses that are core kernel simply > subtracted from ".text", and the modules address would have the MSB set, > the next bits would be an index into that array that holds the module > information, and the address would be the address minus the module address > where it was loaded. > > This way we do not need to save the information from any events. Also, for > the persistent ring buffer, this array could live in that memory, so that > it will be available on the next boot. -- Mathieu Desnoyers EfficiOS Inc. https://www.efficios.com
Powered by blists - more mailing lists