lists.openwall.net mailing list archive
Message-ID: <20250729115021.135bca64@batman.local.home>
Date: Tue, 29 Jul 2025 11:50:21 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Randy Dunlap <rdunlap@...radead.org>
Cc: LKML <linux-kernel@...r.kernel.org>, Linux trace kernel
 <linux-trace-kernel@...r.kernel.org>, linux-doc@...r.kernel.org, Masami
 Hiramatsu <mhiramat@...nel.org>, Mathieu Desnoyers
 <mathieu.desnoyers@...icios.com>, Mark Rutland <mark.rutland@....com>,
 Andrew Morton <akpm@...ux-foundation.org>, Namhyung Kim
 <namhyung@...nel.org>, Jonathan Corbet <corbet@....net>
Subject: Re: [PATCH] Documentation: tracing: Add documentation about eprobes

On Mon, 28 Jul 2025 18:02:37 -0700
Randy Dunlap <rdunlap@...radead.org> wrote:
> > +Overview
> > +========
> > +
> > +Eprobes are dynamic events that are placed on existing events to eiter  
> 
>                                                                     either
> 
> > +dereference a field that is a pointer, or simply to limit what fields get  
> 
>                                                        (preference:)     are
> 
> > +recorded in the trace event.
> > +
> > +Eprobes depend on kprobe events so to enable this feature, build your kernel  
> 
>                                                          s/,/;/

OK.


> > +  FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types
> > +		  (u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types
> > +		  (x8/x16/x32/x64), VFS layer common type(%pd/%pD), "char",
> > +                  "string", "ustring", "symbol", "symstr" and bitfield are  
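Review bot: a space is missing before the parenthesis in "VFS layer common type(%pd/%pD)"; since this paragraph is a copy of the FETCHARG:TYPE text in kprobetrace.rst, the same fix (and the quoting of "bitfield" raised above) should go into both files in the same series so the two descriptions do not drift apart.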
> 
> 		Should bitfield be quoted?

Hmm, probably. And we should fix kprobetrace.rst as that's where I copied it from.

> > +
> > +Attaching to dynamic events
> > +---------------------------
> > +
> > +Note that eprobes may attach to dynamic events as well as to normal events. It  
> 
> Don't need "Note that".

OK.

> 
> > +may attach to a kprobe event, a synthetic event or a fprobe event. This is  
> 
>                                       I would say:    an fprobe event.
> 

OK.


> > +
> > +Example 2
> > +---------
> > +
> > +If syscall events are not enabled but the raw syscall are (systemcall  
> 
>                                                  syscalls are (system call
> 
> > +events are not normal events, but are created from the raw_syscall events
> > +within the kernel). In order to trace the openat system call, one can create  
> 
>                     ^^ not a complete sentence.

Ah, I'm thinking that "This example is for the case that syscall events
are not enabled..."

But it came out as the above. Will fix.

> 
> 
> > +an event probe on top of the raw_syscall event:
> > +::
> > +
> > + # cd /sys/kernel/tracing
> > + # cat events/raw_syscalls/sys_enter/format
> > + name: sys_enter
> > + ID: 395
> > + format:
> > +	field:unsigned short common_type;	offset:0;	size:2;	signed:0;
> > +	field:unsigned char common_flags;	offset:2;	size:1;	signed:0;
> > +	field:unsigned char common_preempt_count;	offset:3;	size:1;	signed:0;
> > +	field:int common_pid;	offset:4;	size:4;	signed:1;
> > +
> > +	field:long id;	offset:8;	size:8;	signed:1;
> > +	field:unsigned long args[6];	offset:16;	size:48;	signed:0;
> > +
> > + print fmt: "NR %ld (%lx, %lx, %lx, %lx, %lx, %lx)", REC->id, REC->args[0], REC->args[1], REC->args[2], REC->args[3], REC->args[4], REC->args[5]
> > +
> > +From the source code, the sys_openat() has:
> > +::
> > +
> > + int sys_openat(int dirfd, const char *path, int flags, mode_t mode)
> > + {
> > +	return my_syscall4(__NR_openat, dirfd, path, flags, mode);
> > + }
> > +
> > +The path is the second parameter, and that is what is wanted.  
> 
> s/wanted/want/

Really? That sounds funny to me:

   The path is the second parameter and that is what is want.

??


> 
> > +::
> > +
> > + # echo 'e:openat raw_syscalls.sys_enter nr=$id filename=+8($args):ustring' >> dynamic_events
> > +
> > +This is being run on x86_64 where the word size is 8 bytes and the openat
> > +systemcall __NR_openat is set at 257.  
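Review bot: the eprobe is attached to raw_syscalls.sys_enter, which fires for every system call, so as written the "openat" eprobe records args[1] of every syscall and tries to read it as a user string; either show the filter the example relies on (eprobes get a filter file like other events, so something like 'nr == 257' written to events/eprobes/openat/filter) or say explicitly that the trace will contain entries for every system call until one is added. Separately, the "From the source code, the sys_openat() has:" snippet with my_syscall4() is the nolibc userspace wrapper, not the kernel's definition of the system call (in the kernel it is SYSCALL_DEFINE4(openat, ...) in fs/open.c), and a reader looking for sys_openat() in the kernel tree will not find it; name the nolibc wrapper, or quote the kernel prototype, since the only point being made is that the pathname is the second argument, i.e. args[1], hence +8($args) with an 8-byte word.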
> 
>    system call

OK.


> > +The filename shows "(fault)". This is likely because the filename has not been
> > +pulled into memory yet and currently trace events cannot fault in memory that
> > +is not present. When a eprobe tries to read memory that has not been faulted  
> 
>                         an eprobe

OK.


> > +Now that the address of the filename has been passed to the end of the
> > +systemcall, create another eprobe to attach to the exit event to show the  
> 
>    system call,

OK.

> 
> Thanks for the new documentation.
> 

It was a long time coming :-p

-- Steve
