| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <014136d2-8599-4a1f-ab8e-c5be4f522e5a@infradead.org> Date: Sun, 14 Sep 2025 17:14:37 -0700 From: Randy Dunlap <rdunlap@...radead.org> To: "Masami Hiramatsu (Google)" <mhiramat@...nel.org>, Steven Rostedt <rostedt@...dmis.org>, Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...nel.org>, x86@...nel.org Cc: Jinchao Wang <wangjinchao600@...il.com>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>, Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "H . Peter Anvin" <hpa@...or.com>, Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Ian Rogers <irogers@...gle.com>, linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org, linux-doc@...r.kernel.org, linux-perf-users@...r.kernel.org Subject: Re: [PATCH v4 1/8] tracing: wprobe: Add watchpoint probe event based on hardware breakpoint Hi, On 9/14/25 7:09 AM, Masami Hiramatsu (Google) wrote: > From: Masami Hiramatsu (Google) <mhiramat@...nel.org> > > Add a new probe event for the hardware breakpoint called wprobe-event. > This wprobe allows user to trace (watch) the memory access at the > specified memory address. > The new syntax is; > > w[:[GROUP/]EVENT] [r|w|rw]@[ADDR|SYM][:SIZE] [FETCH_ARGs] > > User also can use $addr to fetch the accessed address. But no other > variables are supported. To record updated value, use '+0($addr)'. > > For example, tracing updates of the jiffies; > > /sys/kernel/tracing # echo 'w:my_jiffies w@...fies' >> dynamic_events > /sys/kernel/tracing # cat dynamic_events > w:wprobes/my_jiffies w@...fies:4 > /sys/kernel/tracing # echo 1 > events/wprobes/my_jiffies/enable > /sys/kernel/tracing # head -n 20 trace | tail -n 5 > # TASK-PID CPU# ||||| TIMESTAMP FUNCTION > # | | | ||||| | | > <idle>-0 [000] d.Z1. 206.547317: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130) > <idle>-0 [000] d.Z1. 206.548341: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130) > <idle>-0 [000] d.Z1. 206.549346: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130) > > > Signed-off-by: Masami Hiramatsu (Google) <mhiramat@...nel.org> > --- > Changes in v3: > - Enclose the register-API dependent code in trace_probe.c with > CONFIG_HAVE_FUNCTION_ARG_ACCESS_API. > --- > Documentation/trace/index.rst | 1 > Documentation/trace/wprobetrace.rst | 69 ++++ > include/linux/trace_events.h | 2 > kernel/trace/Kconfig | 14 + > kernel/trace/Makefile | 1 > kernel/trace/trace.c | 9 > kernel/trace/trace.h | 5 > kernel/trace/trace_probe.c | 22 + > kernel/trace/trace_probe.h | 8 > kernel/trace/trace_wprobe.c | 685 +++++++++++++++++++++++++++++++++++ > 10 files changed, 813 insertions(+), 3 deletions(-) > create mode 100644 Documentation/trace/wprobetrace.rst > create mode 100644 kernel/trace/trace_wprobe.c > > diff --git a/Documentation/trace/wprobetrace.rst b/Documentation/trace/wprobetrace.rst > new file mode 100644 > index 000000000000..9774f57e2947 > --- /dev/null > +++ b/Documentation/trace/wprobetrace.rst > @@ -0,0 +1,69 @@ > +.. SPDX-License-Identifier: GPL-2.0 > + > +======================================= > +Watchpoint probe (wprobe) Event Tracing > +======================================= > + > +.. Author: Masami Hiramatsu <mhiramat@...nel.org> > + > +Overview > +-------- > + > +Wprobe event is a dynamic event based on the hardware breakpoint, which is > +similar to other probe events, but it is for watching data access. It allows > +you to trace which code accesses a specified data. > + > +As same as other dynamic events, wprobe events are defined via > +`dynamic_events` interface file on tracefs. > + > +Synopsis of wprobe-events > +------------------------- > +:: > + > + w:[GRP/][EVENT] SPEC [FETCHARGS] : Probe on data access > + > + GRP : Group name for wprobe. If omitted, use "wprobes" for it. > + EVENT : Event name for wprobe. If omitted, an event name is > + generated based on the address or symbol. > + SPEC : Breakpoint specification. > + [r|w|rw]@<ADDRESS|SYMBOL[+|-OFFS]>[:LENGTH] > + > + r|w|rw : Access type, r for read, w for write, and rw for both. > + Use rw if omitted. Default is rw if omitted. > + ADDRESS : Address to trace (hexadecimal). > + SYMBOL : Symbol name to trace. > + LENGTH : Length of the data to trace in bytes. (1, 2, 4, or 8) > + > + FETCHARGS : Arguments. Each probe can have up to 128 args. > + $addr : Fetch the accessing address. > + @ADDR : Fetch memory at ADDR (ADDR should be in kernel) > + @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol) > + +|-[u]OFFS(FETCHARG) : Fetch memory at FETCHARG +|- OFFS address.(\*1)(\*2) > + \IMM : Store an immediate value to the argument. > + NAME=FETCHARG : Set NAME as the argument name of FETCHARG. > + FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types > + (u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types > + (x8/x16/x32/x64), "char", "string", "ustring", "symbol", "symstr" > + and bitfield are supported. > + > + (\*1) this is useful for fetching a field of data structures. > + (\*2) "u" means user-space dereference. > + > +For the details of TYPE, see :ref:`kprobetrace documentation <kprobetrace_types>`. > + > +Usage examples > +-------------- > +Here is an example to add a wprobe event on a variable `jiffies`. > +:: > + > + # echo 'w:my_jiffies w@...fies' >> dynamic_events > + # cat dynamic_events > + w:wprobes/my_jiffies w@...fies > + # echo 1 > events/wprobes/enable > + # cat trace | head > + # TASK-PID CPU# ||||| TIMESTAMP FUNCTION > + # | | | ||||| | | > + <idle>-0 [000] d.Z1. 717.026259: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130) > + <idle>-0 [000] d.Z1. 717.026373: my_jiffies: (tick_do_update_jiffies64+0xbe/0x130) > + > +You can see the code which writes to `jiffies` is `do_timer()`. I'm having trouble getting from tick_do_update_jiffies64+0xbe/0x130, which I expect is jiffies_64 += ticks; in that function, over to do_timer(), which also updates jiffies_64, but is not called by tick_do_update_jiffies64(). AFAICT, there are no calls to do_timer() in the file (kernel/time/tick-sched.c). Can you explain, please? > diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig > index d2c79da81e4f..dd8919386425 100644 > --- a/kernel/trace/Kconfig > +++ b/kernel/trace/Kconfig > @@ -807,6 +807,20 @@ config EPROBE_EVENTS > convert the type of an event field. For example, turn an > address into a string. > > +config WPROBE_EVENTS > + bool "Enable wprobe-based dynamic events" > + depends on TRACING > + depends on HAVE_HW_BREAKPOINT > + select PROBE_EVENTS > + select DYNAMIC_EVENTS > + default y Wny default y? > + help > + This allows the user to add watchpoint tracing events based on > + hardware breakpoints on the fly via the ftrace interface. > + > + Those events can be inserted wherever hardware breakpoints can be > + set, and record various register and memory values. > + > config BPF_EVENTS > depends on BPF_SYSCALL > depends on (KPROBE_EVENTS || UPROBE_EVENTS) && PERF_EVENTS thanks. -- ~Randy
Powered by blists - more mailing lists