* ia64 kprobes on syscalls
@ 2006-02-24 9:54 Jes Sorensen
2006-02-24 10:51 ` Ananth N Mavinakayanahalli
2006-02-24 11:46 ` Jes Sorensen
0 siblings, 2 replies; 4+ messages in thread
From: Jes Sorensen @ 2006-02-24 9:54 UTC (permalink / raw)
To: systemtap
Hi,
I am trying to use kprobes to monitor system calls on ia64. However I am
not exactly having a lot of luck with it ;( I tried a couple of
approaches so far and they all seem to result in the kernel exploding
quickly.
First attempt was to add probes directly to the syscall entry code. Now
I am trying to add it to the sys_foo functions instead by walking the
sys_call_table, but it seems to have the same problem.
Has anyone done this successfully on ia64? Is it supposed to work? I was
speaking to Suparna who said there were some systemtap scripts to do
this, so I a presume it has at least been working at some point for the
x86?
I've attached a simple test case below if anyone wishes to comment upon
it (or tell me why I am utterly stupid ;) Ignore the fact that this
thing is leaking struct kprobe's left right and center.
Cheers,
Jes
Index: linux-2.6/arch/ia64/Kconfig.debug
===================================================================
--- linux-2.6.orig/arch/ia64/Kconfig.debug
+++ linux-2.6/arch/ia64/Kconfig.debug
@@ -2,6 +2,9 @@
source "lib/Kconfig.debug"
+config IA64_SYSCALL_PROBES
+ tristate "Enable syscall probe hack"
+
choice
prompt "Physical memory granularity"
default IA64_GRANULE_64MB
Index: linux-2.6/arch/ia64/kernel/Makefile
===================================================================
--- linux-2.6.orig/arch/ia64/kernel/Makefile
+++ linux-2.6/arch/ia64/kernel/Makefile
@@ -30,6 +30,7 @@
obj-$(CONFIG_KPROBES) += kprobes.o jprobes.o
obj-$(CONFIG_IA64_UNCACHED_ALLOCATOR) += uncached.o
mca_recovery-y += mca_drv.o mca_drv_asm.o
+obj-$(CONFIG_IA64_SYSCALL_PROBES) += syscall-probes.o
# The gate DSO image is built using a special linker script.
targets += gate.so gate-syms.o
Index: linux-2.6/arch/ia64/kernel/ia64_ksyms.c
===================================================================
--- linux-2.6.orig/arch/ia64/kernel/ia64_ksyms.c
+++ linux-2.6/arch/ia64/kernel/ia64_ksyms.c
@@ -108,3 +108,6 @@
extern char ia64_ivt[];
EXPORT_SYMBOL(ia64_ivt);
+
+extern unsigned long sys_call_table[];
+EXPORT_SYMBOL(sys_call_table);
Index: linux-2.6/arch/ia64/kernel/syscall-probes.c
===================================================================
--- /dev/null
+++ linux-2.6/arch/ia64/kernel/syscall-probes.c
@@ -0,0 +1,88 @@
+/*
+ * This file is subject to the terms and conditions of the GNU General Public
+ * License. See the file "COPYING" in the main directory of this archive
+ * for more details.
+ */
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/fs.h>
+#include <linux/uio.h>
+#include <linux/kprobes.h>
+#include <linux/kallsyms.h>
+#include <asm/unistd.h>
+
+static int count;
+
+
+static int
+syscall_enter_pre_handler(struct kprobe *probe, struct pt_regs *regs)
+{
+ if (count++ < 25)
+ printk(KERN_DEBUG "syscall me harder! r15\n");
+
+ return 0;
+}
+
+static int probe_fault_handler(struct kprobe *probe,
+ struct pt_regs *regs, int trap)
+{
+ printk(KERN_DEBUG "probe_fault_handler: addr %p, trap %i\n",
+ probe->addr, trap);
+ return 0;
+}
+
+extern unsigned long sys_call_table[];
+
+static int install_syscall_enter_probe(void)
+{
+ int ret, i, j;
+ struct kprobe *p;
+
+ printk(KERN_DEBUG "installing syscall_enter probe!\n");
+
+ for (i = 1, j = 0; i < NR_syscalls; i++) {
+ /*
+ * entry 0 is always a ni_syscall
+ */
+ if (sys_call_table[i] != sys_call_table[0]) {
+ p = kmalloc(sizeof(struct kprobe), GFP_KERNEL);
+ BUG_ON(!p);
+
+ p->pre_handler = syscall_enter_pre_handler;
+ p->fault_handler = probe_fault_handler;
+ p->addr = (void *)sys_call_table[i];
+
+ ret = register_kprobe(p);
+ if (ret)
+ BUG();
+ j++;
+ }
+ }
+
+
+ printk(KERN_DEBUG "installed %i syscall probes\n", j);
+ return ret;
+}
+
+
+static int init_syscall_probes(void)
+{
+ /* kprobes */
+ install_syscall_enter_probe();
+ return 0;
+};
+
+static void exit_syscall_probes(void)
+{
+#if 0
+ unregister_kprobe(&syscall_enter_probe);
+ printk(KERN_DEBUG "syscall probe be gone!\n");
+#endif
+};
+
+
+module_init(init_syscall_probes);
+module_exit(exit_syscall_probes);
+
+MODULE_LICENSE("GPL");
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: ia64 kprobes on syscalls
2006-02-24 9:54 ia64 kprobes on syscalls Jes Sorensen
@ 2006-02-24 10:51 ` Ananth N Mavinakayanahalli
2006-02-24 10:54 ` Jes Sorensen
2006-02-24 11:46 ` Jes Sorensen
1 sibling, 1 reply; 4+ messages in thread
From: Ananth N Mavinakayanahalli @ 2006-02-24 10:51 UTC (permalink / raw)
To: Jes Sorensen; +Cc: systemtap
On Fri, Feb 24, 2006 at 04:54:47AM -0500, Jes Sorensen wrote:
> Hi,
>
> I am trying to use kprobes to monitor system calls on ia64. However I am
> not exactly having a lot of luck with it ;( I tried a couple of
> approaches so far and they all seem to result in the kernel exploding
> quickly.
>
> First attempt was to add probes directly to the syscall entry code. Now
> I am trying to add it to the sys_foo functions instead by walking the
> sys_call_table, but it seems to have the same problem.
>
> Has anyone done this successfully on ia64? Is it supposed to work? I was
> speaking to Suparna who said there were some systemtap scripts to do
> this, so I a presume it has at least been working at some point for the
> x86?
There is some work going on, on instrumenting syscalls using
systemtap, but AFAIK, the targets are currently i386 and x86_64 ...
http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/src/tapset/syscalls.stp?rev=1.6&content-type=text/plain&cvsroot=systemtap
and
http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/src/tapset/syscalls2.stp?rev=1.10&content-type=text/plain&cvsroot=systemtap
> I've attached a simple test case below if anyone wishes to comment upon
> it (or tell me why I am utterly stupid ;) Ignore the fact that this
> thing is leaking struct kprobe's left right and center.
>
> Cheers,
> Jes
>
>
> Index: linux-2.6/arch/ia64/Kconfig.debug
> ===================================================================
> --- linux-2.6.orig/arch/ia64/Kconfig.debug
> +++ linux-2.6/arch/ia64/Kconfig.debug
> @@ -2,6 +2,9 @@
>
> source "lib/Kconfig.debug"
>
> +config IA64_SYSCALL_PROBES
> + tristate "Enable syscall probe hack"
> +
> choice
> prompt "Physical memory granularity"
> default IA64_GRANULE_64MB
> Index: linux-2.6/arch/ia64/kernel/Makefile
> ===================================================================
> --- linux-2.6.orig/arch/ia64/kernel/Makefile
> +++ linux-2.6/arch/ia64/kernel/Makefile
> @@ -30,6 +30,7 @@
> obj-$(CONFIG_KPROBES) += kprobes.o jprobes.o
> obj-$(CONFIG_IA64_UNCACHED_ALLOCATOR) += uncached.o
> mca_recovery-y += mca_drv.o mca_drv_asm.o
> +obj-$(CONFIG_IA64_SYSCALL_PROBES) += syscall-probes.o
>
> # The gate DSO image is built using a special linker script.
> targets += gate.so gate-syms.o
> Index: linux-2.6/arch/ia64/kernel/ia64_ksyms.c
> ===================================================================
> --- linux-2.6.orig/arch/ia64/kernel/ia64_ksyms.c
> +++ linux-2.6/arch/ia64/kernel/ia64_ksyms.c
> @@ -108,3 +108,6 @@
>
> extern char ia64_ivt[];
> EXPORT_SYMBOL(ia64_ivt);
> +
> +extern unsigned long sys_call_table[];
> +EXPORT_SYMBOL(sys_call_table);
> Index: linux-2.6/arch/ia64/kernel/syscall-probes.c
> ===================================================================
> --- /dev/null
> +++ linux-2.6/arch/ia64/kernel/syscall-probes.c
> @@ -0,0 +1,88 @@
> +/*
> + * This file is subject to the terms and conditions of the GNU General Public
> + * License. See the file "COPYING" in the main directory of this archive
> + * for more details.
> + */
> +
> +#include <linux/module.h>
> +#include <linux/kernel.h>
> +#include <linux/fs.h>
> +#include <linux/uio.h>
> +#include <linux/kprobes.h>
> +#include <linux/kallsyms.h>
> +#include <asm/unistd.h>
> +
> +static int count;
> +
> +
> +static int
> +syscall_enter_pre_handler(struct kprobe *probe, struct pt_regs *regs)
> +{
> + if (count++ < 25)
> + printk(KERN_DEBUG "syscall me harder! r15\n");
> +
> + return 0;
> +}
> +
> +static int probe_fault_handler(struct kprobe *probe,
> + struct pt_regs *regs, int trap)
> +{
> + printk(KERN_DEBUG "probe_fault_handler: addr %p, trap %i\n",
> + probe->addr, trap);
> + return 0;
> +}
> +
> +extern unsigned long sys_call_table[];
> +
> +static int install_syscall_enter_probe(void)
> +{
> + int ret, i, j;
> + struct kprobe *p;
> +
> + printk(KERN_DEBUG "installing syscall_enter probe!\n");
> +
> + for (i = 1, j = 0; i < NR_syscalls; i++) {
> + /*
> + * entry 0 is always a ni_syscall
> + */
> + if (sys_call_table[i] != sys_call_table[0]) {
> + p = kmalloc(sizeof(struct kprobe), GFP_KERNEL);
> + BUG_ON(!p);
> +
> + p->pre_handler = syscall_enter_pre_handler;
> + p->fault_handler = probe_fault_handler;
> + p->addr = (void *)sys_call_table[i];
(Disclaimer: I know nothing about IA64 :) Would changing the above to
p->addr = (kprobe_opcode_t *)sys_call_table[i];
make any difference? kprobe_opcode_t on ia64 is a struct with one
element of type bundle_t (and I see bundle_t is a big struct in itself)
Ananth
> +
> + ret = register_kprobe(p);
> + if (ret)
> + BUG();
> + j++;
> + }
> + }
> +
> +
> + printk(KERN_DEBUG "installed %i syscall probes\n", j);
> + return ret;
> +}
> +
> +
> +static int init_syscall_probes(void)
> +{
> + /* kprobes */
> + install_syscall_enter_probe();
> + return 0;
> +};
> +
> +static void exit_syscall_probes(void)
> +{
> +#if 0
> + unregister_kprobe(&syscall_enter_probe);
> + printk(KERN_DEBUG "syscall probe be gone!\n");
> +#endif
> +};
> +
> +
> +module_init(init_syscall_probes);
> +module_exit(exit_syscall_probes);
> +
> +MODULE_LICENSE("GPL");
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: ia64 kprobes on syscalls
2006-02-24 10:51 ` Ananth N Mavinakayanahalli
@ 2006-02-24 10:54 ` Jes Sorensen
0 siblings, 0 replies; 4+ messages in thread
From: Jes Sorensen @ 2006-02-24 10:54 UTC (permalink / raw)
To: ananth; +Cc: systemtap
>>>>> "Ananth" == Ananth N Mavinakayanahalli <ananth@in.ibm.com> writes:
Ananth> On Fri, Feb 24, 2006 at 04:54:47AM -0500, Jes Sorensen wrote:
>> Has anyone done this successfully on ia64? Is it supposed to work?
>> I was speaking to Suparna who said there were some systemtap
>> scripts to do this, so I a presume it has at least been working at
>> some point for the x86?
Ananth> There is some work going on, on instrumenting syscalls using
Ananth> systemtap, but AFAIK, the targets are currently i386 and
Ananth> x86_64 ...
Thanks for the pointers. At least that indicates that it is meant to
work as there is no mention of additional patches for the kernel part
of it.
Cheers,
Jes
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: ia64 kprobes on syscalls
2006-02-24 9:54 ia64 kprobes on syscalls Jes Sorensen
2006-02-24 10:51 ` Ananth N Mavinakayanahalli
@ 2006-02-24 11:46 ` Jes Sorensen
1 sibling, 0 replies; 4+ messages in thread
From: Jes Sorensen @ 2006-02-24 11:46 UTC (permalink / raw)
To: systemtap
>>>>> "Jes" == Jes Sorensen <jes@trained-monkey.org> writes:
Jes> Has anyone done this successfully on ia64? Is it supposed to
Jes> work? I was speaking to Suparna who said there were some
Jes> systemtap scripts to do this, so I a presume it has at least been
Jes> working at some point for the x86?
Jes> I've attached a simple test case below if anyone wishes to
Jes> comment upon it (or tell me why I am utterly stupid ;) Ignore the
Jes> fact that this thing is leaking struct kprobe's left right and
Jes> center.
Well before anyone shames me in public, let me face up to that part
first - changing the kmalloc to kzalloc improves the situation
somewhat ;-)
Anyone got a stash of brown paper bags for sale for a reasonable
price?
I am still puzzled why it blew up the box when I try and probe
directly on the syscall entry code though ....
Sorry for the noise.
Cheers,
Jes
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2006-02-24 11:46 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2006-02-24 9:54 ia64 kprobes on syscalls Jes Sorensen
2006-02-24 10:51 ` Ananth N Mavinakayanahalli
2006-02-24 10:54 ` Jes Sorensen
2006-02-24 11:46 ` Jes Sorensen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).