Jprobes to the rescue. You can fix this in a few seconds, without recompiling or rebooting the kernel. Note that the jprobe handler needs to have the same prototype as printk. Both functions are marked with the asmlinkage tag that asks them to expect arguments from the stack, rather than from CPU registers. When Listing When this probe is hit, Kprobes replace the saved return address with that of the registered jprobe handler, jprintk.
It then copies a portion of the stack and returns, thus passing control to jprintk with printk 's argument list. A return probe or a kretprobe in Kprobes terminology is another specialized Kprobes helper. It eases the work of inserting a kprobe when you need to probe a function's return point.
If you use vanilla Kprobes to investigate return points, you might need to register them at multiple places because a function can return via multiple code paths. However, if you use return probes, you need to insert only one kretprobe, rather than register, say, 20 Kprobes to cover a function's 20 return paths. A single kretprobe is sufficient to alert you about failures, irrespective of the associated code path. When this probe gets hit, this internal kprobe handler replaces the function return address with that of a special routine called a trampoline in Kprobes terminology.
Kprobes has its limitations. Some of them are obvious. You won't, for example, see desired results if you insert a kprobe inside an inline function. And, of course, you can't probe Kprobes code. The functions used to register and unregister a JProbe are given below. Each probe is described by the struct kprobe structure and stored in a hash table hashed by the address at which the probe is placed.
This spinlock is locked before a new probe is registered, an existing probe is unregistered or when a probe is hit. This prevents these operations from executing simultaneously on a SMP machine. Whenever a probe is hit, the probe handler is called with interrupts disabled. Interrupts are disabled because handling a probe is a multiple step process which involves breakpoint handling and single-step execution of the probed instruction.
There is no easy way to save the state between these operations hence interrupts are kept disabled during probe handling. The manager is composed of these functions which are followed by a simplified description of what they do. These functions are architecture independent. Registration involves copying the instruction at the probe address in a probe specific buffer. On x86 the maximum instruction size is 16 bytes hence 16 bytes are copied at the given address.
Then it replaces the instruction at the probed address with the breakpoint instruction. It restores the original instruction at the address and removes the probe structure from the hash table. JProbes use the KProbes mechanism. After the probes are registered, the addresses at which they are active contain the breakpoint instruction int3 on x This handler notifies KProbes that a breakpoint occurred; KProbes checks if the breakpoint was set by the registration function of KProbes.
If no probe is present at the address at which the probe was hit it simply returns 0. Otherwise the registered probe function is called. A JProbe has to transfer control to another function which has the same prototype as the function on which the probe was placed and then give back control to the original function with the same state as there was before the JProbe was executed. A JProbe leverages the mechanism used by a KProbe.
This is a three-step process. This saves the stack contents and the registers before changing the eip to the address of the user-defined function. On return control reaches the user-defined function to access the arguments of the original function. Possible problems There could be several possible problems which could occur when a probe is handled by KProbes. The first possibility is that several probes are handled in parallel on a SMP system.
However, there's a common hash table shared by all probes which needs to be protected against corruption in such a case. Another problem occurs if a probe is placed inside KProbes code, causing KProbes to enter probe handling code recursively. In this case the recursing probe is disabled silently and control returns back to the previous probe handling code. If preemption occurs when KProbes is executing it can context switch to another process while a probe is being handled.
This may result in disarming the new probe when KProbes discovers it's recursing. To avoid this problem, preemption is disabled when probes are handled.
Similarly, interrupts are disabled by causing the breakpoint handler and the debug handler to be invoked through interrupt gates rather than trap gates. This disables interrupts as soon as control is transferred to the breakpoint or debug handler. Kprobe trigger and processing Kprobe's trigger and processing is passed brk exception and single step Single-step Exception is executed, the context of the abnormality interrupt is modified in each processing function. Other parts that are not detailed Where is the replaced instruction?
Doctor Hacking error-injection Modify the function return value or judgment, so that the code enters the error handling path to improve the test coverage. Debug 4. Kprobe application 1. If omitted, use "kprobes" for it.
Each probe can have up to args. A system-call is done via the syscall instruction. System-calls are limited to six arguments, no argument is passed directly on the stack. Since this uses ftrace, only the root user can use this tool. Trace despite warnings. This option overrides this check. This might expose you to more unsafe functions, which could cause kernel panics or freezes when traced.
0コメント