diff options
Diffstat (limited to 'Documentation/kprobes.txt')
-rw-r--r-- | Documentation/kprobes.txt | 81 |
1 files changed, 42 insertions, 39 deletions
diff --git a/Documentation/kprobes.txt b/Documentation/kprobes.txt index 0ea5a0c6e827..2c3b1eae4280 100644 --- a/Documentation/kprobes.txt +++ b/Documentation/kprobes.txt | |||
@@ -136,17 +136,20 @@ Kprobes, jprobes, and return probes are implemented on the following | |||
136 | architectures: | 136 | architectures: |
137 | 137 | ||
138 | - i386 | 138 | - i386 |
139 | - x86_64 (AMD-64, E64MT) | 139 | - x86_64 (AMD-64, EM64T) |
140 | - ppc64 | 140 | - ppc64 |
141 | - ia64 (Support for probes on certain instruction types is still in progress.) | 141 | - ia64 (Does not support probes on instruction slot1.) |
142 | - sparc64 (Return probes not yet implemented.) | 142 | - sparc64 (Return probes not yet implemented.) |
143 | 143 | ||
144 | 3. Configuring Kprobes | 144 | 3. Configuring Kprobes |
145 | 145 | ||
146 | When configuring the kernel using make menuconfig/xconfig/oldconfig, | 146 | When configuring the kernel using make menuconfig/xconfig/oldconfig, |
147 | ensure that CONFIG_KPROBES is set to "y". Under "Kernel hacking", | 147 | ensure that CONFIG_KPROBES is set to "y". Under "Instrumentation |
148 | look for "Kprobes". You may have to enable "Kernel debugging" | 148 | Support", look for "Kprobes". |
149 | (CONFIG_DEBUG_KERNEL) before you can enable Kprobes. | 149 | |
150 | So that you can load and unload Kprobes-based instrumentation modules, | ||
151 | make sure "Loadable module support" (CONFIG_MODULES) and "Module | ||
152 | unloading" (CONFIG_MODULE_UNLOAD) are set to "y". | ||
150 | 153 | ||
151 | You may also want to ensure that CONFIG_KALLSYMS and perhaps even | 154 | You may also want to ensure that CONFIG_KALLSYMS and perhaps even |
152 | CONFIG_KALLSYMS_ALL are set to "y", since kallsyms_lookup_name() | 155 | CONFIG_KALLSYMS_ALL are set to "y", since kallsyms_lookup_name() |
@@ -262,18 +265,18 @@ at any time after the probe has been registered. | |||
262 | 265 | ||
263 | 5. Kprobes Features and Limitations | 266 | 5. Kprobes Features and Limitations |
264 | 267 | ||
265 | As of Linux v2.6.12, Kprobes allows multiple probes at the same | 268 | Kprobes allows multiple probes at the same address. Currently, |
266 | address. Currently, however, there cannot be multiple jprobes on | 269 | however, there cannot be multiple jprobes on the same function at |
267 | the same function at the same time. | 270 | the same time. |
268 | 271 | ||
269 | In general, you can install a probe anywhere in the kernel. | 272 | In general, you can install a probe anywhere in the kernel. |
270 | In particular, you can probe interrupt handlers. Known exceptions | 273 | In particular, you can probe interrupt handlers. Known exceptions |
271 | are discussed in this section. | 274 | are discussed in this section. |
272 | 275 | ||
273 | For obvious reasons, it's a bad idea to install a probe in | 276 | The register_*probe functions will return -EINVAL if you attempt |
274 | the code that implements Kprobes (mostly kernel/kprobes.c and | 277 | to install a probe in the code that implements Kprobes (mostly |
275 | arch/*/kernel/kprobes.c). A patch in the v2.6.13 timeframe instructs | 278 | kernel/kprobes.c and arch/*/kernel/kprobes.c, but also functions such |
276 | Kprobes to reject such requests. | 279 | as do_page_fault and notifier_call_chain). |
277 | 280 | ||
278 | If you install a probe in an inline-able function, Kprobes makes | 281 | If you install a probe in an inline-able function, Kprobes makes |
279 | no attempt to chase down all inline instances of the function and | 282 | no attempt to chase down all inline instances of the function and |
@@ -290,18 +293,14 @@ from the accidental ones. Don't drink and probe. | |||
290 | 293 | ||
291 | Kprobes makes no attempt to prevent probe handlers from stepping on | 294 | Kprobes makes no attempt to prevent probe handlers from stepping on |
292 | each other -- e.g., probing printk() and then calling printk() from a | 295 | each other -- e.g., probing printk() and then calling printk() from a |
293 | probe handler. As of Linux v2.6.12, if a probe handler hits a probe, | 296 | probe handler. If a probe handler hits a probe, that second probe's |
294 | that second probe's handlers won't be run in that instance. | 297 | handlers won't be run in that instance, and the kprobe.nmissed member |
295 | 298 | of the second probe will be incremented. | |
296 | In Linux v2.6.12 and previous versions, Kprobes' data structures are | 299 | |
297 | protected by a single lock that is held during probe registration and | 300 | As of Linux v2.6.15-rc1, multiple handlers (or multiple instances of |
298 | unregistration and while handlers are run. Thus, no two handlers | 301 | the same handler) may run concurrently on different CPUs. |
299 | can run simultaneously. To improve scalability on SMP systems, | 302 | |
300 | this restriction will probably be removed soon, in which case | 303 | Kprobes does not use mutexes or allocate memory except during |
301 | multiple handlers (or multiple instances of the same handler) may | ||
302 | run concurrently on different CPUs. Code your handlers accordingly. | ||
303 | |||
304 | Kprobes does not use semaphores or allocate memory except during | ||
305 | registration and unregistration. | 304 | registration and unregistration. |
306 | 305 | ||
307 | Probe handlers are run with preemption disabled. Depending on the | 306 | Probe handlers are run with preemption disabled. Depending on the |
@@ -316,11 +315,18 @@ address instead of the real return address for kretprobed functions. | |||
316 | (As far as we can tell, __builtin_return_address() is used only | 315 | (As far as we can tell, __builtin_return_address() is used only |
317 | for instrumentation and error reporting.) | 316 | for instrumentation and error reporting.) |
318 | 317 | ||
319 | If the number of times a function is called does not match the | 318 | If the number of times a function is called does not match the number |
320 | number of times it returns, registering a return probe on that | 319 | of times it returns, registering a return probe on that function may |
321 | function may produce undesirable results. We have the do_exit() | 320 | produce undesirable results. We have the do_exit() case covered. |
322 | and do_execve() cases covered. do_fork() is not an issue. We're | 321 | do_execve() and do_fork() are not an issue. We're unaware of other |
323 | unaware of other specific cases where this could be a problem. | 322 | specific cases where this could be a problem. |
323 | |||
324 | If, upon entry to or exit from a function, the CPU is running on | ||
325 | a stack other than that of the current task, registering a return | ||
326 | probe on that function may produce undesirable results. For this | ||
327 | reason, Kprobes doesn't support return probes (or kprobes or jprobes) | ||
328 | on the x86_64 version of __switch_to(); the registration functions | ||
329 | return -EINVAL. | ||
324 | 330 | ||
325 | 6. Probe Overhead | 331 | 6. Probe Overhead |
326 | 332 | ||
@@ -347,14 +353,12 @@ k = 0.77 usec; j = 1.31; r = 1.26; kr = 1.45; jr = 1.99 | |||
347 | 353 | ||
348 | 7. TODO | 354 | 7. TODO |
349 | 355 | ||
350 | a. SystemTap (http://sourceware.org/systemtap): Work in progress | 356 | a. SystemTap (http://sourceware.org/systemtap): Provides a simplified |
351 | to provide a simplified programming interface for probe-based | 357 | programming interface for probe-based instrumentation. Try it out. |
352 | instrumentation. | 358 | b. Kernel return probes for sparc64. |
353 | b. Improved SMP scalability: Currently, work is in progress to handle | 359 | c. Support for other architectures. |
354 | multiple kprobes in parallel. | 360 | d. User-space probes. |
355 | c. Kernel return probes for sparc64. | 361 | e. Watchpoint probes (which fire on data references). |
356 | d. Support for other architectures. | ||
357 | e. User-space probes. | ||
358 | 362 | ||
359 | 8. Kprobes Example | 363 | 8. Kprobes Example |
360 | 364 | ||
@@ -411,8 +415,7 @@ int init_module(void) | |||
411 | printk("Couldn't find %s to plant kprobe\n", "do_fork"); | 415 | printk("Couldn't find %s to plant kprobe\n", "do_fork"); |
412 | return -1; | 416 | return -1; |
413 | } | 417 | } |
414 | ret = register_kprobe(&kp); | 418 | if ((ret = register_kprobe(&kp) < 0)) { |
415 | if (ret < 0) { | ||
416 | printk("register_kprobe failed, returned %d\n", ret); | 419 | printk("register_kprobe failed, returned %d\n", ret); |
417 | return -1; | 420 | return -1; |
418 | } | 421 | } |