Kprobes: move kprobe examples to samples/

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Move kprobes examples from Documentation/kprobes.txt to under samples/.
Patch originally by Randy Dunlap.

o Updated the patch to apply on 2.6.25-rc3
o Modified examples code to build on multiple architectures. Currently,
the kprobe and jprobe examples code works for x86 and powerpc
o Cleaned up unneeded #includes
o Cleaned up Kconfig per Sam Ravnborg's suggestions to fix build break
on archs that don't have kretprobes
o Implemented suggestions by Mathieu Desnoyers on CONFIG_KRETPROBES
o Included Andrew Morton's cleanup based on x86-git
o Modified kretprobe_example to act as a arch-agnostic module to
determine routine execution times:
Use 'modprobe kretprobe_example func=<func_name>' to determine
execution time of func_name in nanoseconds.

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Acked-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Ananth N Mavinakayanahalli and committed by

Linus Torvalds 18 years ago 804defea 9edddaa2

+287 -239

7 changed files

expand all

Documentation

kprobes.txt

samples

Kconfig

Makefile

kprobes

Makefile

jprobe_example.c

kprobe_example.c

kretprobe_example.c

+5 -238

Documentation/kprobes.txt

··· 192 192 The Kprobes API includes a "register" function and an "unregister" 193 193 function for each type of probe. Here are terse, mini-man-page 194 194 specifications for these functions and the associated probe handlers 195 - that you'll write. See the latter half of this document for examples. 195 + that you'll write. See the files in the samples/kprobes/ sub-directory 196 + for examples. 196 197 197 198 4.1 register_kprobe 198 199 ··· 421 420 422 421 8. Kprobes Example 423 422 424 - Here's a sample kernel module showing the use of kprobes to dump a 425 - stack trace and selected i386 registers when do_fork() is called. 426 - ----- cut here ----- 427 - /*kprobe_example.c*/ 428 - #include <linux/kernel.h> 429 - #include <linux/module.h> 430 - #include <linux/kprobes.h> 431 - #include <linux/sched.h> 432 - 433 - /*For each probe you need to allocate a kprobe structure*/ 434 - static struct kprobe kp; 435 - 436 - /*kprobe pre_handler: called just before the probed instruction is executed*/ 437 - int handler_pre(struct kprobe *p, struct pt_regs *regs) 438 - { 439 - printk("pre_handler: p->addr=0x%p, eip=%lx, eflags=0x%lx\n", 440 - p->addr, regs->eip, regs->eflags); 441 - dump_stack(); 442 - return 0; 443 - } 444 - 445 - /*kprobe post_handler: called after the probed instruction is executed*/ 446 - void handler_post(struct kprobe *p, struct pt_regs *regs, unsigned long flags) 447 - { 448 - printk("post_handler: p->addr=0x%p, eflags=0x%lx\n", 449 - p->addr, regs->eflags); 450 - } 451 - 452 - /* fault_handler: this is called if an exception is generated for any 453 - * instruction within the pre- or post-handler, or when Kprobes 454 - * single-steps the probed instruction. 455 - */ 456 - int handler_fault(struct kprobe *p, struct pt_regs *regs, int trapnr) 457 - { 458 - printk("fault_handler: p->addr=0x%p, trap #%dn", 459 - p->addr, trapnr); 460 - /* Return 0 because we don't handle the fault. */ 461 - return 0; 462 - } 463 - 464 - static int __init kprobe_init(void) 465 - { 466 - int ret; 467 - kp.pre_handler = handler_pre; 468 - kp.post_handler = handler_post; 469 - kp.fault_handler = handler_fault; 470 - kp.symbol_name = "do_fork"; 471 - 472 - ret = register_kprobe(&kp); 473 - if (ret < 0) { 474 - printk("register_kprobe failed, returned %d\n", ret); 475 - return ret; 476 - } 477 - printk("kprobe registered\n"); 478 - return 0; 479 - } 480 - 481 - static void __exit kprobe_exit(void) 482 - { 483 - unregister_kprobe(&kp); 484 - printk("kprobe unregistered\n"); 485 - } 486 - 487 - module_init(kprobe_init) 488 - module_exit(kprobe_exit) 489 - MODULE_LICENSE("GPL"); 490 - ----- cut here ----- 491 - 492 - You can build the kernel module, kprobe-example.ko, using the following 493 - Makefile: 494 - ----- cut here ----- 495 - obj-m := kprobe-example.o 496 - KDIR := /lib/modules/$(shell uname -r)/build 497 - PWD := $(shell pwd) 498 - default: 499 - $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules 500 - clean: 501 - rm -f *.mod.c *.ko *.o 502 - ----- cut here ----- 503 - 504 - $ make 505 - $ su - 506 - ... 507 - # insmod kprobe-example.ko 508 - 509 - You will see the trace data in /var/log/messages and on the console 510 - whenever do_fork() is invoked to create a new process. 423 + See samples/kprobes/kprobe_example.c 511 424 512 425 9. Jprobes Example 513 426 514 - Here's a sample kernel module showing the use of jprobes to dump 515 - the arguments of do_fork(). 516 - ----- cut here ----- 517 - /*jprobe-example.c */ 518 - #include <linux/kernel.h> 519 - #include <linux/module.h> 520 - #include <linux/fs.h> 521 - #include <linux/uio.h> 522 - #include <linux/kprobes.h> 523 - 524 - /* 525 - * Jumper probe for do_fork. 526 - * Mirror principle enables access to arguments of the probed routine 527 - * from the probe handler. 528 - */ 529 - 530 - /* Proxy routine having the same arguments as actual do_fork() routine */ 531 - long jdo_fork(unsigned long clone_flags, unsigned long stack_start, 532 - struct pt_regs *regs, unsigned long stack_size, 533 - int __user * parent_tidptr, int __user * child_tidptr) 534 - { 535 - printk("jprobe: clone_flags=0x%lx, stack_size=0x%lx, regs=0x%p\n", 536 - clone_flags, stack_size, regs); 537 - /* Always end with a call to jprobe_return(). */ 538 - jprobe_return(); 539 - /*NOTREACHED*/ 540 - return 0; 541 - } 542 - 543 - static struct jprobe my_jprobe = { 544 - .entry = jdo_fork 545 - }; 546 - 547 - static int __init jprobe_init(void) 548 - { 549 - int ret; 550 - my_jprobe.kp.symbol_name = "do_fork"; 551 - 552 - if ((ret = register_jprobe(&my_jprobe)) <0) { 553 - printk("register_jprobe failed, returned %d\n", ret); 554 - return -1; 555 - } 556 - printk("Planted jprobe at %p, handler addr %p\n", 557 - my_jprobe.kp.addr, my_jprobe.entry); 558 - return 0; 559 - } 560 - 561 - static void __exit jprobe_exit(void) 562 - { 563 - unregister_jprobe(&my_jprobe); 564 - printk("jprobe unregistered\n"); 565 - } 566 - 567 - module_init(jprobe_init) 568 - module_exit(jprobe_exit) 569 - MODULE_LICENSE("GPL"); 570 - ----- cut here ----- 571 - 572 - Build and insert the kernel module as shown in the above kprobe 573 - example. You will see the trace data in /var/log/messages and on 574 - the console whenever do_fork() is invoked to create a new process. 575 - (Some messages may be suppressed if syslogd is configured to 576 - eliminate duplicate messages.) 427 + See samples/kprobes/jprobe_example.c 577 428 578 429 10. Kretprobes Example 579 430 580 - Here's a sample kernel module showing the use of return probes to 581 - report failed calls to sys_open(). 582 - ----- cut here ----- 583 - /*kretprobe-example.c*/ 584 - #include <linux/kernel.h> 585 - #include <linux/module.h> 586 - #include <linux/kprobes.h> 587 - #include <linux/ktime.h> 588 - 589 - /* per-instance private data */ 590 - struct my_data { 591 - ktime_t entry_stamp; 592 - }; 593 - 594 - static const char *probed_func = "sys_open"; 595 - 596 - /* Timestamp function entry. */ 597 - static int entry_handler(struct kretprobe_instance *ri, struct pt_regs *regs) 598 - { 599 - struct my_data *data; 600 - 601 - if(!current->mm) 602 - return 1; /* skip kernel threads */ 603 - 604 - data = (struct my_data *)ri->data; 605 - data->entry_stamp = ktime_get(); 606 - return 0; 607 - } 608 - 609 - /* If the probed function failed, log the return value and duration. 610 - * Duration may turn out to be zero consistently, depending upon the 611 - * granularity of time accounting on the platform. */ 612 - static int return_handler(struct kretprobe_instance *ri, struct pt_regs *regs) 613 - { 614 - int retval = regs_return_value(regs); 615 - struct my_data *data = (struct my_data *)ri->data; 616 - s64 delta; 617 - ktime_t now; 618 - 619 - if (retval < 0) { 620 - now = ktime_get(); 621 - delta = ktime_to_ns(ktime_sub(now, data->entry_stamp)); 622 - printk("%s: return val = %d (duration = %lld ns)\n", 623 - probed_func, retval, delta); 624 - } 625 - return 0; 626 - } 627 - 628 - static struct kretprobe my_kretprobe = { 629 - .handler = return_handler, 630 - .entry_handler = entry_handler, 631 - .data_size = sizeof(struct my_data), 632 - .maxactive = 20, /* probe up to 20 instances concurrently */ 633 - }; 634 - 635 - static int __init kretprobe_init(void) 636 - { 637 - int ret; 638 - my_kretprobe.kp.symbol_name = (char *)probed_func; 639 - 640 - if ((ret = register_kretprobe(&my_kretprobe)) < 0) { 641 - printk("register_kretprobe failed, returned %d\n", ret); 642 - return -1; 643 - } 644 - printk("Kretprobe active on %s\n", my_kretprobe.kp.symbol_name); 645 - return 0; 646 - } 647 - 648 - static void __exit kretprobe_exit(void) 649 - { 650 - unregister_kretprobe(&my_kretprobe); 651 - printk("kretprobe unregistered\n"); 652 - /* nmissed > 0 suggests that maxactive was set too low. */ 653 - printk("Missed probing %d instances of %s\n", 654 - my_kretprobe.nmissed, probed_func); 655 - } 656 - 657 - module_init(kretprobe_init) 658 - module_exit(kretprobe_exit) 659 - MODULE_LICENSE("GPL"); 660 - ----- cut here ----- 661 - 662 - Build and insert the kernel module as shown in the above kprobe 663 - example. You will see the trace data in /var/log/messages and on the 664 - console whenever sys_open() returns a negative value. (Some messages 665 - may be suppressed if syslogd is configured to eliminate duplicate 666 - messages.) 431 + See samples/kprobes/kretprobe_example.c 667 432 668 433 For additional information on Kprobes, refer to the following URLs: 669 434 http://www-106.ibm.com/developerworks/library/l-kprobes.html?ca=dgr-lnxw42Kprobe

+11

samples/Kconfig

··· 22 22 23 23 If in doubt, say "N" here. 24 24 25 + config SAMPLE_KPROBES 26 + tristate "Build kprobes examples -- loadable modules only" 27 + depends on KPROBES && m 28 + help 29 + This build several kprobes example modules. 30 + 31 + config SAMPLE_KRETPROBES 32 + tristate "Build kretprobes example -- loadable modules only" 33 + default m 34 + depends on SAMPLE_KPROBES && KRETPROBES 35 + 25 36 endif # SAMPLES 26 37

+1 -1

samples/Makefile

··· 1 1 # Makefile for Linux samples code 2 2 3 - obj-$(CONFIG_SAMPLES) += markers/ kobject/ 3 + obj-$(CONFIG_SAMPLES) += markers/ kobject/ kprobes/

samples/kprobes/Makefile

··· 1 + # builds the kprobes example kernel modules; 2 + # then to use one (as root): insmod <module_name.ko> 3 + 4 + obj-$(CONFIG_SAMPLE_KPROBES) += kprobe_example.o jprobe_example.o 5 + obj-$(CONFIG_SAMPLE_KRETPROBES) += kretprobe_example.o

+68

samples/kprobes/jprobe_example.c

··· 1 + /* 2 + * Here's a sample kernel module showing the use of jprobes to dump 3 + * the arguments of do_fork(). 4 + * 5 + * For more information on theory of operation of jprobes, see 6 + * Documentation/kprobes.txt 7 + * 8 + * Build and insert the kernel module as done in the kprobe example. 9 + * You will see the trace data in /var/log/messages and on the 10 + * console whenever do_fork() is invoked to create a new process. 11 + * (Some messages may be suppressed if syslogd is configured to 12 + * eliminate duplicate messages.) 13 + */ 14 + 15 + #include <linux/kernel.h> 16 + #include <linux/module.h> 17 + #include <linux/kprobes.h> 18 + 19 + /* 20 + * Jumper probe for do_fork. 21 + * Mirror principle enables access to arguments of the probed routine 22 + * from the probe handler. 23 + */ 24 + 25 + /* Proxy routine having the same arguments as actual do_fork() routine */ 26 + static long jdo_fork(unsigned long clone_flags, unsigned long stack_start, 27 + struct pt_regs *regs, unsigned long stack_size, 28 + int __user *parent_tidptr, int __user *child_tidptr) 29 + { 30 + printk(KERN_INFO "jprobe: clone_flags = 0x%lx, stack_size = 0x%lx," 31 + " regs = 0x%p\n", 32 + clone_flags, stack_size, regs); 33 + 34 + /* Always end with a call to jprobe_return(). */ 35 + jprobe_return(); 36 + return 0; 37 + } 38 + 39 + static struct jprobe my_jprobe = { 40 + .entry = jdo_fork, 41 + .kp = { 42 + .symbol_name = "do_fork", 43 + }, 44 + }; 45 + 46 + static int __init jprobe_init(void) 47 + { 48 + int ret; 49 + 50 + ret = register_jprobe(&my_jprobe); 51 + if (ret < 0) { 52 + printk(KERN_INFO "register_jprobe failed, returned %d\n", ret); 53 + return -1; 54 + } 55 + printk(KERN_INFO "Planted jprobe at %p, handler addr %p\n", 56 + my_jprobe.kp.addr, my_jprobe.entry); 57 + return 0; 58 + } 59 + 60 + static void __exit jprobe_exit(void) 61 + { 62 + unregister_jprobe(&my_jprobe); 63 + printk(KERN_INFO "jprobe at %p unregistered\n", my_jprobe.kp.addr); 64 + } 65 + 66 + module_init(jprobe_init) 67 + module_exit(jprobe_exit) 68 + MODULE_LICENSE("GPL");

+91

samples/kprobes/kprobe_example.c

··· 1 + /* 2 + * NOTE: This example is works on x86 and powerpc. 3 + * Here's a sample kernel module showing the use of kprobes to dump a 4 + * stack trace and selected registers when do_fork() is called. 5 + * 6 + * For more information on theory of operation of kprobes, see 7 + * Documentation/kprobes.txt 8 + * 9 + * You will see the trace data in /var/log/messages and on the console 10 + * whenever do_fork() is invoked to create a new process. 11 + */ 12 + 13 + #include <linux/kernel.h> 14 + #include <linux/module.h> 15 + #include <linux/kprobes.h> 16 + 17 + /* For each probe you need to allocate a kprobe structure */ 18 + static struct kprobe kp = { 19 + .symbol_name = "do_fork", 20 + }; 21 + 22 + /* kprobe pre_handler: called just before the probed instruction is executed */ 23 + static int handler_pre(struct kprobe *p, struct pt_regs *regs) 24 + { 25 + #ifdef CONFIG_X86 26 + printk(KERN_INFO "pre_handler: p->addr = 0x%p, ip = %lx," 27 + " flags = 0x%lx\n", 28 + p->addr, regs->ip, regs->flags); 29 + #endif 30 + #ifdef CONFIG_PPC 31 + printk(KERN_INFO "pre_handler: p->addr = 0x%p, nip = 0x%lx," 32 + " msr = 0x%lx\n", 33 + p->addr, regs->nip, regs->msr); 34 + #endif 35 + 36 + /* A dump_stack() here will give a stack backtrace */ 37 + return 0; 38 + } 39 + 40 + /* kprobe post_handler: called after the probed instruction is executed */ 41 + static void handler_post(struct kprobe *p, struct pt_regs *regs, 42 + unsigned long flags) 43 + { 44 + #ifdef CONFIG_X86 45 + printk(KERN_INFO "post_handler: p->addr = 0x%p, flags = 0x%lx\n", 46 + p->addr, regs->flags); 47 + #endif 48 + #ifdef CONFIG_PPC 49 + printk(KERN_INFO "post_handler: p->addr = 0x%p, msr = 0x%lx\n", 50 + p->addr, regs->msr); 51 + #endif 52 + } 53 + 54 + /* 55 + * fault_handler: this is called if an exception is generated for any 56 + * instruction within the pre- or post-handler, or when Kprobes 57 + * single-steps the probed instruction. 58 + */ 59 + static int handler_fault(struct kprobe *p, struct pt_regs *regs, int trapnr) 60 + { 61 + printk(KERN_INFO "fault_handler: p->addr = 0x%p, trap #%dn", 62 + p->addr, trapnr); 63 + /* Return 0 because we don't handle the fault. */ 64 + return 0; 65 + } 66 + 67 + static int __init kprobe_init(void) 68 + { 69 + int ret; 70 + kp.pre_handler = handler_pre; 71 + kp.post_handler = handler_post; 72 + kp.fault_handler = handler_fault; 73 + 74 + ret = register_kprobe(&kp); 75 + if (ret < 0) { 76 + printk(KERN_INFO "register_kprobe failed, returned %d\n", ret); 77 + return ret; 78 + } 79 + printk(KERN_INFO "Planted kprobe at %p\n", kp.addr); 80 + return 0; 81 + } 82 + 83 + static void __exit kprobe_exit(void) 84 + { 85 + unregister_kprobe(&kp); 86 + printk(KERN_INFO "kprobe at %p unregistered\n", kp.addr); 87 + } 88 + 89 + module_init(kprobe_init) 90 + module_exit(kprobe_exit) 91 + MODULE_LICENSE("GPL");

+106

samples/kprobes/kretprobe_example.c

··· 1 + /* 2 + * kretprobe_example.c 3 + * 4 + * Here's a sample kernel module showing the use of return probes to 5 + * report the return value and total time taken for probed function 6 + * to run. 7 + * 8 + * usage: insmod kretprobe_example.ko func=<func_name> 9 + * 10 + * If no func_name is specified, do_fork is instrumented 11 + * 12 + * For more information on theory of operation of kretprobes, see 13 + * Documentation/kprobes.txt 14 + * 15 + * Build and insert the kernel module as done in the kprobe example. 16 + * You will see the trace data in /var/log/messages and on the console 17 + * whenever the probed function returns. (Some messages may be suppressed 18 + * if syslogd is configured to eliminate duplicate messages.) 19 + */ 20 + 21 + #include <linux/kernel.h> 22 + #include <linux/module.h> 23 + #include <linux/kprobes.h> 24 + #include <linux/ktime.h> 25 + #include <linux/limits.h> 26 + 27 + static char func_name[NAME_MAX] = "do_fork"; 28 + module_param_string(func, func_name, NAME_MAX, S_IRUGO); 29 + MODULE_PARM_DESC(func, "Function to kretprobe; this module will report the" 30 + " function's execution time"); 31 + 32 + /* per-instance private data */ 33 + struct my_data { 34 + ktime_t entry_stamp; 35 + }; 36 + 37 + /* Here we use the entry_hanlder to timestamp function entry */ 38 + static int entry_handler(struct kretprobe_instance *ri, struct pt_regs *regs) 39 + { 40 + struct my_data *data; 41 + 42 + if (!current->mm) 43 + return 1; /* Skip kernel threads */ 44 + 45 + data = (struct my_data *)ri->data; 46 + data->entry_stamp = ktime_get(); 47 + return 0; 48 + } 49 + 50 + /* 51 + * Return-probe handler: Log the return value and duration. Duration may turn 52 + * out to be zero consistently, depending upon the granularity of time 53 + * accounting on the platform. 54 + */ 55 + static int ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs) 56 + { 57 + int retval = regs_return_value(regs); 58 + struct my_data *data = (struct my_data *)ri->data; 59 + s64 delta; 60 + ktime_t now; 61 + 62 + now = ktime_get(); 63 + delta = ktime_to_ns(ktime_sub(now, data->entry_stamp)); 64 + printk(KERN_INFO "%s returned %d and took %lld ns to execute\n", 65 + func_name, retval, (long long)delta); 66 + return 0; 67 + } 68 + 69 + static struct kretprobe my_kretprobe = { 70 + .handler = ret_handler, 71 + .entry_handler = entry_handler, 72 + .data_size = sizeof(struct my_data), 73 + /* Probe up to 20 instances concurrently. */ 74 + .maxactive = 20, 75 + }; 76 + 77 + static int __init kretprobe_init(void) 78 + { 79 + int ret; 80 + 81 + my_kretprobe.kp.symbol_name = func_name; 82 + ret = register_kretprobe(&my_kretprobe); 83 + if (ret < 0) { 84 + printk(KERN_INFO "register_kretprobe failed, returned %d\n", 85 + ret); 86 + return -1; 87 + } 88 + printk(KERN_INFO "Planted return probe at %s: %p\n", 89 + my_kretprobe.kp.symbol_name, my_kretprobe.kp.addr); 90 + return 0; 91 + } 92 + 93 + static void __exit kretprobe_exit(void) 94 + { 95 + unregister_kretprobe(&my_kretprobe); 96 + printk(KERN_INFO "kretprobe at %p unregistered\n", 97 + my_kretprobe.kp.addr); 98 + 99 + /* nmissed > 0 suggests that maxactive was set too low. */ 100 + printk(KERN_INFO "Missed probing %d instances of %s\n", 101 + my_kretprobe.nmissed, my_kretprobe.kp.symbol_name); 102 + } 103 + 104 + module_init(kretprobe_init) 105 + module_exit(kretprobe_exit) 106 + MODULE_LICENSE("GPL");