kprobe

Always get 0 session ID in BPF program

走远了吗. Submitted on 2020-01-11 13:05:31
Question: I am trying to write a BPF program that examines the session ID of any process that calls the tty_write kernel function. I am trying to do this by retrieving a field from the current task_struct struct. My code is as follows:

    SEC("kprobe/tty_write")
    int kprobe__tty_write(struct pt_regs *ctx)
    {
        struct task_struct *task;
        struct task_struct *group_leader;
        struct pid_link pid_link;
        struct pid pid;
        int sessionid;
        // get current sessionid
        task = (struct task_struct *)bpf_get_current_task();
        bpf

kprobe handler not getting triggered for specific function

 ̄綄美尐妖づ Submitted on 2019-12-24 09:24:27
Question: I am trying to intercept the function below in a module using kprobes. "register_kprobe" passes for this function, but the kprobe handler is not triggered when the function is called. Strangely, it starts working (the kprobe handler gets called) if I print the function address inside the probing function. It works for other functions in the kernel as well. Why is the kprobe handler not getting triggered, and what difference does printing the function address make? The system has a 3.10 kernel on x86_64 installed. Not working code:

Are tracepoints redundant in Linux kernel after kprobes support for ftrace?

半世苍凉 Submitted on 2019-12-23 13:59:07
Question: What are the use cases for using tracepoint events when kprobe event support for ftrace is available in the Linux kernel? It seems everything that can be done using 'tracepoint events' is possible using kprobe events, since one can set up a kprobe event at the same point where a tracepoint event is available. Am I missing something?
Answer 1: Since kprobes trace arbitrary functions, tools relying on them may easily break from one Linux version to the next. For instance, the name of the

How to invoke any kernel function?

夙愿已清 Submitted on 2019-12-22 14:47:42
Question: I know that Kprobes can be used to probe any kernel function. But after going through its documentation I realise that it is mostly a kind of passive entity. It simply puts a probe in the middle of an execution sequence. But what if I want to invoke any kernel function directly without bothering about the execution sequence? How can I achieve that? Update: Note: I want to invoke any kernel function from inside my kernel module and not from any user space application.
Answer 1: what if I want to invoke

kprobe not working for some functions

梦想与她 Submitted on 2019-12-11 16:17:12
Question: I am trying to use kprobe to track handle_pte_fault function calls in the Linux kernel. I can probe handle_mm_fault, but when I try to probe handle_pte_fault, kprobe's handler for handle_pte_fault doesn't print anything. From this I figured that I can't probe a function which is inline and maybe also static. So I changed the definition of the handle_pte_fault function as follows and recompiled the kernel. From: static int handle_pte_fault(struct vm_fault *vmf) to: noinline int handle_pte
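Both of the "probe never fires" reports above (the handler that is silent on the 3.10 box until the function's address is printed, and the inlined handle_pte_fault) share the usual cause: a function the compiler inlined, or a static one folded into its caller, has no symbol of its own, so there is nothing for a kprobe to attach to. Taking the function's address (which printing it does) forces the compiler to emit an out-of-line copy, which is why the first post's probe suddenly starts working. The check a practitioner runs before registering a probe is whether the symbol appears in the kernel's probeable-function list. The C program below is an added example, not code from any of the posts or from the kernel tree: it matches a symbol against /sys/kernel/tracing/available_filter_functions (on kernels as old as 3.10 the path is /sys/kernel/debug/tracing), falls back to a constructed sample list when tracefs is not readable, and builds the `p:` definition that the ftrace kprobe_events interface (the one the tracepoints question refers to) accepts. The sample list is made up for the demonstration, and the `$arg1` fetch argument assumes a 4.20 or newer kernel; older kernels need a register name such as `%di`.

```c
#include <stdio.h>
#include <string.h>

/* Match one line of available_filter_functions against `sym`.
 * A line is either "symbol" or "symbol [module]"; a bare prefix match is
 * not enough (tty must not match tty_write). */
static int line_matches(const char *line, size_t len, const char *sym)
{
    size_t n = strlen(sym);
    return len >= n && memcmp(line, sym, n) == 0 &&
           (len == n || line[n] == ' ');
}

/* Return 1 if `sym` is listed as a probeable function in the
 * newline-separated `list`, 0 otherwise. */
int symbol_in_list(const char *list, const char *sym)
{
    const char *p = list;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (line_matches(p, len, sym))
            return 1;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Same check against the live tracefs file.  Returns -1 if tracefs is not
 * mounted or not readable (it normally needs root), otherwise 0 or 1. */
int symbol_probeable(const char *sym)
{
    FILE *f = fopen("/sys/kernel/tracing/available_filter_functions", "r");
    char line[512];
    int found = 0;
    if (!f)
        return -1;
    while (!found && fgets(line, sizeof line, f))
        found = line_matches(line, strcspn(line, "\n"), sym);
    fclose(f);
    return found;
}

/* Build a kprobe_events definition,
 *     p:kprobes/EVENT SYMBOL[+OFFSET] [FETCHARGS]
 * as documented in Documentation/trace/kprobetrace.rst.  Returns 0 on
 * success, -1 if the line does not fit in `out`. */
int format_kprobe_event(char *out, size_t outlen, const char *event,
                        const char *symbol, unsigned long offset,
                        const char *fetchargs)
{
    int n = offset
        ? snprintf(out, outlen, "p:kprobes/%s %s+%lu", event, symbol, offset)
        : snprintf(out, outlen, "p:kprobes/%s %s", event, symbol);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (fetchargs && *fetchargs) {
        int m = snprintf(out + n, outlen - n, " %s", fetchargs);
        if (m < 0 || (size_t)(n + m) >= outlen)
            return -1;
    }
    return 0;
}

/* Constructed stand-in for available_filter_functions on a kernel where
 * handle_pte_fault was inlined into handle_mm_fault, so only the caller
 * is listed.  Module symbols carry a " [module]" suffix. */
const char sample_list[] =
    "handle_mm_fault\n"
    "tty_write\n"
    "do_sys_openat2\n"
    "ext4_file_open [ext4]\n";

int main(int argc, char **argv)
{
    const char *sym = argc > 1 ? argv[1] : "handle_pte_fault";
    char def[256];
    int live = symbol_probeable(sym);
    int ok = live < 0 ? symbol_in_list(sample_list, sym) : live;

    printf("%s%s -> %s\n", live < 0 ? "(constructed sample) " : "", sym,
           ok ? "probeable" : "not listed: inlined, static, or misspelled?");

    /* $arg1 needs kernel 4.20+; older kernels take a register such as %di. */
    if (format_kprobe_event(def, sizeof def, "tw", "tty_write", 0, "$arg1") == 0)
        printf("echo '%s' > /sys/kernel/tracing/kprobe_events\n", def);
    return 0;
}
```

A symbol that is listed can still be rejected by register_kprobe when it is on the kprobes blacklist (/sys/kernel/debug/kprobes/blacklist), so a failed registration after a successful listing check points there rather than at inlining.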

How Can I Count malloc in linux kernel with kprobe

浪子不回头ぞ Submitted on 2019-12-08 05:16:07
Question: I want to count the malloc system call with Kprobe in Fedora. I know that malloc is not a system call and is implemented in user space, but I want to count malloc with kprobe if it's possible. What is the name of the system call that I must give to Kprobe? For example, for do_fork: kp.addr = (kprobe_opcode_t *) kallsyms_lookup_name("do_fork");
Answer 1: This is not possible with kprobes because, as you said, malloc is not a system call. You can, however, use USDTs to trace userspace processes. The bcc tools contain an example with uobjnew. It traces object allocations in the given process: $ ./uobjnew -h
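The answer above points at bcc and USDT; the kernel's own uprobe_events interface reaches the same malloc without bcc, but it wants a file offset into libc rather than a runtime address, because uprobes are keyed on (inode, offset) and fire in every process that maps that file. The program below is an added example, not part of the answer or of bcc: it takes the address of malloc in the running process, finds the libc mapping in /proc/self/maps, converts the address to a file offset, and prints the line to write to /sys/kernel/tracing/uprobe_events (as root). The maps line used in the test is constructed; the path and offsets on a real system will differ.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* One parsed line of /proc/<pid>/maps. */
struct map_entry {
    uintptr_t start;
    uintptr_t end;
    unsigned long file_offset;   /* offset of `start` within the backing file */
    char path[256];              /* empty for anonymous mappings */
};

/* Parse "START-END PERMS OFFSET DEV INODE [PATH]".  Returns 1 on success. */
int parse_maps_line(const char *line, struct map_entry *m)
{
    unsigned long start, end, off, inode;
    char perms[8], dev[16];
    int consumed = 0;
    size_t len;

    if (sscanf(line, "%lx-%lx %7s %lx %15s %lu %n",
               &start, &end, perms, &off, dev, &inode, &consumed) < 6)
        return 0;
    m->start = start;
    m->end = end;
    m->file_offset = off;
    len = strcspn(line + consumed, "\n");
    if (len >= sizeof m->path)
        len = sizeof m->path - 1;
    memcpy(m->path, line + consumed, len);
    m->path[len] = '\0';
    return 1;
}

/* File offset that uprobe_events expects for virtual address `addr`, or
 * (unsigned long)-1 when `addr` lies outside the mapping. */
unsigned long uprobe_offset(const struct map_entry *m, uintptr_t addr)
{
    if (addr < m->start || addr >= m->end)
        return (unsigned long)-1;
    return m->file_offset + (unsigned long)(addr - m->start);
}

/* "p:uprobes/EVENT PATH:OFFSET", the definition format of
 * /sys/kernel/tracing/uprobe_events (Documentation/trace/uprobetracer.rst). */
int format_uprobe_event(char *out, size_t outlen, const char *event,
                        const char *path, unsigned long off)
{
    int n = snprintf(out, outlen, "p:uprobes/%s %s:0x%lx", event, path, off);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Locate the mapping of the current process that contains `addr`. */
int find_mapping(uintptr_t addr, struct map_entry *out)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        struct map_entry m;
        if (parse_maps_line(line, &m) && addr >= m.start && addr < m.end) {
            *out = m;
            fclose(f);
            return 1;
        }
    }
    fclose(f);
    return 0;
}

int main(void)
{
    /* In a PIE binary &malloc resolves through the GOT to libc's copy; in a
     * non-PIE build it may be the executable's own PLT stub, hence the check
     * that the mapping really is libc. */
    uintptr_t addr = (uintptr_t)&malloc;
    struct map_entry m;
    char def[512];

    if (!find_mapping(addr, &m) || !strstr(m.path, "libc")) {
        fprintf(stderr, "malloc did not resolve into libc (PLT stub?); build with -pie\n");
        return 1;
    }
    if (format_uprobe_event(def, sizeof def, "malloc", m.path,
                            uprobe_offset(&m, addr)) != 0)
        return 1;
    printf("echo '%s' > /sys/kernel/tracing/uprobe_events\n", def);
    return 0;
}
```

After writing the definition, `echo 1 > /sys/kernel/tracing/events/uprobes/malloc/enable` turns the probe on and hits show up in /sys/kernel/tracing/trace (or can be counted per process with `perf stat -e uprobes:malloc -p PID`). `perf probe -x /path/to/libc.so.6 malloc` performs this same address-to-offset translation for you; the manual version is useful when perf is not installed on the target.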