1 ================================= 1 =================================
2 Using ftrace to hook to functions 2 Using ftrace to hook to functions
3 ================================= 3 =================================
4 4
5 .. Copyright 2017 VMware Inc. 5 .. Copyright 2017 VMware Inc.
6 .. Author: Steven Rostedt <srostedt@goodmis 6 .. Author: Steven Rostedt <srostedt@goodmis.org>
7 .. License: The GNU Free Documentation Lice 7 .. License: The GNU Free Documentation License, Version 1.2
8 .. (dual licensed under the GPL 8 .. (dual licensed under the GPL v2)
9 9
10 Written for: 4.14 10 Written for: 4.14
11 11
12 Introduction 12 Introduction
13 ============ 13 ============
14 14
15 The ftrace infrastructure was originally creat !! 15 The ftrace infrastructure was originially created to attach callbacks to the
16 beginning of functions in order to record and 16 beginning of functions in order to record and trace the flow of the kernel.
17 But callbacks to the start of a function can h 17 But callbacks to the start of a function can have other use cases. Either
18 for live kernel patching, or for security moni 18 for live kernel patching, or for security monitoring. This document describes
19 how to use ftrace to implement your own functi 19 how to use ftrace to implement your own function callbacks.
20 20
21 21
22 The ftrace context 22 The ftrace context
23 ================== 23 ==================
24 .. warning:: <<
25 24
26 The ability to add a callback to almost any !! 25 WARNING: The ability to add a callback to almost any function within the
27 kernel comes with risks. A callback can be c !! 26 kernel comes with risks. A callback can be called from any context
28 (normal, softirq, irq, and NMI). Callbacks c !! 27 (normal, softirq, irq, and NMI). Callbacks can also be called just before
29 going to idle, during CPU bring up and taked !! 28 going to idle, during CPU bring up and takedown, or going to user space.
30 This requires extra care to what can be done !! 29 This requires extra care to what can be done inside a callback. A callback
31 can be called outside the protective scope o !! 30 can be called outside the protective scope of RCU.
32 31
33 There are helper functions to help against rec !! 32 The ftrace infrastructure has some protections agains recursions and RCU
34 RCU is watching. These are explained below. !! 33 but one must still be very careful how they use the callbacks.
35 34
36 35
37 The ftrace_ops structure 36 The ftrace_ops structure
38 ======================== 37 ========================
39 38
40 To register a function callback, a ftrace_ops 39 To register a function callback, a ftrace_ops is required. This structure
41 is used to tell ftrace what function should be 40 is used to tell ftrace what function should be called as the callback
42 as well as what protections the callback will 41 as well as what protections the callback will perform and not require
43 ftrace to handle. 42 ftrace to handle.
44 43
45 There is only one field that is needed to be s 44 There is only one field that is needed to be set when registering
46 an ftrace_ops with ftrace: !! 45 an ftrace_ops with ftrace::
47 46
48 .. code-block:: c !! 47 .. code-block: c
49 48
50 struct ftrace_ops ops = { 49 struct ftrace_ops ops = {
51 .func = my_callback_ 50 .func = my_callback_func,
52 .flags = MY_FTRACE_FL 51 .flags = MY_FTRACE_FLAGS
53 .private = any_private_ 52 .private = any_private_data_structure,
54 }; 53 };
55 54
56 Both .flags and .private are optional. Only .f 55 Both .flags and .private are optional. Only .func is required.
57 56
58 To enable tracing call:: 57 To enable tracing call::
59 58
60 register_ftrace_function(&ops); !! 59 .. c:function:: register_ftrace_function(&ops);
61 60
62 To disable tracing call:: 61 To disable tracing call::
63 62
64 unregister_ftrace_function(&ops); !! 63 .. c:function:: unregister_ftrace_function(&ops);
65 64
66 The above is defined by including the header:: 65 The above is defined by including the header::
67 66
68 #include <linux/ftrace.h> !! 67 .. c:function:: #include <linux/ftrace.h>
69 68
70 The registered callback will start being calle 69 The registered callback will start being called some time after the
71 register_ftrace_function() is called and befor 70 register_ftrace_function() is called and before it returns. The exact time
72 that callbacks start being called is dependent 71 that callbacks start being called is dependent upon architecture and scheduling
73 of services. The callback itself will have to 72 of services. The callback itself will have to handle any synchronization if it
74 must begin at an exact moment. 73 must begin at an exact moment.
75 74
76 The unregister_ftrace_function() will guarante 75 The unregister_ftrace_function() will guarantee that the callback is
77 no longer being called by functions after the 76 no longer being called by functions after the unregister_ftrace_function()
78 returns. Note that to perform this guarantee, 77 returns. Note that to perform this guarantee, the unregister_ftrace_function()
79 may take some time to finish. 78 may take some time to finish.
80 79
81 80
82 The callback function 81 The callback function
83 ===================== 82 =====================
84 83
85 The prototype of the callback function is as f !! 84 The prototype of the callback function is as follows (as of v4.14)::
86 85
87 .. code-block:: c !! 86 .. code-block: c
88 87
89 void callback_func(unsigned long ip, unsign !! 88 void callback_func(unsigned long ip, unsigned long parent_ip,
90 struct ftrace_ops *op, s !! 89 struct ftrace_ops *op, struct pt_regs *regs);
91 90
92 @ip 91 @ip
93 This is the instruction pointer of th 92 This is the instruction pointer of the function that is being traced.
94 (where the fentry or mcount is within 93 (where the fentry or mcount is within the function)
95 94
96 @parent_ip 95 @parent_ip
97 This is the instruction pointer of the 96 This is the instruction pointer of the function that called the
98 the function being traced (where the c 97 the function being traced (where the call of the function occurred).
99 98
100 @op 99 @op
101 This is a pointer to ftrace_ops that w 100 This is a pointer to ftrace_ops that was used to register the callback.
102 This can be used to pass data to the c 101 This can be used to pass data to the callback via the private pointer.
103 102
104 @regs 103 @regs
105 If the FTRACE_OPS_FL_SAVE_REGS or FTRA 104 If the FTRACE_OPS_FL_SAVE_REGS or FTRACE_OPS_FL_SAVE_REGS_IF_SUPPORTED
106 flags are set in the ftrace_ops struct 105 flags are set in the ftrace_ops structure, then this will be pointing
107 to the pt_regs structure like it would 106 to the pt_regs structure like it would be if an breakpoint was placed
108 at the start of the function where ftr 107 at the start of the function where ftrace was tracing. Otherwise it
109 either contains garbage, or NULL. 108 either contains garbage, or NULL.
110 109
111 Protect your callback <<
112 ===================== <<
113 <<
114 As functions can be called from anywhere, and <<
115 called by a callback may also be traced, and c <<
116 recursion protection must be used. There are t <<
117 can help in this regard. If you start your cod <<
118 <<
119 .. code-block:: c <<
120 <<
121 int bit; <<
122 <<
123 bit = ftrace_test_recursion_trylock(ip <<
124 if (bit < 0) <<
125 return; <<
126 <<
127 and end it with: <<
128 <<
129 .. code-block:: c <<
130 <<
131 ftrace_test_recursion_unlock(bit); <<
132 <<
133 The code in between will be safe to use, even <<
134 function that the callback is tracing. Note, o <<
135 ftrace_test_recursion_trylock() will disable p <<
136 ftrace_test_recursion_unlock() will enable it <<
137 enabled). The instruction pointer (ip) and its <<
138 ftrace_test_recursion_trylock() to record wher <<
139 (if CONFIG_FTRACE_RECORD_RECURSION is set). <<
140 <<
141 Alternatively, if the FTRACE_OPS_FL_RECURSION <<
142 (as explained below), then a helper trampoline <<
143 for recursion for the callback and no recursio <<
144 But this is at the expense of a slightly more <<
145 function call. <<
146 <<
147 If your callback accesses any data or critical <<
148 protection, it is best to make sure that RCU i <<
149 that data or critical section will not be prot <<
150 case add: <<
151 <<
152 .. code-block:: c <<
153 <<
154 if (!rcu_is_watching()) <<
155 return; <<
156 <<
157 Alternatively, if the FTRACE_OPS_FL_RCU flag i <<
158 (as explained below), then a helper trampoline <<
159 for rcu_is_watching for the callback and no ot <<
160 But this is at the expense of a slightly more <<
161 function call. <<
162 <<
163 110
164 The ftrace FLAGS 111 The ftrace FLAGS
165 ================ 112 ================
166 113
167 The ftrace_ops flags are all defined and docum 114 The ftrace_ops flags are all defined and documented in include/linux/ftrace.h.
168 Some of the flags are used for internal infras 115 Some of the flags are used for internal infrastructure of ftrace, but the
169 ones that users should be aware of are the fol 116 ones that users should be aware of are the following:
170 117
171 FTRACE_OPS_FL_SAVE_REGS 118 FTRACE_OPS_FL_SAVE_REGS
172 If the callback requires reading or mo 119 If the callback requires reading or modifying the pt_regs
173 passed to the callback, then it must s 120 passed to the callback, then it must set this flag. Registering
174 a ftrace_ops with this flag set on an 121 a ftrace_ops with this flag set on an architecture that does not
175 support passing of pt_regs to the call 122 support passing of pt_regs to the callback will fail.
176 123
177 FTRACE_OPS_FL_SAVE_REGS_IF_SUPPORTED 124 FTRACE_OPS_FL_SAVE_REGS_IF_SUPPORTED
178 Similar to SAVE_REGS but the registeri 125 Similar to SAVE_REGS but the registering of a
179 ftrace_ops on an architecture that doe 126 ftrace_ops on an architecture that does not support passing of regs
180 will not fail with this flag set. But 127 will not fail with this flag set. But the callback must check if
181 regs is NULL or not to determine if th 128 regs is NULL or not to determine if the architecture supports it.
182 129
183 FTRACE_OPS_FL_RECURSION !! 130 FTRACE_OPS_FL_RECURSION_SAFE
184 By default, it is expected that the ca !! 131 By default, a wrapper is added around the callback to
185 But if the callback is not that worrie !! 132 make sure that recursion of the function does not occur. That is,
186 setting this bit will add the recursio !! 133 if a function that is called as a result of the callback's execution
187 callback by calling a helper function !! 134 is also traced, ftrace will prevent the callback from being called
188 protection and only call the callback !! 135 again. But this wrapper adds some overhead, and if the callback is
189 !! 136 safe from recursion, it can set this flag to disable the ftrace
190 Note, if this flag is not set, and rec !! 137 protection.
191 cause the system to crash, and possibl !! 138
192 !! 139 Note, if this flag is set, and recursion does occur, it could cause
193 Note, if this flag is set, then the ca !! 140 the system to crash, and possibly reboot via a triple fault.
194 with preemption disabled. If it is not !! 141
195 (but not guaranteed) that the callback !! 142 It is OK if another callback traces a function that is called by a
196 preemptable context. !! 143 callback that is marked recursion safe. Recursion safe callbacks
>> 144 must never trace any function that are called by the callback
>> 145 itself or any nested functions that those functions call.
>> 146
>> 147 If this flag is set, it is possible that the callback will also
>> 148 be called with preemption enabled (when CONFIG_PREEMPT is set),
>> 149 but this is not guaranteed.
197 150
198 FTRACE_OPS_FL_IPMODIFY 151 FTRACE_OPS_FL_IPMODIFY
199 Requires FTRACE_OPS_FL_SAVE_REGS set. 152 Requires FTRACE_OPS_FL_SAVE_REGS set. If the callback is to "hijack"
200 the traced function (have another func 153 the traced function (have another function called instead of the
201 traced function), it requires setting 154 traced function), it requires setting this flag. This is what live
202 kernel patches uses. Without this flag 155 kernel patches uses. Without this flag the pt_regs->ip can not be
203 modified. 156 modified.
204 157
205 Note, only one ftrace_ops with FTRACE_ 158 Note, only one ftrace_ops with FTRACE_OPS_FL_IPMODIFY set may be
206 registered to any given function at a 159 registered to any given function at a time.
207 160
208 FTRACE_OPS_FL_RCU 161 FTRACE_OPS_FL_RCU
209 If this is set, then the callback will 162 If this is set, then the callback will only be called by functions
210 where RCU is "watching". This is requi 163 where RCU is "watching". This is required if the callback function
211 performs any rcu_read_lock() operation 164 performs any rcu_read_lock() operation.
212 165
213 RCU stops watching when the system goe 166 RCU stops watching when the system goes idle, the time when a CPU
214 is taken down and comes back online, a 167 is taken down and comes back online, and when entering from kernel
215 to user space and back to kernel space 168 to user space and back to kernel space. During these transitions,
216 a callback may be executed and RCU syn 169 a callback may be executed and RCU synchronization will not protect
217 it. 170 it.
218 171
219 FTRACE_OPS_FL_PERMANENT <<
220 If this is set on any ftrace ops, then <<
221 writing 0 to the proc sysctl ftrace_en <<
222 the flag set cannot be registered if f <<
223 <<
224 Livepatch uses it not to lose the func <<
225 stays protected. <<
226 <<
227 172
228 Filtering which functions to trace 173 Filtering which functions to trace
229 ================================== 174 ==================================
230 175
231 If a callback is only to be called from specif 176 If a callback is only to be called from specific functions, a filter must be
232 set up. The filters are added by name, or ip i 177 set up. The filters are added by name, or ip if it is known.
233 178
234 .. code-block:: c !! 179 .. code-block: c
235 180
236 int ftrace_set_filter(struct ftrace_ops *op !! 181 int ftrace_set_filter(struct ftrace_ops *ops, unsigned char *buf,
237 int len, int reset); !! 182 int len, int reset);
238 183
239 @ops 184 @ops
240 The ops to set the filter with 185 The ops to set the filter with
241 186
242 @buf 187 @buf
243 The string that holds the function fil 188 The string that holds the function filter text.
244 @len 189 @len
245 The length of the string. 190 The length of the string.
246 191
247 @reset 192 @reset
248 Non-zero to reset all filters before a 193 Non-zero to reset all filters before applying this filter.
249 194
250 Filters denote which functions should be enabl 195 Filters denote which functions should be enabled when tracing is enabled.
251 If @buf is NULL and reset is set, all function 196 If @buf is NULL and reset is set, all functions will be enabled for tracing.
252 197
253 The @buf can also be a glob expression to enab 198 The @buf can also be a glob expression to enable all functions that
254 match a specific pattern. 199 match a specific pattern.
255 200
256 See Filter Commands in :file:`Documentation/tr !! 201 See Filter Commands in :file:`Documentation/trace/ftrace.txt`.
257 202
258 To just trace the schedule function: !! 203 To just trace the schedule function::
259 204
260 .. code-block:: c !! 205 .. code-block: c
261 206
262 ret = ftrace_set_filter(&ops, "schedule", s !! 207 ret = ftrace_set_filter(&ops, "schedule", strlen("schedule"), 0);
263 208
264 To add more functions, call the ftrace_set_fil 209 To add more functions, call the ftrace_set_filter() more than once with the
265 @reset parameter set to zero. To remove the cu 210 @reset parameter set to zero. To remove the current filter set and replace it
266 with new functions defined by @buf, have @rese 211 with new functions defined by @buf, have @reset be non-zero.
267 212
268 To remove all the filtered functions and trace !! 213 To remove all the filtered functions and trace all functions::
269 214
270 .. code-block:: c !! 215 .. code-block: c
271 216
272 ret = ftrace_set_filter(&ops, NULL, 0, 1); !! 217 ret = ftrace_set_filter(&ops, NULL, 0, 1);
273 218
274 219
275 Sometimes more than one function has the same 220 Sometimes more than one function has the same name. To trace just a specific
276 function in this case, ftrace_set_filter_ip() 221 function in this case, ftrace_set_filter_ip() can be used.
277 222
278 .. code-block:: c !! 223 .. code-block: c
279 224
280 ret = ftrace_set_filter_ip(&ops, ip, 0, 0); !! 225 ret = ftrace_set_filter_ip(&ops, ip, 0, 0);
281 226
282 Although the ip must be the address where the 227 Although the ip must be the address where the call to fentry or mcount is
283 located in the function. This function is used 228 located in the function. This function is used by perf and kprobes that
284 gets the ip address from the user (usually usi 229 gets the ip address from the user (usually using debug info from the kernel).
285 230
286 If a glob is used to set the filter, functions 231 If a glob is used to set the filter, functions can be added to a "notrace"
287 list that will prevent those functions from ca 232 list that will prevent those functions from calling the callback.
288 The "notrace" list takes precedence over the " 233 The "notrace" list takes precedence over the "filter" list. If the
289 two lists are non-empty and contain the same f 234 two lists are non-empty and contain the same functions, the callback will not
290 be called by any function. 235 be called by any function.
291 236
292 An empty "notrace" list means to allow all fun 237 An empty "notrace" list means to allow all functions defined by the filter
293 to be traced. 238 to be traced.
294 239
295 .. code-block:: c !! 240 .. code-block: c
296 241
297 int ftrace_set_notrace(struct ftrace_ops *o !! 242 int ftrace_set_notrace(struct ftrace_ops *ops, unsigned char *buf,
298 int len, int reset); !! 243 int len, int reset);
299 244
300 This takes the same parameters as ftrace_set_f 245 This takes the same parameters as ftrace_set_filter() but will add the
301 functions it finds to not be traced. This is a 246 functions it finds to not be traced. This is a separate list from the
302 filter list, and this function does not modify 247 filter list, and this function does not modify the filter list.
303 248
304 A non-zero @reset will clear the "notrace" lis 249 A non-zero @reset will clear the "notrace" list before adding functions
305 that match @buf to it. 250 that match @buf to it.
306 251
307 Clearing the "notrace" list is the same as cle 252 Clearing the "notrace" list is the same as clearing the filter list
308 253
309 .. code-block:: c !! 254 .. code-block: c
310 255
311 ret = ftrace_set_notrace(&ops, NULL, 0, 1); 256 ret = ftrace_set_notrace(&ops, NULL, 0, 1);
312 257
313 The filter and notrace lists may be changed at 258 The filter and notrace lists may be changed at any time. If only a set of
314 functions should call the callback, it is best 259 functions should call the callback, it is best to set the filters before
315 registering the callback. But the changes may 260 registering the callback. But the changes may also happen after the callback
316 has been registered. 261 has been registered.
317 262
318 If a filter is in place, and the @reset is non 263 If a filter is in place, and the @reset is non-zero, and @buf contains a
319 matching glob to functions, the switch will ha 264 matching glob to functions, the switch will happen during the time of
320 the ftrace_set_filter() call. At no time will 265 the ftrace_set_filter() call. At no time will all functions call the callback.
321 266
322 .. code-block:: c !! 267 .. code-block: c
323 268
324 ftrace_set_filter(&ops, "schedule", strlen( !! 269 ftrace_set_filter(&ops, "schedule", strlen("schedule"), 1);
325 270
326 register_ftrace_function(&ops); !! 271 register_ftrace_function(&ops);
327 272
328 msleep(10); !! 273 msleep(10);
329 274
330 ftrace_set_filter(&ops, "try_to_wake_up", s !! 275 ftrace_set_filter(&ops, "try_to_wake_up", strlen("try_to_wake_up"), 1);
331 276
332 is not the same as: 277 is not the same as:
333 278
334 .. code-block:: c !! 279 .. code-block: c
335 280
336 ftrace_set_filter(&ops, "schedule", strlen( !! 281 ftrace_set_filter(&ops, "schedule", strlen("schedule"), 1);
337 282
338 register_ftrace_function(&ops); !! 283 register_ftrace_function(&ops);
339 284
340 msleep(10); !! 285 msleep(10);
341 286
342 ftrace_set_filter(&ops, NULL, 0, 1); !! 287 ftrace_set_filter(&ops, NULL, 0, 1);
343 288
344 ftrace_set_filter(&ops, "try_to_wake_up", s !! 289 ftrace_set_filter(&ops, "try_to_wake_up", strlen("try_to_wake_up"), 0);
345 290
346 As the latter will have a short time where all 291 As the latter will have a short time where all functions will call
347 the callback, between the time of the reset, a 292 the callback, between the time of the reset, and the time of the
348 new setting of the filter. 293 new setting of the filter.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.