TOMOYO Linux Cross Reference
Linux/Documentation/trace/kprobetrace.rst

Differences between /Documentation/trace/kprobetrace.rst (Version linux-6.11.5) and /Documentation/trace/kprobetrace.rst (Version linux-4.11.12)


  1 ==========================                        
  2 Kprobe-based Event Tracing                        
  3 ==========================                        
  4                                                   
  5 :Author: Masami Hiramatsu                         
  6                                                   
  7 Overview                                          
  8 --------                                          
  9 These events are similar to tracepoint-based e    
 10 this is based on kprobes (kprobe and kretprobe    
 11 kprobes can probe (this means, all functions e    
 12 __kprobes/nokprobe_inline annotation and those    
 13 Unlike the tracepoint-based event, this can be    
 14 dynamically, on the fly.                          
 15                                                   
 16 To enable this feature, build your kernel with    
 17                                                   
 18 Similar to the event tracer, this doesn't need    
 19 current_tracer. Instead of that, add probe poi    
 20 /sys/kernel/tracing/kprobe_events, and enable     
 21 /sys/kernel/tracing/events/kprobes/<EVENT>/ena    
 22                                                   
 23 You can also use /sys/kernel/tracing/dynamic_e    
 24 kprobe_events. That interface will provide uni    
 25 dynamic events too.                               
 26                                                   
 27 Synopsis of kprobe_events                         
 28 -------------------------                         
 29 ::                                                
 30                                                   
 31   p[:[GRP/][EVENT]] [MOD:]SYM[+offs]|MEMADDR [    
 32   r[MAXACTIVE][:[GRP/][EVENT]] [MOD:]SYM[+0] [    
 33   p[:[GRP/][EVENT]] [MOD:]SYM[+0]%return [FETC    
 34   -:[GRP/][EVENT]                                 
 35                                                   
 36  GRP            : Group name. If omitted, use     
 37  EVENT          : Event name. If omitted, the     
 38                   based on SYM+offs or MEMADDR    
 39  MOD            : Module name which has given     
 40  SYM[+offs]     : Symbol+offset where the prob    
 41  SYM%return     : Return address of the symbol    
 42  MEMADDR        : Address where the probe is i    
 43  MAXACTIVE      : Maximum number of instances     
 44                   can be probed simultaneously    
 45                   as defined in Documentation/    
 46                                                   
 47  FETCHARGS      : Arguments. Each probe can ha    
 48   %REG          : Fetch register REG              
 49   @ADDR         : Fetch memory at ADDR (ADDR s    
 50   @SYM[+|-offs] : Fetch memory at SYM +|- offs    
 51   $stackN       : Fetch Nth entry of stack (N     
 52   $stack        : Fetch stack address.            
 53   $argN         : Fetch the Nth function argum    
 54   $retval       : Fetch return value.(\*2)        
 55   $comm         : Fetch current task comm.        
 56   +|-[u]OFFS(FETCHARG) : Fetch memory at FETCH    
 57   \IMM          : Store an immediate value to     
 58   NAME=FETCHARG : Set NAME as the argument nam    
 59   FETCHARG:TYPE : Set TYPE as the type of FETC    
 60                   (u8/u16/u32/u64/s8/s16/s32/s    
 61                   (x8/x16/x32/x64), VFS layer     
 62                   "string", "ustring", "symbol    
 63                   supported.                      
 64                                                   
 65   (\*1) only for the probe on function entry (    
 66         is best effort, because depending on t    
 67         the stack. But this only support the a    
 68   (\*2) only for return probe. Note that this     
 69         return value type, it might be passed     
 70         accesses one register.                    
 71   (\*3) this is useful for fetching a field of    
 72   (\*4) "u" means user-space dereference. See     
 73                                                   
 74 Function arguments at kretprobe                   
 75 -------------------------------                   
 76 Function arguments can be accessed at kretprob    
 77 is useful to record the function parameter and    
 78 trace the difference of structure fields (for     
 79 correctly updates the given data structure or     
 80 See the :ref:`sample<fprobetrace_exit_args_sam    
 81 it works.                                         
 82                                                   
 83 .. _kprobetrace_types:                            
 84                                                   
 85 Types                                             
 86 -----                                             
 87 Several types are supported for fetchargs. Kpr    
 88 by given type. Prefix 's' and 'u' means those     
 89 respectively. 'x' prefix implies it is unsigne    
 90 in decimal ('s' and 'u') or hexadecimal ('x').    
 91 or 'x64' is used depends on the architecture (    
 92 x86-64 uses x64).                                 
 93                                                   
 94 These value types can be an array. To record a    
 95 (where N is a fixed number, less than 64) to t    
 96 E.g. 'x16[4]' means an array of x16 (2-byte he    
 97 Note that the array can be applied to memory t    
 98 apply it to registers/stack-entries etc. (for     
 99 wrong, but '+8($stack):x8[8]' is OK.)             
100                                                   
101 Char type can be used to show the character va    
102                                                   
103 String type is a special type, which fetches a    
104 kernel space. This means it will fail and stor    
105 has been paged out. "ustring" type is an alter    
106 See :ref:`user_mem_access` for more info.         
107                                                   
108 The string array type is a bit different from     
109 types, <base-type>[1] is equal to <base-type>     
110 as +0(%di):x32.) But string[1] is not equal to    
111 represents "char array", but string array type    
112 So, for example, +0(%di):string[1] is equal to    
113 Bitfield is another special type, which takes     
114 offset, and container-size (usually 32). The s    
115                                                   
116  b<bit-width>@<bit-offset>/<container-size>        
117                                                   
118 Symbol type('symbol') is an alias of u32 or u6    
119 which shows given pointer in "symbol+offset" s    
120 On the other hand, symbol-string type ('symstr    
121 "symbol+offset/symbolsize" style and stores it    
122 With 'symstr' type, you can filter the event w    
123 symbols, and you don't need to solve symbol na    
124 For $comm, the default type is "string"; any o    
125                                                   
126 VFS layer common type(%pd/%pD) is a special ty    
127 file's name from struct dentry's address or st    
128                                                   
129 .. _user_mem_access:                              
130                                                   
131 User Memory Access                                
132 ------------------                                
133 Kprobe events supports user-space memory acces    
134 either user-space dereference syntax or 'ustri    
135                                                   
136 The user-space dereference syntax allows you t    
137 structure in user-space. This is done by addin    
138 dereference syntax. For example, +u4(%si) mean    
139 address in the register %si offset by 4, and t    
140 user-space. You can use this for strings too,     
141 a string from the address in the register %si     
142 space. 'ustring' is a shortcut way of performi    
143 +0(%si):ustring is equivalent to +u0(%si):stri    
144                                                   
145 Note that kprobe-event provides the user-memor    
146 use it transparently. This means if you use no    
147 for user memory, it might fail, and may always    
148 user has to carefully check if the target data    
149                                                   
150 Per-Probe Event Filtering                         
151 -------------------------                         
152 Per-probe event filtering feature allows you t    
153 probe and gives you what arguments will be sho    
154 name is specified right after 'p:' or 'r:' in     
155 under tracing/events/kprobes/<EVENT>, at the d    
156 'enable', 'format', 'filter' and 'trigger'.       
157                                                   
158 enable:                                           
159   You can enable/disable the probe by writing     
160                                                   
161 format:                                           
162   This shows the format of this probe event.      
163                                                   
164 filter:                                           
165   You can write filtering rules of this event.    
166                                                   
167 id:                                               
168   This shows the id of this probe event.          
169                                                   
170 trigger:                                          
171   This allows to install trigger commands whic    
172   hit (for details, see Documentation/trace/ev    
173                                                   
174 Event Profiling                                   
175 ---------------                                   
176 You can check the total number of probe hits a    
177 /sys/kernel/tracing/kprobe_profile.               
178 The first column is event name, the second is     
179 the third is the number of probe miss-hits.       
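
An added example, not part of the kernel documentation: an inventory of defined probes joined with the kprobe_profile counters, useful for spotting probes that are dropping events. The function names, the "audit" group and the sample data are constructed for illustration, and the second profile column is assumed to be the hit count.

```shell
#!/bin/sh
# Added example (not kernel code): inventory of kprobe events with counters.

# Constructed definitions in the kprobe_events synopsis form (GRP/EVENT given).
sample_events() {
cat <<'EOF'
p:kprobes/myprobe do_sys_open dfd=%ax filename=%dx
r4:kprobes/myretprobe do_sys_open ret=$retval
p:audit/openret do_sys_open%return ret=$retval
EOF
}

# Constructed kprobe_profile text: event name, hits, miss-hits.
sample_profile() {
cat <<'EOF'
  myprobe                                                   12               0
  myretprobe                                                 9               3
EOF
}

# kprobe_inventory EVENTS_FILE PROFILE_FILE
# Prints "kind group event target hits misses", one probe per line;
# "-" is printed when the profile has no row for the event name.
kprobe_inventory() {
    awk '
        # The profile is read first: remember the counters per event name.
        FILENAME == ARGV[1] { if (NF >= 3) { hit[$1] = $2; miss[$1] = $3 }; next }
        # Definition lines: p:[GRP/]EVENT or r[MAXACTIVE]:[GRP/]EVENT.
        /^[pr][0-9]*:/ {
            kind = (substr($1, 1, 1) == "r") ? "kretprobe" : "kprobe"
            name = $1; sub(/^[pr][0-9]*:/, "", name)
            n = split(name, part, "/")
            grp = (n == 2) ? part[1] : "kprobes"   # default group if GRP is omitted
            ev  = (n == 2) ? part[2] : name
            target = $2
            # "p ... SYM%return" also defines a return probe.
            if (sub(/%return$/, "", target)) kind = "kretprobe"
            h = (ev in hit) ? hit[ev] : "-"
            m = (ev in miss) ? miss[ev] : "-"
            print kind, grp, ev, target, h, m
        }
    ' "$2" "$1"
}

# kprobe_missed EVENTS_FILE PROFILE_FILE: only probes with miss-hits > 0.
kprobe_missed() {
    kprobe_inventory "$1" "$2" | awk '$6 != "-" && $6 + 0 > 0'
}

# Demo on the constructed samples; on a live system pass kprobe_events and
# kprobe_profile from /sys/kernel/tracing instead.
tmp=$(mktemp -d)
sample_events > "$tmp/events"; sample_profile > "$tmp/profile"
kprobe_inventory "$tmp/events" "$tmp/profile"
rm -rf "$tmp"
```

kprobe_profile is keyed by event name only, so two events with the same name in different groups share one row in this join.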
180                                                   
181 Kernel Boot Parameter                             
182 ---------------------                             
183 You can add and enable new kprobe events when     
184 "kprobe_event=" parameter. The parameter accep    
185 kprobe events, which format is similar to the     
186 The difference is that the probe definition pa    
187 instead of space. For example, adding myprobe     
188                                                   
189   p:myprobe do_sys_open dfd=%ax filename=%dx f    
190                                                   
191 should be below for kernel boot parameter (jus    
192                                                   
193   p:myprobe,do_sys_open,dfd=%ax,filename=%dx,f    
194                                                   
195                                                   
196 Usage examples                                    
197 --------------                                    
198 To add a probe as a new event, write a new def    
199 as below::                                        
200                                                   
201   echo 'p:myprobe do_sys_open dfd=%ax filename    
202                                                   
203 This sets a kprobe on the top of do_sys_open()    
204 1st to 4th arguments as "myprobe" event. Note,    
205 assigned to each function argument depends on     
206 the ABI, please try to use probe subcommand of    
207 under tools/perf/).                               
208 As this example shows, users can choose more f    
209 ::                                                
210                                                   
211   echo 'r:myretprobe do_sys_open $retval' >> /    
212                                                   
213 This sets a kretprobe on the return point of d    
214 recording return value as "myretprobe" event.     
215 You can see the format of these events via        
216 /sys/kernel/tracing/events/kprobes/<EVENT>/for    
217 ::                                                
218                                                   
219   cat /sys/kernel/tracing/events/kprobes/mypro    
220   name: myprobe                                   
221   ID: 780                                         
222   format:                                         
223           field:unsigned short common_type;       
224           field:unsigned char common_flags;       
225           field:unsigned char common_preempt_c    
226           field:int common_pid;   offset:4;       
227                                                   
228           field:unsigned long __probe_ip; offs    
229           field:int __probe_nargs;        offs    
230           field:unsigned long dfd;        offs    
231           field:unsigned long filename;   offs    
232           field:unsigned long flags;      offs    
233           field:unsigned long mode;       offs    
234                                                   
235                                                   
236   print fmt: "(%lx) dfd=%lx filename=%lx flags    
237   REC->dfd, REC->filename, REC->flags, REC->mo    
238                                                   
239 You can see that the event has 4 arguments as     
240 ::                                                
241                                                   
242   echo > /sys/kernel/tracing/kprobe_events        
243                                                   
244 This clears all probe points.                     
245                                                   
246 Or,                                               
247 ::                                                
248                                                   
249   echo -:myprobe >> kprobe_events                 
250                                                   
251 This clears probe points selectively.             
252                                                   
253 Right after definition, each event is disabled    
254 events, you need to enable it.                    
255 ::                                                
256                                                   
257   echo 1 > /sys/kernel/tracing/events/kprobes/    
258   echo 1 > /sys/kernel/tracing/events/kprobes/    
259                                                   
260 Use the following command to start tracing in     
261 ::                                                
262                                                   
263     # echo 1 > tracing_on                         
264     Open something...                             
265     # echo 0 > tracing_on                         
266                                                   
267 And you can see the traced information via /sy    
268 ::                                                
269                                                   
270   cat /sys/kernel/tracing/trace                   
271   # tracer: nop                                   
272   #                                               
273   #           TASK-PID    CPU#    TIMESTAMP  F    
274   #              | |       |          |           
275              <...>-1447  [001] 1038282.286875:    
276              <...>-1447  [001] 1038282.286878:    
277              <...>-1447  [001] 1038282.286885:    
278              <...>-1447  [001] 1038282.286915:    
279              <...>-1447  [001] 1038282.286969:    
280              <...>-1447  [001] 1038282.286976:    
281                                                   
282                                                   
283 Each line shows when the kernel hits an event,    
284 returns from SYMBOL(e.g. "sys_open+0x1b/0x1d <    
285 returns from do_sys_open to sys_open+0x1b).       
                                                      
