内核实现原理"/>
kprobe 内核实现原理
kprobe是linux内核的一个重要的特性,是其他内核调试工具(perf,systemtap)的基础设施,同时内核BPF也是依赖于kprobe。
Kprobe结构体
< include/linux/kprobe.h >
struct kprobe {struct hlist_node hlist; /* 所有注册的kprobe都会添加到kprobe_table哈希表中,hlist成员用来链接到某个槽位中 *//* list of kprobes for multi-handler support */struct list_head list; /* 链接一个地址上注册的多个kprobe *//*count the number of times this probe was temporarily disarmed */unsigned long nmissed; * 记录当前的probe没有被处理的次数 *//* location of the probe point */kprobe_opcode_t *addr; /* 探测点地址 *//* Allow user to indicate symbol name of the probe point */const char *symbol_name; /* 探测点函数名 *//* Offset into the symbol */unsigned int offset; /* 探测点在函数内的偏移 *//* Called before addr is executed. */kprobe_pre_handler_t pre_handler; /* 在单步执行原始的指令前会被调用 *//* Called after addr is executed, unless... */kprobe_post_handler_t post_handler; /* 在单步执行原始的指令后会被调用 *//* Saved opcode (which has been replaced with breakpoint) */kprobe_opcode_t opcode;/* copy of the original instruction */struct arch_specific_insn ainsn; /* 保存平台相关的被探测指令和下一条指令 *//** Indicates various status flags.* Protected by kprobe_mutex after this kprobe is registered.*/u32 flags; /* 状态标记 */
};源码分析
init_kprobes()
初始化入口
< kernel/kprobe.c >
static int __init init_kprobes(void)
{int i, err = 0;/* FIXME allocate the probe table, currently defined statically *//* initialize all list heads */for (i = 0; i < KPROBE_TABLE_SIZE; i++)INIT_HLIST_HEAD(&kprobe_table[i]); /* 初始化用于存储 kprobe 模块的哈希表 */err = populate_kprobe_blacklist(__start_kprobe_blacklist,__stop_kprobe_blacklist);if (err)pr_err("Failed to populate blacklist (error %d), kprobes not restricted, be careful using them!\n", err);if (kretprobe_blacklist_size) {/* lookup the function address from its name */for (i = 0; kretprobe_blacklist[i].name != NULL; i++) {kretprobe_blacklist[i].addr =kprobe_lookup_name(kretprobe_blacklist[i].name, 0);if (!kretprobe_blacklist[i].addr)pr_err("Failed to lookup symbol '%s' for kretprobe blacklist. Maybe the target function is removed or renamed.\n",kretprobe_blacklist[i].name);}}/* By default, kprobes are armed */kprobes_all_disarmed = false;#if defined(CONFIG_OPTPROBES) && defined(__ARCH_WANT_KPROBES_INSN_SLOT)/* Init 'kprobe_optinsn_slots' for allocation */kprobe_optinsn_slots.insn_size = MAX_OPTINSN_SIZE;
#endiferr = arch_init_kprobes(); /* 初始化CPU架构相关 */if (!err)err = register_die_notifier(&kprobe_exceptions_nb); /* 注册die通知链*/if (!err)err = register_module_notifier(&kprobe_module_nb); /* 注册模块通知链 */kprobes_initialized = (err == 0);kprobe_sysctls_init();return err;
}注册kprobe总体流程
以arm为例:
register_kprobe() -> arm_kprobe() -> __arm_kprobe() -> arch_arm_kprobe()
register_kprobe()
< kernel/kprobe.c >
int register_kprobe(struct kprobe *p)
{int ret;struct kprobe *old_p;struct module *probed_mod;kprobe_opcode_t *addr;bool on_func_entry;/* Adjust probe address from symbol */addr = _kprobe_addr(p->addr, p->symbol_name, p->offset, &on_func_entry);if (IS_ERR(addr))return PTR_ERR(addr);p->addr = addr;ret = warn_kprobe_rereg(p); /* 防止同一个kprobe被重复注册 */if (ret)return ret;/* User can pass only KPROBE_FLAG_DISABLED to register_kprobe */p->flags &= KPROBE_FLAG_DISABLED;p->nmissed = 0;INIT_LIST_HEAD(&p->list);/* 1. 判断被注册的函数是否位于内核的代码段内,或位于不能探测的kprobe实现路径中 * 2. 判断被探测的地址是否属于某一个模块,并且位于模块的text section内* 3. 如果被探测的地址位于模块的init地址段内,但该段代码区间已被释放,则直接退出 */ret = check_kprobe_address_safe(p, &probed_mod);if (ret)return ret;mutex_lock(&kprobe_mutex);if (on_func_entry)p->flags |= KPROBE_FLAG_ON_FUNC_ENTRY;old_p = get_kprobe(p->addr); /* 判断在同一个探测点是否已经注册了其他的探测函数 */if (old_p) {/* Since this may unoptimize 'old_p', locking 'text_mutex'. */ret = register_aggr_kprobe(old_p, p); goto out;}cpus_read_lock();/* Prevent text modification */mutex_lock(&text_mutex);ret = prepare_kprobe(p); /* 保存被跟踪指令的值 */mutex_unlock(&text_mutex);cpus_read_unlock();if (ret)goto out;INIT_HLIST_NODE(&p->hlist);hlist_add_head_rcu(&p->hlist,&kprobe_table[hash_ptr(p->addr, KPROBE_HASH_BITS)]); /* 将kprobe加入到相应的hash表内 */if (!kprobes_all_disarmed && !kprobe_disabled(p)) {ret = arm_kprobe(p); /* 将探测点的指令码修改为arm_kprobe */if (ret) {hlist_del_rcu(&p->hlist);synchronize_rcu();goto out;}}/* Try to optimize kprobe */try_to_optimize_kprobe(p);
out:mutex_unlock(&kprobe_mutex);if (probed_mod)module_put(probed_mod);return ret;
}arm_kprobe()
< kernel/kprobes.c >
static int arm_kprobe(struct kprobe *kp)
{if (unlikely(kprobe_ftrace(kp)))return arm_kprobe_ftrace(kp);cpus_read_lock();mutex_lock(&text_mutex);__arm_kprobe(kp);mutex_unlock(&text_mutex);cpus_read_unlock();return 0;
}__arm_kprobe()
< kernel/kprobes.c >
/* Put a breakpoint for a probe. */
static void __arm_kprobe(struct kprobe *p)
{struct kprobe *_p;lockdep_assert_held(&text_mutex);/* Find the overlapping optimized kprobes. */_p = get_optimized_kprobe(p->addr);if (unlikely(_p))/* Fallback to unoptimized kprobe */unoptimize_kprobe(_p, true);arch_arm_kprobe(p); /* 替换探测点指令为BRK64_OPCODE_KPROBES指令 */optimize_kprobe(p); /* Try to optimize (add kprobe to a list) */
}在函数arch_arm_kprobe(p);之前,都是通用的注册流程,然后就是和体系结构相关的实现了
prepare_kprobe()
< kernel/kprobes.c >
static int prepare_kprobe(struct kprobe *p)
{/* Must ensure p->addr is really on ftrace */if (kprobe_ftrace(p))return arch_prepare_kprobe_ftrace(p);return arch_prepare_kprobe(p);
}arch_prepare_kprobe()
< arch/arm64/kernel/kprobes/kprobes.c >
int __kprobes arch_prepare_kprobe(struct kprobe *p)
{unsigned long probe_addr = (unsigned long)p->addr;if (probe_addr & 0x3)return -EINVAL;/* copy instruction */p->opcode = le32_to_cpu(*p->addr);if (search_exception_tables(probe_addr))return -EINVAL;/* decode instruction */switch (arm_kprobe_decode_insn(p->addr, &p->ainsn)) {case INSN_REJECTED: /* insn not supported */return -EINVAL;case INSN_GOOD_NO_SLOT: /* insn need simulation */p->ainsn.api.insn = NULL;break;case INSN_GOOD: /* instruction uses slot */p->ainsn.api.insn = get_insn_slot();if (!p->ainsn.api.insn)return -ENOMEM;break;}/* prepare the instruction */if (p->ainsn.api.insn)arch_prepare_ss_slot(p); /* 将指令存放到slot中,记录下一条指令到p->ainsn.api.insn */elsearch_prepare_simulate(p);return 0;
}arch_arm_kprobe()
< arch/arm64/kernel/kprobes/kprobes.c >
/* arm kprobe: install breakpoint in text */
void __kprobes arch_arm_kprobe(struct kprobe *p)
{void *addr = p->addr; /* 原地址 */u32 insn = BRK64_OPCODE_KPROBES; /* 替换后的指令 */aarch64_insn_patch_text(&addr, &insn, 1);
}X86系统实现方式
x86系统kprobe是通过arch_arm_kprobe实现最终注册功能
这里留意下细节,名字里带着arm,难怪搜arch_x86_kprobe 搜不到
arch_arm_kprobe()
< arch/x86/kernel/kprobes/core.c >
void arch_arm_kprobe(struct kprobe *p)
{u8 int3 = INT3_INSN_OPCODE; /* 替换后的指令 */text_poke(p->addr, &int3, 1);text_poke_sync();perf_event_text_poke(p->addr, &p->opcode, 1, &int3, 1);
}这个函数主要作用是要安装断点,这里安装断点的原理和GDB断点应该是一样的,
GDB安装断点的原理
在执行gdb ./test后,gdb就会fork出一个子进程,这个子进程首先调用ptrace然后执test程序,这样就准备好调试环境了。
gdb在断点中执行两件事
-
对源码所对应断点处代码存储到断点链表中。
-
然后插入中断指令INT3,也就是说:汇编代码中的原来指令被替换为INT3。
addr对应位置的指令修改为INT3指令,进程在执行时,发现是INT3指令,于是操作系统就发送一个SIGTRAP信号给test进程。
操作系统发给test的任何信号,都被gdb接管了,也就是说gdb会首先接收到这SIGTRAP个信号,gdb发现当前汇编代码执行的是INT3指令,
于是gdb又做了2个操作:
-
将INT3指令替换为断点处注册的执行函数,执行完成后,再执行被INT3替换的指令。
-
x86系统,INT3_INSN_OPCODE是要替换的指令,然后进一步替换为要执行的函数地址
这些都执行完成后,再执行最初被替换的指令
触发kprobe探测和回调
debug_traps_init()
kprobe的触发和处理是通过brk exception和single step单步exception执行的
< arch/arm/kernel/debug-monitors.c >
void __init debug_traps_init(void)
{hook_debug_fault_code(DBG_ESR_EVT_HWSS, single_step_handler, SIGTRAP,TRAP_TRACE, "single-step handler");hook_debug_fault_code(DBG_ESR_EVT_BRK, brk_handler, SIGTRAP,TRAP_BRKPT, "BRK handler");
}kprobe_handler()
< arch/arm64/kernel/kprobes/kprobes.c >
static void __kprobes kprobe_handler(struct pt_regs *regs)
{struct kprobe *p, *cur_kprobe;struct kprobe_ctlblk *kcb;unsigned long addr = instruction_pointer(regs);kcb = get_kprobe_ctlblk();cur_kprobe = kprobe_running();p = get_kprobe((kprobe_opcode_t *) addr);if (p) {if (cur_kprobe) {if (reenter_kprobe(p, regs, kcb))return;} else {/* Probe hit */set_current_kprobe(p);kcb->kprobe_status = KPROBE_HIT_ACTIVE;/** If we have no pre-handler or it returned 0, we* continue with normal processing. If we have a* pre-handler and it returned non-zero, it will* modify the execution path and no need to single* stepping. Let's just reset current kprobe and exit.*/if (!p->pre_handler || !p->pre_handler(p, regs)) {setup_singlestep(p, regs, kcb, 0);} elsereset_current_kprobe();}}/** The breakpoint instruction was removed right* after we hit it. Another cpu has removed* either a probepoint or a debugger breakpoint* at this address. In either case, no further* handling of this interrupt is appropriate.* Return back to original instruction, and continue.*/
}kprobe的使用方法
方法一:
要编写一个 kprobe 内核模块。
方法二:
基于Ftrace的/sys/kernel/debug/tracing/kprobe_events接口。
方法三:
通过perf工具。
方法四:
使用eBPF。
更多推荐
kprobe 内核实现原理
发布评论