Received: by 2002:a05:6358:f14:b0:e5:3b68:ec04 with SMTP id b20csp784163rwj; Sat, 17 Dec 2022 18:05:23 -0800 (PST) X-Google-Smtp-Source: AA0mqf5gsQfTEyc/OSdspGMdCD92sHnzmqfl+Az3/LCPW7Lmt7Hr2r3I46gJRdaobyVd6S82OWDD X-Received: by 2002:a17:907:90d4:b0:7c0:db61:dbd5 with SMTP id gk20-20020a17090790d400b007c0db61dbd5mr27658416ejb.62.1671329123701; Sat, 17 Dec 2022 18:05:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1671329123; cv=none; d=google.com; s=arc-20160816; b=cAqHybwYq12aUJrlh/2Ijl9mTgmkNLv05Y2JE8Ntr8RQpxg9rclfc8TaTeJpmKgGHv rT5d4MdY56lZYj/96S5oaTjApN0WNeKWxJOT1hVqh434m5UfWj+GuFFK+lPm1xT8mKO+ +D0cubtxllKKAU5aGPzxC9gtHWBv+TqatMZk1S3phkeOYqqy/WCCO0TOD6b369uojmni 7s7NEd0f/jYfpz30J5M8I/Pg8JbWI16YvkQCRxQWCQ8/J7d0fwLBbUxEQQxKUzSZomZZ 7f+kHkmxjlGAiYuFOAgktHB3+t/UAfcpm0BnSN4gLhiHpC/HV/6s6ifrD0eHFdW5mmNa JPKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=pwVufVQGcd5orVDLbdv86oLDFELSJLqvhvkItLrbhZI=; b=I4FREAGgX8Qq4lFZO1eqUztw81STw0b1e6UYptddz28lrxI+VamJfV9cR6nzobRaHB +vIGe+mAZlFhrG6xO/leIt6Ol995N1ecUYeadgpo6PTaLM9yTLfG7++tq34QDxnZo0a/ chEOpKey1TEgjlYGz9GgfRZvI27up811ZRWbV3DHuHPYxPLGyUDd+zvtLzSvxwXxImiu 6pDt4oVGS1xT+d1CWou7PI4QgWxuOS6k58xRdCfaut6DCdYFosh4hPFkO2P+hIJOb7bk wFCwHYg92CojNe1VoR32iB0GH4nT3LPlIj10FmBAEyVi24vpFp+u/covQDxu/gmbkSiV 45Aw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="FKJxk/39"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t18-20020a1709063e5200b0078d4b605b71si5081664eji.338.2022.12.17.18.05.06; Sat, 17 Dec 2022 18:05:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="FKJxk/39"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229705AbiLRBho (ORCPT + 70 others); Sat, 17 Dec 2022 20:37:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54920 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229480AbiLRBhn (ORCPT ); Sat, 17 Dec 2022 20:37:43 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E8DAAC75E; Sat, 17 Dec 2022 17:37:41 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 91826B80B32; Sun, 18 Dec 2022 01:37:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D46B8C433D2; Sun, 18 Dec 2022 01:37:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1671327459; bh=sKHU/fAJPUmVv2ocnyFAS0lc9qCVTuQMrs4sxilAG8A=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=FKJxk/39ZxubCE1djFaKluonV6+b0mYhqKzz0qZS3LZdpaJ2HYwPJ//mXQ6ub57cV 8fvElQcMj+NPtW1ZInz8vj5AtwwqWKzZtKT1LlW3maXx4079+d38DxxX2NS519ELrN jkCv0fmng4uwlLxegyLIjvuQw6rEQLW4BiTjzQfcwdNSy8RjszOrSHjdNUE+hMhZBf zAFdvFWm/ZgJQ+oayRMfFFKFNL6sow8f0bpRfE5TjqRHyYIh5EHHCo+784rQ+ZJ9FF lHVYzmPKtFok7XaMnJDTV6HxNOvpDSwAJxpfxivXZys5JtScE5VkzCticVxQvnjk4+ NS3TYZEF95Dvw== Date: Sun, 18 Dec 2022 10:37:35 +0900 From: Masami Hiramatsu (Google) To: Steven Rostedt Cc: LKML , Linux Trace Kernel , Masami Hiramatsu , Andrew Morton , Ross Zwisler , Tom Zanussi Subject: Re: [PATCH] tracing: Add a way to filter function addresses to function names Message-Id: <20221218103735.bb9bb37529e5fb489bca3a75@kernel.org> In-Reply-To: <20221214125209.09d736dd@gandalf.local.home> References: <20221214125209.09d736dd@gandalf.local.home> X-Mailer: Sylpheed 3.8.0beta1 (GTK+ 2.24.33; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Steve, On Wed, 14 Dec 2022 12:52:09 -0500 Steven Rostedt wrote: > From: "Steven Rostedt (Google)" > > There's been several times where an event records a function address in > its field and I needed to filter on that address for a specific function > name. It required looking up the function in kallsyms, finding its size, > and doing a compare of "field >= function_start && field < function_end". > > But this would change from boot to boot and is unreliable in scripts. > Also, it is useful to have this at boot up, where the addresses will not > be known. For example, on the boot command line: > > trace_trigger="initcall_finish.traceoff if initcall_finish.function == acpi_init" > > To implement this, add a ".function" prefix, that will check that the > field is of size long, and the only operations allowed (so far) are "==" > and "!=". This looks nice! BTW, can you also add a test case for this feature? Thus we can ensure this works both with symbols or function addresses. Thank you, > > Signed-off-by: Steven Rostedt (Google) > --- > [ Resending due to claws-mail messing up the format of the > original patch ] > > Documentation/trace/events.rst | 12 +++++ > kernel/trace/trace_events.c | 2 +- > kernel/trace/trace_events_filter.c | 79 +++++++++++++++++++++++++++++- > 3 files changed, 91 insertions(+), 2 deletions(-) > > diff --git a/Documentation/trace/events.rst b/Documentation/trace/events.rst > index c47f381d0c00..d0fd5c7220b7 100644 > --- a/Documentation/trace/events.rst > +++ b/Documentation/trace/events.rst > @@ -207,6 +207,18 @@ field name:: > As the kernel will have to know how to retrieve the memory that the pointer > is at from user space. > > +You can convert any long type to a function address and search by function name:: > + > + call_site.function == security_prepare_creds > + > +The above will filter when the field "call_site" falls on the address within > +"security_prepare_creds". That is, it will compare the value of "call_site" and > +the filter will return true if it is greater than or equal to the start of > +the function "security_prepare_creds" and less than the end of that function. > + > +The ".function" postfix can only be attached to values of size long, and can only > +be compared with "==" or "!=". > + > 5.2 Setting filters > ------------------- > > diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c > index 33e0b4f8ebe6..db6e2f399440 100644 > --- a/kernel/trace/trace_events.c > +++ b/kernel/trace/trace_events.c > @@ -2822,7 +2822,7 @@ static __init int setup_trace_triggers(char *str) > if (!trigger) > break; > bootup_triggers[i].event = strsep(&trigger, "."); > - bootup_triggers[i].trigger = strsep(&trigger, "."); > + bootup_triggers[i].trigger = strsep(&trigger, ""); > if (!bootup_triggers[i].trigger) > break; > } > diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c > index 96acc2b71ac7..eef6426051bb 100644 > --- a/kernel/trace/trace_events_filter.c > +++ b/kernel/trace/trace_events_filter.c > @@ -64,6 +64,7 @@ enum filter_pred_fn { > FILTER_PRED_FN_PCHAR_USER, > FILTER_PRED_FN_PCHAR, > FILTER_PRED_FN_CPU, > + FILTER_PRED_FN_FUNCTION, > FILTER_PRED_FN_, > FILTER_PRED_TEST_VISITED, > }; > @@ -71,6 +72,7 @@ enum filter_pred_fn { > struct filter_pred { > enum filter_pred_fn fn_num; > u64 val; > + u64 val2; > struct regex regex; > unsigned short *ops; > struct ftrace_event_field *field; > @@ -103,6 +105,7 @@ struct filter_pred { > C(INVALID_FILTER, "Meaningless filter expression"), \ > C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \ > C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \ > + C(NO_FUNCTION, "Function not found"), \ > C(ERRNO, "Error"), \ > C(NO_FILTER, "No filter found") > > @@ -876,6 +879,17 @@ static int filter_pred_comm(struct filter_pred *pred, void *event) > return cmp ^ pred->not; > } > > +/* Filter predicate for functions. */ > +static int filter_pred_function(struct filter_pred *pred, void *event) > +{ > + unsigned long *addr = (unsigned long *)(event + pred->offset); > + unsigned long start = (unsigned long)pred->val; > + unsigned long end = (unsigned long)pred->val2; > + int ret = *addr >= start && *addr < end; > + > + return pred->op == OP_EQ ? ret : !ret; > +} > + > /* > * regex_match_foo - Basic regex callbacks > * > @@ -1335,6 +1349,8 @@ static int filter_pred_fn_call(struct filter_pred *pred, void *event) > return filter_pred_pchar(pred, event); > case FILTER_PRED_FN_CPU: > return filter_pred_cpu(pred, event); > + case FILTER_PRED_FN_FUNCTION: > + return filter_pred_function(pred, event); > case FILTER_PRED_TEST_VISITED: > return test_pred_visited_fn(pred, event); > default: > @@ -1350,8 +1366,13 @@ static int parse_pred(const char *str, void *data, > struct trace_event_call *call = data; > struct ftrace_event_field *field; > struct filter_pred *pred = NULL; > + unsigned long offset; > + unsigned long size; > + unsigned long ip; > char num_buf[24]; /* Big enough to hold an address */ > char *field_name; > + char *name; > + bool function = false; > bool ustring = false; > char q; > u64 val; > @@ -1393,6 +1414,12 @@ static int parse_pred(const char *str, void *data, > i += len; > } > > + /* See if the field is a user space string */ > + if ((len = str_has_prefix(str + i, ".function"))) { > + function = true; > + i += len; > + } > + > while (isspace(str[i])) > i++; > > @@ -1423,7 +1450,57 @@ static int parse_pred(const char *str, void *data, > pred->offset = field->offset; > pred->op = op; > > - if (ftrace_event_is_function(call)) { > + if (function) { > + /* The field must be the same size as long */ > + if (field->size != sizeof(long)) { > + parse_error(pe, FILT_ERR_ILLEGAL_FIELD_OP, pos + i); > + goto err_free; > + } > + > + /* Function only works with '==' or '!=' and an unquoted string */ > + switch (op) { > + case OP_NE: > + case OP_EQ: > + break; > + default: > + parse_error(pe, FILT_ERR_INVALID_OP, pos + i); > + goto err_free; > + } > + > + if (isdigit(str[i])) { > + ret = kstrtol(num_buf, 0, &ip); > + if (ret) { > + parse_error(pe, FILT_ERR_INVALID_VALUE, pos + i); > + goto err_free; > + } > + } else { > + s = i; > + for (; str[i] && !isspace(str[i]); i++) > + ; > + > + len = i - s; > + name = kmemdup_nul(str + s, len, GFP_KERNEL); > + if (!name) > + goto err_mem; > + ip = kallsyms_lookup_name(name); > + kfree(name); > + if (!ip) { > + parse_error(pe, FILT_ERR_NO_FUNCTION, pos + i); > + goto err_free; > + } > + } > + > + /* Now find the function start and end address */ > + if (!kallsyms_lookup_size_offset(ip, &size, &offset)) { > + parse_error(pe, FILT_ERR_NO_FUNCTION, pos + i); > + goto err_free; > + } > + > + pred->fn_num = FILTER_PRED_FN_FUNCTION; > + pred->val = ip - offset; > + pred->val2 = pred->val + size; > + > + } else if (ftrace_event_is_function(call)) { > /* > * Perf does things different with function events. > * It only allows an "ip" field, and expects a string. > -- > 2.35.1 > -- Masami Hiramatsu (Google)