Chinaunix首页 | 论坛 | 博客

瀚海书香forever.blog.chinaunix.net

首页 |  博文目录 |  关于我

瀚海书香

  • 博客访问: 3926625
  • 博文数量: 93
  • 博客积分: 3189
  • 博客等级: 中校
  • 技术积分: 4229
  • 用 户 组: 普通用户
  • 注册时间: 2009-02-02 13:29
个人简介

出没于杭州和青岛的程序猿一枚,对内核略懂一二

文章分类

全部博文(93)

文章存档

2016年(2)

2015年(3)

2014年(11)

2013年(29)

2012年(16)

2011年(5)

2010年(5)

2009年(22)

我的朋友
最近访客
推荐博文
相关博文
Linux内核kprobe机制实现浅析

分类: LINUX

2013-07-10 12:18:13

原文地址:Linux内核kprobe机制实现浅析 作者:luoyan_xy

   Kprobe机制是内核提供的一种调试机制,它提供了一种方法,能够在不修改现有代码的基础上,灵活的跟踪内核函数的执行。它的基本工作原理是:用户指定一个探测点,并把一个用户定义的处理函数关联到该探测点,当内核执行到该探测点时,相应的关联函数被执行,然后继续执行正常的代码路径。
     Kprobe提供了三种形式的探测点,一种是最基本的kprobe,能够在指定代码执行前、执行后进行探测,但此时不能访问被探测函数内的相关变量信息;一种是jprobe,用于探测某一函数的入口,并且能够访问对应的函数参数;一种是kretprobe,用于完成指定函数返回值的探测功能。其中最基本的就是kprobe机制,jprobe以及kretprobe的实现都依赖于kprobe,但其代码的实现都很巧妙,强烈建议每一个内核爱好者阅读。
    
    好了,闲话少叙,开始上代码:
  首先是struct kprobe结构,每一个探测点的基本结构

点击(此处)折叠或打开

  1. struct kprobe {
  2.     /*用于保存kprobe的全局hash表,以被探测的addr为key*/
  3.     struct hlist_node hlist;

  5.     /* list of kprobes for multi-handler support */
  6.     /*当对同一个探测点存在多个探测函数时,所有的函数挂在这条链上*/
  7.     struct list_head list;

  9.     /*count the number of times this probe was temporarily disarmed */
  10.     unsigned long nmissed;

  12.     /* location of the probe point */
  13.     /*被探测的目标地址*/
  14.     kprobe_opcode_t *addr;

  16.     /* Allow user to indicate symbol name of the probe point */
  17.     /*symblo_name的存在,允许用户指定函数名而非确定的地址*/
  18.     const char *symbol_name;

  20.     /* Offset into the symbol */
  21.     /*如果被探测点为函数内部某个指令,需要使用addr + offset的方式*/
  22.     unsigned int offset;

  24.     /* Called before addr is executed. */
  25.     /*探测函数,在目标探测点执行之前调用*/
  26.     kprobe_pre_handler_t pre_handler;

  28.     /* Called after addr is executed, unless... */
  29.     /*探测函数,在目标探测点执行之后调用*/
  30.     kprobe_post_handler_t post_handler;

  32.     /*
  33.      * ... called if executing addr causes a fault (eg. page fault).
  34.      * Return 1 if it handled fault, otherwise kernel will see it.
  35.      */
  36.     kprobe_fault_handler_t fault_handler;

  38.     /*
  39.      * ... called if breakpoint trap occurs in probe handler.
  40.      * Return 1 if it handled break, otherwise kernel will see it.
  41.      */
  42.     kprobe_break_handler_t break_handler;

  44.     /*opcode 以及 ainsn 用于保存被替换的指令码*/
  45.     
  46.     /* Saved opcode (which has been replaced with breakpoint) */
  47.     kprobe_opcode_t opcode;

  49.     /* copy of the original instruction */
  50.     struct arch_specific_insn ainsn;

  52.     /*
  53.      * Indicates various status flags.
  54.      * Protected by kprobe_mutex after this kprobe is registered.
  55.      */
  56.     u32 flags;
  57. };
    对于kprobe功能的实现主要利用了内核中的两个功能特性:异常(尤其是int 3),单步执行(EFLAGS中的TF标志)。
    大概的流程:
 1)在注册探测点的时候,对被探测函数的指令码进行替换,替换为int 3的指令码;
 2)在执行int 3的异常执行中,通过通知链的方式调用kprobe的异常处理函数;
 3)在kprobe的异常出来函数中,判断是否存在pre_handler钩子,存在则执行;
 4)执行完后,准备进入单步调试,通过设置EFLAGS中的TF标志位,并且把异常返回的地址修改为保存的原指令码;
 5)代码返回,执行原有指令,执行结束后触发单步异常;
 6)在单步异常的处理中,清除单步标志,执行post_handler流程,并最终返回;

    下面又进入代码时间,首先看一下kprobe模块的初始化代码,初始化代码主要做了两件事:标记出哪些代码是不能被探测的,这些代码属于kprobe实现的关键代码;注册通知链到die_notifier,用于接收异常通知。

点击(此处)折叠或打开

  1. 初始化代码位于kernel/kprobes.c中
  2. static int __init init_kprobes(void)
  3. {
  4.     int i, err = 0;
  5.         ....

  7.      /*kprobe_blacklist中保存的是kprobe实现的关键代码路径,这些函数不应该被kprobe探测*/
  8.     /*
  9.      * Lookup and populate the kprobe_blacklist.
  10.      *
  11.      * Unlike the kretprobe blacklist, we'll need to determine
  12.      * the range of addresses that belong to the said functions,
  13.      * since a kprobe need not necessarily be at the beginning
  14.      * of a function.
  15.      */
  16.     for (kb = kprobe_blacklist; kb->name != NULL; kb++) {
  17.         kprobe_lookup_name(kb->name, addr);
  18.         if (!addr)
  19.             continue;

  21.         kb->start_addr = (unsigned long)addr;
  22.         symbol_name = kallsyms_lookup(kb->start_addr,
  23.                 &size, &offset, &modname, namebuf);
  24.         if (!symbol_name)
  25.             kb->range = 0;
  26.         else
  27.             kb->range = size;
  28.     }
  29.         ....
  30.     if (!err)
  31.         /*注册通知链到die_notifier,用于接收int 3的异常信息*/
  32.         err = register_die_notifier(&kprobe_exceptions_nb);
  33.          ....
  34. }
  35. 其中的通知链:
  36. static struct notifier_block kprobe_exceptions_nb = {
  37.     .notifier_call = kprobe_exceptions_notify,
  38.     /*优先级最高,保证最先执行*/
  39.     .priority = 0x7fffffff /* we need to be notified first */
  40. };
    kprobe的注册流程register_kprobe。

点击(此处)折叠或打开

  1. int __kprobes register_kprobe(struct kprobe *p)
  2. {
  3.     int ret = 0;
  4.     struct kprobe *old_p;
  5.     struct module *probed_mod;
  6.     kprobe_opcode_t *addr;

  8.     /*获取被探测点的地址,指定了symbol_name,则从kallsyms中获取;指定了offset,则返回addr + offset*/
  9.     addr = kprobe_addr(p);
  10.     if (!addr)
  11.         return -EINVAL;
  12.     p->addr = addr;

  14.     /*判断同一个kprobe是否被重复注册*/
  15.     ret = check_kprobe_rereg(p);
  16.     if (ret)
  17.         return ret;

  19.     jump_label_lock();
  20.     preempt_disable();
  21.     /*判断被注册的函数是否位于内核的代码段内,或位于不能探测的kprobe实现路径中*/
  22.     if (!kernel_text_address((unsigned long) p->addr) ||
  23.      in_kprobes_functions((unsigned long) p->addr) ||
  24.      ftrace_text_reserved(p->addr, p->addr) ||
  25.      jump_label_text_reserved(p->addr, p->addr))
  26.         goto fail_with_jump_label;

  28.     /* User can pass only KPROBE_FLAG_DISABLED to register_kprobe */
  29.     p->flags &= KPROBE_FLAG_DISABLED;

  31.     /*
  32.      * Check if are we probing a module.
  33.      */
  34.     /*判断被探测的地址是否属于某一个模块,并且位于模块的text section内*/
  35.     probed_mod = __module_text_address((unsigned long) p->addr);
  36.     if (probed_mod) {
  37.         /*如果被探测的为模块地址,首先要增加模块的引用计数*/
  38.         /*
  39.          * We must hold a refcount of the probed module while updating
  40.          * its code to prohibit unexpected unloading.
  41.          */
  42.         if (unlikely(!try_module_get(probed_mod)))
  43.             goto fail_with_jump_label;

  45.         /*
  46.          * If the module freed .init.text, we couldn't insert
  47.          * kprobes in there.
  48.          */
  49.         /*如果被探测的地址位于模块的init地址段内,但该段代码区间已被释放,则直接退出*/
  50.         if (within_module_init((unsigned long)p->addr, probed_mod) &&
  51.          probed_mod->state != MODULE_STATE_COMING) {
  52.             module_put(probed_mod);
  53.             goto fail_with_jump_label;
  54.         }
  55.     }
  56.     preempt_enable();
  57.     jump_label_unlock();

  59.     p->nmissed = 0;
  60.     INIT_LIST_HEAD(&p->list);
  61.     mutex_lock(&kprobe_mutex);

  63.     jump_label_lock(); /* needed to call jump_label_text_reserved() */

  65.     get_online_cpus();    /* For avoiding text_mutex deadlock. */
  66.     mutex_lock(&text_mutex);

  68.     /*判断在同一个探测点是否已经注册了其他的探测函数*/
  69.     old_p = get_kprobe(p->addr);
  70.     if (old_p) {
  71.         /* Since this may unoptimize old_p, locking text_mutex. */
  72.         /*如果已经存在注册过的kprobe,则将探测点的函数修改为aggr_pre_handler,并将所有的handler挂载到其链表上,由其负责所有handler函数的执行*/
  73.         ret = register_aggr_kprobe(old_p, p);
  74.         goto out;
  75.     }

  77.     /* 分配特定的内存地址用于保存原有的指令
  78.      * 按照内核注释,被分配的地址必须must be on special executable page on x86.
  79.      * 该地址被保存在kprobe->ainsn.insn
  80.      */
  81.     ret = arch_prepare_kprobe(p);
  82.     if (ret)
  83.         goto out;

  85.     /*将kprobe加入到相应的hash表内*/
  86.     INIT_HLIST_NODE(&p->hlist);
  87.     hlist_add_head_rcu(&p->hlist,
  88.          &kprobe_table[hash_ptr(p->addr, KPROBE_HASH_BITS)]);

  90.     if (!kprobes_all_disarmed && !kprobe_disabled(p))
  91. /*将探测点的指令码修改为int 3指令*/
  92.         __arm_kprobe(p);

  94.     /* Try to optimize kprobe */
  95.     try_to_optimize_kprobe(p);

  97. out:
  98.     mutex_unlock(&text_mutex);
  99.     put_online_cpus();
  100.     jump_label_unlock();
  101.     mutex_unlock(&kprobe_mutex);

  103.     if (probed_mod)
  104.         module_put(probed_mod);

  106.     return ret;

  108. fail_with_jump_label:
  109.     preempt_enable();
  110.     jump_label_unlock();
  111.     return -EINVAL;
    注册完毕,就开始kprobe的执行流程了。对于该探测点,由于其起始指令已经被修改为int3,因此在执行到该地址时,必然会触发3号中断向量的处理流程do_int3.

点击(此处)折叠或打开

  1. /* May run on IST stack. */
  2. dotraplinkage void __kprobes do_int3(struct pt_regs *regs, long error_code)
  3. {
  4. #ifdef CONFIG_KGDB_LOW_LEVEL_TRAP
  5.     if (kgdb_ll_trap(DIE_INT3, "int3", regs, error_code, 3, SIGTRAP)
  6.             == NOTIFY_STOP)
  7.         return;
  8. #endif /* CONFIG_KGDB_LOW_LEVEL_TRAP */
  9. #ifdef CONFIG_KPROBES
  10.     /*在这里以DIE_INT3,通知kprobe注册的通知链*/
  11.     if (notify_die(DIE_INT3, "int3", regs, error_code, 3, SIGTRAP)
  12.             == NOTIFY_STOP)
  13.         return;
  14. #else
  15.     if (notify_die(DIE_TRAP, "int3", regs, error_code, 3, SIGTRAP)
  16.             == NOTIFY_STOP)
  17.         return;
  18. #endif

  20.     preempt_conditional_sti(regs);
  21.     do_trap(3, SIGTRAP, "int3", regs, error_code, NULL);
  22.     preempt_conditional_cli(regs);
  23. }
    在do_int3中触发kprobe注册的通知链函数,kprobe_exceptions_notify。由于kprobe以及jprobe等机制的处理核心都在此函数内,这里只针对kprobe的流程进行分析:进入函数的原因是DIE_INT3,并且是第一次进入该函数。

点击(此处)折叠或打开

  1. int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
  2.                  unsigned long val, void *data)
  3. {
  4.     struct die_args *args = data;
  5.     int ret = NOTIFY_DONE;

  7.     if (args->regs && user_mode_vm(args->regs))
  8.         return ret;

  10.     switch (val) {
  11.     case DIE_INT3:
  12. /*对于kprobe,进入kprobe_handle*/
  13.         if (kprobe_handler(args->regs))
  14.             ret = NOTIFY_STOP;
  15.         break;
  16.     case DIE_DEBUG:
  17.         if (post_kprobe_handler(args->regs)) {
  18.             /*
  19.              * Reset the BS bit in dr6 (pointed by args->err) to
  20.              * denote completion of processing
  21.              */
  22.             (*(unsigned long *)ERR_PTR(args->err)) &= ~DR_STEP;
  23.             ret = NOTIFY_STOP;
  24.         }
  25.         break;
  26.     case DIE_GPF:
  27.         /*
  28.          * To be potentially processing a kprobe fault and to
  29.          * trust the result from kprobe_running(), we have
  30.          * be non-preemptible.
  31.          */
  32.         if (!preemptible() && kprobe_running() &&
  33.          kprobe_fault_handler(args->regs, args->trapnr))
  34.             ret = NOTIFY_STOP;
  35.         break;
  36.     default:
  37.         break;
  38.     }
  39.     return ret;
  40. }

点击(此处)折叠或打开

  1. static int __kprobes kprobe_handler(struct pt_regs *regs)
  2. {
  3.     kprobe_opcode_t *addr;
  4.     struct kprobe *p;
  5.     struct kprobe_ctlblk *kcb;

  7.     /*对于int 3中断,其被Intel定义为Trap,那么异常发生时EIP寄存器内指向的为异常指令的后一条指令*/
  8.     addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
  9.     /*
  10.      * We don't want to be preempted for the entire
  11.      * duration of kprobe processing. We conditionally
  12.      * re-enable preemption at the end of this function,
  13.      * and also in reenter_kprobe() and setup_singlestep().
  14.      */
  15.     preempt_disable();

  17.     kcb = get_kprobe_ctlblk();
  18.     /*获取addr对应的kprobe*/
  19.     p = get_kprobe(addr);

  21.     if (p) {
  22. /*如果异常的进入是由kprobe导致,则进入reenter_kprobe(jprobe需要,到时候分析)*/
  23.         if (kprobe_running()) {
  24.             if (reenter_kprobe(p, regs, kcb))
  25.                 return 1;
  26.         } else {
  27.             set_current_kprobe(p, regs, kcb);
  28.             kcb->kprobe_status = KPROBE_HIT_ACTIVE;

  30.             /*
  31.              * If we have no pre-handler or it returned 0, we
  32.              * continue with normal processing. If we have a
  33.              * pre-handler and it returned non-zero, it prepped
  34.              * for calling the break_handler below on re-entry
  35.              * for jprobe processing, so get out doing nothing
  36.              * more here.
  37.              */
  38.     /*执行在此地址上挂载的pre_handle函数*/
  39.             if (!p->pre_handler || !p->pre_handler(p, regs))
  40. /*设置单步调试模式,为post_handle函数的执行做准备*/
  41.                 setup_singlestep(p, regs, kcb, 0);
  42.             return 1;
  43.         }
  44.     } else if (*addr != BREAKPOINT_INSTRUCTION) {
  45.         /*
  46.          * The breakpoint instruction was removed right
  47.          * after we hit it. Another cpu has removed
  48.          * either a probepoint or a debugger breakpoint
  49.          * at this address. In either case, no further
  50.          * handling of this interrupt is appropriate.
  51.          * Back up over the (now missing) int3 and run
  52.          * the original instruction.
  53.          */
  54.         regs->ip = (unsigned long)addr;
  55.         preempt_enable_no_resched();
  56.         return 1;
  57.     } else if (kprobe_running()) {
  58.         p = __this_cpu_read(current_kprobe);
  59.         if (p->break_handler && p->break_handler(p, regs)) {
  60.             setup_singlestep(p, regs, kcb, 0);
  61.             return 1;
  62.         }
  63.     } /* else: not a kprobe fault; let the kernel handle it */

  65.     preempt_enable_no_resched();
  66.     return 0;
  67. }

点击(此处)折叠或打开

  1. static void __kprobes setup_singlestep(struct kprobe *p, struct pt_regs *regs,
  2.                  struct kprobe_ctlblk *kcb, int reenter)
  3. {
  4.     if (setup_detour_execution(p, regs, reenter))
  5.         return;

  7. #if !defined(CONFIG_PREEMPT)
  8.     if (p->ainsn.boostable == 1 && !p->post_handler) {
  9.         /* Boost up -- we can execute copied instructions directly */
  10.         if (!reenter)
  11.             reset_current_kprobe();
  12.         /*
  13.          * Reentering boosted probe doesn't reset current_kprobe,
  14.          * nor set current_kprobe, because it doesn't use single
  15.          * stepping.
  16.          */
  17.         regs->ip = (unsigned long)p->ainsn.insn;
  18.         preempt_enable_no_resched();
  19.         return;
  20.     }
  21. #endif
  22.     /*jprobe*/
  23.     if (reenter) {
  24.         save_previous_kprobe(kcb);
  25.         set_current_kprobe(p, regs, kcb);
  26.         kcb->kprobe_status = KPROBE_REENTER;
  27.     } else
  28.         kcb->kprobe_status = KPROBE_HIT_SS;
  29.     /* Prepare real single stepping */
  30.     /*准备单步模式,设置EFLAGS的TF标志位,清楚IF标志位(禁止中断)*/
  31.     clear_btf();
  32.     regs->flags |= X86_EFLAGS_TF;
  33.     regs->flags &= ~X86_EFLAGS_IF;
  34.     /* single step inline if the instruction is an int3 */
  35.     if (p->opcode == BREAKPOINT_INSTRUCTION)
  36.         regs->ip = (unsigned long)p->addr;
  37.     else
  38. /*设置异常返回的指令为保存的被探测点的指令*/
  39.         regs->ip = (unsigned long)p->ainsn.insn;
  40. }
     对应kprobe,pre_handle的执行就结束了,按照代码,程序开始执行保存的被探测点的指令,由于开启了单步调试模式,执行完指令后会继续触发异常,这次的是do_debug异常处理流程。

点击(此处)折叠或打开

  1. dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
  2. {
  3.     ....

  5.     /*在do_debug中,以DIE_DEBUG再一次触发kprobe的通知链*/
  6.     if (notify_die(DIE_DEBUG, "debug", regs, PTR_ERR(&dr6), error_code,
  7.                             SIGTRAP) == NOTIFY_STOP)
  8.         return;
  9.    
  10.     ....
  11.     return;
  12. }

点击(此处)折叠或打开

  1. /*对于kprobe_exceptions_notify,其DIE_DEBUG处理流程*/
  2. case DIE_DEBUG:
  3.         if (post_kprobe_handler(args->regs)) {
  4.             /*
  5.              * Reset the BS bit in dr6 (pointed by args->err) to
  6.              * denote completion of processing
  7.              */
  8.             (*(unsigned long *)ERR_PTR(args->err)) &= ~DR_STEP;
  9.             ret = NOTIFY_STOP;
  10.         }
  11.         break;

  13. static int __kprobes post_kprobe_handler(struct pt_regs *regs)
  14. {
  15.     struct kprobe *cur = kprobe_running();
  16.     struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();

  18.     if (!cur)
  19.         return 0;

  21.     /*设置异常返回的EIP为下一条需要执行的指令*/
  22.     resume_execution(cur, regs, kcb);
  23.     /*恢复异常执行前的EFLAGS*/
  24.     regs->flags |= kcb->kprobe_saved_flags;

  26.     /*执行post_handler函数*/
  27.     if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) {
  28.         kcb->kprobe_status = KPROBE_HIT_SSDONE;
  29.         cur->post_handler(cur, regs, 0);
  30.     }

  32.     /* Restore back the original saved kprobes variables and continue. */
  33.     if (kcb->kprobe_status == KPROBE_REENTER) {
  34.         restore_previous_kprobe(kcb);
  35.         goto out;
  36.     }
  37.     reset_current_kprobe();
  38. out:
  39.     preempt_enable_no_resched();

  41.     /*
  42.      * if somebody else is singlestepping across a probe point, flags
  43.      * will have TF set, in which case, continue the remaining processing
  44.      * of do_debug, as if this is not a probe hit.
  45.      */
  46.     if (regs->flags & X86_EFLAGS_TF)
  47.         return 0;

  49.     return 1;
  50. }
    至此,一个典型的kprobe的流程已经执行完毕了。

阅读(7118) | 评论(0) | 转发(0) |
1

上一篇:应用层创建socket,内核模块通过该socket发送数据包

下一篇:linux多网卡绑定bonding

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6