From 8ced8896fe832af52b749d429b8eceb872a83d1b Mon Sep 17 00:00:00 2001 From: Francis Deslauriers Date: Thu, 23 Jan 2020 17:47:17 -0500 Subject: [PATCH] Implement event notifiers for syscalls Signed-off-by: Francis Deslauriers Change-Id: Ic8f17feb45aef6e933252908c761d3241123cfe4 --- .../syscalls/headers/syscalls_unknown.h | 20 ++ include/lttng/events.h | 50 ++++ src/lttng-abi.c | 3 +- src/lttng-events.c | 53 +++- src/lttng-syscalls.c | 237 +++++++++++++++++- 5 files changed, 351 insertions(+), 12 deletions(-) diff --git a/include/instrumentation/syscalls/headers/syscalls_unknown.h b/include/instrumentation/syscalls/headers/syscalls_unknown.h index 64e53792..38add19f 100644 --- a/include/instrumentation/syscalls/headers/syscalls_unknown.h +++ b/include/instrumentation/syscalls/headers/syscalls_unknown.h @@ -28,6 +28,26 @@ LTTNG_TRACEPOINT_EVENT(compat_syscall_entry_unknown, ) ) +#undef TP_PROBE_CB +#define TP_PROBE_CB(_template) &syscall_entry_event_notifier_probe + +LTTNG_TRACEPOINT_EVENT(syscall_notifier_entry_unknown, + TP_PROTO(int id, unsigned long *args), + TP_ARGS(id, args), + TP_FIELDS( + ctf_integer(int, id, id) + ctf_array(unsigned long, args, args, UNKNOWN_SYSCALL_NRARGS) + ) +) +LTTNG_TRACEPOINT_EVENT(compat_syscall_notifier_entry_unknown, + TP_PROTO(int id, unsigned long *args), + TP_ARGS(id, args), + TP_FIELDS( + ctf_integer(int, id, id) + ctf_array(unsigned long, args, args, UNKNOWN_SYSCALL_NRARGS) + ) +) + #undef TP_PROBE_CB #define TP_PROBE_CB(_template) &syscall_exit_event_probe diff --git a/include/lttng/events.h b/include/lttng/events.h index bee47105..61d37d70 100644 --- a/include/lttng/events.h +++ b/include/lttng/events.h @@ -299,6 +299,12 @@ enum lttng_syscall_abi { LTTNG_SYSCALL_ABI_COMPAT, }; +struct lttng_syscall { + struct list_head node; /* chain registered syscall event_notifier */ + unsigned int syscall_id; + bool is_compat; +}; + /* * lttng_event structure is referred to by the tracing fast path. It must be * kept small. @@ -351,6 +357,7 @@ struct lttng_event_notifier { union { struct lttng_kprobe kprobe; struct lttng_uprobe uprobe; + struct lttng_syscall syscall; } u; /* Backward references: list of lttng_enabler_ref (ref to enablers) */ @@ -629,6 +636,12 @@ struct lttng_event_notifier_group { struct lib_ring_buffer *buf; /* Ring buffer for event notifier group. */ wait_queue_head_t read_wait; struct irq_work wakeup_pending; /* Pending wakeup irq work. */ + + struct list_head *event_notifier_syscall_dispatch; + struct list_head *event_notifier_compat_syscall_dispatch; + + unsigned int syscall_all:1, + sys_enter_registered:1; }; struct lttng_metadata_cache { @@ -770,6 +783,9 @@ int lttng_session_list_tracker_ids(struct lttng_session *session, void lttng_clock_ref(void); void lttng_clock_unref(void); +int lttng_desc_match_enabler(const struct lttng_event_desc *desc, + struct lttng_enabler *enabler); + #if defined(CONFIG_HAVE_SYSCALL_TRACEPOINTS) int lttng_syscalls_register_event(struct lttng_channel *chan, void *filter); int lttng_syscalls_unregister_event(struct lttng_channel *chan); @@ -781,6 +797,14 @@ int lttng_syscall_filter_disable_event(struct lttng_channel *chan, long lttng_channel_syscall_mask(struct lttng_channel *channel, struct lttng_kernel_syscall_mask __user *usyscall_mask); +int lttng_syscalls_register_event_notifier( + struct lttng_event_notifier_enabler *event_notifier_enabler, + void *filter); +int lttng_syscals_create_matching_event_notifiers( + struct lttng_event_notifier_enabler *event_notifier_enabler, void *filter); +int lttng_syscalls_unregister_event_notifier(struct lttng_event_notifier_group *group); +int lttng_syscall_filter_enable_event_notifier(struct lttng_event_notifier *event_notifier); +int lttng_syscall_filter_disable_event_notifier(struct lttng_event_notifier *event_notifier); #else static inline int lttng_syscalls_register_event( struct lttng_channel *chan, void *filter) @@ -816,6 +840,32 @@ static inline long lttng_channel_syscall_mask(struct lttng_channel *channel, return -ENOSYS; } +static inline int lttng_syscalls_register_event_notifier( + struct lttng_event_notifier_group *group, void *filter) +{ + return -ENOSYS; +} + +static inline int lttng_syscalls_unregister_event_notifier( + struct lttng_event_notifier_group *group) +{ + return 0; +} + +static inline int lttng_syscall_filter_enable_event_notifier( + struct lttng_event_notifier_group *group, + const char *name) +{ + return -ENOSYS; +} + +static inline int lttng_syscall_filter_disable_event_notifier( + struct lttng_event_notifier_group *group, + const char *name) +{ + return -ENOSYS; +} + #endif void lttng_filter_sync_state(struct lttng_bytecode_runtime *runtime); diff --git a/src/lttng-abi.c b/src/lttng-abi.c index f9e4422d..68ea7ac3 100644 --- a/src/lttng-abi.c +++ b/src/lttng-abi.c @@ -1824,11 +1824,12 @@ int lttng_abi_create_event_notifier(struct file *event_notifier_group_file, case LTTNG_KERNEL_KPROBE: event_notifier_param->event.u.kprobe.symbol_name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0'; break; + case LTTNG_KERNEL_SYSCALL: + break; case LTTNG_KERNEL_KRETPROBE: /* Placing an event notifier on kretprobe is not supported. */ case LTTNG_KERNEL_FUNCTION: case LTTNG_KERNEL_NOOP: - case LTTNG_KERNEL_SYSCALL: default: ret = -EINVAL; goto inval_instr; diff --git a/src/lttng-events.c b/src/lttng-events.c index 41fea850..176c3832 100644 --- a/src/lttng-events.c +++ b/src/lttng-events.c @@ -329,6 +329,9 @@ void lttng_event_notifier_group_destroy( mutex_lock(&sessions_mutex); + ret = lttng_syscalls_unregister_event_notifier(event_notifier_group); + WARN_ON(ret); + list_for_each_entry_safe(event_notifier, tmpevent_notifier, &event_notifier_group->event_notifiers_head, list) { ret = _lttng_event_notifier_unregister(event_notifier); @@ -612,13 +615,13 @@ int lttng_event_notifier_enable(struct lttng_event_notifier *event_notifier) } switch (event_notifier->instrumentation) { case LTTNG_KERNEL_TRACEPOINT: + case LTTNG_KERNEL_SYSCALL: ret = -EINVAL; break; case LTTNG_KERNEL_KPROBE: case LTTNG_KERNEL_UPROBE: WRITE_ONCE(event_notifier->enabled, 1); break; - case LTTNG_KERNEL_SYSCALL: case LTTNG_KERNEL_FUNCTION: case LTTNG_KERNEL_NOOP: case LTTNG_KERNEL_KRETPROBE: @@ -642,13 +645,13 @@ int lttng_event_notifier_disable(struct lttng_event_notifier *event_notifier) } switch (event_notifier->instrumentation) { case LTTNG_KERNEL_TRACEPOINT: + case LTTNG_KERNEL_SYSCALL: ret = -EINVAL; break; case LTTNG_KERNEL_KPROBE: case LTTNG_KERNEL_UPROBE: WRITE_ONCE(event_notifier->enabled, 0); break; - case LTTNG_KERNEL_SYSCALL: case LTTNG_KERNEL_FUNCTION: case LTTNG_KERNEL_NOOP: case LTTNG_KERNEL_KRETPROBE: @@ -1009,12 +1012,12 @@ struct lttng_event_notifier *_lttng_event_notifier_create( break; case LTTNG_KERNEL_KPROBE: case LTTNG_KERNEL_UPROBE: + case LTTNG_KERNEL_SYSCALL: event_name = event_notifier_param->event.name; break; case LTTNG_KERNEL_KRETPROBE: case LTTNG_KERNEL_FUNCTION: case LTTNG_KERNEL_NOOP: - case LTTNG_KERNEL_SYSCALL: default: WARN_ON_ONCE(1); ret = -EINVAL; @@ -1086,6 +1089,20 @@ struct lttng_event_notifier *_lttng_event_notifier_create( ret = try_module_get(event_notifier->desc->owner); WARN_ON_ONCE(!ret); break; + case LTTNG_KERNEL_NOOP: + case LTTNG_KERNEL_SYSCALL: + /* + * Needs to be explicitly enabled after creation, since + * we may want to apply filters. + */ + event_notifier->enabled = 0; + event_notifier->registered = 0; + event_notifier->desc = event_desc; + if (!event_notifier->desc) { + ret = -EINVAL; + goto register_error; + } + break; case LTTNG_KERNEL_UPROBE: /* * Needs to be explicitly enabled after creation, since @@ -1111,8 +1128,6 @@ struct lttng_event_notifier *_lttng_event_notifier_create( break; case LTTNG_KERNEL_KRETPROBE: case LTTNG_KERNEL_FUNCTION: - case LTTNG_KERNEL_NOOP: - case LTTNG_KERNEL_SYSCALL: default: WARN_ON_ONCE(1); ret = -EINVAL; @@ -1257,11 +1272,13 @@ void register_event_notifier(struct lttng_event_notifier *event_notifier) desc->event_notifier_callback, event_notifier); break; + case LTTNG_KERNEL_SYSCALL: + ret = lttng_syscall_filter_enable_event_notifier(event_notifier); + break; case LTTNG_KERNEL_KPROBE: case LTTNG_KERNEL_UPROBE: ret = 0; break; - case LTTNG_KERNEL_SYSCALL: case LTTNG_KERNEL_KRETPROBE: case LTTNG_KERNEL_FUNCTION: case LTTNG_KERNEL_NOOP: @@ -1297,9 +1314,11 @@ int _lttng_event_notifier_unregister( lttng_uprobes_unregister_event_notifier(event_notifier); ret = 0; break; + case LTTNG_KERNEL_SYSCALL: + ret = lttng_syscall_filter_disable_event_notifier(event_notifier); + break; case LTTNG_KERNEL_KRETPROBE: case LTTNG_KERNEL_FUNCTION: - case LTTNG_KERNEL_SYSCALL: case LTTNG_KERNEL_NOOP: default: WARN_ON_ONCE(1); @@ -1357,14 +1376,15 @@ void _lttng_event_notifier_destroy(struct lttng_event_notifier *event_notifier) module_put(event_notifier->desc->owner); lttng_kprobes_destroy_event_notifier_private(event_notifier); break; + case LTTNG_KERNEL_NOOP: + case LTTNG_KERNEL_SYSCALL: + break; case LTTNG_KERNEL_UPROBE: module_put(event_notifier->desc->owner); lttng_uprobes_destroy_event_notifier_private(event_notifier); break; case LTTNG_KERNEL_KRETPROBE: case LTTNG_KERNEL_FUNCTION: - case LTTNG_KERNEL_NOOP: - case LTTNG_KERNEL_SYSCALL: default: WARN_ON_ONCE(1); } @@ -1647,7 +1667,6 @@ int lttng_match_enabler_name(const char *desc_name, return 1; } -static int lttng_desc_match_enabler(const struct lttng_event_desc *desc, struct lttng_enabler *enabler) { @@ -1901,6 +1920,17 @@ void lttng_create_syscall_event_if_missing(struct lttng_event_enabler *event_ena WARN_ON_ONCE(ret); } +static +void lttng_create_syscall_event_notifier_if_missing(struct lttng_event_notifier_enabler *event_notifier_enabler) +{ + int ret; + + ret = lttng_syscalls_register_event_notifier(event_notifier_enabler, NULL); + WARN_ON_ONCE(ret); + ret = lttng_syscals_create_matching_event_notifiers(event_notifier_enabler, NULL); + WARN_ON_ONCE(ret); +} + /* * Create struct lttng_event if it is missing and present in the list of * tracepoint probes. @@ -1995,6 +2025,9 @@ void lttng_create_event_notifier_if_missing(struct lttng_event_notifier_enabler case LTTNG_KERNEL_TRACEPOINT: lttng_create_tracepoint_event_notifier_if_missing(event_notifier_enabler); break; + case LTTNG_KERNEL_SYSCALL: + lttng_create_syscall_event_notifier_if_missing(event_notifier_enabler); + break; default: WARN_ON_ONCE(1); break; diff --git a/src/lttng-syscalls.c b/src/lttng-syscalls.c index 3139a556..c18a1418 100644 --- a/src/lttng-syscalls.c +++ b/src/lttng-syscalls.c @@ -29,6 +29,7 @@ #include #include #include +#include #ifndef CONFIG_COMPAT # ifndef is_compat_task @@ -63,6 +64,10 @@ void syscall_entry_event_probe(void *__data, struct pt_regs *regs, long id); static void syscall_exit_event_probe(void *__data, struct pt_regs *regs, long ret); +static +void syscall_entry_event_notifier_probe(void *__data, struct pt_regs *regs, + long id); + /* * Forward declarations for old kernels. */ @@ -285,6 +290,7 @@ typedef __kernel_old_time_t time_t; struct trace_syscall_entry { void *event_func; + void *event_notifier_func; const struct lttng_event_desc *desc; const struct lttng_event_field *fields; unsigned int nrargs; @@ -301,6 +307,7 @@ struct trace_syscall_entry { #define TRACE_SYSCALL_TABLE(_template, _name, _nr, _nrargs) \ [ _nr ] = { \ .event_func = __event_probe__syscall_entry_##_template, \ + .event_notifier_func = __event_notifier_probe__syscall_entry_##_template, \ .nrargs = (_nrargs), \ .fields = __event_fields___syscall_entry_##_template, \ .desc = &__event_desc___syscall_entry_##_name, \ @@ -316,6 +323,7 @@ static const struct trace_syscall_entry sc_table[] = { #define TRACE_SYSCALL_TABLE(_template, _name, _nr, _nrargs) \ [ _nr ] = { \ .event_func = __event_probe__compat_syscall_entry_##_template, \ + .event_notifier_func = __event_notifier_probe__compat_syscall_entry_##_template, \ .nrargs = (_nrargs), \ .fields = __event_fields___compat_syscall_entry_##_template, \ .desc = &__event_desc___compat_syscall_entry_##_name, \ @@ -338,6 +346,7 @@ const struct trace_syscall_entry compat_sc_table[] = { #define TRACE_SYSCALL_TABLE(_template, _name, _nr, _nrargs) \ [ _nr ] = { \ .event_func = __event_probe__syscall_exit_##_template, \ + .event_notifier_func = __event_notifier_probe__syscall_exit_##_template, \ .nrargs = (_nrargs), \ .fields = __event_fields___syscall_exit_##_template, \ .desc = &__event_desc___syscall_exit_##_name, \ @@ -353,6 +362,7 @@ static const struct trace_syscall_entry sc_exit_table[] = { #define TRACE_SYSCALL_TABLE(_template, _name, _nr, _nrargs) \ [ _nr ] = { \ .event_func = __event_probe__compat_syscall_exit_##_template, \ + .event_notifier_func = __event_notifier_probe__compat_syscall_exit_##_template, \ .nrargs = (_nrargs), \ .fields = __event_fields___compat_syscall_exit_##_template, \ .desc = &__event_desc___compat_syscall_exit_##_name, \ @@ -387,6 +397,20 @@ static void syscall_entry_event_unknown(struct lttng_event *event, __event_probe__syscall_entry_unknown(event, id, args); } +static void syscall_entry_event_notifier_unknown( + struct lttng_event_notifier_group *notifier_group, + struct pt_regs *regs, unsigned int id) +{ + unsigned long args[LTTNG_SYSCALL_NR_ARGS]; + struct lttng_event *event; + + lttng_syscall_get_arguments(current, regs, args); + if (unlikely(in_compat_syscall())) + __event_probe__compat_syscall_notifier_entry_unknown(event, id, args); + else + __event_probe__syscall_notifier_entry_unknown(event, id, args); +} + static __always_inline void syscall_entry_call_func(void *func, unsigned int nrargs, void *data, struct pt_regs *regs) @@ -526,6 +550,44 @@ void syscall_entry_event_probe(void *__data, struct pt_regs *regs, long id) syscall_entry_call_func(entry->event_func, entry->nrargs, event, regs); } +void syscall_entry_event_notifier_probe(void *__data, struct pt_regs *regs, long id) +{ + struct lttng_event_notifier_group *event_notifier_group = __data; + const struct trace_syscall_entry *entry; + struct list_head *dispatch_list; + struct lttng_event_notifier *iter; + size_t table_len; + + if (unlikely(in_compat_syscall())) { + table_len = ARRAY_SIZE(compat_sc_table); + if (unlikely(id < 0 || id >= table_len)) { + return; + } + entry = &compat_sc_table[id]; + dispatch_list = &event_notifier_group->event_notifier_compat_syscall_dispatch[id]; + } else { + table_len = ARRAY_SIZE(sc_table); + if (unlikely(id < 0 || id >= table_len)) { + return; + } + entry = &sc_table[id]; + dispatch_list = &event_notifier_group->event_notifier_syscall_dispatch[id]; + } + + if (unlikely(id < 0 || id >= table_len)) { + syscall_entry_event_notifier_unknown(event_notifier_group, regs, id); + return; + } + + /* TODO handle unknown syscall */ + + list_for_each_entry_rcu(iter, dispatch_list, u.syscall.node) { + BUG_ON(iter->u.syscall.syscall_id != id); + syscall_entry_call_func(entry->event_notifier_func, + entry->nrargs, iter, regs); + } +} + static void syscall_exit_event_unknown(struct lttng_event *event, struct pt_regs *regs, int id, long ret) { @@ -918,8 +980,157 @@ int lttng_syscalls_register_event(struct lttng_channel *chan, void *filter) } /* - * Only called at session destruction. + * Should be called with sessions lock held. */ +int lttng_syscalls_register_event_notifier(struct lttng_event_notifier_enabler *event_notifier_enabler, void *filter) +{ + struct lttng_event_notifier_group *group = event_notifier_enabler->group; + unsigned int i; + int ret = 0; + + wrapper_vmalloc_sync_mappings(); + + if (!group->event_notifier_syscall_dispatch) { + group->event_notifier_syscall_dispatch = kzalloc(sizeof(struct list_head) + * ARRAY_SIZE(sc_table), GFP_KERNEL); + if (!group->event_notifier_syscall_dispatch) + return -ENOMEM; + + /* Initialize all list_head */ + for (i = 0; i < ARRAY_SIZE(sc_table); i++) + INIT_LIST_HEAD(&group->event_notifier_syscall_dispatch[i]); + } + +#ifdef CONFIG_COMPAT + if (!group->event_notifier_compat_syscall_dispatch) { + group->event_notifier_compat_syscall_dispatch = kzalloc(sizeof(struct list_head) + * ARRAY_SIZE(compat_sc_table), GFP_KERNEL); + if (!group->event_notifier_syscall_dispatch) + return -ENOMEM; + + /* Initialize all list_head */ + for (i = 0; i < ARRAY_SIZE(compat_sc_table); i++) + INIT_LIST_HEAD(&group->event_notifier_compat_syscall_dispatch[i]); + } +#endif + + if (!group->sys_enter_registered) { + ret = lttng_wrapper_tracepoint_probe_register("sys_enter", + (void *) syscall_entry_event_notifier_probe, group); + if (ret) + return ret; + group->sys_enter_registered = 1; + } + + return ret; +} + +static int create_matching_event_notifiers(struct lttng_event_notifier_enabler *event_notifier_enabler, + void *filter, const struct trace_syscall_entry *table, + size_t table_len, bool is_compat) +{ + struct lttng_event_notifier_group *group = event_notifier_enabler->group; + const struct lttng_event_desc *desc; + uint64_t user_token = event_notifier_enabler->base.user_token; + unsigned int i; + int ret = 0; + + /* iterate over all syscall and create event_notifier that match */ + for (i = 0; i < table_len; i++) { + struct lttng_event_notifier *event_notifier; + struct lttng_kernel_event_notifier event_notifier_param; + struct hlist_head *head; + int found = 0; + + desc = table[i].desc; + if (!desc) { + /* Unknown syscall */ + continue; + } + + if (!lttng_desc_match_enabler(desc, + lttng_event_notifier_enabler_as_enabler(event_notifier_enabler))) + continue; + + /* + * Check if already created. + */ + head = utils_borrow_hash_table_bucket(group->event_notifiers_ht.table, + LTTNG_EVENT_NOTIFIER_HT_SIZE, desc->name); + lttng_hlist_for_each_entry(event_notifier, head, hlist) { + if (event_notifier->desc == desc + && event_notifier->user_token == event_notifier_enabler->base.user_token) + found = 1; + } + if (found) + continue; + + memset(&event_notifier_param, 0, sizeof(event_notifier_param)); + strncat(event_notifier_param.event.name, desc->name, + LTTNG_KERNEL_SYM_NAME_LEN - strlen(event_notifier_param.event.name) - 1); + event_notifier_param.event.name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0'; + event_notifier_param.event.instrumentation = LTTNG_KERNEL_SYSCALL; + + event_notifier = _lttng_event_notifier_create(desc, user_token, group, + &event_notifier_param, filter, + event_notifier_param.event.instrumentation); + if (IS_ERR(event_notifier)) { + printk(KERN_INFO "Unable to create event_notifier %s\n", + desc->name); + ret = -ENOMEM; + goto end; + } + + event_notifier->u.syscall.syscall_id = i; + event_notifier->u.syscall.is_compat = is_compat; + } +end: + return ret; + +} + +int lttng_syscals_create_matching_event_notifiers(struct lttng_event_notifier_enabler *event_notifier_enabler, void *filter) +{ + int ret; + + ret = create_matching_event_notifiers(event_notifier_enabler, filter, sc_table, + ARRAY_SIZE(sc_table), false); + if (ret) + goto end; + + ret = create_matching_event_notifiers(event_notifier_enabler, filter, compat_sc_table, + ARRAY_SIZE(compat_sc_table), true); +end: + return ret; +} + +/* + * Unregister the syscall event_notifier probes from the callsites. + */ +int lttng_syscalls_unregister_event_notifier(struct lttng_event_notifier_group *event_notifier_group) +{ + int ret; + + /* + * Only register the event_notifier probe on the `sys_enter` callsite for now. + * At the moment, we don't think it's desirable to have one fired + * event_notifier for the entry and one for the exit of a syscall. + */ + if (event_notifier_group->sys_enter_registered) { + ret = lttng_wrapper_tracepoint_probe_unregister("sys_enter", + (void *) syscall_entry_event_notifier_probe, event_notifier_group); + if (ret) + return ret; + event_notifier_group->sys_enter_registered = 0; + } + + kfree(event_notifier_group->event_notifier_syscall_dispatch); +#ifdef CONFIG_COMPAT + kfree(event_notifier_group->event_notifier_compat_syscall_dispatch); +#endif + return 0; +} + int lttng_syscalls_unregister_event(struct lttng_channel *chan) { int ret; @@ -1099,6 +1310,23 @@ int lttng_syscall_filter_enable_event(struct lttng_channel *chan, return 0; } +int lttng_syscall_filter_enable_event_notifier( + struct lttng_event_notifier *event_notifier) +{ + struct lttng_event_notifier_group *group = event_notifier->group; + unsigned int syscall_id = event_notifier->u.syscall.syscall_id; + struct list_head *dispatch_list; + + if (event_notifier->u.syscall.is_compat) + dispatch_list = &group->event_notifier_compat_syscall_dispatch[syscall_id]; + else + dispatch_list = &group->event_notifier_syscall_dispatch[syscall_id]; + + list_add_rcu(&event_notifier->u.syscall.node, dispatch_list); + + return 0; +} + int lttng_syscall_filter_disable_event(struct lttng_channel *chan, struct lttng_event *event) { @@ -1159,6 +1387,13 @@ int lttng_syscall_filter_disable_event(struct lttng_channel *chan, return 0; } +int lttng_syscall_filter_disable_event_notifier( + struct lttng_event_notifier *event_notifier) +{ + list_del_rcu(&event_notifier->u.syscall.node); + return 0; +} + static const struct trace_syscall_entry *syscall_list_get_entry(loff_t *pos) { -- 2.34.1