0

How to print all kernel functions associated with a process a.out when it enters in kernel mode. i.e.; I want to filter out the kernel functions for a specific pid/execname. Following is an stap script I created to trace the kernel functions associated with mm when process executes in kernel mode. This never succeed for me and I guess this is due to the volume of symbols stap is trying to track.

root@test:~/systemtap# cat test9.stp
#! /usr/bin/env stap

global traces

probe kernel.function("*@mm/*.c") {
  traces[pid(), pexecname(), backtrace()] ++
}
probe end {
  foreach ([pid, name, stack] in traces-) {
    printf ("traces[%d,%s,\n", pid, name)
    print_stack (stack)
    printf ("] = %d\n", traces[pid, name, stack]);
  }
}
root@test:~/systemtap# stap test9.stp
WARNING: probe kernel.function("is_errata93@/build/linux-pm2SeW/linux-5.15.0/arch/x86/mm/fault.c:417") (address 0xffffffffb329ebd4) registration error [man warning::pass5] (rc -22)
WARNING: probe kernel.function("do_sigbus@/build/linux-pm2SeW/linux-5.15.0/arch/x86/mm/fault.c:934") (address 0xffffffffb329ef28) registration error [man warning::pass5] (rc -22)
WARNING: probe kernel.function("spurious_kernel_fault@/build/linux-pm2SeW/linux-5.15.0/arch/x86/mm/fault.c:1007") (address 0xffffffffb329ef40) registration error [man warning::pass5] (rc -22)
WARNING: probe kernel.function("exc_page_fault@/build/linux-pm2SeW/linux-5.15.0/arch/x86/mm/fault.c:1497") (address 0xffffffffb3f9e780) registration error [man warning::pass5] (rc -22)
WARNING: probe kernel.function("do_user_addr_fault@/build/linux-pm2SeW/linux-5.15.0/arch/x86/mm/fault.c:1220") (address 0xffffffffb329e8d0) registration error [man warning::pass5] (rc -22)
WARNING: probe kernel.function("do_kern_addr_fault@/build/linux-pm2SeW/linux-5.15.0/arch/x86/mm/fault.c:1147") (address 0xffffffffb329f170) registration error [man warning::pass5] (rc -22)
WARNING: Missing unwind data for a module, rerun with 'stap -d kernel'
WARNING: too many pending (warning) messages
ERROR: too many pending (error) messages
WARNING: Number of errors: 1, skipped probes: 1891693
WARNING: /usr/bin/staprun exited with status: 1
Pass 5: run failed.  [man error::pass5]
Number of similar warning messages suppressed: 38.
Rerun with -v to see them.
Franc
  • 229
  • 3
  • 15
  • just to confirm, you mean *system calls*, when you say "kernel functions", right? The amount of "kernel function" would strictly talking be *none*, because userland processes cannot directly do a function call into the kernel space. (there's also things that are kind of in the middle, VDSO, but let's not go there.) – Marcus Müller Oct 26 '22 at 09:24
  • @MarcusMüller, it is possible to get in systemtap information about kernel functions that are triggered by a process. System calls are just interfaces to the kernel, where the actual things get done. So generally speaking the question is valid. Practically, a process might trigger hundreds or even thousands of kernel functions in short time. Tracking *ALL* of them might generate so much information that the systemtap script would probably generate a runtime error (in the best case), or even crash the machine. You would need to focus on specific kernel modules/source files to limit the volume. – aviro Oct 26 '22 at 10:08
  • @aviro true, I might have interpreted "as part of a process" too literally. And I also agree: the signal-to-noise ratio would effectively render the data useless, unless you *really* know how to get that trace amount out of the kernel quickly enough. – Marcus Müller Oct 26 '22 at 10:17
  • @aviro, right. I am looking for the kernel functions when the process switch to kernel mode. I agree, tracking ALL would generate a lot of information or script may fail. At least can we track a specific kernel function with a filter for a specific pid/execname. – Franc Oct 26 '22 at 12:59
  • I mean that EVEN you just filter specific pid, you'll have the same problem. systemtap will still need to probe ALL of the kernel functions - and there are thousands of them (probably more), and the load on probing all of them would probably kill the system (I'm telling you that from experience). And even if it won't, the volume of the output would be huge and you won't be able to understand anything. Why do you need this data? What are you trying to achieve? – aviro Oct 26 '22 at 13:12
  • I am trying to track a kernel function alloc_pages() being called when process in kernel mode. When I track without any filter, it prints a lot of alloc_pages() called from many other applications which I am not interested in. – Franc Oct 26 '22 at 13:27
  • Please [edit](https://unix.stackexchange.com/posts/722492/edit) your question and add there the script you already have. I'll tell you how to filter it by pid. – aviro Oct 26 '22 at 13:37
  • @aviro, I edited my question – Franc Oct 26 '22 at 14:08

1 Answers1

0

systemtap has the following flag:

   -x PID Sets target() to PID. This allows scripts to  be  written  that  filter  on  a  specific
          process. Scripts run independent of the PID's lifespan.

If you run your script with -x <pid> flag, calling target() inside the script will return the pid you provided.

stap test9.stp -x <pid>

Then you can use it the following way inside your script:

probe kernel.function("*@mm/*.c") {
  if (pid() == target()) {
    traces[pid(), pexecname(), backtrace()] ++
  }
}
aviro
  • 3,683
  • 9
  • 21