[lttng-dev] lttng kretprobe issue

Mathieu Desnoyers mathieu.desnoyers at efficios.com
Thu Jun 5 14:57:56 EDT 2014 

Please reply to the list. 

I don't know, this is _your_ research :) 

Thanks, 

Mathieu 

----- Original Message -----

> From: "tarek slaymia" <tarek.slaymia at gmail.com>
> To: "Mathieu Desnoyers" <mathieu.desnoyers at efficios.com>
> Sent: Thursday, June 5, 2014 2:50:50 PM
> Subject: Re: [lttng-dev] lttng kretprobe issue

> thanks Mathiew.
> what i'm trying to do exacltly is changing the address of sys_write in the
> sys_call_table by a new function.
> i wanna check if the sys_call_table[__NR_write] contains the address of my
> new function instead of the address of sys_write after loading my module.
> How can i check this change using lttng ?
> Thanks in advance !

> 2014-06-05 13:08 GMT-04:00 Mathieu Desnoyers < mathieu.desnoyers at efficios.com
> > :

> > > From: "tarek slaymia" < tarek.slaymia at gmail.com >
> > 
> 
> > > To: lttng-dev at lists.lttng.org , lttng-dev-request at lists.lttng.org
> > 
> 
> > > Sent: Thursday, May 29, 2014 3:53:10 PM
> > 
> 
> > > Subject: [lttng-dev] lttng kretprobe issue
> > 
> 

> > > Hi all
> > 
> 

> > > when i replace a syscall function address for example sys_write using
> > > this
> > > function in my LKM module :
> > 
> 

> > > xchg(&sys_call_table[__NR_write],my_own_write);
> > 
> 

> > > In the normal case the content of sys_call_table[__NR_write] address
> > > changes
> > > and it displays the address of my_own_write using debug technique .
> > 
> 

> > > I have an issue when tracing this change using lttng kretprobe :
> > 
> 

> > > lttng enable-event sys_write -k --function sys_write
> > 
> 

> > > The ip value of sys_write ( the same address of
> > > sys_call_table[__NR_write]
> > > )
> > > remains the same even after changing it by the new function address
> > > (address
> > > of my_own_write)
> > 
> 
> > > Why the ip value of sys_write syscall displayed in lttng traces remains
> > > the
> > > same even after changing it ?
> > 
> 

> > sys_write is a symbol, and its address does not change. You place the
> 
> > kretprobe on the symbol.
> 

> > What you are overwriting is the content of the sys_call_table array, not
> 
> > the address of the sys_write symbol.
> 

> > So the resulting behavior is very much expected.
> 

> > Thanks,
> 

> > Mathieu
> 

> > > Best regards.
> > 
> 

> > > _______________________________________________
> > 
> 
> > > lttng-dev mailing list
> > 
> 
> > > lttng-dev at lists.lttng.org
> > 
> 
> > > http://lists.lttng.org/cgi-bin/mailman/listinfo/lttng-dev
> > 
> 

> > --
> 
> > Mathieu Desnoyers
> 
> > EfficiOS Inc.
> 
> > http://www.efficios.com
> 

-- 
Mathieu Desnoyers 
EfficiOS Inc. 
http://www.efficios.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lttng.org/pipermail/lttng-dev/attachments/20140605/78865a4c/attachment.html>

More information about the lttng-dev mailing list