Thread: 3 messages, 2 authors, 2023-08-06

Re: confused about kprobes

From: Nam Cao <hidden>
Date: 2023-08-06 14:28:17
Also in: lkml

On Sun, Aug 06, 2023 at 09:31:50PM +0900, Masami Hiramatsu wrote:
> Hi Nam,
> 
> On Sun, 6 Aug 2023 13:18:28 +0200
> Nam Cao [off-list ref] wrote:
> > Hello,
> > 
> > I am struggling to understand how kprobes work. It would be very nice if someone
> > could spare the time to explain it to me. I'm confused about this function in particular:
> > 
> > /*
> >  * Return an optimized kprobe whose optimizing code replaces
> >  * instructions including 'addr' (exclude breakpoint).
> >  */
> > static struct kprobe *get_optimized_kprobe(kprobe_opcode_t *addr)
> > {
> > 	int i;
> > 	struct kprobe *p = NULL;
> > 	struct optimized_kprobe *op;
> > 
> > 	/* Don't check i == 0, since that is a breakpoint case. */
> > 	for (i = 1; !p && i < MAX_OPTIMIZED_LENGTH / sizeof(kprobe_opcode_t); i++)
> > 		p = get_kprobe(addr - i);
> > 
> > 	if (p && kprobe_optready(p)) {
> > 		op = container_of(p, struct optimized_kprobe, kp);
> > 		if (arch_within_optimized_kprobe(op, addr))
> > 			return p;
> > 	}
> > 
> > 	return NULL;
> > }
> > 
> > The document mentions something about optimizing by replacing trap instructions
> > with jump instructions, so I am assuming this function is part of that.
> 
> Yes, you're right.
> 
> > But I
> > fail to see what this function is trying to do exactly. The for loop seems to
> > call get_kprobe at addresses immediately before "addr". But what for? What is
> > at the addresses before "addr"?
> 
> This is for finding a jump-optimized kprobe which will modify the instruction
> pointed to by 'addr'. As you may know, on x86, the software-breakpoint
> instruction is 1 byte, but the jump will be 5 bytes. In that case, if we put
> something at an instruction including 'addr', it will be ignored or it will break
> the jump instruction. So it is used for finding such an optimized kprobe.
> 
> For the kprobe, the jump optimization is optional and hidden from the user. We
> should prioritize adding kprobes at specified locations over optimization.
> Thus if we find such an optimized kprobe, it must be unoptimized.

Thank you so much for the detailed answer, it is clear now.

Best regards,
Nam
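The backward search that Masami explains above, as an added user-space model (this is not kernel code and not from either author). It assumes the x86 sizes given in the thread (a 1-byte software breakpoint, a 5-byte jump), stands in a small fixed array for the kernel's kprobe hash table, and uses hypothetical `model_*` names for the counterparts of get_kprobe(), kprobe_optready() and arch_within_optimized_kprobe(). The point it shows is why the loop starts at i == 1 and walks back up to 4 bytes: a probe placed inside another probe's jump would land in the middle of that jump's bytes, so the earlier probe has to be found and unoptimized first.

```c
/* Added example: user-space model of get_optimized_kprobe(). Not kernel code.
 * Assumptions (constructed): x86 encoding sizes, a fixed table of probes,
 * and that every optimized probe's jump spans MAX_OPTIMIZED_LENGTH bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPTIMIZED_LENGTH 5   /* bytes of a relative jmp on x86 (assumed) */
#define OPCODE_SIZE          1   /* sizeof(kprobe_opcode_t) on x86 (assumed) */
#define MAX_PROBES           8

/* Stand-in for struct kprobe / struct optimized_kprobe (hypothetical). */
struct model_kprobe {
    uintptr_t addr;   /* address of the probed instruction */
    int optimized;    /* 1 if the breakpoint was replaced by a jump */
};

static struct model_kprobe table[MAX_PROBES];
static int nprobes;

void model_reset(void) { nprobes = 0; memset(table, 0, sizeof table); }

/* Register a probe; returns 0 on success, -1 if the table is full. */
int model_register(uintptr_t addr, int optimized) {
    if (nprobes >= MAX_PROBES) return -1;
    table[nprobes].addr = addr;
    table[nprobes].optimized = optimized;
    nprobes++;
    return 0;
}

/* Counterpart of get_kprobe(): exact-address lookup only. */
static struct model_kprobe *model_get_kprobe(uintptr_t addr) {
    for (int i = 0; i < nprobes; i++)
        if (table[i].addr == addr) return &table[i];
    return NULL;
}

/* Counterpart of arch_within_optimized_kprobe(): is 'addr' one of the
 * bytes overwritten by the jump that was written at op->addr? */
static int model_within_optimized(const struct model_kprobe *op, uintptr_t addr) {
    return addr >= op->addr && addr < op->addr + MAX_OPTIMIZED_LENGTH;
}

/* Model of get_optimized_kprobe(): skip i == 0 (a probe exactly at 'addr' is
 * the plain breakpoint case handled elsewhere), walk back over the bytes a
 * jump could span, stop at the nearest registered probe, and report it only
 * if it is optimized and its jump really covers 'addr'. */
struct model_kprobe *model_get_optimized_kprobe(uintptr_t addr) {
    struct model_kprobe *p = NULL;
    for (size_t i = 1; !p && i < MAX_OPTIMIZED_LENGTH / OPCODE_SIZE; i++)
        p = model_get_kprobe(addr - i * OPCODE_SIZE);
    if (p && p->optimized && model_within_optimized(p, addr))
        return p;
    return NULL;
}

/* Convenience for callers: address of the optimized probe that would have to
 * be unoptimized before a probe can go at 'addr', or 0 if there is none. */
uintptr_t model_find_conflict(uintptr_t addr) {
    struct model_kprobe *p = model_get_optimized_kprobe(addr);
    return p ? p->addr : 0;
}

int main(void) {
    model_reset();
    model_register(0x1000, 1);   /* jump-optimized probe covering 0x1000..0x1004 */
    for (uintptr_t a = 0x1000; a <= 0x1006; a++)
        printf("probe at 0x%lx: conflicting optimized probe at 0x%lx\n",
               (unsigned long)a, (unsigned long)model_find_conflict(a));
    return 0;
}
```

Queries at 0x1001 through 0x1004 report the probe at 0x1000 (the jump's remaining bytes), 0x1005 and beyond report nothing, and 0x1000 itself reports nothing because i == 0 is deliberately skipped. A probe that is registered but not optimized is found by the walk yet rejected, mirroring the kprobe_optready() check.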