VMware {code} Community
nitingupta
Contributor

Fix for linux26-32-process.emt

I noticed junk returned by curprocname() defined in linux26-32-process.emt (included in vprobe-toolkit).

The following patch fixes it:

$ diff -u /tmp/linux26-32-process.emt vp/linux26-32-process.emt
--- /tmp/linux26-32-process.emt 2009-04-04 00:03:42.182700000 +0530
+++ vp/linux26-32-process.emt   2009-04-03 23:58:58.436700000 +0530
@@ -45,7 +45,7 @@
       _pidOffset = offatret("sys_getpid");
       _nameOffset = offatstrcpy("get_task_comm");
    }
-   return RSP & 0xffffe000;
+   return RSP & 0xfffff000;
 }
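
Review bot: the new mask in `return RSP & 0xfffff000;` hardcodes a 4K kernel stack in the same way the old `0xffffe000` hardcoded 8K, so a guest kernel built without CONFIG_4KSTACKS would get the wrong base from this function after the change. Consider deriving the mask from a stack-size setting, or at least a named constant with a comment stating the 4K assumption, so both configurations are covered.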

This is because all recent Linux kernels have a 4K per-process kernel stack.

$ cat /boot/config-2.6.27.19-170.2.35.fc10.i686 | grep 4KSTACKS

CONFIG_4KSTACKS=y

BTW, where can I find documentation for 'offatret()' and 'offatstrcpy()' used in curthrptr()?

Thanks,

Nitin

ecollins
Contributor

Hi Nitin,

Thanks for the bug fix, checked it into the vprobe toolkit.

Apologies for the limited documentation of offat, there should be more thorough vp docs in the next release. These functions are used to fish out the offset of a struct member from the guest. E.g. offatret("sys_getpid") resolves the function address for sys_getpid (using the mapping provided by the vprobe.guestSyms vmx option), looks for the last instruction in the function that did a mov to RAX (where the return value is placed) and returns the offset used in the mov. E.g. in "movslq 0x108(%rax),%rax" it would return 0x108; this is the offset of the member we're looking for (RAX points to the struct and 0x108 is the offset of the member in that struct). We can then read the value of the member by using getguest and using this offset and the pointer to a struct (e.g. the current thread pointer). The offat functions work similarly.

Thanks,

Eli

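
The offset-recovery heuristic described in the reply above, sketched in Python as an added example (not code from the vprobe toolkit or from either poster). The names `offset_at_ret` and `member_address` are hypothetical, the disassembly listing is constructed, and accepting EAX alongside RAX for 32-bit guests is an assumption.

```python
import re

# One AT&T-syntax load through a base register: "mov* disp(%base),%dest".
# Indexed forms such as 0x8(%rax,%rbx,4) are deliberately not handled.
_LOAD = re.compile(r"\bmov\w*\s+(-?0x[0-9a-fA-F]+)?\(%(\w+)\)\s*,\s*%(\w+)\s*$")
_RETURN_REGS = {"rax", "eax"}  # assumption: also accept EAX for 32-bit guests

# Constructed listing of a small getter (addresses and bytes omitted).
SAMPLE_GETTER = """\
push   %rbp
mov    %gs:0x0,%rax
mov    0x1f0(%rax),%rax
movslq 0x108(%rax),%rax
pop    %rbp
ret
"""


def offset_at_ret(disassembly: str) -> int:
    """Return the displacement of the last mov-family load into RAX/EAX."""
    offset = None
    for line in disassembly.splitlines():
        match = _LOAD.search(line.strip())
        if match and match.group(3) in _RETURN_REGS:
            disp = match.group(1)
            # "(%rax),%rax" has no displacement: the member sits at offset 0.
            offset = int(disp, 16) if disp else 0
    if offset is None:
        raise ValueError("no load into the return register found")
    return offset


def member_address(struct_ptr: int, offset: int) -> int:
    """Guest address a probe would read to fetch the member."""
    return struct_ptr + offset


if __name__ == "__main__":
    off = offset_at_ret(SAMPLE_GETTER)
    print(hex(off), hex(member_address(0xC1235000, off)))
```

Because only the last load into the return register is kept, the earlier `0x1f0` load and the segment-relative `mov %gs:0x0,%rax` do not affect the result.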