1 Reply Latest reply on May 4, 2009 7:18 PM by ecollins

    Fix for linux26-32-process.emt

    nitingupta Novice

      I noticed junk returned by curprocname() defined in linux26-32-process.emt (included in vprobe-toolkit)


The following patch fixes it:

      $ diff -u /tmp/linux26-32-process.emt vp/linux26-32-process.emt
      --- /tmp/linux26-32-process.emt 2009-04-04 00:03:42.182700000 +0530
      +++ vp/linux26-32-process.emt   2009-04-03 23:58:58.436700000 +0530
      @@ -45,7 +45,7 @@
             _pidOffset = offatret("sys_getpid");
             _nameOffset = offatstrcpy("get_task_comm");
      -   return RSP & 0xffffe000;
      +   return RSP & 0xfffff000;
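Review bot: the new mask hard-codes a 4K kernel stack (THREAD_SIZE - 1 = 0xfff) just as the old one hard-coded 8K, so a guest built without CONFIG_4KSTACKS will now get the wrong thread_info base whenever RSP sits in the upper 4K page of its 8K stack. Consider deriving the mask from the guest's stack size (or making it a named constant with a comment) rather than swapping one literal for another, and note the CONFIG_4KSTACKS assumption next to the `return RSP & 0xfffff000;` line so the next reader knows why the value differs from the earlier one.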



      This is because all recent Linux kernels have 4K per-process kernel stack.

      $ cat /boot/config- | grep 4KSTACKS



BTW, where can I find documentation for 'offatret()' and 'offatstrcpy()' used in curthrptr()?




        • 1. Re: Fix for linux26-32-process.emt
          ecollins Lurker

          Hi Nitin,


Thanks for the bug fix, checked it into the vprobe toolkit.


Apologies for the limited documentation of offat, there should be more thorough vp docs in the next release. These functions are used to fish out the offset of a struct member from the guest. e.g. offatret("sys_getpid") resolves the function address for sys_getpid (using the mapping provided by the vprobe.guestSyms vmx option), looks for the last instruction in the function that did a mov to RAX (where the return value is placed) and returns the offset used in the mov. e.g. in "movslq 0x108(%rax),%rax" it would return 0x108, this is the offset of the member we're looking for (RAX points to the struct and 0x108 is the offset of the member in that struct). We can then read the value of the member by using getguest and using this offset and the pointer to a struct (e.g. the current thread pointer). The offat functions work similarly.
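An added example, not code from the vprobe toolkit or from either poster, showing the two mechanisms discussed in this thread: the offatret() heuristic described in the reply (scan a function's disassembly for the last mov into RAX and return its displacement) and the RSP mask from the patch (round the stack pointer down to the base of the kernel stack, where thread_info lives). The disassembly is constructed objdump-style text; only the 0x108 displacement comes from the reply, and the restriction to movs with a displacement(base) memory source is an assumption of this example, not something the thread states.

```python
import re
from typing import Optional

# Constructed objdump-style AT&T disassembly of a sys_getpid-like function.
# Addresses and instruction bytes are made up; 0x108 is the displacement
# quoted in the reply above, 0x2b8 is a decoy earlier mov into %rax.
SAMPLE_DISASM = """\
ffffffff8104a2c0 <sys_getpid>:
ffffffff8104a2c0:  65 48 8b 04 25 00 00 00 00   mov    %gs:0x0,%rax
ffffffff8104a2c9:  48 8b 80 b8 02 00 00         mov    0x2b8(%rax),%rax
ffffffff8104a2d0:  48 63 80 08 01 00 00         movslq 0x108(%rax),%rax
ffffffff8104a2d7:  c3                           retq
"""

# One objdump line of the form "addr:  bytes   mov*   disp(%reg),%rax".
_MOV_TO_RAX = re.compile(
    r"^\s*[0-9a-f]+:\s+(?:[0-9a-f]{2}\s)+\s*mov[a-z]*\s+"
    r"(-?0x[0-9a-f]+)\(%[a-z0-9]+\),%rax\s*$"
)


def offatret(disasm: str) -> Optional[int]:
    """Mimic the offatret() heuristic from the reply: walk the function's
    disassembly and return the displacement used by the LAST mov whose
    destination is %rax (the return-value register).  Assumption: only
    movs with a displacement(base) memory source are considered, since
    those are the ones that carry a struct-member offset."""
    offset = None
    for line in disasm.splitlines():
        m = _MOV_TO_RAX.match(line)
        if m:
            offset = int(m.group(1), 16)   # keep overwriting: last one wins
    return offset


def stack_base(sp: int, stack_size: int, width: int = 32) -> int:
    """Round a stack pointer down to the base of its kernel stack, i.e. the
    page that holds thread_info.  This is the `RSP & mask` in the patch:
    stack_size=4096 gives 0xfffff000, stack_size=8192 gives 0xffffe000.
    With 4K stacks the 8K mask can land on the neighbouring task's stack."""
    mask = ~(stack_size - 1) & ((1 << width) - 1)
    return sp & mask
```

stack_base(0xc0123abc, 4096) and stack_base(0xc0123abc, 8192) differ by a page, which is exactly the symptom the original post reports as junk from curprocname().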