Re: [PATCH v2 1/2] tracing: Add task_prctl_unknown tracepoint

From: Mathieu Desnoyers
Date: Thu Nov 07 2024 - 10:54:16 EST

Next message: Alexander Stein: "Re: [PATCH 2/3] arm64: dts: freescale: Add i.MX91 dtsi support"
Previous message: Steven Rostedt: "Re: [PATCH v2 1/2] tracing: Add task_prctl_unknown tracepoint"
In reply to: Steven Rostedt: "Re: [PATCH v2 1/2] tracing: Add task_prctl_unknown tracepoint"
Next in thread: Marco Elver: "Re: [PATCH v2 1/2] tracing: Add task_prctl_unknown tracepoint"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2024-11-07 10:46, Marco Elver wrote:

On Thu, 7 Nov 2024 at 16:45, Mathieu Desnoyers
<mathieu.desnoyers@xxxxxxxxxxxx> wrote:

On 2024-11-07 07:25, Marco Elver wrote:

prctl() is a complex syscall which multiplexes its functionality based
on a large set of PR_* options. Currently we count 64 such options. The
return value of unknown options is -EINVAL, and doesn't distinguish from
known options that were passed invalid args that also return -EINVAL.

To understand if programs are attempting to use prctl() options not yet
available on the running kernel, provide the task_prctl_unknown
tracepoint.

Note, this tracepoint is in an unlikely cold path, and would therefore
be suitable for continuous monitoring (e.g. via perf_event_open).

While the above is likely the simplest usecase, additionally this
tracepoint can help unlock some testing scenarios (where probing
sys_enter or sys_exit causes undesirable performance overheads):

a. unprivileged triggering of a test module: test modules may register a
probe to be called back on task_prctl_unknown, and pick a very large
unknown prctl() option upon which they perform a test function for an
unprivileged user;

b. unprivileged triggering of an eBPF program function: similar
as idea (a).

Example trace_pipe output:

test-484 [000] ..... 631.748104: task_prctl_unknown: comm=test option=1234 arg2=101 arg3=102 arg4=103 arg5=104

My concern is that we start adding tons of special-case
tracepoints to the implementation of system calls which
are redundant with the sys_enter/exit tracepoints.

Why favor this approach rather than hooking on sys_enter/exit ?

It's __extremely__ expensive when deployed at scale. See note in
commit description above.

I suspect you base the overhead analysis on the x86-64 implementation
of sys_enter/exit tracepoint and especially the overhead caused by
the SYSCALL_WORK_SYSCALL_TRACEPOINT thread flag, am I correct ?

If that is causing a too large overhead, we should investigate if
those can be improved instead of adding tracepoints in the
implementation of system calls.

Thanks,

Mathieu

--
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com

Next message: Alexander Stein: "Re: [PATCH 2/3] arm64: dts: freescale: Add i.MX91 dtsi support"
Previous message: Steven Rostedt: "Re: [PATCH v2 1/2] tracing: Add task_prctl_unknown tracepoint"
In reply to: Steven Rostedt: "Re: [PATCH v2 1/2] tracing: Add task_prctl_unknown tracepoint"
Next in thread: Marco Elver: "Re: [PATCH v2 1/2] tracing: Add task_prctl_unknown tracepoint"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]