To set a probe we use the following syntax:
<type>:<event name> <symbol> <fetch arguments>
Let's explain each of the mentioned parameters:
- type: This is either p for kprobe or r for a return probe.
- event name: This is optional and has the format <group/event>. If the group name is omitted, it defaults to kprobes, and if the event name is omitted, it is autogenerated based on the symbol. When an event name is given, it adds a directory under /sys/kernel/debug/tracing/events/kprobes/ with the following content:
- id: This is the ID of the probe event
- filter: This specifies user filtering rules
- format: This is the format of the probe event
- enabled: This is used to enable or disable the probe event
- symbol: This is either the symbol name plus an optional offset or the memory address where the probe is to be inserted.
- fetch arguments: These are optional and represent the information to extract with a maximum of 128 arguments. They have the following format:
<name>=<offset>(<argument>):<type>
Lets explain each of the mentioned parameters:
- name: This sets the argument name
- offset: This adds an offset to the address argument
- argument: This can be of the following format:
- %<register>: This fetches the specified register. For ARM these are:
- r0 to r10
- fp
- ip
- sp
- lr
- pc
- cpsr
- ORIG_r0
- @<address>: This fetches the memory at the specified kernel address
- @<symbol><offset>: This fetches the memory at the specified symbol and optional offset
- $stack: This fetches the stack address
- $stack<N>: This fetches the nth entry of the stack
- %<register>: This fetches the specified register. For ARM these are:
And for return probes we have:
-
- $retval: This fetches the return value
- type: This one sets the argument type used by kprobe to access the memory from the following options:
- u8, u16, u32, u64, for unsigned types
- s8, s16, s32, s64, for signed types
- string, for null terminated strings
- bitfield, with the following format:
b<bit-width>@<bit-offset>/<container-size>