Kernel Probes

Kprobes

Kernel Dynamic Probes (Kprobes) provides a lightweight interface for kernel modules to implant probes and register corresponding probe handlers. A probe is an automated breakpoint that is implanted dynamically in executing (kernel-space) modules without the need to modify their underlying source. Probes are intended to be used as an ad hoc service aid where minimal disruption to the system is required. They are particularly advocated in production environments where the use of interactive debuggers is undesirable. Kprobes also has substantial applicability in test and development environments. During test, faults may be injected or simulated by the probing module. In development, debugging code (for example a printk) may be easily inserted without having to recompile the module under test.

With each probe, a corresponding probe event handler address is specified. Probe event handlers run as extensions to the system breakpoint interrupt handler and are expected to have little or no dependence on system facilities. Because of this design point, probes are able to be implanted in the most hostile environments -- interrupt-time, task-time, disabled, inter-context switch and SMP-enabled code paths -- without adversely skewing system performance.

News

November 2, 2004  A single patch combining user-space probes, kernel watchpoint probes, and a Dprobes interface for Linux 2.6.9-final is released.
November 2, 2004  Individual patches for user-space probes, kernel watchpoint probes and a Dprobes interface for Linux 2.6.9-final are released.
November 2, 2004  Kprobes is now included in the main line kernel. No need to apply kprobes base patches. Download Linux version 2.6.9-rc2 and above.
July 13, 2004  A single patch combining Kprobes and Dprobes for linux-2.6.8-rc1 is released.
July 13, 2004  Kprobes patches for linux-2.6.8-rc1 are released.
June 1, 2004  A single patch combining Kprobes and Dprobes for linux-2.6.7-rc2 is released.

Kprobes Interfaces

Kprobes provides several interfaces for kernel space probes, user space probes and kernel watchpoint probes.

Kernel Space Probes Interface:

register_probe:

Registration defines the probe location, which must be at an instruction boundary that precedes any associated opcode prefixes. It also defines three call-back addresses for the probing module:

register_probe:

The user has to unregister explicitly all registered probes before removing the probe handling module.

User Space Probes Interface:

register_kprobe_user:

Registration of user space probes is defined for a pair of inode and offset within the executable where the probes need to be inserted. It is similar to kernel space probes registration.

unregister_kprobe_user:

Every registered user space probe must be unregistered. This interface must be called after all the probes for a given pair of inode and offset are removed.

insert_kprobe_user:

User space probes can be inserted into pages already present in memory, pages read in via the readpage routine of the inode's address space operations, or process private pages being swapped in. The user must ensure that the page containing the specified address (user->addr) is present in memory before calling this routine. The user must first register user space probes for a given pair of inode and offset before calling this routine to insert probes.

remove_kprobe_user:

This interface is used to remove a user space probe from a page at the given address. The user must ensure that the page containing the specified address (user->addr) is present in memory before calling this routine. Before unregistering, all the probes inserted at a given inode and offset must be removed.

Kernel Watchpoint Probes Interface:

register_kwatch:

Registers a kernel watchpoint and returns the debug register number allocated/used for setting up this watchpoint.

unregister_kwatch:

Unregisters the kernel watchpoint probes.

Extensions to Kprobes

Kprobes has been developed from the full Dynamic Probes patch. It includes the essential mechanism to enable probes in kernel space. Additional patches on top of Kprobes that provide support for kernel space probes, watchpoints and user space probes are also available. The char device interface for user space probe applications and the RPN Language Interpreter are part of the dprobes external module.

Documentation

View the Kprobes README

View Kprobes and DProbes white papers, presentations, and articles

Download

Download a single patch combining user-space probes, kernel watchpoint probes, and a Dprobes interface for Linux 2.6.9-final.

Download the full set of Kprobes patches for the 2.6.9-final kernel. It includes user-space probes and watchpoint probes. The Dprobes patches built over the Kprobes interface are also included.

Older releases

Download the Kprobes patches for the 2.4.21 kernel. Only the base kernel space probes patch and dprobes patches built over Kprobes interface are included.

The initial version of the Kprobes patches is also available.