4

I am using kprobe command to trace some kernel functions. The command I use is:

kprobe "p:balance_pgdat"

But getting following errors:

ERROR: func balance_pgdat not in 

/sys/kernel/debug/tracing/available_filter_functions.
Either it doesn't exist, or, it might be unsafe to kprobe. Existing. Use -F to override.

I have checked that balance_pgdat is not in available_filter_functions. But, based on my understanding, the functions can not be traced are kept in /sys/kernel/debug/kprobes/blacklist, why are there other functions are not working for kprobe ?

Appreciate anyone's help!

Chen Wei
  • 392
  • 2
  • 12
  • 1
    You have checked that the function is available in the kernel, right? If not, see what `grep balance_pgdat /proc/kallsyms` outputs. On my system, `balance_pgdat()` seems to be inlined into its callers and does not exist as an independent entity. – Eugene Aug 22 '17 at 08:41
  • Another things is that, from my understanding, `/sys/kernel/debug/tracing/available_filter_functions` lists only the functions where Ftrace can be used. Some functions, however, may have no Ftrace hooks. Such functions will not be listed there. Kprobes can utilize Ftrace but can be used independently too. One has to place them using a kernel module in that case though (example: http://elixir.free-electrons.com/linux/v4.12/source/samples/kprobes/kprobe_example.c). – Eugene Aug 22 '17 at 08:47
  • @Eugene or one can use an eBPF program (e.g., http://elixir.free-electrons.com/linux/latest/source/samples/bpf/tracex2_kern.c). – pchaigno Aug 22 '17 at 09:08
  • @pchaigno: Yes, eBPF programs can be used with Kprobes. Still, I suspect `balance_pgdat` is simply inlined / optimized away by the compiler in that kernel. However, neither kernel version nor distro were specified, so it is up to the author of this question to check that. – Eugene Aug 22 '17 at 14:01
  • hi, all thanks for all your help. The kernel version I used was 4.12.8. I have checked /pro/kallsyms and it did not show up there. Can I use "attribute((noinline))" to prevent it from inlining ? How can I identify a function is inline or optimized by the compiler ?(I can only tell by inline decralative). – Chen Wei Aug 22 '17 at 15:53
  • 1
    Yes, you can try "attribute((noinline))" or, more convenient, [noinline macro](http://elixir.free-electrons.com/linux/v4.12.9/source/include/linux/compiler-gcc.h#L88) which is defined exactly that way. IIRC, it does not always guarantee that GCC will not inline that function but it does in many cases. After you have built the kernel, you can use `nm` or, say, `objdump` on the relevant binaries to check which functions are present there and which are not. – Eugene Aug 27 '17 at 08:53

0 Answers0