System information

Kernel Probes 89

6.2.2 Jprobe

Jprobe is implemented through the kprobe mechanism. It is inserted on a function's

entry point and allows direct access to the arguments of the function which is being

probed. Its handler routine must have the same argument list and return value as the

probed function. It also has to end by calling the jprobe_return() function.

When jprobe is hit, the processor registers are saved, and the instruction pointer is

directed to the jprobe handler routine. The control then passes to the handler with

the same register contents as the function being probed. Finally, the handler calls the

jprobe_return() function, and switches the control back to the control function.

In general, you can insert multiple probes on one function. Jprobe is, however, limited

to only one instance per function.

6.2.3 Return Probe

Return probes are also implemented through kprobes. When the

register_kretprobe() function is called, a kprobe is attached to the entry of

the probed function. After hitting the probe, the Kernel probes mechanism saves the

probed function return address and calls a user-defined return handler. The control is

then passed back to the probed function.

Before you call register_kretprobe(), you need to set a maxactive argu-

ment, which specifies how many instances of the function can be probed at the same

time. If set too low, you will miss a certain number of probes.

6.3 Kernel probes API

Kprobe's programming interface consists of functions, which are used to register and

unregister all used kernel probes, and associated probe handlers. For a more detailed

description of these functions and their arguments, see the information sources in

Section6.5, “For More Information” (page91).

register_kprobe()

Inserts a break-point on a specified address. When the break-point is hit, the

pre_handler and post_handler are called.