This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



[RFC][Patch 0/2] kprobe: kprobe-booster against 2.6.14-mm1 for i386


Hi,

I am publishing a couple of kprobe-booster patches in the next mails.
With the kprobe-booster patch, kprobes execute a copied
instruction directly and (if needed) jump back to the original code.
This direct execution is done when the kprobe does not have
a post_handler or a break_handler, and the copied instruction
can be executed directly.

What kinds of instructions can be executed directly, and which cannot?
- Call instructions are NG. We should correct the return
  address pushed onto the top of the stack.
- Indirect instructions except for absolute indirect jumps
  are NG. Those instructions change EIP randomly. We should
  check EIP and correct it.
- Instructions that change EIP beyond the range of the
  instruction buffer are NG.
- Instructions that change EIP into the tail 5 bytes of the
  instruction buffer (that is the size of a jump instruction).
  We must write a jump instruction in the instruction buffer
  which jumps back to the original kernel code.
- The breakpoint instruction is NG. We should not touch EIP and
  should pass it to the other handlers.
- Absolute direct/indirect jumps are OK.
- Other instructions are OK, but those instructions need
  jump-back code.

Kprobe-booster checks instructions in the resume_execution()
function. If an instruction can be executed directly, it sets the
"boostable" flag.
In kprobe_handler(), kprobe checks the "boostable" flag.
If the flag is set, it resets the current kprobe and executes the
instruction buffer directly instead of single-stepping.

Best Regards,

-- 
Masami HIRAMATSU
2nd Research Dept.
Hitachi, Ltd., Systems Development Laboratory
E-mail: hiramatu@sdl.hitachi.co.jp
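Added example, not code from the patch series or from the post above: a user-space C model of the boostability rules listed in the mail, applied after the first single-step, together with the jump-back instruction that gets written into the copied-instruction buffer. The 16-byte buffer size, the 5-byte jmp rel32, the opcode sets and the function names are assumptions made for illustration.

```c
#include <stdint.h>
/* Assumed sizes for this model: a 16-byte copied-instruction buffer and a
 * 5-byte "jmp rel32" for the jump-back. */
#define MAX_INSN_SIZE     16
#define RELATIVEJUMP_SIZE 5

enum boost { BOOST_NG = 0, BOOST_OK_DIRECT = 1, BOOST_OK_JUMP_BACK = 2 };
static uint8_t demo_buf[MAX_INSN_SIZE];   /* stands in for the kprobe's insn buffer */
/* Decide boostability after the first single-step: look at the opcode of the
 * copied instruction and at where EIP ended up relative to the buffer. */
enum boost classify_after_single_step(const uint8_t *insn, uintptr_t buf,
                                      uintptr_t new_eip,
                                      int has_post_handler, int has_break_handler)
{
    uint8_t op = insn[0], modrm_reg = (insn[1] >> 3) & 7;
    if (has_post_handler || has_break_handler)
        return BOOST_NG;            /* those handlers need the single-step trap */
    switch (op) {
    case 0xe8: case 0x9a:           /* call rel32 / call far: the return address */
        return BOOST_NG;            /* pushed on the stack would need correcting */
    case 0xc2: case 0xc3: case 0xca: case 0xcb: case 0xcf:
        return BOOST_NG;            /* ret / iret: EIP is taken from the stack */
    case 0xcc:
        return BOOST_NG;            /* int3: leave EIP to the other handlers */
    case 0xea:
        return BOOST_OK_DIRECT;     /* jmp far absolute: no jump-back needed */
    case 0xff:
        if (modrm_reg == 2 || modrm_reg == 3)
            return BOOST_NG;        /* call near/far indirect */
        if (modrm_reg == 4 || modrm_reg == 5)
            return BOOST_OK_DIRECT; /* jmp near/far absolute indirect */
        break;
    }
    /* Anything else is OK only if EIP is still inside the buffer and short of
     * the tail 5 bytes, which are reserved for the jump-back instruction. */
    if (new_eip <= buf || new_eip > buf + MAX_INSN_SIZE - RELATIVEJUMP_SIZE)
        return BOOST_NG;
    return BOOST_OK_JUMP_BACK;
}
/* Write "jmp rel32" at buf[off], targeting the instruction that follows the
 * probed one in the original kernel text. Returns the rel32 displacement. */
int32_t write_jump_back(uint8_t *buf, unsigned off, uintptr_t orig_next)
{
    int32_t rel = (int32_t)(orig_next - ((uintptr_t)buf + off + RELATIVEJUMP_SIZE));
    buf[off] = 0xe9;
    for (int i = 0; i < 4; i++)     /* x86 is little-endian */
        buf[off + 1 + i] = (uint8_t)((uint32_t)rel >> (8 * i));
    return rel;
}
```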

