Confusing Intel Processor Trace (Intel PT) generated by a Linux syscall

yongkangli

New Member, joined Jan 7, 2023
Hi,

I ran into some confusing results from Intel Processor Trace (Intel PT) when I wanted to know every instruction executed in the kernel during a system call. I was not able to align the trace with the kernel code. I am not 100% sure that my understanding of the Linux system call mechanism or of Intel PT is completely correct. Any help would be greatly appreciated!

So, according to my understanding, the control flow was as follows. After the `syscall` instruction, the IP register was set to the value of IA32_LSTAR (which is 0xffffffffa6c00000 on my machine; the KASLR offset is 0x25000000), and the 113510th line of the trace file recorded this. 0xffffffffa6c00000 - 0x25000000 = 0xffffffff81c00000, which is the address of the function `entry_SYSCALL_64`. Then the CPU executed each instruction until 0xffffffff81c0000c, which is an unconditional direct jump to 0xffffffff81c00020. Then the CPU executed until 0xffffffff81c00077, which is a call to `do_syscall_64` (0xffffffff81bdc3e0). In `do_syscall_64`, the CPU executed until 0xffffffff81bdc3f7, which is a call to `syscall_enter_from_user_mode` (0xffffffff81be0580). In `syscall_enter_from_user_mode`, the CPU executed until 0xffffffff81be0587, which is an indirect call. So I was expecting to read a Target IP packet from Intel PT. However, what I got next is a Taken/Not-Taken packet.

Would there be any comments on this? Any guidance would be greatly appreciated!

For your reference, I uploaded the demo program dump file (demp.dump), the trace file (pt.log) and the kernel dump file (vmlinux.dump) to Dropbox, and you can download the files there. The link is as follows.


Thanks!
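The post hinges on telling a Taken/Not-Taken (TNT) packet apart from a Target IP (TIP) packet in the raw trace. The following decoder is an added example, not code from the post or from any Intel PT tool, that implements the short TNT and TIP-family encodings and the IP compression rules from the Intel SDM (Vol. 3, Intel Processor Trace chapter): TNT bytes have bit 0 clear with a stop bit marking the oldest branch, TIP bytes carry an opcode in bits 4:0 and an IPBytes field in bits 7:5 that says how much of the address is in the payload and how the rest is filled from the previous IP. The byte stream it decodes is constructed for the example; the addresses in it reuse the IA32_LSTAR value and kernel addresses quoted above purely as sample data.

```c
/* Minimal Intel PT packet decoder: PAD, short TNT, TIP/TIP.PGE/TIP.PGD/FUP.
 * Added example; encodings follow the Intel SDM Intel PT chapter. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { PT_PAD, PT_TNT, PT_TIP, PT_TIP_PGE, PT_TIP_PGD, PT_FUP, PT_UNKNOWN } pt_kind;

typedef struct {
    pt_kind  kind;
    size_t   len;           /* bytes consumed from the stream */
    unsigned tnt_count;     /* TNT: number of conditional branch outcomes */
    unsigned tnt_bits;      /* TNT: bit i = branch i (oldest first), 1 = taken */
    int      ip_suppressed; /* TIP-family: IPBytes == 0, no address payload */
    uint64_t ip;            /* TIP-family: reconstructed target address */
} pt_packet;

/* Short TNT: bit 0 is 0, the highest set bit is the stop bit, and the bits
 * between them are the outcomes; B1 (oldest branch) sits just below the stop bit. */
static void pt_decode_short_tnt(uint8_t b, pt_packet *out)
{
    int stop = 7;
    while (!((b >> stop) & 1)) stop--;          /* b != 0, so this terminates */
    out->kind = PT_TNT;
    out->len = 1;
    out->tnt_count = (unsigned)(stop - 1);
    for (unsigned i = 0; i < out->tnt_count; i++)
        if ((b >> (stop - 1 - (int)i)) & 1)
            out->tnt_bits |= 1u << i;
}

/* IPBytes (opcode bits 7:5): payload size and how the upper bits are filled. */
static int pt_decode_ip(const uint8_t *p, size_t avail, unsigned ipbytes,
                        uint64_t *last_ip, pt_packet *out)
{
    static const size_t payload_len[8] = { 0, 2, 4, 6, 6, 0, 8, 0 };
    size_t n = payload_len[ipbytes];
    uint64_t v = 0;

    if (ipbytes == 5 || ipbytes == 7) return -1;   /* reserved encodings */
    if (avail < 1 + n) return -1;                   /* truncated packet */
    out->len = 1 + n;
    if (ipbytes == 0) { out->ip_suppressed = 1; return 0; }

    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[1 + i] << (8 * i); /* little-endian */
    switch (ipbytes) {
    case 1: v |= *last_ip & ~0xffffULL; break;                  /* bits 63:16 from last IP */
    case 2: v |= *last_ip & ~0xffffffffULL; break;              /* bits 63:32 from last IP */
    case 3: if (v & (1ULL << 47)) v |= 0xffffULL << 48; break;  /* sign-extend bit 47 */
    case 4: v |= *last_ip & ~0xffffffffffffULL; break;          /* bits 63:48 from last IP */
    default: break;                                             /* 6: full 64-bit IP */
    }
    out->ip = v;
    *last_ip = v;
    return 0;
}

/* Decode one packet at p; returns 0 on success, -1 on unsupported/truncated input. */
int pt_decode_packet(const uint8_t *p, size_t avail, uint64_t *last_ip, pt_packet *out)
{
    memset(out, 0, sizeof *out);
    if (avail == 0) return -1;
    uint8_t b = p[0];
    if (b == 0x00) { out->kind = PT_PAD; out->len = 1; return 0; }
    if (b == 0x02) { out->kind = PT_UNKNOWN; return -1; }   /* PSB/CBR/long TNT prefix: not handled */
    if ((b & 1) == 0) { pt_decode_short_tnt(b, out); return 0; }
    switch (b & 0x1f) {
    case 0x0d: out->kind = PT_TIP;     break;
    case 0x11: out->kind = PT_TIP_PGE; break;
    case 0x01: out->kind = PT_TIP_PGD; break;
    case 0x1d: out->kind = PT_FUP;     break;
    default:   out->kind = PT_UNKNOWN; return -1;
    }
    return pt_decode_ip(p, avail, b >> 5, last_ip, out);
}

size_t pt_decode_stream(const uint8_t *buf, size_t len, pt_packet *out, size_t max)
{
    uint64_t last_ip = 0;
    size_t off = 0, n = 0;
    while (off < len && n < max && pt_decode_packet(buf + off, len - off, &last_ip, &out[n]) == 0)
        off += out[n++].len;
    return n;
}

/* Constructed sample stream (not a real capture); addresses reuse values from the post. */
static const uint8_t kSample[] = {
    0x00,                                               /* PAD */
    0xCD, 0x00, 0x00, 0xC0, 0xA6, 0xFF, 0xFF, 0xFF, 0xFF, /* TIP, IPBytes=6: full 0xffffffffa6c00000 */
    0x1A,                                               /* short TNT: stop bit 4 -> T, N, T */
    0x2D, 0x20, 0x00,                                   /* TIP, IPBytes=1: low 16 bits -> ...a6c00020 */
    0x4D, 0xE0, 0xC3, 0xBD, 0xA6,                       /* TIP, IPBytes=2: low 32 bits -> ...a6bdc3e0 */
    0x6D, 0x80, 0x05, 0xBE, 0xA6, 0xFF, 0xFF,           /* TIP, IPBytes=3: 48 bits, sign-extended */
    0x0D,                                               /* TIP, IPBytes=0: IP suppressed */
};
static pt_packet g_sample[16];
size_t decode_sample(void) { return pt_decode_stream(kSample, sizeof kSample, g_sample, 16); }
const pt_packet *sample_packet(size_t i) { return &g_sample[i]; }

int main(void)
{
    static const char *names[] = { "PAD", "TNT", "TIP", "TIP.PGE", "TIP.PGD", "FUP", "?" };
    size_t n = decode_sample();
    for (size_t i = 0; i < n; i++) {
        const pt_packet *k = &g_sample[i];
        if (k->kind == PT_TNT) {
            printf("%-8s", names[k->kind]);
            for (unsigned j = 0; j < k->tnt_count; j++) putchar((k->tnt_bits >> j) & 1 ? 'T' : 'N');
            putchar('\n');
        } else if (k->ip_suppressed) printf("%-8s (IP suppressed)\n", names[k->kind]);
        else if (k->kind != PT_PAD) printf("%-8s 0x%016llx\n", names[k->kind], (unsigned long long)k->ip);
    }
    return 0;
}
```

Running it prints the TIP targets reconstructed through the compression chain and the TNT byte 0x1A as "TNT T N T". When reading a raw dump such as pt.log, the low bit of the byte following the packet for the call site is the first thing to check: an even byte is a TNT (or the 0x02 extended-opcode prefix), an odd byte with 01101 in its low five bits is a TIP. This decoder deliberately stops at 0x02-prefixed packets (PSB, CBR, long TNT, and others) and at anything it does not recognise; for a full trace, use a complete decoder such as libipt or perf's intel-pt support, and compare the packet boundaries it reports against this hand decoding.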