6

I wrote a simple kernel module that loops through all processes and extracts their registers saved when these were descheduled (especially EIP).

If I'm not wrong, what I need is saved on the kernel stack pointed by sp0 in the thread_struct of every process. This is what I do:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>

int init_module(void){
    struct task_struct *t;
    struct pt_regs regs;
    for_each_process(t){
       memcpy(&regs, (unsigned long*)(t->thread.sp0-sizeof(struct pt_regs)), sizeof(struct pt_regs));
       printk(KERN_INFO "%s eip: %lx\n", t->comm, regs.ip);
    }
    return 0;
}

void cleanup_module(void){
}

MODULE_LICENSE("GPL");

Now, the output about user-level processes seems legit:

[ 3558.322088] bash eip: b770b430

BUT all I get from kernel threads is always 0.

[ 3558.322095] kworker/0:0 eip: 0

I don't get it. Does the kernel save registers somewhere else when it comes to kernel threads?
Is it by chance related to kernel preemption?

I'm on a 3.14-1-486 kernel.

Thank you in advance.

progacci
  • 61
  • 4
  • Added the missing struct keyword before pt_regs in my edit. Is this code copy-paste from your source file? I have tried your code on 3.2.0-4-amd64 and the eip values were not null. – Nikopol Aug 12 '14 at 18:47
  • @Nikopol Oh well :D it was partially copy-paste, that's why I forgot the `struct` keyword here. Anyway, I've just tried on 3.2.0-67-generic (ubuntu) and 3.14-1-amd64 (debian) and I still get eip:0 for kernel threads :( – progacci Aug 13 '14 at 09:34
  • Could you add more details to your code sample? I'm particularly interested where you are calling this code and what are your included headers. – Nikopol Aug 13 '14 at 10:09
  • @Nikopol here you are. It's just an ordinary kernel module anyway. – progacci Aug 13 '14 at 11:25

1 Answers1

2

thread.sp0 is the userland SP. The kernel SP is thread.sp (and kernel ip is just thread.ip; this seems to exist on x86-32, but not x86-64).

A context switch always happens in kernel in the switch_to (one of definitions) macro, called from context_switch called from schedule. So the IP and SP used there point to kernel space.

When returning to userland, another SP and IP are needed. That is what you are reading.

kworker is a thread created internally in kernel for scheduling things that shouldn't be done in interrupts and don't have any particular process in context of which they would run. As such it does not have any userland code and therefore it's userland SP and IP are both zero. You can look at the kernel SP and IP, they should be non-zero (the IP should almost always be the same, pointing to the same place in context_switch)

Jan Hudec
  • 73,652
  • 13
  • 125
  • 172
  • Sorry, I'm confused. Yeah, I see that switch_to uses thread.sp, but I also read this about `__switch_to` [from Understanding Linux Kernel 3rd Ed]: "As we have described in step 3 of the __switch_to() function (...) at every process switch the kernel saves the kernel stack pointer of the current process in the esp0 field of the local TSS." – progacci Aug 13 '14 at 21:39