xref: /freebsd/sys/kern/kern_ktrace.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*-
2  * Copyright (c) 1989, 1993
3  *	The Regents of the University of California.
4  * Copyright (c) 2005 Robert N. M. Watson
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 4. Neither the name of the University nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  *
31  *	@(#)kern_ktrace.c	8.2 (Berkeley) 9/23/93
32  */
33 
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD$");
36 
37 #include "opt_ktrace.h"
38 #include "opt_mac.h"
39 
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/fcntl.h>
43 #include <sys/kernel.h>
44 #include <sys/kthread.h>
45 #include <sys/lock.h>
46 #include <sys/mutex.h>
47 #include <sys/malloc.h>
48 #include <sys/mount.h>
49 #include <sys/namei.h>
50 #include <sys/priv.h>
51 #include <sys/proc.h>
52 #include <sys/unistd.h>
53 #include <sys/vnode.h>
54 #include <sys/ktrace.h>
55 #include <sys/sx.h>
56 #include <sys/sysctl.h>
57 #include <sys/syslog.h>
58 #include <sys/sysproto.h>
59 
60 #include <security/mac/mac_framework.h>
61 
62 /*
63  * The ktrace facility allows the tracing of certain key events in user space
64  * processes, such as system calls, signal delivery, context switches, and
65  * user generated events using utrace(2).  It works by streaming event
66  * records and data to a vnode associated with the process using the
67  * ktrace(2) system call.  In general, records can be written directly from
68  * the context that generates the event.  One important exception to this is
69  * during a context switch, where sleeping is not permitted.  To handle this
70  * case, trace events are generated using in-kernel ktr_request records, and
71  * then delivered to disk at a convenient moment -- either immediately, the
72  * next traceable event, at system call return, or at process exit.
73  *
74  * When dealing with multiple threads or processes writing to the same event
75  * log, ordering guarantees are weak: specifically, if an event has multiple
76  * records (i.e., system call enter and return), they may be interlaced with
77  * records from another event.  Process and thread ID information is provided
78  * in the record, and user applications can de-interlace events if required.
79  */
80 
81 static MALLOC_DEFINE(M_KTRACE, "KTRACE", "KTRACE");
82 
83 #ifdef KTRACE
84 
85 #ifndef KTRACE_REQUEST_POOL
86 #define	KTRACE_REQUEST_POOL	100
87 #endif
88 
89 struct ktr_request {
90 	struct	ktr_header ktr_header;
91 	void	*ktr_buffer;
92 	union {
93 		struct	ktr_syscall ktr_syscall;
94 		struct	ktr_sysret ktr_sysret;
95 		struct	ktr_genio ktr_genio;
96 		struct	ktr_psig ktr_psig;
97 		struct	ktr_csw ktr_csw;
98 	} ktr_data;
99 	STAILQ_ENTRY(ktr_request) ktr_list;
100 };
101 
102 static int data_lengths[] = {
103 	0,					/* none */
104 	offsetof(struct ktr_syscall, ktr_args),	/* KTR_SYSCALL */
105 	sizeof(struct ktr_sysret),		/* KTR_SYSRET */
106 	0,					/* KTR_NAMEI */
107 	sizeof(struct ktr_genio),		/* KTR_GENIO */
108 	sizeof(struct ktr_psig),		/* KTR_PSIG */
109 	sizeof(struct ktr_csw),			/* KTR_CSW */
110 	0					/* KTR_USER */
111 };
112 
113 static STAILQ_HEAD(, ktr_request) ktr_free;
114 
115 static SYSCTL_NODE(_kern, OID_AUTO, ktrace, CTLFLAG_RD, 0, "KTRACE options");
116 
117 static u_int ktr_requestpool = KTRACE_REQUEST_POOL;
118 TUNABLE_INT("kern.ktrace.request_pool", &ktr_requestpool);
119 
120 static u_int ktr_geniosize = PAGE_SIZE;
121 TUNABLE_INT("kern.ktrace.genio_size", &ktr_geniosize);
122 SYSCTL_UINT(_kern_ktrace, OID_AUTO, genio_size, CTLFLAG_RW, &ktr_geniosize,
123     0, "Maximum size of genio event payload");
124 
125 static int print_message = 1;
126 struct mtx ktrace_mtx;
127 static struct sx ktrace_sx;
128 
129 static void ktrace_init(void *dummy);
130 static int sysctl_kern_ktrace_request_pool(SYSCTL_HANDLER_ARGS);
131 static u_int ktrace_resize_pool(u_int newsize);
132 static struct ktr_request *ktr_getrequest(int type);
133 static void ktr_submitrequest(struct thread *td, struct ktr_request *req);
134 static void ktr_freerequest(struct ktr_request *req);
135 static void ktr_writerequest(struct thread *td, struct ktr_request *req);
136 static int ktrcanset(struct thread *,struct proc *);
137 static int ktrsetchildren(struct thread *,struct proc *,int,int,struct vnode *);
138 static int ktrops(struct thread *,struct proc *,int,int,struct vnode *);
139 
140 /*
141  * ktrace itself generates events, such as context switches, which we do not
142  * wish to trace.  Maintain a flag, TDP_INKTRACE, on each thread to determine
143  * whether or not it is in a region where tracing of events should be
144  * suppressed.
145  */
146 static void
147 ktrace_enter(struct thread *td)
148 {
149 
150 	KASSERT(!(td->td_pflags & TDP_INKTRACE), ("ktrace_enter: flag set"));
151 	td->td_pflags |= TDP_INKTRACE;
152 }
153 
154 static void
155 ktrace_exit(struct thread *td)
156 {
157 
158 	KASSERT(td->td_pflags & TDP_INKTRACE, ("ktrace_exit: flag not set"));
159 	td->td_pflags &= ~TDP_INKTRACE;
160 }
161 
162 static void
163 ktrace_assert(struct thread *td)
164 {
165 
166 	KASSERT(td->td_pflags & TDP_INKTRACE, ("ktrace_assert: flag not set"));
167 }
168 
169 static void
170 ktrace_init(void *dummy)
171 {
172 	struct ktr_request *req;
173 	int i;
174 
175 	mtx_init(&ktrace_mtx, "ktrace", NULL, MTX_DEF | MTX_QUIET);
176 	sx_init(&ktrace_sx, "ktrace_sx");
177 	STAILQ_INIT(&ktr_free);
178 	for (i = 0; i < ktr_requestpool; i++) {
179 		req = malloc(sizeof(struct ktr_request), M_KTRACE, M_WAITOK);
180 		STAILQ_INSERT_HEAD(&ktr_free, req, ktr_list);
181 	}
182 }
183 SYSINIT(ktrace_init, SI_SUB_KTRACE, SI_ORDER_ANY, ktrace_init, NULL);
184 
185 static int
186 sysctl_kern_ktrace_request_pool(SYSCTL_HANDLER_ARGS)
187 {
188 	struct thread *td;
189 	u_int newsize, oldsize, wantsize;
190 	int error;
191 
192 	/* Handle easy read-only case first to avoid warnings from GCC. */
193 	if (!req->newptr) {
194 		mtx_lock(&ktrace_mtx);
195 		oldsize = ktr_requestpool;
196 		mtx_unlock(&ktrace_mtx);
197 		return (SYSCTL_OUT(req, &oldsize, sizeof(u_int)));
198 	}
199 
200 	error = SYSCTL_IN(req, &wantsize, sizeof(u_int));
201 	if (error)
202 		return (error);
203 	td = curthread;
204 	ktrace_enter(td);
205 	mtx_lock(&ktrace_mtx);
206 	oldsize = ktr_requestpool;
207 	newsize = ktrace_resize_pool(wantsize);
208 	mtx_unlock(&ktrace_mtx);
209 	ktrace_exit(td);
210 	error = SYSCTL_OUT(req, &oldsize, sizeof(u_int));
211 	if (error)
212 		return (error);
213 	if (wantsize > oldsize && newsize < wantsize)
214 		return (ENOSPC);
215 	return (0);
216 }
217 SYSCTL_PROC(_kern_ktrace, OID_AUTO, request_pool, CTLTYPE_UINT|CTLFLAG_RW,
218     &ktr_requestpool, 0, sysctl_kern_ktrace_request_pool, "IU", "");
219 
220 static u_int
221 ktrace_resize_pool(u_int newsize)
222 {
223 	struct ktr_request *req;
224 	int bound;
225 
226 	mtx_assert(&ktrace_mtx, MA_OWNED);
227 	print_message = 1;
228 	bound = newsize - ktr_requestpool;
229 	if (bound == 0)
230 		return (ktr_requestpool);
231 	if (bound < 0)
232 		/* Shrink pool down to newsize if possible. */
233 		while (bound++ < 0) {
234 			req = STAILQ_FIRST(&ktr_free);
235 			if (req == NULL)
236 				return (ktr_requestpool);
237 			STAILQ_REMOVE_HEAD(&ktr_free, ktr_list);
238 			ktr_requestpool--;
239 			mtx_unlock(&ktrace_mtx);
240 			free(req, M_KTRACE);
241 			mtx_lock(&ktrace_mtx);
242 		}
243 	else
244 		/* Grow pool up to newsize. */
245 		while (bound-- > 0) {
246 			mtx_unlock(&ktrace_mtx);
247 			req = malloc(sizeof(struct ktr_request), M_KTRACE,
248 			    M_WAITOK);
249 			mtx_lock(&ktrace_mtx);
250 			STAILQ_INSERT_HEAD(&ktr_free, req, ktr_list);
251 			ktr_requestpool++;
252 		}
253 	return (ktr_requestpool);
254 }
255 
256 static struct ktr_request *
257 ktr_getrequest(int type)
258 {
259 	struct ktr_request *req;
260 	struct thread *td = curthread;
261 	struct proc *p = td->td_proc;
262 	int pm;
263 
264 	ktrace_enter(td);	/* XXX: In caller instead? */
265 	mtx_lock(&ktrace_mtx);
266 	if (!KTRCHECK(td, type)) {
267 		mtx_unlock(&ktrace_mtx);
268 		ktrace_exit(td);
269 		return (NULL);
270 	}
271 	req = STAILQ_FIRST(&ktr_free);
272 	if (req != NULL) {
273 		STAILQ_REMOVE_HEAD(&ktr_free, ktr_list);
274 		req->ktr_header.ktr_type = type;
275 		if (p->p_traceflag & KTRFAC_DROP) {
276 			req->ktr_header.ktr_type |= KTR_DROP;
277 			p->p_traceflag &= ~KTRFAC_DROP;
278 		}
279 		mtx_unlock(&ktrace_mtx);
280 		microtime(&req->ktr_header.ktr_time);
281 		req->ktr_header.ktr_pid = p->p_pid;
282 		req->ktr_header.ktr_tid = td->td_tid;
283 		bcopy(td->td_name, req->ktr_header.ktr_comm, MAXCOMLEN + 1);
284 		req->ktr_buffer = NULL;
285 		req->ktr_header.ktr_len = 0;
286 	} else {
287 		p->p_traceflag |= KTRFAC_DROP;
288 		pm = print_message;
289 		print_message = 0;
290 		mtx_unlock(&ktrace_mtx);
291 		if (pm)
292 			printf("Out of ktrace request objects.\n");
293 		ktrace_exit(td);
294 	}
295 	return (req);
296 }
297 
298 /*
299  * Some trace generation environments don't permit direct access to VFS,
300  * such as during a context switch where sleeping is not allowed.  Under these
301  * circumstances, queue a request to the thread to be written asynchronously
302  * later.
303  */
304 static void
305 ktr_enqueuerequest(struct thread *td, struct ktr_request *req)
306 {
307 
308 	mtx_lock(&ktrace_mtx);
309 	STAILQ_INSERT_TAIL(&td->td_proc->p_ktr, req, ktr_list);
310 	mtx_unlock(&ktrace_mtx);
311 	ktrace_exit(td);
312 }
313 
314 /*
315  * Drain any pending ktrace records from the per-thread queue to disk.  This
316  * is used both internally before committing other records, and also on
317  * system call return.  We drain all the ones we can find at the time when
318  * drain is requested, but don't keep draining after that as those events
319  * may me approximately "after" the current event.
320  */
321 static void
322 ktr_drain(struct thread *td)
323 {
324 	struct ktr_request *queued_req;
325 	STAILQ_HEAD(, ktr_request) local_queue;
326 
327 	ktrace_assert(td);
328 	sx_assert(&ktrace_sx, SX_XLOCKED);
329 
330 	STAILQ_INIT(&local_queue);	/* XXXRW: needed? */
331 
332 	if (!STAILQ_EMPTY(&td->td_proc->p_ktr)) {
333 		mtx_lock(&ktrace_mtx);
334 		STAILQ_CONCAT(&local_queue, &td->td_proc->p_ktr);
335 		mtx_unlock(&ktrace_mtx);
336 
337 		while ((queued_req = STAILQ_FIRST(&local_queue))) {
338 			STAILQ_REMOVE_HEAD(&local_queue, ktr_list);
339 			ktr_writerequest(td, queued_req);
340 			ktr_freerequest(queued_req);
341 		}
342 	}
343 }
344 
345 /*
346  * Submit a trace record for immediate commit to disk -- to be used only
347  * where entering VFS is OK.  First drain any pending records that may have
348  * been cached in the thread.
349  */
350 static void
351 ktr_submitrequest(struct thread *td, struct ktr_request *req)
352 {
353 
354 	ktrace_assert(td);
355 
356 	sx_xlock(&ktrace_sx);
357 	ktr_drain(td);
358 	ktr_writerequest(td, req);
359 	ktr_freerequest(req);
360 	sx_xunlock(&ktrace_sx);
361 
362 	ktrace_exit(td);
363 }
364 
365 static void
366 ktr_freerequest(struct ktr_request *req)
367 {
368 
369 	if (req->ktr_buffer != NULL)
370 		free(req->ktr_buffer, M_KTRACE);
371 	mtx_lock(&ktrace_mtx);
372 	STAILQ_INSERT_HEAD(&ktr_free, req, ktr_list);
373 	mtx_unlock(&ktrace_mtx);
374 }
375 
376 void
377 ktrsyscall(code, narg, args)
378 	int code, narg;
379 	register_t args[];
380 {
381 	struct ktr_request *req;
382 	struct ktr_syscall *ktp;
383 	size_t buflen;
384 	char *buf = NULL;
385 
386 	buflen = sizeof(register_t) * narg;
387 	if (buflen > 0) {
388 		buf = malloc(buflen, M_KTRACE, M_WAITOK);
389 		bcopy(args, buf, buflen);
390 	}
391 	req = ktr_getrequest(KTR_SYSCALL);
392 	if (req == NULL) {
393 		if (buf != NULL)
394 			free(buf, M_KTRACE);
395 		return;
396 	}
397 	ktp = &req->ktr_data.ktr_syscall;
398 	ktp->ktr_code = code;
399 	ktp->ktr_narg = narg;
400 	if (buflen > 0) {
401 		req->ktr_header.ktr_len = buflen;
402 		req->ktr_buffer = buf;
403 	}
404 	ktr_submitrequest(curthread, req);
405 }
406 
407 void
408 ktrsysret(code, error, retval)
409 	int code, error;
410 	register_t retval;
411 {
412 	struct ktr_request *req;
413 	struct ktr_sysret *ktp;
414 
415 	req = ktr_getrequest(KTR_SYSRET);
416 	if (req == NULL)
417 		return;
418 	ktp = &req->ktr_data.ktr_sysret;
419 	ktp->ktr_code = code;
420 	ktp->ktr_error = error;
421 	ktp->ktr_retval = retval;		/* what about val2 ? */
422 	ktr_submitrequest(curthread, req);
423 }
424 
425 /*
426  * When a process exits, drain per-process asynchronous trace records.
427  */
428 void
429 ktrprocexit(struct thread *td)
430 {
431 
432 	ktrace_enter(td);
433 	sx_xlock(&ktrace_sx);
434 	ktr_drain(td);
435 	sx_xunlock(&ktrace_sx);
436 	ktrace_exit(td);
437 }
438 
439 /*
440  * When a thread returns, drain any asynchronous records generated by the
441  * system call.
442  */
443 void
444 ktruserret(struct thread *td)
445 {
446 
447 	ktrace_enter(td);
448 	sx_xlock(&ktrace_sx);
449 	ktr_drain(td);
450 	sx_xunlock(&ktrace_sx);
451 	ktrace_exit(td);
452 }
453 
454 void
455 ktrnamei(path)
456 	char *path;
457 {
458 	struct ktr_request *req;
459 	int namelen;
460 	char *buf = NULL;
461 
462 	namelen = strlen(path);
463 	if (namelen > 0) {
464 		buf = malloc(namelen, M_KTRACE, M_WAITOK);
465 		bcopy(path, buf, namelen);
466 	}
467 	req = ktr_getrequest(KTR_NAMEI);
468 	if (req == NULL) {
469 		if (buf != NULL)
470 			free(buf, M_KTRACE);
471 		return;
472 	}
473 	if (namelen > 0) {
474 		req->ktr_header.ktr_len = namelen;
475 		req->ktr_buffer = buf;
476 	}
477 	ktr_submitrequest(curthread, req);
478 }
479 
480 void
481 ktrgenio(fd, rw, uio, error)
482 	int fd;
483 	enum uio_rw rw;
484 	struct uio *uio;
485 	int error;
486 {
487 	struct ktr_request *req;
488 	struct ktr_genio *ktg;
489 	int datalen;
490 	char *buf;
491 
492 	if (error) {
493 		free(uio, M_IOV);
494 		return;
495 	}
496 	uio->uio_offset = 0;
497 	uio->uio_rw = UIO_WRITE;
498 	datalen = imin(uio->uio_resid, ktr_geniosize);
499 	buf = malloc(datalen, M_KTRACE, M_WAITOK);
500 	error = uiomove(buf, datalen, uio);
501 	free(uio, M_IOV);
502 	if (error) {
503 		free(buf, M_KTRACE);
504 		return;
505 	}
506 	req = ktr_getrequest(KTR_GENIO);
507 	if (req == NULL) {
508 		free(buf, M_KTRACE);
509 		return;
510 	}
511 	ktg = &req->ktr_data.ktr_genio;
512 	ktg->ktr_fd = fd;
513 	ktg->ktr_rw = rw;
514 	req->ktr_header.ktr_len = datalen;
515 	req->ktr_buffer = buf;
516 	ktr_submitrequest(curthread, req);
517 }
518 
519 void
520 ktrpsig(sig, action, mask, code)
521 	int sig;
522 	sig_t action;
523 	sigset_t *mask;
524 	int code;
525 {
526 	struct ktr_request *req;
527 	struct ktr_psig	*kp;
528 
529 	req = ktr_getrequest(KTR_PSIG);
530 	if (req == NULL)
531 		return;
532 	kp = &req->ktr_data.ktr_psig;
533 	kp->signo = (char)sig;
534 	kp->action = action;
535 	kp->mask = *mask;
536 	kp->code = code;
537 	ktr_enqueuerequest(curthread, req);
538 }
539 
540 void
541 ktrcsw(out, user)
542 	int out, user;
543 {
544 	struct ktr_request *req;
545 	struct ktr_csw *kc;
546 
547 	req = ktr_getrequest(KTR_CSW);
548 	if (req == NULL)
549 		return;
550 	kc = &req->ktr_data.ktr_csw;
551 	kc->out = out;
552 	kc->user = user;
553 	ktr_enqueuerequest(curthread, req);
554 }
555 #endif /* KTRACE */
556 
557 /* Interface and common routines */
558 
559 #ifndef _SYS_SYSPROTO_H_
560 struct ktrace_args {
561 	char	*fname;
562 	int	ops;
563 	int	facs;
564 	int	pid;
565 };
566 #endif
567 /* ARGSUSED */
568 int
569 ktrace(td, uap)
570 	struct thread *td;
571 	register struct ktrace_args *uap;
572 {
573 #ifdef KTRACE
574 	register struct vnode *vp = NULL;
575 	register struct proc *p;
576 	struct pgrp *pg;
577 	int facs = uap->facs & ~KTRFAC_ROOT;
578 	int ops = KTROP(uap->ops);
579 	int descend = uap->ops & KTRFLAG_DESCEND;
580 	int nfound, ret = 0;
581 	int flags, error = 0, vfslocked;
582 	struct nameidata nd;
583 	struct ucred *cred;
584 
585 	/*
586 	 * Need something to (un)trace.
587 	 */
588 	if (ops != KTROP_CLEARFILE && facs == 0)
589 		return (EINVAL);
590 
591 	ktrace_enter(td);
592 	if (ops != KTROP_CLEAR) {
593 		/*
594 		 * an operation which requires a file argument.
595 		 */
596 		NDINIT(&nd, LOOKUP, NOFOLLOW | MPSAFE, UIO_USERSPACE,
597 		    uap->fname, td);
598 		flags = FREAD | FWRITE | O_NOFOLLOW;
599 		error = vn_open(&nd, &flags, 0, NULL);
600 		if (error) {
601 			ktrace_exit(td);
602 			return (error);
603 		}
604 		vfslocked = NDHASGIANT(&nd);
605 		NDFREE(&nd, NDF_ONLY_PNBUF);
606 		vp = nd.ni_vp;
607 		VOP_UNLOCK(vp, 0);
608 		if (vp->v_type != VREG) {
609 			(void) vn_close(vp, FREAD|FWRITE, td->td_ucred, td);
610 			VFS_UNLOCK_GIANT(vfslocked);
611 			ktrace_exit(td);
612 			return (EACCES);
613 		}
614 		VFS_UNLOCK_GIANT(vfslocked);
615 	}
616 	/*
617 	 * Clear all uses of the tracefile.
618 	 */
619 	if (ops == KTROP_CLEARFILE) {
620 		int vrele_count;
621 
622 		vrele_count = 0;
623 		sx_slock(&allproc_lock);
624 		FOREACH_PROC_IN_SYSTEM(p) {
625 			PROC_LOCK(p);
626 			if (p->p_tracevp == vp) {
627 				if (ktrcanset(td, p)) {
628 					mtx_lock(&ktrace_mtx);
629 					cred = p->p_tracecred;
630 					p->p_tracecred = NULL;
631 					p->p_tracevp = NULL;
632 					p->p_traceflag = 0;
633 					mtx_unlock(&ktrace_mtx);
634 					vrele_count++;
635 					crfree(cred);
636 				} else
637 					error = EPERM;
638 			}
639 			PROC_UNLOCK(p);
640 		}
641 		sx_sunlock(&allproc_lock);
642 		if (vrele_count > 0) {
643 			vfslocked = VFS_LOCK_GIANT(vp->v_mount);
644 			while (vrele_count-- > 0)
645 				vrele(vp);
646 			VFS_UNLOCK_GIANT(vfslocked);
647 		}
648 		goto done;
649 	}
650 	/*
651 	 * do it
652 	 */
653 	sx_slock(&proctree_lock);
654 	if (uap->pid < 0) {
655 		/*
656 		 * by process group
657 		 */
658 		pg = pgfind(-uap->pid);
659 		if (pg == NULL) {
660 			sx_sunlock(&proctree_lock);
661 			error = ESRCH;
662 			goto done;
663 		}
664 		/*
665 		 * ktrops() may call vrele(). Lock pg_members
666 		 * by the proctree_lock rather than pg_mtx.
667 		 */
668 		PGRP_UNLOCK(pg);
669 		nfound = 0;
670 		LIST_FOREACH(p, &pg->pg_members, p_pglist) {
671 			PROC_LOCK(p);
672 			if (p_cansee(td, p) != 0) {
673 				PROC_UNLOCK(p);
674 				continue;
675 			}
676 			PROC_UNLOCK(p);
677 			nfound++;
678 			if (descend)
679 				ret |= ktrsetchildren(td, p, ops, facs, vp);
680 			else
681 				ret |= ktrops(td, p, ops, facs, vp);
682 		}
683 		if (nfound == 0) {
684 			sx_sunlock(&proctree_lock);
685 			error = ESRCH;
686 			goto done;
687 		}
688 	} else {
689 		/*
690 		 * by pid
691 		 */
692 		p = pfind(uap->pid);
693 		if (p == NULL) {
694 			sx_sunlock(&proctree_lock);
695 			error = ESRCH;
696 			goto done;
697 		}
698 		error = p_cansee(td, p);
699 		/*
700 		 * The slock of the proctree lock will keep this process
701 		 * from going away, so unlocking the proc here is ok.
702 		 */
703 		PROC_UNLOCK(p);
704 		if (error) {
705 			sx_sunlock(&proctree_lock);
706 			goto done;
707 		}
708 		if (descend)
709 			ret |= ktrsetchildren(td, p, ops, facs, vp);
710 		else
711 			ret |= ktrops(td, p, ops, facs, vp);
712 	}
713 	sx_sunlock(&proctree_lock);
714 	if (!ret)
715 		error = EPERM;
716 done:
717 	if (vp != NULL) {
718 		vfslocked = VFS_LOCK_GIANT(vp->v_mount);
719 		(void) vn_close(vp, FWRITE, td->td_ucred, td);
720 		VFS_UNLOCK_GIANT(vfslocked);
721 	}
722 	ktrace_exit(td);
723 	return (error);
724 #else /* !KTRACE */
725 	return (ENOSYS);
726 #endif /* KTRACE */
727 }
728 
729 /* ARGSUSED */
730 int
731 utrace(td, uap)
732 	struct thread *td;
733 	register struct utrace_args *uap;
734 {
735 
736 #ifdef KTRACE
737 	struct ktr_request *req;
738 	void *cp;
739 	int error;
740 
741 	if (!KTRPOINT(td, KTR_USER))
742 		return (0);
743 	if (uap->len > KTR_USER_MAXLEN)
744 		return (EINVAL);
745 	cp = malloc(uap->len, M_KTRACE, M_WAITOK);
746 	error = copyin(uap->addr, cp, uap->len);
747 	if (error) {
748 		free(cp, M_KTRACE);
749 		return (error);
750 	}
751 	req = ktr_getrequest(KTR_USER);
752 	if (req == NULL) {
753 		free(cp, M_KTRACE);
754 		return (ENOMEM);
755 	}
756 	req->ktr_buffer = cp;
757 	req->ktr_header.ktr_len = uap->len;
758 	ktr_submitrequest(td, req);
759 	return (0);
760 #else /* !KTRACE */
761 	return (ENOSYS);
762 #endif /* KTRACE */
763 }
764 
765 #ifdef KTRACE
766 static int
767 ktrops(td, p, ops, facs, vp)
768 	struct thread *td;
769 	struct proc *p;
770 	int ops, facs;
771 	struct vnode *vp;
772 {
773 	struct vnode *tracevp = NULL;
774 	struct ucred *tracecred = NULL;
775 
776 	PROC_LOCK(p);
777 	if (!ktrcanset(td, p)) {
778 		PROC_UNLOCK(p);
779 		return (0);
780 	}
781 	mtx_lock(&ktrace_mtx);
782 	if (ops == KTROP_SET) {
783 		if (p->p_tracevp != vp) {
784 			/*
785 			 * if trace file already in use, relinquish below
786 			 */
787 			tracevp = p->p_tracevp;
788 			VREF(vp);
789 			p->p_tracevp = vp;
790 		}
791 		if (p->p_tracecred != td->td_ucred) {
792 			tracecred = p->p_tracecred;
793 			p->p_tracecred = crhold(td->td_ucred);
794 		}
795 		p->p_traceflag |= facs;
796 		if (priv_check(td, PRIV_KTRACE) == 0)
797 			p->p_traceflag |= KTRFAC_ROOT;
798 	} else {
799 		/* KTROP_CLEAR */
800 		if (((p->p_traceflag &= ~facs) & KTRFAC_MASK) == 0) {
801 			/* no more tracing */
802 			p->p_traceflag = 0;
803 			tracevp = p->p_tracevp;
804 			p->p_tracevp = NULL;
805 			tracecred = p->p_tracecred;
806 			p->p_tracecred = NULL;
807 		}
808 	}
809 	mtx_unlock(&ktrace_mtx);
810 	PROC_UNLOCK(p);
811 	if (tracevp != NULL) {
812 		int vfslocked;
813 
814 		vfslocked = VFS_LOCK_GIANT(tracevp->v_mount);
815 		vrele(tracevp);
816 		VFS_UNLOCK_GIANT(vfslocked);
817 	}
818 	if (tracecred != NULL)
819 		crfree(tracecred);
820 
821 	return (1);
822 }
823 
824 static int
825 ktrsetchildren(td, top, ops, facs, vp)
826 	struct thread *td;
827 	struct proc *top;
828 	int ops, facs;
829 	struct vnode *vp;
830 {
831 	register struct proc *p;
832 	register int ret = 0;
833 
834 	p = top;
835 	sx_assert(&proctree_lock, SX_LOCKED);
836 	for (;;) {
837 		ret |= ktrops(td, p, ops, facs, vp);
838 		/*
839 		 * If this process has children, descend to them next,
840 		 * otherwise do any siblings, and if done with this level,
841 		 * follow back up the tree (but not past top).
842 		 */
843 		if (!LIST_EMPTY(&p->p_children))
844 			p = LIST_FIRST(&p->p_children);
845 		else for (;;) {
846 			if (p == top)
847 				return (ret);
848 			if (LIST_NEXT(p, p_sibling)) {
849 				p = LIST_NEXT(p, p_sibling);
850 				break;
851 			}
852 			p = p->p_pptr;
853 		}
854 	}
855 	/*NOTREACHED*/
856 }
857 
858 static void
859 ktr_writerequest(struct thread *td, struct ktr_request *req)
860 {
861 	struct ktr_header *kth;
862 	struct vnode *vp;
863 	struct proc *p;
864 	struct ucred *cred;
865 	struct uio auio;
866 	struct iovec aiov[3];
867 	struct mount *mp;
868 	int datalen, buflen, vrele_count;
869 	int error, vfslocked;
870 
871 	/*
872 	 * We hold the vnode and credential for use in I/O in case ktrace is
873 	 * disabled on the process as we write out the request.
874 	 *
875 	 * XXXRW: This is not ideal: we could end up performing a write after
876 	 * the vnode has been closed.
877 	 */
878 	mtx_lock(&ktrace_mtx);
879 	vp = td->td_proc->p_tracevp;
880 	if (vp != NULL)
881 		VREF(vp);
882 	cred = td->td_proc->p_tracecred;
883 	if (cred != NULL)
884 		crhold(cred);
885 	mtx_unlock(&ktrace_mtx);
886 
887 	/*
888 	 * If vp is NULL, the vp has been cleared out from under this
889 	 * request, so just drop it.  Make sure the credential and vnode are
890 	 * in sync: we should have both or neither.
891 	 */
892 	if (vp == NULL) {
893 		KASSERT(cred == NULL, ("ktr_writerequest: cred != NULL"));
894 		return;
895 	}
896 	KASSERT(cred != NULL, ("ktr_writerequest: cred == NULL"));
897 
898 	kth = &req->ktr_header;
899 	datalen = data_lengths[(u_short)kth->ktr_type & ~KTR_DROP];
900 	buflen = kth->ktr_len;
901 	auio.uio_iov = &aiov[0];
902 	auio.uio_offset = 0;
903 	auio.uio_segflg = UIO_SYSSPACE;
904 	auio.uio_rw = UIO_WRITE;
905 	aiov[0].iov_base = (caddr_t)kth;
906 	aiov[0].iov_len = sizeof(struct ktr_header);
907 	auio.uio_resid = sizeof(struct ktr_header);
908 	auio.uio_iovcnt = 1;
909 	auio.uio_td = td;
910 	if (datalen != 0) {
911 		aiov[1].iov_base = (caddr_t)&req->ktr_data;
912 		aiov[1].iov_len = datalen;
913 		auio.uio_resid += datalen;
914 		auio.uio_iovcnt++;
915 		kth->ktr_len += datalen;
916 	}
917 	if (buflen != 0) {
918 		KASSERT(req->ktr_buffer != NULL, ("ktrace: nothing to write"));
919 		aiov[auio.uio_iovcnt].iov_base = req->ktr_buffer;
920 		aiov[auio.uio_iovcnt].iov_len = buflen;
921 		auio.uio_resid += buflen;
922 		auio.uio_iovcnt++;
923 	}
924 
925 	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
926 	vn_start_write(vp, &mp, V_WAIT);
927 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
928 	(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
929 #ifdef MAC
930 	error = mac_vnode_check_write(cred, NOCRED, vp);
931 	if (error == 0)
932 #endif
933 		error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
934 	VOP_UNLOCK(vp, 0);
935 	vn_finished_write(mp);
936 	vrele(vp);
937 	VFS_UNLOCK_GIANT(vfslocked);
938 	if (!error)
939 		return;
940 	/*
941 	 * If error encountered, give up tracing on this vnode.  We defer
942 	 * all the vrele()'s on the vnode until after we are finished walking
943 	 * the various lists to avoid needlessly holding locks.
944 	 */
945 	log(LOG_NOTICE, "ktrace write failed, errno %d, tracing stopped\n",
946 	    error);
947 	vrele_count = 0;
948 	/*
949 	 * First, clear this vnode from being used by any processes in the
950 	 * system.
951 	 * XXX - If one process gets an EPERM writing to the vnode, should
952 	 * we really do this?  Other processes might have suitable
953 	 * credentials for the operation.
954 	 */
955 	cred = NULL;
956 	sx_slock(&allproc_lock);
957 	FOREACH_PROC_IN_SYSTEM(p) {
958 		PROC_LOCK(p);
959 		if (p->p_tracevp == vp) {
960 			mtx_lock(&ktrace_mtx);
961 			p->p_tracevp = NULL;
962 			p->p_traceflag = 0;
963 			cred = p->p_tracecred;
964 			p->p_tracecred = NULL;
965 			mtx_unlock(&ktrace_mtx);
966 			vrele_count++;
967 		}
968 		PROC_UNLOCK(p);
969 		if (cred != NULL) {
970 			crfree(cred);
971 			cred = NULL;
972 		}
973 	}
974 	sx_sunlock(&allproc_lock);
975 
976 	/*
977 	 * We can't clear any pending requests in threads that have cached
978 	 * them but not yet committed them, as those are per-thread.  The
979 	 * thread will have to clear it itself on system call return.
980 	 */
981 	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
982 	while (vrele_count-- > 0)
983 		vrele(vp);
984 	VFS_UNLOCK_GIANT(vfslocked);
985 }
986 
987 /*
988  * Return true if caller has permission to set the ktracing state
989  * of target.  Essentially, the target can't possess any
990  * more permissions than the caller.  KTRFAC_ROOT signifies that
991  * root previously set the tracing status on the target process, and
992  * so, only root may further change it.
993  */
994 static int
995 ktrcanset(td, targetp)
996 	struct thread *td;
997 	struct proc *targetp;
998 {
999 
1000 	PROC_LOCK_ASSERT(targetp, MA_OWNED);
1001 	if (targetp->p_traceflag & KTRFAC_ROOT &&
1002 	    priv_check(td, PRIV_KTRACE))
1003 		return (0);
1004 
1005 	if (p_candebug(td, targetp) != 0)
1006 		return (0);
1007 
1008 	return (1);
1009 }
1010 
1011 #endif /* KTRACE */
1012