1=========================================
2user_events: User-based Event Tracing
3=========================================
4
5:Author: Beau Belgrave
6
7Overview
8--------
9User based trace events allow user processes to create events and trace data
10that can be viewed via existing tools, such as ftrace and perf.
11To enable this feature, build your kernel with CONFIG_USER_EVENTS=y.
12
13Programs can view status of the events via
14/sys/kernel/tracing/user_events_status and can both register and write
15data out via /sys/kernel/tracing/user_events_data.
16
17Typically programs will register a set of events that they wish to expose to
18tools that can read trace_events (such as ftrace and perf). The registration
19process tells the kernel which address and bit to reflect if any tool has
20enabled the event and data should be written. The registration will give back
21a write index which describes the data when a write() or writev() is called
22on the /sys/kernel/tracing/user_events_data file.
23
24The structures referenced in this document are contained within the
25/include/uapi/linux/user_events.h file in the source tree.
26
27**NOTE:** *Both user_events_status and user_events_data are under the tracefs
28filesystem and may be mounted at different paths than above.*
29
30Registering
31-----------
32Registering within a user process is done via ioctl() out to the
33/sys/kernel/tracing/user_events_data file. The command to issue is
34DIAG_IOCSREG.
35
36This command takes a packed struct user_reg as an argument::
37
38  struct user_reg {
39        /* Input: Size of the user_reg structure being used */
40        __u32 size;
41
42        /* Input: Bit in enable address to use */
43        __u8 enable_bit;
44
45        /* Input: Enable size in bytes at address */
46        __u8 enable_size;
47
48        /* Input: Flags for future use, set to 0 */
49        __u16 flags;
50
51        /* Input: Address to update when enabled */
52        __u64 enable_addr;
53
54        /* Input: Pointer to string with event name, description and flags */
55        __u64 name_args;
56
57        /* Output: Index of the event to use when writing data */
58        __u32 write_index;
59  } __attribute__((__packed__));
60
61The struct user_reg requires all the above inputs to be set appropriately.
62
63+ size: This must be set to sizeof(struct user_reg).
64
65+ enable_bit: The bit to reflect the event status at the address specified by
66  enable_addr.
67
68+ enable_size: The size of the value specified by enable_addr.
69  This must be 4 (32-bit) or 8 (64-bit). 64-bit values are only allowed to be
70  used on 64-bit kernels, however, 32-bit can be used on all kernels.
71
72+ flags: The flags to use, if any. For the initial version this must be 0.
73  Callers should first attempt to use flags and retry without flags to ensure
74  support for lower versions of the kernel. If a flag is not supported -EINVAL
75  is returned.
76
77+ enable_addr: The address of the value to use to reflect event status. This
78  must be naturally aligned and write accessible within the user program.
79
80+ name_args: The name and arguments to describe the event, see command format
81  for details.
82
83Upon successful registration the following is set.
84
85+ write_index: The index to use for this file descriptor that represents this
86  event when writing out data. The index is unique to this instance of the file
87  descriptor that was used for the registration. See writing data for details.
88
89User based events show up under tracefs like any other event under the
90subsystem named "user_events". This means tools that wish to attach to the
91events need to use /sys/kernel/tracing/events/user_events/[name]/enable
92or perf record -e user_events:[name] when attaching/recording.
93
94**NOTE:** The event subsystem name by default is "user_events". Callers should
95not assume it will always be "user_events". Operators reserve the right in the
96future to change the subsystem name per-process to accommodate event isolation.
97
98Command Format
99^^^^^^^^^^^^^^
100The command string format is as follows::
101
102  name[:FLAG1[,FLAG2...]] [Field1[;Field2...]]
103
104Supported Flags
105^^^^^^^^^^^^^^^
106None yet
107
108Field Format
109^^^^^^^^^^^^
110::
111
112  type name [size]
113
114Basic types are supported (__data_loc, u32, u64, int, char, char[20], etc).
115User programs are encouraged to use clearly sized types like u32.
116
117**NOTE:** *Long is not supported since size can vary between user and kernel.*
118
119The size is only valid for types that start with a struct prefix.
120This allows user programs to describe custom structs out to tools, if required.
121
122For example, a struct in C that looks like this::
123
124  struct mytype {
125    char data[20];
126  };
127
128Would be represented by the following field::
129
130  struct mytype myname 20
131
132Deleting
133--------
134Deleting an event from within a user process is done via ioctl() out to the
135/sys/kernel/tracing/user_events_data file. The command to issue is
136DIAG_IOCSDEL.
137
138This command only requires a single string specifying the event to delete by
139its name. Delete will only succeed if there are no references left to the
140event (in both user and kernel space). User programs should use a separate file
141to request deletes than the one used for registration due to this.
142
143**NOTE:** By default events will auto-delete when there are no references left
144to the event. Flags in the future may change this logic.
145
146Unregistering
147-------------
148If after registering an event it is no longer wanted to be updated then it can
149be disabled via ioctl() out to the /sys/kernel/tracing/user_events_data file.
150The command to issue is DIAG_IOCSUNREG. This is different than deleting, where
151deleting actually removes the event from the system. Unregistering simply tells
152the kernel your process is no longer interested in updates to the event.
153
154This command takes a packed struct user_unreg as an argument::
155
156  struct user_unreg {
157        /* Input: Size of the user_unreg structure being used */
158        __u32 size;
159
160        /* Input: Bit to unregister */
161        __u8 disable_bit;
162
163        /* Input: Reserved, set to 0 */
164        __u8 __reserved;
165
166        /* Input: Reserved, set to 0 */
167        __u16 __reserved2;
168
169        /* Input: Address to unregister */
170        __u64 disable_addr;
171  } __attribute__((__packed__));
172
173The struct user_unreg requires all the above inputs to be set appropriately.
174
175+ size: This must be set to sizeof(struct user_unreg).
176
177+ disable_bit: This must be set to the bit to disable (same bit that was
178  previously registered via enable_bit).
179
180+ disable_addr: This must be set to the address to disable (same address that was
181  previously registered via enable_addr).
182
183**NOTE:** Events are automatically unregistered when execve() is invoked. During
184fork() the registered events will be retained and must be unregistered manually
185in each process if wanted.
186
187Status
188------
189When tools attach/record user based events the status of the event is updated
190in realtime. This allows user programs to only incur the cost of the write() or
191writev() calls when something is actively attached to the event.
192
193The kernel will update the specified bit that was registered for the event as
194tools attach/detach from the event. User programs simply check if the bit is set
195to see if something is attached or not.
196
197Administrators can easily check the status of all registered events by reading
198the user_events_status file directly via a terminal. The output is as follows::
199
200  Name [# Comments]
201  ...
202
203  Active: ActiveCount
204  Busy: BusyCount
205
206For example, on a system that has a single event the output looks like this::
207
208  test
209
210  Active: 1
211  Busy: 0
212
213If a user enables the user event via ftrace, the output would change to this::
214
215  test # Used by ftrace
216
217  Active: 1
218  Busy: 1
219
220Writing Data
221------------
222After registering an event the same fd that was used to register can be used
223to write an entry for that event. The write_index returned must be at the start
224of the data, then the remaining data is treated as the payload of the event.
225
226For example, if write_index returned was 1 and I wanted to write out an int
227payload of the event. Then the data would have to be 8 bytes (2 ints) in size,
228with the first 4 bytes being equal to 1 and the last 4 bytes being equal to the
229value I want as the payload.
230
231In memory this would look like this::
232
233  int index;
234  int payload;
235
236User programs might have well known structs that they wish to use to emit out
237as payloads. In those cases writev() can be used, with the first vector being
238the index and the following vector(s) being the actual event payload.
239
240For example, if I have a struct like this::
241
242  struct payload {
243        int src;
244        int dst;
245        int flags;
246  } __attribute__((__packed__));
247
248It's advised for user programs to do the following::
249
250  struct iovec io[2];
251  struct payload e;
252
253  io[0].iov_base = &write_index;
254  io[0].iov_len = sizeof(write_index);
255  io[1].iov_base = &e;
256  io[1].iov_len = sizeof(e);
257
258  writev(fd, (const struct iovec*)io, 2);
259
260**NOTE:** *The write_index is not emitted out into the trace being recorded.*
261
262Example Code
263------------
264See sample code in samples/user_events.
265