Date: Wed, 6 Apr 2022 09:35:45 +0800
From: Song Chen
To: Andrii Nakryiko
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin Lau, Song Liu, Yonghong Song, john fastabend, KP Singh, Networking, bpf, open list
Subject: Re: [PATCH] sample: bpf: syscall_tp_kern: add dfd before filename
Message-ID: <529149bc-d095-8161-11be-b36d7d63b7ed@189.cn>
References: <1648777246-21352-1-git-send-email-chensong_2000@189.cn>

Hi,

On 2022/4/5 06:17, Andrii Nakryiko wrote:
> On Thu, Mar 31, 2022 at 6:34 PM Song Chen wrote:
>>
>> When I was writing my eBPF program, I copied some pieces of code from
>> syscall_tp, syscall_tp_kern only records how many files are opened, but
>> mine needs to print file name. I reused struct syscalls_enter_open_args,
>> which is defined as:
>>
>> struct syscalls_enter_open_args {
>>         unsigned long long unused;
>>         long syscall_nr;
>>         long filename_ptr;
>>         long flags;
>>         long mode;
>> };
>>
>> I tried to use filename_ptr, but it's not the pointer of filename, flags
>> turns out to be the pointer I'm looking for, there might be something
>> missed in the struct.
>>
>> I read the ftrace log, found the missed one is dfd, which is supposed to be
>> placed in between syscall_nr and filename_ptr.
>>
>> Actually syscall_tp has nothing to do with dfd, it can run anyway without
>> it, but it's better to have it to make it a better eBPF sample, especially
>> to new eBPF programmers, then I fixed it.
>> >> Signed-off-by: Song Chen >> --- >> samples/bpf/syscall_tp_kern.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/samples/bpf/syscall_tp_kern.c b/samples/bpf/syscall_tp_kern.c >> index 50231c2eff9c..e4ac818aee57 100644 >> --- a/samples/bpf/syscall_tp_kern.c >> +++ b/samples/bpf/syscall_tp_kern.c 
>> @@ -7,6 +7,7 @@ >> struct syscalls_enter_open_args { >> unsigned long long unused; >> long syscall_nr; >> + long dfd_ptr; >> long filename_ptr; >> long flags; >> long mode; > > Here's what I see on latest bpf-next: > > # cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_open/format > name: sys_enter_open > ID: 613 > format: > field:unsigned short common_type; offset:0; > size:2; signed:0; > field:unsigned char common_flags; offset:2; > size:1; signed:0; > field:unsigned char common_preempt_count; offset:3; > size:1; signed:0; > field:int common_pid; offset:4; size:4; signed:1; > > field:int __syscall_nr; offset:8; size:4; signed:1; > field:const char * filename; offset:16; size:8; signed:0; > field:int flags; offset:24; size:8; signed:0; > field:umode_t mode; offset:32; size:8; signed:0; > > This layout doesn't correspond either to before or after state of > syscalls_enter_open_args. Not sure what's going on, but it doesn't > seem that struct syscalls_enter_open_args is correct anyways. 
>

sys_enter_open is not enabled in my system somehow and I haven't figured
out why, then I used sys_enter_openat, whose format is:

name: sys_enter_openat
ID: 647
format:
        field:unsigned short common_type;       offset:0;       size:2; signed:0;
        field:unsigned char common_flags;       offset:2;       size:1; signed:0;
        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
        field:int common_pid;   offset:4;       size:4; signed:1;

        field:int __syscall_nr; offset:8;       size:4; signed:1;
        field:int dfd;  offset:16;      size:8; signed:0;
        field:const char * filename;    offset:24;      size:8; signed:0;
        field:int flags;        offset:32;      size:8; signed:0;
        field:umode_t mode;     offset:40;      size:8; signed:0;

print fmt: "dfd: 0x%08lx, filename: 0x%08lx, flags: 0x%08lx, mode: 0x%08lx", ((unsigned long)(REC->dfd)), ((unsigned long)(REC->filename)), ((unsigned long)(REC->flags)), ((unsigned long)(REC->mode))

I think in this case syscalls_enter_open_args is not applicable for
sys_enter_openat, how about we introduce a new struct specific for
sys_enter_openat with dfd in it?

/Song

>
>> --
>> 2.25.1
>>
>
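Review bot: the member added in the "@@ -7,6 +7,7 @@" hunk is named dfd_ptr, but the sys_enter_openat format quoted in the reply lists that field as "int dfd", a directory file descriptor and not a pointer, so "long dfd;" would be the clearer name. The struct also keeps the name syscalls_enter_open_args, while the sys_enter_open format quoted in the review has filename at offset 16 and no dfd field; with 8-byte long the patched struct puts filename_ptr at offset 24, which fits only the sys_enter_openat format. A separate struct for sys_enter_openat, as proposed at the end of the reply, would leave the layout used for sys_enter_open unchanged.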
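Added example (not part of the thread or of the kernel sample): a C check that reads field offsets out of tracefs format text and compares them with offsetof() on the args struct, which shows why the old struct's flags member held the filename pointer under sys_enter_openat. The names struct syscalls_enter_openat_args and format_offset() are hypothetical, the format text is constructed from the output quoted above, and 8-byte long (LP64) is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pre-patch struct from the commit message; assumes 8-byte long (LP64). */
struct syscalls_enter_open_args {
	unsigned long long unused;
	long syscall_nr;
	long filename_ptr;
	long flags;
	long mode;
};
/* Hypothetical openat-specific struct, per the proposal in the reply. */
struct syscalls_enter_openat_args {
	unsigned long long unused;
	long syscall_nr;
	long dfd;
	long filename_ptr;
	long flags;
	long mode;
};
/* Constructed sample: two field lines of the sys_enter_openat format. */
static const char openat_format[] =
	"\tfield:int dfd;\toffset:16;\tsize:8;\tsigned:0;\n"
	"\tfield:const char * filename;\toffset:24;\tsize:8;\tsigned:0;\n";

/* Offset of field `name` in tracefs format text, or -1 if absent. */
static long format_offset(const char *fmt, const char *name)
{
	size_t n = strlen(name);
	const char *p = fmt, *semi;
	long off;
	/* record: "field:<type> <name>; offset:<N>; size:<N>; signed:<N>;" */
	while ((p = strstr(p, "field:")) && (semi = strchr(p, ';'))) {
		if ((size_t)(semi - p) > n + 6 && semi[-(long)n - 1] == ' ' &&
		    !strncmp(semi - n, name, n) &&
		    sscanf(semi, "; offset:%ld;", &off) == 1)
			return off;
		p = semi;
	}
	return -1;
}

int main(void)
{
	printf("tracepoint filename at %ld, old struct flags at %zu\n",
	       format_offset(openat_format, "filename"),
	       offsetof(struct syscalls_enter_open_args, flags));
	return 0;
}
```

The same comparison can be run against the real format file for whichever event a program attaches to, before trusting a hand-written args struct.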