Re: Need help in bpf exec hook for execsnoop command

On Fri, Nov 3, 2023 at 1:57 AM sunil hasbe <sunilhasbe@xxxxxxxxx> wrote:
>
> > Check what error bpf_probe_read_user() returns. If it's -EFAULT, then
> > it's probably the case that user memory is not physically present in
> > memory and needs to be paged in, which is not allowed for
> > non-sleepable BPF programs. So you'd need to make use of
> > bpf_copy_from_user() and use sleepable BPF programs.
>
> Hi Andrii,
>
> We have tried using bpf_probe_read_user and it does not seem to be
> returning any error, instead it returns 0. We are using a

If bpf_probe_read_user() didn't return an error, then the read data should
be valid. If that data is all zeros (empty string?), then I guess env
is empty. I don't know why, you'd need to debug this, but this isn't
a BPF issue, most probably.

> non-sleepable bpf program.
> This looks like a very special case where it is unable to fetch a few
> arguments. This is the same
> behaviour in opensnoop as well. We have tested the test on the 6.2
> kernel as well and seeing the
> same behaviour.
>
> Do you suggest any alternative method to capture arguments in the ebpf
> hooks? Or should we file
> a bug in the kernel ebpf subsystem?




