Hi,

Assume that a kernel function has an input argument (i.e., a pointer), and the function will update the content pointed to by the pointer during execution. My question is how to get the updated content using kprobe.

Take the kernel function path_lookupat as an example:

    static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path)

It looks up the path according to a given file name and stores the found path in the third input argument (i.e., struct path *path). My goal is to get the found path from the third input argument.

I attach my eBPF program to this kernel function using kprobe, and try to print the content of the path argument. However, the content is empty, which is reasonable because the function has not been executed. The following is the code:

    SEC("kprobe/path_lookupat")
    int BPF_KPROBE(path_lookupat, struct nameidata *nd, unsigned flags, struct path *path)
    {
        char fn[127];
        const unsigned char *fn_ptr = BPF_CORE_READ(path, dentry, d_name.name);

        bpf_core_read_str(fn, sizeof(fn), fn_ptr);
        bpf_printk("path_lookupat: %s\n", fn);
        return 0;
    }

Then I try to do that with kretprobe, where the function has been executed, but it seems that I cannot get the input arguments in kretprobe.

Do you have any ideas or suggestions to do that?

Thanks,
rainkin