On 10/27/21 2:01 AM, Yadunandan Pillai wrote:
> I am intercepting sched_wakeup_new and am able to read command line
> arguments for an event using active_mm within the current task_struct.
> However, the maximum size for these arguments is way beyond the stack
> size of an eBPF program. Is there a way to read such a large payload
> into userspace?
>
> I'm trying to maintain backwards compatibility so unfortunately ringbuf
> is not an option for the time being. I've tried reading the payload
> directly into a hashmap, but unfortunately can't read past 512 bytes
> (max buffer size). Is there another way to reserve large amounts of
> memory in a separate location and get a direct reference, so I can read
> into it with something like bpf_probe_read?
>

You can use a per-cpu array as a heap storage for that purpose.
Please refer to Andrii's blog post ([0]) and a real-world application ([1]).

[0]: https://nakryiko.com/posts/bpf-ringbuf/#bpf-perfbuf-bpf-perf-event-output
[1]: https://github.com/iovisor/bcc/blob/master/libbpf-tools/mountsnoop.bpf.c

Cheers,
--
Hengqi
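
The per-cpu array approach from the reply, as an added example that is not part of the thread or of the linked mountsnoop code: a one-slot BPF_MAP_TYPE_PERCPU_ARRAY holds the event, the arguments are read into it with a clamped length, and only the used bytes go out through a perf buffer. ARGS_MAX, struct event, args_len, the map names and the libbpf CO-RE build (vmlinux.h) are assumptions.

```c
/* Added example (not from the thread). ARGS_MAX, struct event and the map
 * names are assumptions. BPF build: clang -O2 -g -target bpf with libbpf. */
#ifdef __bpf__
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_core_read.h>
#endif
#define ARGS_MAX 4096 /* assumed cap on copied bytes */
/* Bytes to copy from [start, end): 0 for an empty or inverted range, never
 * more than ARGS_MAX. Plain C, so it can also be unit-tested on the host. */
static inline __attribute__((always_inline))
unsigned int args_len(unsigned long start, unsigned long end)
{
    unsigned long len = end > start ? end - start : 0;
    return len > ARGS_MAX ? ARGS_MAX : (unsigned int)len;
}

#ifdef __bpf__
struct event { u32 pid; u32 len; char args[ARGS_MAX]; };
struct { /* scratch slot: one struct event per CPU, in map memory, not stack */
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
    __uint(max_entries, 1);
    __type(key, u32);
    __type(value, struct event);
} heap SEC(".maps");

struct { /* perf buffer to user space (ringbuf is ruled out in the question) */
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(key_size, sizeof(u32));
    __uint(value_size, sizeof(u32));
} events SEC(".maps");

SEC("tracepoint/sched/sched_wakeup_new")
int on_wakeup_new(void *ctx)
{
    struct task_struct *t = (void *)bpf_get_current_task();
    unsigned long start = BPF_CORE_READ(t, active_mm, arg_start);
    unsigned long end = BPF_CORE_READ(t, active_mm, arg_end);
    u32 zero = 0, len = args_len(start, end);
    struct event *e = bpf_map_lookup_elem(&heap, &zero);
    if (!e || !len) return 0; /* no slot, or nothing to copy */
    e->pid = bpf_get_current_pid_tgid() >> 32;
    e->len = len;
    if (bpf_probe_read_user(e->args, len, (void *)start)) return 0;
    /* emit the fixed header plus only the bytes actually read */
    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, e, sizeof(*e) - ARGS_MAX + len);
    return 0;
}
char LICENSE[] SEC("license") = "GPL";
#endif
```

The explicit clamp and the zero-length check are what let the verifier bound both the read into the map value and the size passed to bpf_perf_event_output.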