Daniel T. Lee wrote:
> Currently from syscall entry, argument can't be fetched correctly as a
> result of register cleanup.
>
> commit 6b8cf5cc9965 ("x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface")
>
> For example in upper commit, registers are cleaned prior to syscall.
> To be more specific, sys_write syscall has count size as a third argument.
> But this can't be fetched from __x64_sys_enter/__s390x_sys_enter due to
> register cleanup. (e.g. [x86] xorl %r8d, %r8d / [s390x] xgr %r7, %r7)
>
> This commit fix this problem by modifying the trace event to ksys_write
> instead of sys_write syscall entry.
>
> # Wrong example of 'write()' syscall argument fetching
> # ./tracex2
> ...
> pid 50909 cmd dd uid 0
> syscall write() stats
> byte_size : count distribution
> 1 -> 1 : 4968837 |************************************* |
>
> # Successful example of 'write()' syscall argument fetching
> # (dd's write bytes at a time defaults to 512)
> # ./tracex2
> ...
> pid 3095 cmd dd uid 0
> syscall write() stats
> byte_size : count distribution
> ...
> 256 -> 511 : 0 | |
> 512 -> 1023 : 4968844 |************************************* |
>
> Signed-off-by: Daniel T. Lee <danieltimlee@xxxxxxxxx>
> ---
> samples/bpf/tracex2_kern.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/samples/bpf/tracex2_kern.c b/samples/bpf/tracex2_kern.c
> index 5bc696bac27d..96dff3bea227 100644
> --- a/samples/bpf/tracex2_kern.c
> +++ b/samples/bpf/tracex2_kern.c
> @@ -78,7 +78,7 @@ struct {
> __uint(max_entries, 1024);
> } my_hist_map SEC(".maps");
>
> -SEC("kprobe/" SYSCALL(sys_write))
> +SEC("kprobe/ksys_write")
> int bpf_prog3(struct pt_regs *ctx)
> {
> long write_size = PT_REGS_PARM3(ctx);
> --
> 2.32.0
>
LGTM
Acked-by: John Fastabend <john.fastabend@xxxxxxxxx>
