When i was writing my eBPF program, i copied some pieces of code from
syscall_tp, syscall_tp_kern only records how many files are opened, but
mine needs to print file name.I reused struct syscalls_enter_open_args,
which is defined as:
struct syscalls_enter_open_args {
unsigned long long unused;
long syscall_nr;
long filename_ptr;
long flags;
long mode;
};
I tried to use filename_ptr, but it's not the pointer of filename, flags
turns out to be the pointer I'm looking for, there might be something
missed in the struct.
I read the ftrace log, found the missed one is dfd, which is supposed to be
placed in between syscall_nr and filename_ptr.
Actually syscall_tp has nothing to do with dfd, it can run anyway without
it, but it's better to have it to make it a better eBPF sample, especially
to new eBPF programmers, then i fixed it.
Signed-off-by: Song Chen <chensong_2000@xxxxxx>
---
samples/bpf/syscall_tp_kern.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/samples/bpf/syscall_tp_kern.c b/samples/bpf/syscall_tp_kern.c
index 50231c2eff9c..e4ac818aee57 100644
--- a/samples/bpf/syscall_tp_kern.c
+++ b/samples/bpf/syscall_tp_kern.c
@@ -7,6 +7,7 @@
struct syscalls_enter_open_args {
unsigned long long unused;
long syscall_nr;
+ long dfd_ptr;
long filename_ptr;
long flags;
long mode;
--
2.25.1
