
Error digging out d_name from struct file #188

Closed
@brendangregg

Description

Fetching a file pathname from a struct file should be a common routine, but I can't get it to work.

vfs_read.py:

#!/usr/bin/python

from bcc import BPF

# load BPF program; attach_kprobe() also loads run_read into the kernel, so the verifier runs there
b = BPF(src_file="vfs_read.c")
b.attach_kprobe(event="vfs_read", fn_name="run_read")

# print the sixth field of every tuple returned by trace_fields(), forever
while True:
    _task, _pid, _cpu, _flags, _ts, text = b.trace_fields()
    print("got: %s" % text)

vfs_read.c:

# cat vfs_read.c
#include <linux/fs.h>

// kprobe handler: vfs_read.py attaches this to vfs_read(), and it prints the
// name of the file being read through bpf_trace_printk().
void run_read(struct pt_regs *ctx, struct file *file)
{
    // never referenced below
    void *name = 0;

    if (file != NULL && file->f_path.dentry != NULL) {
        // variant reported to load: d_iname is an array embedded in struct dentry
        //bpf_trace_printk("read %s\n", file->f_path.dentry->d_iname);
        // variant the verifier rejects: d_name.name is a pointer stored in the
        // dentry, so reaching it takes a load through a dentry pointer that was
        // itself copied out of kernel memory. The verifier tracks that copied
        // value as a plain number ('inv'), not as a pointer, and refuses the
        // direct load ("R1 invalid mem access 'inv'"). That refusal is the safety
        // check that keeps a BPF program from reading arbitrary kernel addresses.
        // NOTE(review): the usual way through is to copy each pointer hop into a
        // local with bpf_probe_read() before using it -- confirm against the
        // bcc version in use.
        bpf_trace_printk("read %s\n", file->f_path.dentry->d_name.name);
    } else {
        bpf_trace_printk("was null");
    }
}

The commented-out line works, but when I dig one level further, to d_name, it does this:

# ./vfs_read.py 
bpf: Permission denied
0: (bf) r6 = r1
1: (79) r3 = *(u64 *)(r6 +112)
2: (15) if r3 == 0x0 goto pc+29
 R1=ctx R3=inv R6=ctx R10=fp
3: (b7) r7 = 0
4: (7b) *(u64 *)(r10 -8) = r7
5: (7b) *(u64 *)(r10 -16) = r7
6: (07) r3 += 16
7: (bf) r1 = r10
8: (07) r1 += -16
9: (b7) r2 = 16
10: (85) call 4
11: (79) r1 = *(u64 *)(r10 -8)
12: (15) if r1 == 0x0 goto pc+19
 R0=inv R1=inv R6=ctx R7=imm0 R10=fp
13: (18) r1 = 0x64616572
15: (7b) *(u64 *)(r10 -32) = r1
16: (73) *(u8 *)(r10 -24) = r7
17: (7b) *(u64 *)(r10 -40) = r7
18: (7b) *(u64 *)(r10 -48) = r7
19: (79) r3 = *(u64 *)(r6 +112)
20: (07) r3 += 16
21: (bf) r1 = r10
22: (07) r1 += -48
23: (b7) r2 = 16
24: (85) call 4
25: (79) r1 = *(u64 *)(r10 -40)
26: (79) r3 = *(u64 *)(r1 +40)
R1 invalid mem access 'inv'

Traceback (most recent call last):
  File "./vfs_read.py", line 7, in <module>
    b.attach_kprobe(event="vfs_read", fn_name="run_read")
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 424, in attach_kprobe
    fn = self.load_func(fn_name, BPF.KPROBE)
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 320, in load_func
    raise Exception("Failed to load BPF program %s" % func_name)
Exception: Failed to load BPF program run_read

Maybe I'm doing it wrong?
