ply 'kprobe:do_sys_open { printf("%v(%v): %s\n", comm, uid, str(arg1)); }' can not print filename #87

Open
wanlon opened this issue Jun 6, 2023 · 4 comments

wanlon commented Jun 6, 2023

Hi, I cannot print the filename on my x86 arch system.

ismhong commented Jun 6, 2023

This issue should be related to commit 17864b9 ("ply: Use new read_kernel variants").

According to the definition of do_sys_open below, the argument *filename is declared with the attribute __user, so we need to use the BPF helpers bpf_probe_read_user() / bpf_probe_read_str().

long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode);

For a local test, you can just revert commit 17864b9 ("ply: Use new read_kernel variants"), and it should work correctly.

# sudo ./ply 'kprobe:do_sys_open* { printf("%v(%v): %s\n", comm, uid, str(arg1)); }'
device poll    (1000): /dev/bus/usb
device poll    (1000): /dev/bus/usb/002
device poll    (1000): /dev/bus/usb/002/002
device poll    (1000): /dev/bus/usb/002/001
device poll    (1000): /dev/bus/usb/001
device poll    (1000): /dev/bus/usb/001/003

The solution should be something done in bpftrace below, adding syntax to let the user specify the reading source from user/kernel space.

Hi @wkz, could you please give some advice on this? Thank you. :)

This issue should be similar to #85.

wanlon commented Jun 7, 2023

This error does not happen on arm64 arch.

wanlon commented Jun 7, 2023

Hi, I tried again according to your instructions and solved the problem I mentioned.

stschake commented Oct 4, 2023

I've been working on bringing back userland probes and as part of that added a "uptr" mechanism:

stschake@31d75fd

(sorry, this commit is not all of it - also needs the prev commit adding the "user" hint)

This allows for a probe like 'kprobe:do_sys_open { printf("%v(%v): %s\n", comm, uid, str(uptr(arg1))); }' and will correctly print the filename.
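
An added example, not from this thread or the ply project: a small C helper that reads a kernel prototype such as the do_sys_open declaration quoted above and reports, per zero-based argument index, whether a string read has to go through the user-space or the kernel-space BPF helper. The enum and function names are hypothetical, and it assumes prototypes without function-pointer parameters.

```c
/* Added example, not ply code: map argN's __user annotation to a BPF helper. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum read_src { SRC_NO_SUCH_ARG, SRC_NOT_POINTER, SRC_KERNEL, SRC_USER };
static int ident_char(char c) { return isalnum((unsigned char)c) || c == '_'; }

/* True if tok occurs in s[0..len) as a whole identifier, not a substring. */
static int has_token(const char *s, size_t len, const char *tok)
{
    size_t n = strlen(tok);
    for (size_t i = 0; i + n <= len; i++)
        if (strncmp(s + i, tok, n) == 0 && !(i > 0 && ident_char(s[i - 1])) &&
            !(i + n < len && ident_char(s[i + n])))
            return 1;
    return 0;
}

/* argn is zero-based like ply's arg0, arg1. Assumes no function-pointer params. */
enum read_src arg_read_source(const char *proto, int argn)
{
    const char *p = strchr(proto, '(');
    if (!p || argn < 0)
        return SRC_NO_SUCH_ARG;
    size_t len = strcspn(++p, ",)");
    for (int i = 0; i < argn; i++) {
        if (p[len] != ',')          /* ran past the last parameter */
            return SRC_NO_SUCH_ARG;
        p += len + 1;
        len = strcspn(p, ",)");
    }
    if (!memchr(p, '*', len))
        return SRC_NOT_POINTER;     /* scalar: nothing to dereference */
    return has_token(p, len, "__user") ? SRC_USER : SRC_KERNEL;
}

const char *str_helper_for(enum read_src src)
{
    if (src == SRC_USER)   return "bpf_probe_read_user_str";
    if (src == SRC_KERNEL) return "bpf_probe_read_kernel_str";
    return "none";                  /* not a pointer, or no such argument */
}

int main(void)
{
    const char *proto = "long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode);";
    for (int i = 0; i < 5; i++)
        printf("arg%d: %s\n", i, str_helper_for(arg_read_source(proto, i)));
    return 0;
}
```

For the prototype in this issue, only arg1 is classified as a user pointer, which is the argument the probe above passes to str().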
