fs_watcher:修复跟踪write系统调用时的错误 #928

Closed
wants to merge 1 commit into from
14 changes: 6 additions & 8 deletions eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.bpf.c
Expand Up @@ -20,16 +20,13 @@ struct {
SEC("kprobe/do_sys_openat2")
int BPF_KPROBE(do_sys_openat2)
{
int value = 1;
struct fs_t *e;
pid_t pid;

pid = bpf_get_current_pid_tgid() >> 32;

int fd = PT_REGS_RC(ctx);
if(fd >= 0){
//将PID和文件描述符存入哈希映射
e->fd = fd;
bpf_map_update_elem(&data,&pid,&value,BPF_ANY);
bpf_map_update_elem(&data,&pid,&fd,BPF_ANY);
}
return 0;
}
Expand All @@ -49,14 +46,14 @@ int kprobe_vfs_write(struct pt_regs *ctx)

//探测的是第三个参数,要写入的字节数
size_t count = (size_t)PT_REGS_PARM3(ctx);

//这是vfs_write的返回值,它是一个实际写入的字节数
size_t real_count = PT_REGS_RC(ctx);

pid = bpf_get_current_pid_tgid() >> 32;

fd_ptr = bpf_map_lookup_elem(&data,&pid);

e = bpf_ringbuf_reserve(&rb,sizeof(*e),0);

if(!e)
Expand All @@ -68,6 +65,7 @@ int kprobe_vfs_write(struct pt_regs *ctx)
e->real_count = real_count;
e->count = count;
e->pid = pid;
bpf_ringbuf_submit(e, 0);
}
return 0;
}
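Review bot: `PT_REGS_RC(ctx)` in `do_sys_openat2` is read from a handler attached with `SEC("kprobe/do_sys_openat2")`, which fires at function entry, so the return register does not yet hold the new file descriptor and the value written to `data` is whatever was left there. The handler should attach at return instead, e.g. `SEC("kretprobe/do_sys_openat2")` with `int BPF_KRETPROBE(do_sys_openat2_exit, long fd)`, keeping the existing `fd >= 0` check before the map update. `kprobe_vfs_write` reads both `PT_REGS_PARM3(ctx)` and `PT_REGS_RC(ctx)` in one handler; its `SEC` line is outside the visible hunks, but only one of the two can be valid at a single attach point, so either `count` or `real_count` is likely unreliable as well. Because `data` is keyed by PID alone, each successful open also overwrites the previous descriptor for that process, so the fd attached to a write event should not be treated as trustworthy monitoring evidence until the key identifies the individual call (for example the full `pid_tgid` value).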