Access to struct with kprobe
Bilal
Dear all,

I'm a student at Paris-VI University and I'm currently working on a project involving eBPF with the Linux network stack, and I need some guidance. If we attach the eBPF program to a kprobe and try to access a structure that does not exist in the declaration of the function in the Linux kernel, how will the eBPF instance behave in this case?

(e.g.: kprobe__inet_sendmsg(struct pt_regs *ctx, struct sock *sk) // int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) // I know that we can access the "struct sock" through the "struct socket")

Thanks in advance for your help,
Best regards,
Bilal
Yonghong Song
On Wed, Apr 18, 2018 at 9:17 AM, Aharram Bilal via iovisor-dev <iovisor-dev@...> wrote: Dear all

You can access through arguments or through the "current" task pointer. What exactly do you want to access, and on which kprobe? More information will help people to understand your problems.
Teng Qin
BPF does not understand function signatures. A BPF program has access to the register context (struct pt_regs *ctx). If you use BCC, when you initiate (compile) your BPF program, the compiler rewrites the function argument accesses to the corresponding accesses to registers according to the calling convention (see https://github.com/iovisor/bcc/blob/master/src/cc/export/helpers.h#L639 for different archs). For example, on x64 and your inet_sendmsg function, your access to sock->some_field will be translated to *(ctx->di + offsetof(struct socket, some_field)).

To answer your question in short: if you are accessing the third argument and it doesn't exist, you will be equivalently accessing the register, like ctx->dx on x64, and get whatever value it contains.

On Wed, Apr 18, 2018 at 12:17 PM, Aharram Bilal via iovisor-dev <iovisor-dev@...> wrote: Dear all
Paul Chaignon
On Wed, Apr 18, 2018 at 6:17 PM, Aharram Bilal via iovisor-dev <iovisor-dev@...> wrote:
From the "kprobe__" syntax, I'm guessing that you're using bcc. The bcc rewriter will replace the second argument of your function with a dereference on ctx (ctx->di on x86) [1]. It won't check that the type is coherent. Then, when reading from sk, you will retrieve incorrect values and the verifier may even reject your program because you're trying to do with struct sock something that is invalid with struct socket.
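The register mapping described in the replies above, as an added example that is not part of the original thread or of bcc: a user-space C simulation of what a probe reads when it declares `struct sock *sk` for a function whose first argument is a `struct socket *`. The struct layouts, `probe_read` (a stand-in for `bpf_probe_read`), `demo_ctx` and the sample values are assumptions constructed for illustration; `cx` as the fourth argument register follows the x86-64 calling convention.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, NOT the kernel's layouts; only the idea matters. */
struct sock   { uint32_t family; uint32_t dport; };
struct socket { uint32_t state; uint32_t type; struct sock *sk; };
struct regs   { uint64_t di, si, dx, cx; };  /* x86-64 argument registers 1..4 */

/* Stand-in for bpf_probe_read(): copy n bytes from a raw address. */
static void probe_read(void *dst, size_t n, uint64_t addr)
{ memcpy(dst, (const void *)(uintptr_t)addr, n); }

/* Probe declared with `struct sock *sk`: di is used as-is, no type check. */
static uint32_t family_via_wrong_type(const struct regs *ctx)
{
    uint32_t v;  /* lands at offset 0 of what is really a struct socket */
    probe_read(&v, sizeof v, ctx->di + offsetof(struct sock, family));
    return v;
}

/* Probe declared with the real type: follow socket->sk, then read family. */
static uint32_t family_via_socket(const struct regs *ctx)
{
    struct sock *sk;
    uint32_t v;
    probe_read(&sk, sizeof sk, ctx->di + offsetof(struct socket, sk));
    probe_read(&v, sizeof v, (uintptr_t)sk + offsetof(struct sock, family));
    return v;
}

/* A declared argument the kernel function lacks: a plain register read. */
static uint64_t fourth_arg(const struct regs *ctx) { return ctx->cx; }

static const struct regs *demo_ctx(void)  /* entry to inet_sendmsg(sock, msg, 64) */
{
    static struct sock sk = { 2, 443 };         /* constructed: family 2 (AF_INET) */
    static struct socket sock = { 3, 1, &sk };  /* constructed: state 3 */
    static struct regs r = { 0, 0, 64, 0xdeadbeef };  /* cx: stale, call has 3 args */
    r.di = (uintptr_t)&sock;
    return &r;
}

int main(void)
{
    printf("wrong=%u right=%u arg4=%#llx\n", family_via_wrong_type(demo_ctx()),
           family_via_socket(demo_ctx()), (unsigned long long)fourth_arg(demo_ctx()));
    return 0;
}
```

On the constructed sample the mistyped probe reports 3 (the socket's state field) where the correctly typed probe reports 2, and the nonexistent fourth argument returns whatever was left in the register.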
Bilal
Thank you very much for your reply. It is more clear now.

Best regards

On Wed, Apr 18, 2018 at 18:17, Aharram Bilal <bilal.aharram@...> wrote: