From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, Jiri Olsa, Ian Rogers, Adrian Hunter, Kan Liang, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, Alan Maguire, Howard Chu, Andrii Nakryiko
Subject: [PATCH 1/2] perf trace augmented_syscalls.bpf: Move the renameat augmenter to renameat2, temporarily
Date: Fri, 6 Sep 2024 16:50:19 -0300
Message-ID: <20240906195020.481841-2-acme@kernel.org>
In-Reply-To: <20240906195020.481841-1-acme@kernel.org>
References: <20240906195020.481841-1-acme@kernel.org>

From: Arnaldo Carvalho de Melo

While trying to shape Howard Chu's generic BPF augmenter transition into
the codebase I got stuck with the renameat2 syscall.

Until I noticed that the attempt at reusing augmenters was making it
use the 'openat' syscall augmenter, that collects just one string syscall
arg, for the 'renameat2' syscall, that takes two strings.

So, for the moment, just to help in this transition period, since
'renameat2' is what is used these days in the 'mv' utility, just make the
BPF collector be associated with the more widely used syscall, hopefully
the transition to Howard's generic BPF augmenter will cure this, so get
this out of the way for now!

So now we still have that odd "reuse", but for something we're not
testing so won't get in the way anymore:

  root@number:~# rm -f 987654 ; touch 123456 ; perf trace -vv -e rename* mv 123456 987654 |& grep renameat
  Reusing "openat" BPF sys_enter augmenter for "renameat"
       0.000 ( 0.079 ms): mv/1158612 renameat2(olddfd: CWD, oldname: "123456", newdfd: CWD, newname: "987654", flags: NOREPLACE) = 0
  root@number:~#

Cc: Adrian Hunter
Cc: Howard Chu
Cc: Ian Rogers
Cc: Jiri Olsa
Cc: Kan Liang
Cc: Namhyung Kim
Cc: Andrii Nakryiko
Cc: Alan Maguire
Signed-off-by: Arnaldo Carvalho de Melo
Reviewed-by: Ian Rogers
--- tools/perf/util/bpf_skel/augmented_raw_syscalls.bpf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/perf/util/bpf_skel/augmented_raw_syscalls.bpf.c b/tools/= perf/util/bpf_skel/augmented_raw_syscalls.bpf.c index 0acbd74e8c760956..0f9bd2690d4e5295 100644 --- a/tools/perf/util/bpf_skel/augmented_raw_syscalls.bpf.c +++ b/tools/perf/util/bpf_skel/augmented_raw_syscalls.bpf.c 
@@ -260,8 +260,8 @@ int sys_enter_rename(struct syscall_enter_args *args) return augmented__output(args, augmented_args, len); } =20 -SEC("tp/syscalls/sys_enter_renameat") -int sys_enter_renameat(struct syscall_enter_args *args) +SEC("tp/syscalls/sys_enter_renameat2") +int sys_enter_renameat2(struct syscall_enter_args *args) { struct augmented_args_payload *augmented_args =3D augmented_args_payload(= ); const void *oldpath_arg =3D (const void *)args->args[1], --=20 2.46.0
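
Review bot: The renamed `SEC("tp/syscalls/sys_enter_renameat2")` handler carries no comment saying the move is temporary, and once it is renamed `renameat` has no handler of its own: the commit message's own trace shows 'Reusing "openat" BPF sys_enter augmenter for "renameat"', an augmenter that collects one string for a syscall that takes two. renameat and renameat2 take the paths at the same argument positions (the hunk reads the old path from `args->args[1]`), so consider keeping a `sys_enter_renameat` section that shares this body, or at least add a comment above the SEC line recording that renameat is left to the reused augmenter until the generic one lands.
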

From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, Jiri Olsa, Ian Rogers, Adrian Hunter, Kan Liang, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, Howard Chu, Andrii Nakryiko, Alan Maguire
Subject: [PATCH 2/2] perf trace: Use a common encoding for augmented arguments, with size + error + payload
Date: Fri, 6 Sep 2024 16:50:20 -0300
Message-ID: <20240906195020.481841-3-acme@kernel.org>
In-Reply-To: <20240906195020.481841-1-acme@kernel.org>
References: <20240906195020.481841-1-acme@kernel.org>

From: Arnaldo Carvalho de Melo

We were using a more compact format, without explicitly encoding the
size and possible error in the payload for an argument.

To do it generically, at least as Howard Chu did in his GSoC activities,
it is more convenient to use the same model that was being used for
string arguments, passing { size, error, payload }.

So use that for the non string syscall args we have so far:

  struct timespec
  struct perf_event_attr
  struct sockaddr (this one has even a variable size)

With this in place we have the userspace pretty printers:

  perf_event_attr___scnprintf()
  syscall_arg__scnprintf_augmented_sockaddr()
  syscall_arg__scnprintf_augmented_timespec()

Ready to have the generic BPF collector in
tools/perf/util/bpf_skel/augmented_raw_syscalls.bpf.c sending its generic
payload and thus we'll use them instead of a generic libbpf btf_dump
interface that doesn't know about the sockaddr mux, perf_event_attr
non-trivial fields (sample_type, etc), leaving it as a (useful) fallback
that prints just basic types until we put in place a more sophisticated
pretty printer infrastructure that associates synthesized enums to
struct fields using the header scrapers we have in
tools/perf/trace/beauty/, some of them in this list:

  $ ls tools/perf/trace/beauty/*.sh
  tools/perf/trace/beauty/arch_errno_names.sh
  tools/perf/trace/beauty/kcmp_type.sh
  tools/perf/trace/beauty/perf_ioctl.sh
  tools/perf/trace/beauty/statx_mask.sh
  tools/perf/trace/beauty/clone.sh
  tools/perf/trace/beauty/kvm_ioctl.sh
  tools/perf/trace/beauty/pkey_alloc_access_rights.sh
  tools/perf/trace/beauty/sync_file_range.sh
  tools/perf/trace/beauty/drm_ioctl.sh
  tools/perf/trace/beauty/madvise_behavior.sh
  tools/perf/trace/beauty/prctl_option.sh
  tools/perf/trace/beauty/usbdevfs_ioctl.sh
  tools/perf/trace/beauty/fadvise.sh
  tools/perf/trace/beauty/mmap_flags.sh
  tools/perf/trace/beauty/rename_flags.sh
  tools/perf/trace/beauty/vhost_virtio_ioctl.sh
  tools/perf/trace/beauty/fs_at_flags.sh
  tools/perf/trace/beauty/mmap_prot.sh
  tools/perf/trace/beauty/sndrv_ctl_ioctl.sh
  tools/perf/trace/beauty/x86_arch_prctl.sh
  tools/perf/trace/beauty/fsconfig.sh
  tools/perf/trace/beauty/mount_flags.sh
  tools/perf/trace/beauty/sndrv_pcm_ioctl.sh
  tools/perf/trace/beauty/fsmount.sh
  tools/perf/trace/beauty/move_mount_flags.sh
  tools/perf/trace/beauty/sockaddr.sh
  tools/perf/trace/beauty/fspick.sh
  tools/perf/trace/beauty/mremap_flags.sh
  tools/perf/trace/beauty/socket.sh
  $

Testing it:

  root@number:~# rm -f 987654 ; touch 123456 ; perf trace -e rename* mv 123456 987654
       0.000 ( 0.031 ms): mv/1193096 renameat2(olddfd: CWD, oldname: "123456", newdfd: CWD, newname: "987654", flags: NOREPLACE) = 0
  root@number:~# perf trace -e *nanosleep sleep 1.2345678901
       0.000 (1234.654 ms): sleep/1192697 clock_nanosleep(rqtp: { .tv_sec: 1, .tv_nsec: 234567891 }, rmtp: 0x7ffe1ea80460) = 0
  root@number:~# perf trace -e perf_event_open* perf stat -e cpu-clock sleep 1
       0.000 ( 0.011 ms): perf/1192701 perf_event_open(attr_uptr: { type: 1 (software), size: 136, config: 0 (PERF_COUNT_SW_CPU_CLOCK), sample_type: IDENTIFIER, read_format: TOTAL_TIME_ENABLED|TOTAL_TIME_RUNNING, disabled: 1, inherit: 1, enable_on_exec: 1, exclude_guest: 1 }, pid: 1192702 (perf), cpu: -1, group_fd: -1, flags: FD_CLOEXEC) = 3

   Performance counter stats for 'sleep 1':

                0.51 msec cpu-clock                        #    0.001 CPUs utilized

         1.001242090 seconds time elapsed

         0.000000000 seconds user
         0.001010000 seconds sys

  root@number:~# perf trace -e connect* ping -c 1 bsky.app
       0.000 ( 0.130 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: LOCAL, path: /run/systemd/resolve/io.systemd.Resolve }, addrlen: 42) = 0
      23.907 ( 0.006 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: INET, port: 0, addr: 3.20.108.158 }, addrlen: 16) = 0
      23.915 PING bsky.app (3.20.108.158) 56(84) bytes of data.
  ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: UNSPEC }, addrlen: 16) = 0
      23.917 ( 0.002 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: INET, port: 0, addr: 3.12.170.30 }, addrlen: 16) = 0
      23.921 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: UNSPEC }, addrlen: 16) = 0
      23.923 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: INET, port: 0, addr: 18.217.70.179 }, addrlen: 16) = 0
      23.925 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: UNSPEC }, addrlen: 16) = 0
      23.927 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: INET, port: 0, addr: 3.132.20.46 }, addrlen: 16) = 0
      23.930 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: UNSPEC }, addrlen: 16) = 0
      23.931 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: INET, port: 0, addr: 3.142.89.165 }, addrlen: 16) = 0
      23.934 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: UNSPEC }, addrlen: 16) = 0
      23.935 ( 0.002 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: INET, port: 0, addr: 18.119.147.159 }, addrlen: 16) = 0
      23.938 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: UNSPEC }, addrlen: 16) = 0
      23.940 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: INET, port: 0, addr: 3.22.38.164 }, addrlen: 16) = 0
      23.942 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: UNSPEC }, addrlen: 16) = 0
      23.944 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: INET, port: 0, addr: 3.13.14.133 }, addrlen: 16) = 0
      23.956 ( 0.001 ms): ping/1192740 connect(fd: 5, uservaddr: { .family: INET, port: 1025, addr: 3.20.108.158 }, addrlen: 16) = 0
  ^C
  --- bsky.app ping statistics ---
  1 packets transmitted, 0 received, 100% packet loss, time 0ms

  root@number:~#

Cc: Adrian Hunter
Cc: Howard Chu
Cc: Ian Rogers
Cc: Jiri Olsa
Cc: Kan Liang
Cc: Namhyung Kim
Cc: Andrii Nakryiko
Cc: Alan Maguire
Signed-off-by: Arnaldo Carvalho de Melo Reviewed-by: Ian Rogers --- tools/perf/trace/beauty/perf_event_open.c | 2 +- tools/perf/trace/beauty/sockaddr.c | 2 +- tools/perf/trace/beauty/timespec.c | 2 +- .../bpf_skel/augmented_raw_syscalls.bpf.c | 104 +++++++++++------- 4 files changed, 66 insertions(+), 44 deletions(-) diff --git a/tools/perf/trace/beauty/perf_event_open.c b/tools/perf/trace/b= eauty/perf_event_open.c index 01ee15fe9d0c7a98..632237128640dbb4 100644 --- a/tools/perf/trace/beauty/perf_event_open.c +++ b/tools/perf/trace/beauty/perf_event_open.c @@ -76,7 +76,7 @@ static size_t perf_event_attr___scnprintf(struct perf_eve= nt_attr *attr, char *bf =20 static size_t syscall_arg__scnprintf_augmented_perf_event_attr(struct sysc= all_arg *arg, char *bf, size_t size) { - return perf_event_attr___scnprintf((void *)arg->augmented.args, bf, size,= arg->trace->show_zeros); + return perf_event_attr___scnprintf((void *)arg->augmented.args->value, bf= , size, arg->trace->show_zeros); } =20 static size_t syscall_arg__scnprintf_perf_event_attr(char *bf, size_t size= , struct syscall_arg *arg) diff --git a/tools/perf/trace/beauty/sockaddr.c b/tools/perf/trace/beauty/s= ockaddr.c index 2e0e867c0c1b879a..a17a27ac2a6ff1c4 100644 --- a/tools/perf/trace/beauty/sockaddr.c +++ b/tools/perf/trace/beauty/sockaddr.c @@ -47,7 +47,7 @@ static size_t (*af_scnprintfs[])(struct sockaddr *sa, cha= r *bf, size_t size) =3D { =20 static size_t syscall_arg__scnprintf_augmented_sockaddr(struct syscall_arg= *arg, char *bf, size_t size) { - struct sockaddr *sa =3D (struct sockaddr *)arg->augmented.args; + struct sockaddr *sa =3D (struct sockaddr *)&arg->augmented.args->value; char family[32]; size_t printed; =20 diff --git a/tools/perf/trace/beauty/timespec.c b/tools/perf/trace/beauty/t= imespec.c index e1a61f092aad8b23..b14ab72a2738efd9 100644 --- a/tools/perf/trace/beauty/timespec.c +++ b/tools/perf/trace/beauty/timespec.c 
@@ -7,7 +7,7 @@ =20 static size_t syscall_arg__scnprintf_augmented_timespec(struct syscall_arg= *arg, char *bf, size_t size) { - struct timespec *ts =3D (struct timespec *)arg->augmented.args; + struct timespec *ts =3D (struct timespec *)arg->augmented.args->value; =20 return scnprintf(bf, size, "{ .tv_sec: %" PRIu64 ", .tv_nsec: %" PRIu64 "= }", ts->tv_sec, ts->tv_nsec); } diff --git a/tools/perf/util/bpf_skel/augmented_raw_syscalls.bpf.c b/tools/= perf/util/bpf_skel/augmented_raw_syscalls.bpf.c index 0f9bd2690d4e5295..9c7d2f8552945695 100644 --- a/tools/perf/util/bpf_skel/augmented_raw_syscalls.bpf.c +++ b/tools/perf/util/bpf_skel/augmented_raw_syscalls.bpf.c @@ -10,6 +10,9 @@ #include #include =20 +#define PERF_ALIGN(x, a) __PERF_ALIGN_MASK(x, (typeof(x))(a)-1) +#define __PERF_ALIGN_MASK(x, mask) (((x)+(mask))&~(mask)) + /** * is_power_of_2() - check if a value is a power of two * @n: the value to check @@ -66,19 +69,6 @@ struct syscall_exit_args { long ret; }; =20 -struct augmented_arg { - unsigned int size; - int err; - char value[PATH_MAX]; -}; - -struct pids_filtered { - __uint(type, BPF_MAP_TYPE_HASH); - __type(key, pid_t); - __type(value, bool); - __uint(max_entries, 64); -} pids_filtered SEC(".maps"); - /* * Desired design of maximum size and alignment (see RFC2553) */ 
@@ -105,17 +95,27 @@ struct sockaddr_storage { }; }; =20 -struct augmented_args_payload { - struct syscall_enter_args args; - union { - struct { - struct augmented_arg arg, arg2; - }; +struct augmented_arg { + unsigned int size; + int err; + union { + char value[PATH_MAX]; struct sockaddr_storage saddr; - char __data[sizeof(struct augmented_arg)]; }; }; =20 +struct pids_filtered { + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, pid_t); + __type(value, bool); + __uint(max_entries, 64); +} pids_filtered SEC(".maps"); + +struct augmented_args_payload { + struct syscall_enter_args args; + struct augmented_arg arg, arg2; // We have to reserve space for two argum= ents (rename, etc) +}; + // We need more tmp space than the BPF stack can give us struct augmented_args_tmp { __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); @@ -182,15 +182,17 @@ int sys_enter_connect(struct syscall_enter_args *args) struct augmented_args_payload *augmented_args =3D augmented_args_payload(= ); const void *sockaddr_arg =3D (const void *)args->args[1]; unsigned int socklen =3D args->args[2]; - unsigned int len =3D sizeof(augmented_args->args); + unsigned int len =3D sizeof(u64) + sizeof(augmented_args->args); // the s= ize + err in all 'augmented_arg' structs =20 if (augmented_args =3D=3D NULL) return 1; /* Failure: don't filter */ =20 - _Static_assert(is_power_of_2(sizeof(augmented_args->saddr)), "sizeof(augm= ented_args->saddr) needs to be a power of two"); - socklen &=3D sizeof(augmented_args->saddr) - 1; + _Static_assert(is_power_of_2(sizeof(augmented_args->arg.saddr)), "sizeof(= augmented_args->arg.saddr) needs to be a power of two"); + socklen &=3D sizeof(augmented_args->arg.saddr) - 1; =20 - bpf_probe_read_user(&augmented_args->saddr, socklen, sockaddr_arg); + bpf_probe_read_user(&augmented_args->arg.saddr, socklen, sockaddr_arg); + augmented_args->arg.size =3D socklen; + augmented_args->arg.err =3D 0; =20 return augmented__output(args, augmented_args, len + socklen); } 
@@ -201,14 +203,14 @@ int sys_enter_sendto(struct syscall_enter_args *args) struct augmented_args_payload *augmented_args =3D augmented_args_payload(= ); const void *sockaddr_arg =3D (const void *)args->args[4]; unsigned int socklen =3D args->args[5]; - unsigned int len =3D sizeof(augmented_args->args); + unsigned int len =3D sizeof(u64) + sizeof(augmented_args->args); // the s= ize + err in all 'augmented_arg' structs =20 if (augmented_args =3D=3D NULL) return 1; /* Failure: don't filter */ =20 - socklen &=3D sizeof(augmented_args->saddr) - 1; + socklen &=3D sizeof(augmented_args->arg.saddr) - 1; =20 - bpf_probe_read_user(&augmented_args->saddr, socklen, sockaddr_arg); + bpf_probe_read_user(&augmented_args->arg.saddr, socklen, sockaddr_arg); =20 return augmented__output(args, augmented_args, len + socklen); } 
@@ -249,13 +251,23 @@ int sys_enter_rename(struct syscall_enter_args *args) struct augmented_args_payload *augmented_args =3D augmented_args_payload(= ); const void *oldpath_arg =3D (const void *)args->args[0], *newpath_arg =3D (const void *)args->args[1]; - unsigned int len =3D sizeof(augmented_args->args), oldpath_len; + unsigned int len =3D sizeof(augmented_args->args), oldpath_len, newpath_l= en; =20 if (augmented_args =3D=3D NULL) return 1; /* Failure: don't filter */ =20 + len +=3D 2 * sizeof(u64); // The overhead of size and err, just before th= e payload... + oldpath_len =3D augmented_arg__read_str(&augmented_args->arg, oldpath_arg= , sizeof(augmented_args->arg.value)); - len +=3D oldpath_len + augmented_arg__read_str((void *)(&augmented_args->= arg) + oldpath_len, newpath_arg, sizeof(augmented_args->arg.value)); + augmented_args->arg.size =3D PERF_ALIGN(oldpath_len + 1, sizeof(u64)); + len +=3D augmented_args->arg.size; + + struct augmented_arg *arg2 =3D (void *)&augmented_args->arg.value + augme= nted_args->arg.size; + + newpath_len =3D augmented_arg__read_str(arg2, newpath_arg, sizeof(augment= ed_args->arg.value)); + arg2->size =3D newpath_len; + + len +=3D newpath_len; =20 return augmented__output(args, augmented_args, len); } 
@@ -266,13 +278,23 @@ int sys_enter_renameat2(struct syscall_enter_args *ar= gs) struct augmented_args_payload *augmented_args =3D augmented_args_payload(= ); const void *oldpath_arg =3D (const void *)args->args[1], *newpath_arg =3D (const void *)args->args[3]; - unsigned int len =3D sizeof(augmented_args->args), oldpath_len; + unsigned int len =3D sizeof(augmented_args->args), oldpath_len, newpath_l= en; =20 if (augmented_args =3D=3D NULL) return 1; /* Failure: don't filter */ =20 + len +=3D 2 * sizeof(u64); // The overhead of size and err, just before th= e payload... + oldpath_len =3D augmented_arg__read_str(&augmented_args->arg, oldpath_arg= , sizeof(augmented_args->arg.value)); - len +=3D oldpath_len + augmented_arg__read_str((void *)(&augmented_args->= arg) + oldpath_len, newpath_arg, sizeof(augmented_args->arg.value)); + augmented_args->arg.size =3D PERF_ALIGN(oldpath_len + 1, sizeof(u64)); + len +=3D augmented_args->arg.size; + + struct augmented_arg *arg2 =3D (void *)&augmented_args->arg.value + augme= nted_args->arg.size; + + newpath_len =3D augmented_arg__read_str(arg2, newpath_arg, sizeof(augment= ed_args->arg.value)); + arg2->size =3D newpath_len; + + len +=3D newpath_len; =20 return augmented__output(args, augmented_args, len); } 
@@ -293,26 +315,26 @@ int sys_enter_perf_event_open(struct syscall_enter_ar= gs *args) { struct augmented_args_payload *augmented_args =3D augmented_args_payload(= ); const struct perf_event_attr_size *attr =3D (const struct perf_event_attr= _size *)args->args[0], *attr_read; - unsigned int len =3D sizeof(augmented_args->args); + unsigned int len =3D sizeof(u64) + sizeof(augmented_args->args); // the s= ize + err in all 'augmented_arg' structs =20 if (augmented_args =3D=3D NULL) goto failure; =20 - if (bpf_probe_read_user(&augmented_args->__data, sizeof(*attr), attr) < 0) + if (bpf_probe_read_user(&augmented_args->arg.value, sizeof(*attr), attr) = < 0) goto failure; =20 - attr_read =3D (const struct perf_event_attr_size *)augmented_args->__data; + attr_read =3D (const struct perf_event_attr_size *)augmented_args->arg.va= lue; =20 __u32 size =3D attr_read->size; =20 if (!size) size =3D PERF_ATTR_SIZE_VER0; =20 - if (size > sizeof(augmented_args->__data)) + if (size > sizeof(augmented_args->arg.value)) goto failure; =20 // Now that we read attr->size and tested it against the size limits, rea= d it completely - if (bpf_probe_read_user(&augmented_args->__data, size, attr) < 0) + if (bpf_probe_read_user(&augmented_args->arg.value, size, attr) < 0) goto failure; =20 return augmented__output(args, augmented_args, len + size); 
@@ -325,16 +347,16 @@ int sys_enter_clock_nanosleep(struct syscall_enter_ar= gs *args) { struct augmented_args_payload *augmented_args =3D augmented_args_payload(= ); const void *rqtp_arg =3D (const void *)args->args[2]; - unsigned int len =3D sizeof(augmented_args->args); + unsigned int len =3D sizeof(u64) + sizeof(augmented_args->args); // the s= ize + err in all 'augmented_arg' structs __u32 size =3D sizeof(struct timespec64); =20 if (augmented_args =3D=3D NULL) goto failure; =20 - if (size > sizeof(augmented_args->__data)) + if (size > sizeof(augmented_args->arg.value)) goto failure; =20 - bpf_probe_read_user(&augmented_args->__data, size, rqtp_arg); + bpf_probe_read_user(&augmented_args->arg.value, size, rqtp_arg); =20 return augmented__output(args, augmented_args, len + size); failure: @@ -352,10 +374,10 @@ int sys_enter_nanosleep(struct syscall_enter_args *ar= gs) if (augmented_args =3D=3D NULL) goto failure; =20 - if (size > sizeof(augmented_args->__data)) + if (size > sizeof(augmented_args->arg.value)) goto failure; =20 - bpf_probe_read_user(&augmented_args->__data, size, req_arg); + bpf_probe_read_user(&augmented_args->arg.value, size, req_arg); =20 return augmented__output(args, augmented_args, len + size); failure: --=20 2.46.0
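
Review bot: In the three tools/perf/trace/beauty hunks (perf_event_open.c, sockaddr.c, timespec.c) the printers now step past the header to `arg->augmented.args->value`, but none of the changed lines consults `augmented.args->size` or `->err` before casting the payload to `struct perf_event_attr`, `struct sockaddr` or `struct timespec`. With the size now carried in every record, compare it with the size of the struct being printed and skip the pretty printer on a non-zero err, so a short or failed copy is not formatted as if it were complete. Style point: sockaddr.c takes `&arg->augmented.args->value` while the other two use `arg->augmented.args->value`; pick one form.
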
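
Review bot: In sys_enter_sendto the extra `sizeof(u64)` is added to `len`, but unlike sys_enter_connect the hunk never assigns `augmented_args->arg.size` or `augmented_args->arg.err`, so the header userspace now skips over holds whatever the per-CPU buffer last contained. Set both after the `bpf_probe_read_user()` call, as the connect hunk does. In both handlers the return value of `bpf_probe_read_user()` is dropped and connect hard-codes `arg.err = 0`; storing that return value in `arg.err` is what the new field is there for.
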
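
Review bot: In sys_enter_rename and sys_enter_renameat2 the two size fields end up with different meanings: `arg.size` is `PERF_ALIGN(oldpath_len + 1, sizeof(u64))`, a padded slot length, while `arg2->size` is the raw `newpath_len`, and neither `arg.err` nor `arg2->err` is assigned in the hunk. Please document the layout next to `struct augmented_args_payload` (first string padded to 8 bytes, second header placed at `arg.value + arg.size`) and set err for both records. `oldpath_len` also feeds the `arg2` pointer computation unchecked; if `augmented_arg__read_str()` can signal failure through its return value, handle that before computing `arg2`. The two bodies differ only in the argument indices, so a shared helper would keep them from drifting.
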
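
Review bot: The sys_enter_nanosleep hunk (at -352) switches `__data` to `arg.value` but does not touch that function's `len` initialisation, whereas sys_enter_clock_nanosleep and sys_enter_perf_event_open both gained `sizeof(u64) +`. If nanosleep's `len` is still `sizeof(augmented_args->args)`, then `len + size` stops 8 bytes short of the end of the timespec that now sits after the size + err header. None of these three handlers assigns `arg.size` or `arg.err` in the visible lines either; perf_event_open already has the validated `size` at hand and the nanosleep pair has `sizeof(struct timespec64)`.
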
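
The { size, error, payload } encoding described in the second commit message, as an added userspace example that is not code from the patch or from perf: it builds a two-string record the way the rename handlers lay it out (first slot padded to 8 bytes, second header right after it) and reads it back with bounds checks on every size field. The names `aug_hdr`, `aug_put`, `build_rename` and `aug_get` are hypothetical, and storing the string length including its NUL as the size is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((size_t)(a) - 1))

/* Per-argument header: the size + err pair that precedes each payload. */
struct aug_hdr {
	uint32_t size;
	int32_t err;
};

/* Hypothetical writer: append one record; 'pad' rounds the slot up to 8 bytes. */
static size_t aug_put(uint8_t *buf, size_t off, size_t cap,
		      const void *data, uint32_t len, int pad)
{
	uint32_t slot = pad ? (uint32_t)ALIGN_UP((size_t)len, 8) : len;
	struct aug_hdr h = { .size = slot, .err = 0 };

	if (off > cap || cap - off < sizeof(h) || cap - off - sizeof(h) < slot)
		return 0;			/* record does not fit */
	memcpy(buf + off, &h, sizeof(h));
	memset(buf + off + sizeof(h), 0, slot);	/* no stale bytes in the padding */
	memcpy(buf + off + sizeof(h), data, len);
	return off + sizeof(h) + slot;
}

/* Two-string record as for rename: first slot padded, second left as is. */
static size_t build_rename(uint8_t *buf, size_t cap, const char *from, const char *to)
{
	size_t off = aug_put(buf, 0, cap, from, (uint32_t)strlen(from) + 1, 1);

	return off ? aug_put(buf, off, cap, to, (uint32_t)strlen(to) + 1, 0) : 0;
}

/*
 * Hypothetical reader: return the payload of record 'idx' and copy its header
 * to 'out', or NULL when a header or payload would run past 'len'.
 */
static const uint8_t *aug_get(const uint8_t *buf, size_t len, unsigned int idx,
			      struct aug_hdr *out)
{
	size_t off = 0;

	for (;;) {
		struct aug_hdr h;

		if (len - off < sizeof(h))
			return NULL;		/* truncated header */
		memcpy(&h, buf + off, sizeof(h));
		off += sizeof(h);
		if (h.size > len - off)
			return NULL;		/* size field overruns the buffer */
		if (idx-- == 0) {
			*out = h;
			return buf + off;
		}
		off += h.size;
	}
}

int main(void)
{
	uint8_t buf[64];	/* constructed sample, not captured perf output */
	struct aug_hdr h;
	size_t n = build_rename(buf, sizeof(buf), "123456", "987654");
	const uint8_t *p = aug_get(buf, n, 1, &h);

	if (!p)
		return 1;
	printf("total=%zu second=%s size=%u err=%d\n", n, (const char *)p,
	       (unsigned int)h.size, (int)h.err);
	return 0;
}
```

The reader never trusts a size field further than the bytes actually received, which is the check the fixed-offset layout did not need and the variable-offset one does.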