tools/opensnoop: Bugfix for a full path contains multiple mountpoints #4285
int i; | ||
|
||
task = (struct task_struct *)bpf_get_current_task_btf(); | ||
task = (struct task_struct *)bpf_get_current_task(); |
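Review bot: on the `bpf_get_current_task_btf()` line the `(struct task_struct *)` cast is redundant, since that helper already returns a `struct task_struct *`; the cast is only needed on the `bpf_get_current_task()` line, whose return value is an integer. Whichever of the two assignments stays, a one-line comment saying why that helper was chosen would help later readers of the `task = ...` line.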
We may have some verification with newer kernel. Which kernel did you test?
I tested on kernel 5.4/5.14/5.15. When I switched to bpf_get_current_task_btf(), it failed with such error messages:
```
84: (85) call bpf_get_current_task_btf#158
85: (b7) r6 = 31
; dentry = task->fs->pwd.dentry;
86: (79) r9 = *(u64 *)(r0 +2768)
; vfsmnt = task->fs->pwd.mnt;
87: (79) r8 = *(u64 *)(r9 +40)
; dentry = task->fs->pwd.dentry;
88: (07) r9 += 48
; mnt_parent = mnt->mnt_parent;
89: (79) r7 = *(u64 *)(r8 -16)
R8 is ptr_vfsmount invalid negative access: off=-16
processed 87 insns (limit 1000000) max_states_per_insn 0 total_states 4 peak_states 4 mark_read 3
```
btw, other tools still use bpf_get_current_task(), and bpf_get_current_task_btf() looks not stable, I didn't analyze it yet.
Any suggestions or feedback?
should be addressed by #5153
#5153 unwind dentry by reading for example, when reading such a link file /proc/793073/fd/4, it converts dentry to full path
For a pathname that contains multiple mountpoints, the -F option only dumps the first mount point, not the full path.
For example, when an application tries to open a.txt (located at /home/app/) while '/home' is a mount point, opensnoop will dump '/app/a.txt' rather than '/home/app/a.txt'.
This patch tries to fix it.
@yonghong-song Please have a look, thanks.
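The truncation described in this pull request, modelled in user space as an added example (not code from the PR or from bcc). The toy `dentry` and `mount` structs, `full_path` and `demo` are hypothetical simplifications of the kernel objects, and the constructed layout mirrors the `/home/app/a.txt` case above.

```c
#include <stdio.h>
#include <string.h>
/* Toy user-space stand-ins for the kernel objects (constructed, simplified). */
struct dentry { const char *name; struct dentry *parent; };   /* fs root: parent == self */
struct mount  { struct mount *parent; struct dentry *root, *mountpoint; }; /* top: parent == self */
/* Constructed layout: "/" holds "home"; a second filesystem is mounted on it. */
static struct dentry rootd = {"/", &rootd}, home = {"home", &rootd};
static struct mount  rootm = {&rootm, &rootd, &rootd};
static struct dentry hroot = {"/", &hroot}, app = {"app", &hroot}, file = {"a.txt", &app};
static struct mount  homem = {&rootm, &hroot, &home};

/* Build the path right-to-left in buf. cross_mounts == 0 stops at the root of
 * the file's own mount; 1 continues at the mountpoint in the parent mount. */
static const char *full_path(struct dentry *d, struct mount *m, int cross_mounts, char *buf, size_t len)
{
    char *pos = buf + len - 1;
    *pos = '\0';
    for (int i = 0; i < 32; i++) {               /* bounded, as a BPF loop must be */
        if (d == m->root) {                      /* reached the root of this mount */
            if (!cross_mounts || m->parent == m)
                break;
            d = m->mountpoint;                   /* dentry the mount sits on */
            m = m->parent;
            continue;
        }
        size_t n = strlen(d->name);
        if ((size_t)(pos - buf) < n + 1)
            return NULL;                         /* buffer too small */
        pos -= n;
        memcpy(pos, d->name, n);
        *--pos = '/';
        d = d->parent;
    }
    if (*pos == '\0' && pos > buf)
        *--pos = '/';                            /* the file is the global root */
    return pos;
}

static const char *demo(int cross_mounts) {
    static char buf[256];
    return full_path(&file, &homem, cross_mounts, buf, sizeof(buf));
}

int main(void)
{
    printf("first mount only: %s\n", demo(0));   /* /app/a.txt */
    printf("all mounts:       %s\n", demo(1));   /* /home/app/a.txt */
    return 0;
}
```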