diff --git a/GPL/Events/File/Probe.bpf.c b/GPL/Events/File/Probe.bpf.c
index 2898ad88..f5e1c093 100644
--- a/GPL/Events/File/Probe.bpf.c
+++ b/GPL/Events/File/Probe.bpf.c
@@ -123,7 +123,7 @@ static int vfs_unlink__exit(int ret)
 ebpf_pid_info__fill(&event->pids, task);
 struct path p;
- p.dentry = &state->unlink.de;
+ p.dentry = state->unlink.de;
 p.mnt = state->unlink.mnt;
 event->mntns = mntns(task);
 bpf_get_current_comm(event->comm, TASK_COMM_LEN);
@@ -162,7 +162,7 @@ int BPF_KRETPROBE(kretprobe__vfs_unlink, int ret)
 return vfs_unlink__exit(ret);
 }
-static int vfs_unlink__enter(struct dentry de)
+static int vfs_unlink__enter(struct dentry *de)
 {
 struct ebpf_events_state *state = ebpf_events_state__get(EBPF_EVENTS_STATE_UNLINK);
 if (!state || state->unlink.step != UNLINK_STATE_MOUNT_SET) {
@@ -180,18 +180,15 @@ static int vfs_unlink__enter(struct dentry de)
 SEC("fentry/vfs_unlink")
 int BPF_PROG(fentry__vfs_unlink)
 {
- struct dentry *tmp = FUNC_ARG_READ(___type(tmp), vfs_unlink, dentry);
- struct dentry de;
- bpf_core_read(&de, sizeof(de), tmp);
+ struct dentry *de = FUNC_ARG_READ(___type(de), vfs_unlink, dentry);
 return vfs_unlink__enter(de);
 }
 SEC("kprobe/vfs_unlink")
 int BPF_KPROBE(kprobe__vfs_unlink)
 {
- struct dentry de;
- int err = FUNC_ARG_READ_PTREGS(de, vfs_unlink, dentry);
- if (err) {
+ struct dentry *de;
+ if (FUNC_ARG_READ_PTREGS(de, vfs_unlink, dentry)) {
 bpf_printk("kprobe__vfs_unlink: error reading dentry\n");
 return 0;
 }
@@ -346,7 +343,6 @@ int BPF_PROG(fentry__vfs_rename)
 SEC("kprobe/vfs_rename")
 int BPF_KPROBE(kprobe__vfs_rename)
 {
- int err;
 struct dentry *old_dentry, *new_dentry;
 if (FUNC_ARG_EXISTS(vfs_rename, rd)) {
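Review bot: In vfs_unlink__exit (hunk @@ -123,7), `p.dentry = state->unlink.de;` now hands the path builder a raw kernel pointer held in the per-task state, presumably saved by vfs_unlink__enter, instead of a by-value snapshot, and nothing in the visible lines states why that pointer is still valid when the function returns. The path in the emitted event is therefore built from the dentry as it looks after the unlink, and if an exit probe is ever missed and the state is not reset, a later exit could pair with a stale pointer; confirm the state is cleared on every exit path and that `de` is only read through the probe-read helpers. I would document this on the field in State.h (hunk @@ -32,7), e.g. `/* borrowed at vfs_unlink entry; valid only until the matching exit, read via probe-read helpers only */`, with a matching one-line comment above this assignment. The body of vfs_unlink__exit continues outside the hunk.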
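Review bot: In kprobe__vfs_unlink (hunk @@ -180,18), `struct dentry *de;` is declared uninitialized and only gets a value if FUNC_ARG_READ_PTREGS takes an assigning branch; `struct dentry *de = NULL;` makes the failure path explicit and costs nothing. Neither this probe nor fentry__vfs_unlink checks the pointer before `return vfs_unlink__enter(de);`, so a guard such as `if (!de) return 0;` at the top of vfs_unlink__enter would keep a null value out of the saved state. The body of vfs_unlink__enter is outside the hunks shown, so this may already be handled there.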
@@ -357,13 +353,11 @@ int BPF_KPROBE(kprobe__vfs_rename)
 new_dentry = rd.new_dentry;
 } else {
 /* Dentries are accessible from ctx */
- err = FUNC_ARG_READ_PTREGS_NODEREF(old_dentry, vfs_rename, old_dentry);
- if (err) {
+ if (FUNC_ARG_READ_PTREGS(old_dentry, vfs_rename, old_dentry)) {
 bpf_printk("kprobe__vfs_rename: error reading old_dentry\n");
 return 0;
 }
- err = FUNC_ARG_READ_PTREGS_NODEREF(new_dentry, vfs_rename, new_dentry);
- if (err) {
+ if (FUNC_ARG_READ_PTREGS(new_dentry, vfs_rename, new_dentry)) {
 bpf_printk("kprobe__vfs_rename: error reading new_dentry\n");
 return 0;
 }
diff --git a/GPL/Events/Helpers.h b/GPL/Events/Helpers.h
index 9045cd86..2772e262 100644
--- a/GPL/Events/Helpers.h
+++ b/GPL/Events/Helpers.h
@@ -31,11 +31,9 @@ const volatile int consumer_pid = 0;
 })
 /*
- * Reads the specified argument from struct pt_regs without dereferencing it
- * (unlike FUNC_ARG_READ_PTREGS) (i.e. we get a pointer to the argument, not
- * the argument itself). Note that we first have to read the value in struct
- * pt_regs into a volatile temporary (_dst). Without this, LLVM can generate
- * code like the following, which will fail to verify:
+ * Reads the specified argument from struct pt_regs without dereferencing it. Note that
+ * we first have to read the value in struct pt_regs into a volatile temporary (_dst).
+ * Without this, LLVM can generate code like the following, which will fail to verify:
 *
 * r3 = 8 # The register value we want to read is at offset 8 in the context
 * r2 = r1 # r1 = ctx pointer
@@ -52,7 +50,7 @@ const volatile int consumer_pid = 0;
 * r3 = *(u64 *)(r2 + 8) # Dereference it, putting the increment in the dereference insn
 * ...pass r3 to a function
 */
-#define FUNC_ARG_READ_PTREGS_NODEREF(dst, func, arg) \
+#define FUNC_ARG_READ_PTREGS(dst, func, arg) \
 ({ \
 int ret = 0; \
 volatile typeof(dst) _dst; \
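Review bot: The rewritten comment in Helpers.h (hunk @@ -31,11) still says the argument is read "without dereferencing it", but with the dereferencing variant removed in hunk @@ -80,32 the contrast is gone and the macro's contract is no longer spelled out. It should state that `dst` receives the raw register value, so for a pointer argument the caller gets an unvalidated kernel pointer and must read the pointee through the probe-read helpers. It should also document the result, which from the visible `int ret = 0;` and `ret;` lines appears to be zero on success and non-zero when the argument index is not handled. Because the surviving macro (hunk @@ -52,7) takes over the name of the removed one with different semantics, a line such as `/* NOTE: unlike the earlier macro of this name, this never calls bpf_core_read on the argument */` would help anyone rebasing older call sites.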
@@ -80,32 +78,6 @@ const volatile int consumer_pid = 0;
 ret; \
 })
-#define FUNC_ARG_READ_PTREGS(dst, func, arg) \
- ({ \
- int ret = 0; \
- switch (arg__##func##__##arg##__) { \
- case 0: \
- bpf_core_read(&dst, sizeof(dst), (void *)PT_REGS_PARM1(ctx)); \
- break; \
- case 1: \
- bpf_core_read(&dst, sizeof(dst), (void *)PT_REGS_PARM2(ctx)); \
- break; \
- case 2: \
- bpf_core_read(&dst, sizeof(dst), (void *)PT_REGS_PARM3(ctx)); \
- break; \
- case 3: \
- bpf_core_read(&dst, sizeof(dst), (void *)PT_REGS_PARM4(ctx)); \
- break; \
- case 4: \
- bpf_core_read(&dst, sizeof(dst), (void *)PT_REGS_PARM5(ctx)); \
- break; \
- default: \
- ret = -1; \
- }; \
- barrier(); \
- ret; \
- })
-
 #define DECL_FUNC_RET(func) const volatile int ret__##func##__ = 0;
 #define FUNC_RET_READ(type, func) \
 ({ \
diff --git a/GPL/Events/State.h b/GPL/Events/State.h
index 6507c729..8ad6cb2b 100644
--- a/GPL/Events/State.h
+++ b/GPL/Events/State.h
@@ -32,7 +32,7 @@ enum ebpf_events_unlink_state_step {
 struct ebpf_events_unlink_state {
 enum ebpf_events_unlink_state_step step;
 struct vfsmount *mnt;
- struct dentry de;
+ struct dentry *de;
 };
 enum ebpf_events_rename_state_step {