How to get the updated content of an argument which is updated in a kernel function by kprobe

How to get the updated content of an argument which is updated in a kernel function by kprobe

[rainkin]

Hi,
Assume that a kernel function has an input argument (i.e., a pointer),
and the function will update the content pointed by the pointer during
execution. My question is how to get the updated content using kprobe.

Take the kernel function path_lookupat as example:
static int path_lookupat(struct nameidata *nd, unsigned flags, struct
path *path)
It lookup the path according to a given file name and store the
founded path in the third input arguments (i.e., struct path *path).

My goal is to get the founded path from the third input argument.

I attach my ebpf program to this kernel function using kprobe, and try
to print the content of the path argument. However, the content is
empty, which is reasonable because the function has not beed executed.
The following is the code:

SEC("kprobe/path_lookupat")
int BPF_KPROBE(path_lookupat, struct nameidata *nd, unsigned flags,
struct path *path)
{
    char fn[127];
    const unsigned char *fn_ptr = BPF_CORE_READ(path, dentry, d_name.name);
     bpf_core_read_str(fn, sizeof(fn), fn_ptr);
     bpf_printk("path_lookupat: %s\n", fn);
     return 0;
}

Then I try to do that by kretprobe where the function has been
executed, but it seems that I cannot get the input arguments in
kretprobe.

Do you have any ideas or suggestions to do that?
Thanks,
rainkin

Re: How to get the updated content of an argument which is updated in a kernel function by kprobe

[Andrii Nakryiko]

On Tue, Jun 8, 2021 at 4:07 AM rainkin <rainkin1993@gmail.com> wrote:
>
> Hi,
> Assume that a kernel function has an input argument (i.e., a pointer),
> and the function will update the content pointed by the pointer during
> execution. My question is how to get the updated content using kprobe.
>
> Take the kernel function path_lookupat as example:
> static int path_lookupat(struct nameidata *nd, unsigned flags, struct
> path *path)
> It lookup the path according to a given file name and store the
> founded path in the third input arguments (i.e., struct path *path).
>
> My goal is to get the founded path from the third input argument.
>
> I attach my ebpf program to this kernel function using kprobe, and try
> to print the content of the path argument. However, the content is
> empty, which is reasonable because the function has not beed executed.
> The following is the code:
>
> SEC("kprobe/path_lookupat")
> int BPF_KPROBE(path_lookupat, struct nameidata *nd, unsigned flags,
> struct path *path)
> {
>     char fn[127];
>     const unsigned char *fn_ptr = BPF_CORE_READ(path, dentry, d_name.name);
>      bpf_core_read_str(fn, sizeof(fn), fn_ptr);
>      bpf_printk("path_lookupat: %s\n", fn);
>      return 0;
> }
>
> Then I try to do that by kretprobe where the function has been
> executed, but it seems that I cannot get the input arguments in
> kretprobe.
>

Yes, you can't access input arguments from kretprobe. What you can do
is either use kprobe to remember the pointer and then read contents in
kretprobe. Or better yet is to use fexit program that has access to
input arguments and just do that in one place.

> Do you have any ideas or suggestions to do that?
> Thanks,
> rainkin