ebpf syscall close does not give the right fd
// https://stackoverflow.com/questions/70344928/bpf-kprobe-macro-provides-unexpected-value-of-function-argument
// Trying without BPF_KPROBE
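SEC("kprobe/__x64_sys_close")
int myclose(struct pt_regs *ctx) {
    /*
     * Why the fd was wrong: on x86_64 the syscall wrapper
     * __x64_sys_close(const struct pt_regs *regs) takes ONE argument, a
     * pointer to the register state saved at syscall entry. So
     * PT_REGS_PARM1(ctx) of the kprobe is that pointer, not the fd. The fd
     * is the first syscall argument *inside* the pointed-to pt_regs, which
     * is kernel memory and therefore has to be read with the _CORE
     * (probe-read) accessor rather than dereferenced directly.
     * Recent libbpf provides PT_REGS_PARM1_CORE_SYSCALL(ctx) as a one-liner
     * for exactly this; the two-step form below needs only the macros the
     * file already uses.
     */
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    struct pt_regs *sys_regs = (struct pt_regs *)PT_REGS_PARM1(ctx);
    int fd = PT_REGS_PARM1_CORE(sys_regs);

    /* Only trace the server process (SRV_PID); everything else is ignored. */
    if (pid != SRV_PID) {
        return 0;
    }

    /* Debug output: fd is expected to equal the one returned by accept4(). */
    bpf_printk("closed pid=%d fd=%d", pid, fd);
    return 0;
}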
// with BPF_KPROBE
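SEC("kprobe/__x64_sys_close")
int BPF_KPROBE(close, struct pt_regs *sys_regs) {
    /*
     * BPF_KPROBE binds its typed parameters to the arguments of the probed
     * function, i.e. of the x86_64 syscall WRAPPER __x64_sys_close(), which
     * has a single argument: a pointer to the pt_regs captured at syscall
     * entry. Declaring that parameter as "int fd" silently reinterprets the
     * pointer value as a file descriptor, which is why the printed fd never
     * matched accept4()'s. The real fd is the first syscall argument inside
     * sys_regs and must be probe-read from kernel memory.
     * Recent libbpf ships BPF_KPROBE_SYSCALL / BPF_KSYSCALL, which perform
     * this unwrapping and bind "int fd" directly; the explicit form below
     * works with any libbpf that has PT_REGS_PARM1_CORE.
     */
    u64 id = bpf_get_current_pid_tgid();
    u32 pid = id >> 32;
    int fd = PT_REGS_PARM1_CORE(sys_regs);

    /* Only trace the server process (SRV_PID); everything else is ignored. */
    if (pid != SRV_PID) {
        return 0;
    }

    /* Debug output: fd is expected to equal the one returned by accept4(). */
    bpf_printk("closed pid=%d fd=%d", pid, fd);
    return 0;
}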