opensnoop on ARM64 fails to read filename #2253
Comments
(this is being discussed upstream and Yonghong will fix it upstream, I just opened it here to track it)
joelagnel changed the title from "opensnoop on ARM fails to read filename" to "opensnoop on ARM64 fails to read filename" on Mar 5, 2019
Looks like this is the case. https://lkml.org/lkml/2019/2/28/1369

Yonghong, any updates on this? Thanks a lot.

On Wed, Apr 3, 2019 at 1:46 PM Joel ***@***.***> wrote:
> Yonghong, any updates on this? Thanks a lot.

Not yet. Full automatic detection through BTF is a long way to go. Full
automatic detection support needs llvm/gcc support. Maybe we can wait
for the following patch to land
https://lore.kernel.org/patchwork/cover/1051586/ and then we
introduce the new bpf_probe_read_user() helper.

Maybe I am missing something. This change does not depend on BTF as far
as I know. We already know that the pointer is __user, we don't need to
do any automatic detection. All that is needed is to call
bpf_probe_read_user. If you want, I can work on a patch for that. I really
need this since our users are complaining that opensnoop is not working on
arm.

On Thu, Apr 4, 2019 at 9:40 AM Joel ***@***.***> wrote:
> Maybe I am missing something. This change does not depend on BTF as far
> as I know. We already know that the pointer is __user, we don't need to
> do any automatic detection. All that is needed is to call
> bpf_probe_read_user. If you want, I can work on a patch for that. I really
> need this since our users are complaining that opensnoop is not working on
> arm.

Sorry for the confusion. Your above proposal is what I mean. Waiting for
Masami Hiramatsu
<https://lore.kernel.org/patchwork/project/lkml/list/?submitter=20377>'s
patch and then implement bpf_probe_read_user, no
need for BTF at this point.
Please go ahead and work on such a patch. We may or may not need his patch.
Thanks!

BCC's eBPF-based opensnoop tool [1] installs a
kprobe on do_sys_open to monitor calls to the open syscall globally.
do_sys_open() has prototype:

    long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode);

This causes a "blank" filename to be displayed by opensnoop when I run it on
my Pixel 3 (arm64), possibly because this is a user pointer. However, it
works fine on x86-64.

So it seems to me that on arm64, reading user pointers directly still doesn't
work even if there is a distinction between user/kernel addresses. In that
case reading the user pointer using user accessors (possibly using the
bpf_probe_user_read helper) should be needed to fix this issue.
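
The approach the thread converges on, as an added example that is not code from this issue or from BCC's opensnoop: a minimal BCC tracer that kprobes do_sys_open and copies the `__user` filename with a user-space accessor. It assumes a kernel and BCC build that provide `bpf_probe_read_user_str()`; the names `trace_open`, `event_t` and `format_event` are made up for the illustration.

```python
#!/usr/bin/env python3
# Added example, not BCC's opensnoop: minimal tracer for do_sys_open.
BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>

struct event_t {
    u32 pid;
    int err;                    /* 1 if the user-space read failed */
    char comm[TASK_COMM_LEN];
    char fname[256];
};
BPF_PERF_OUTPUT(events);

int trace_open(struct pt_regs *ctx, int dfd, const char __user *filename)
{
    struct event_t ev = {};
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
    /* filename is a __user pointer, so read it with the user accessor
     * (string variant of the helper discussed in the thread). */
    ev.err = bpf_probe_read_user_str(ev.fname, sizeof(ev.fname), filename) < 0;
    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
"""

def format_event(pid, err, comm, fname):
    """Render one event; a failed read is flagged instead of shown blank."""
    name = "<read failed>" if err else fname.decode("utf-8", "replace")
    return "%-7d %-16s %s" % (pid, comm.decode("utf-8", "replace"), name)

def main():
    from bcc import BPF  # imported here so the module loads without BCC
    b = BPF(text=BPF_TEXT)
    b.attach_kprobe(event="do_sys_open", fn_name="trace_open")

    def on_event(cpu, data, size):
        ev = b["events"].event(data)
        print(format_event(ev.pid, ev.err, ev.comm, ev.fname))

    b["events"].open_perf_buffer(on_event)
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return

if __name__ == "__main__":
    main()
```

Carrying the helper's return status in the event lets a failed read show up as `<read failed>` rather than as the blank filename described in this report.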