c语言 - 错误：使用 bpf_probe_read_*() 时'inv'内存访问无效

这是问题所在：

我正在编写一个 BPF 程序，使用 kprobe 探测vfs_read()内核函数：

ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)

相关信息(*file内部)是使用BPF_MAP_TYPE_HASH类型的地图收集的。BPF 程序(kern.c)的代码如下：

#define __KERNEL__
#define __TARGET_ARCH_x86 
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
struct data {
char filename[16];
u32 pid;
char comm[16];
};
struct bpf_map_def SEC("maps") my_map = {
.type = BPF_MAP_TYPE_HASH,
.key_size = sizeof(u64),
.value_size = sizeof(struct data),
.max_entries = 120
};
SEC("kprobe/vfs_read")
int vfs_read_probe(struct pt_regs *ctx)
{
struct data value = {};
struct file *f = (struct file *)PT_REGS_PARM1(ctx);
struct dentry *de = f->f_path.dentry;
struct qstr d_name = de->d_name;
bpf_probe_read_kernel_str(&value.filename, sizeof(value.filename), d_name.name);
u64 key = bpf_ktime_get_coarse_ns();
value.pid = (u32)bpf_get_current_pid_tgid();
bpf_get_current_comm(&value.comm, sizeof(value.comm));
bpf_map_update_elem(&my_map, &key, &value, BPF_ANY);
return 0;
}
char _license[] SEC("license") = "GPL";

vmlinux.h使用以下方法生成：

bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h

代码使用以下方法编译：

clang -O2 -target bpf -c kern.c -o kern.o

以下是用于加载kern.o的用户空间程序(user.c)：

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <errno.h> 
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <bpf/libbpf.h>
#include <bpf/bpf.h>
struct data {
char filename[16];
unsigned int pid;
char comm[16];
};
static int fd;
static void handler(int sig)
{
unsigned long long key = 0, next_key;
struct data value;
while (bpf_map_get_next_key(fd, &key, &next_key) == 0) {
bpf_map_lookup_elem(fd, &next_key, &value);
printf("Key: %llx, Next Key: %llx, PID: %d, COMM: %s, file: %sn", key, next_key, value.pid, value.comm, value.filename);
key = next_key;
}
exit(0);
}
int main()
{
struct bpf_object *obj;
struct bpf_program *prog;
struct bpf_link *link;

struct rlimit rlim = {
.rlim_cur = RLIM_INFINITY,
.rlim_max = RLIM_INFINITY
};
if(setrlimit(RLIMIT_MEMLOCK, &rlim)) {
fprintf(stderr, "ERROR adjusting memlock limitn");
goto cleanup;
}
char path[] = "kern.o";
obj = bpf_object__open(path);
if (libbpf_get_error(obj)) {
fprintf(stderr, "ERROR: opening BPF object file failedn");
obj = NULL;
goto cleanup;
}

prog = bpf_object__find_program_by_title(obj, "kprobe/vfs_read");

if (bpf_object__load(obj)) {
fprintf(stderr, "ERROR: loading BPF object file failedn");
goto cleanup;
}

link = bpf_program__attach(prog);

fd = bpf_object__find_map_fd_by_name(obj, "my_map");
signal(SIGINT, handler);
printf("Press ^C to stopn");
sleep(99999);

bpf_link__destroy(link);
bpf_object__close(obj);

return 0;
cleanup:
bpf_link__destroy(link);
bpf_object__close(obj);
return -1;
}

user.c编译为user.o.

我想从vfs_read()的*file参数中获取文件名，所以我PT_REGS_PARM1(ctx)投struct file *等。

但是当使用user.o加载时，会发生错误：

libbpf: load bpf program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf: 
0: (b7) r2 = 0
1: (63) *(u32 *)(r10 -8) = r2
last_idx 1 first_idx 0
regs=4 stack=0 before 0: (b7) r2 = 0
2: (7b) *(u64 *)(r10 -16) = r2
3: (7b) *(u64 *)(r10 -24) = r2
4: (7b) *(u64 *)(r10 -32) = r2
5: (7b) *(u64 *)(r10 -40) = r2
6: (79) r1 = *(u64 *)(r1 +112)
7: (79) r1 = *(u64 *)(r1 +24)
R1 invalid mem access 'inv'
processed 8 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
libbpf: -- END LOG --
libbpf: failed to load program 'vfs_read_probe'
libbpf: failed to load object 'kern.o'
ERROR: loading BPF object file failed

经过一番分析，我发现只要不用bpf_probe_read_*()和朋友，把一个值硬编码成data.filename，一切都没问题。

我正在使用 Archlinux，内核 5.12.9-zen1-1-zen。

我应该如何正确获取文件名？感谢您的帮助！