Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libbpf-tools/execsnoop: fix ret type of bpf_probe_read_user*. #4674

Merged
merged 1 commit into from
Aug 5, 2023
Merged

libbpf-tools/execsnoop: fix ret type of bpf_probe_read_user*. #4674

merged 1 commit into from
Aug 5, 2023

Conversation

opsnull
Copy link

@opsnull opsnull commented Jul 18, 2023
edited
Loading

The bpf_probe_read_user_str* manpage says:

On success, the strictly positive length of the output string, including the trailing NUL character. On error, a negative value.

@yonghong-song
Copy link
Collaborator

The current code seems okay. The code churn with the same functionality seems not necessary.
The following is an explanation.

For helper like bpf_probe_read_user*, return a negative value means failure. But typical all negative error
code is with range of [-4096, -1], so a 'unsigned int' means the error code is a pretty big unsigned int number,
much larger than typical argsize, so comparison like 'unsigned_ret > argsize' means a failure.

Also, if bpf_probe_read_user* failed, the dest buffer will be zero out, it can be tested as well in indicate that
it might be a true end, or it might be an error case. In any case, the arg processing can be stopped.

@opsnull
Copy link
Author

opsnull commented Aug 2, 2023

Thanks for the explanation! Although the result is correct, the code is not straightforward to understand. Moreover, these two cases do not seem to conform to general programming practices, such as comparing signed and unsigned types at the same time, not directly checking the return value of the function but relying on internal implementation details.

yonghong-song
yonghong-song reviewed Aug 2, 2023
View reviewed changes
libbpf-tools/execsnoop.bpf.c Outdated
@@ -73,6 +73,9 @@ int tracepoint__syscalls__sys_enter_execve(struct trace_event_raw_sys_enter* ctx
event->args_size = 0;

ret = bpf_probe_read_user_str(event->args, ARGSIZE, (const char*)ctx->args[0]);
if (ret < 0) {
return 0
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I changed my mind. Let us try to code based on uapi specification.
Have you compiled the code before submit the patch? There is a missing ';' in the above return statement.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aha, sloppy, fixed, compile and self-test pass.

libbpf-tools/execsnoop: fix ret type of bpf_probe_read_user*.
e85f0b7 
The bpf_probe_read_user_str* manpage says: On success, the strictly positive length of the output string, including the trailing NUL
character. On error, a negative value.

Signed-off-by: opsnull <[email protected]>
@yonghong-song yonghong-song merged commit 37c1300 into iovisor:master Aug 5, 2023
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yonghong-song yonghong-song yonghong-song left review comments

@drzaeus77 drzaeus77 Awaiting requested review from drzaeus77 drzaeus77 is a code owner

@goldshtn goldshtn Awaiting requested review from goldshtn goldshtn is a code owner

@4ast 4ast Awaiting requested review from 4ast 4ast is a code owner

@brendangregg brendangregg Awaiting requested review from brendangregg brendangregg is a code owner

@davemarchevsky davemarchevsky Awaiting requested review from davemarchevsky davemarchevsky is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@opsnull @yonghong-song