search

iovisor / bcc

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Apache License 2.0
20.36k stars 3.86k forks source link

how to get vfs_rename old_dentry? #5056

Open gamawangzi opened 2 months ago

gamawangzi commented 2 months ago

`int trace_file_rename(struct pt_regs* ctx){

struct dentry old_dentry = (struct dentry )PT_REGS_PARM1(ctx); struct dentry new_dentry = (struct dentry )PT_REGS_PARM3(ctx);

struct qstr d_name_old = old_dentry->d_name;
char filename_old[DNAME_INLINE_LEN];
bpf_probe_read_user(filename_old, sizeof(filename_old), d_name_old.name);
bpf_trace_printk("this is d_name_old: %s\n", d_name_old.name);

struct qstr d_name_new = new_dentry->d_name;
char filename_new[DNAME_INLINE_LEN];
bpf_probe_read_user(filename_new, sizeof(filename_new), d_name_new.name);
bpf_trace_printk("this is d_name_new: %s\n", d_name_new.name);

}`

I can get the infomation of "new_dentry = (struct dentry *)PT_REGS_PARM3(ctx)" ,but "the d_name_old print" always is a empty ("")