@@ -184,18 +184,24 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size)
#ifdef __x86_64__
if (strncmp(event, "sys_", 4) == 0) {
- snprintf(buf, sizeof(buf), "%c:__x64_%s __x64_%s",
- is_kprobe ? 'p' : 'r', event, event);
+ if (is_kprobe)
+ event_prefix = "__x64_enter_";
+ else
+ event_prefix = "__x64_exit_";
+ snprintf(buf, sizeof(buf), "%c:%s%s __x64_%s",
+ is_kprobe ? 'p' : 'r', event_prefix, event, event);
err = write_kprobe_events(buf);
- if (err >= 0) {
+ if (err >= 0)
need_normal_check = false;
- event_prefix = "__x64_";
- }
}
#endif
if (need_normal_check) {
- snprintf(buf, sizeof(buf), "%c:%s %s",
- is_kprobe ? 'p' : 'r', event, event);
+ if (is_kprobe)
+ event_prefix = "enter_";
+ else
+ event_prefix = "exit_";
+ snprintf(buf, sizeof(buf), "%c:%s%s %s",
+ is_kprobe ? 'p' : 'r', event_prefix, event, event);
err = write_kprobe_events(buf);
if (err < 0) {
printf("failed to create kprobe '%s' error '%s'\n",
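Review bot: Both `snprintf` calls that build the kprobe definition (in the `sys_` branch and in the `need_normal_check` branch) discard their return value, so a long `event` is silently truncated and a cut-off probe name or target symbol is passed to `write_kprobe_events`. The new `event_prefix` lengthens the formatted string, which makes this easier to hit than before. I would capture the result and reject truncation in both places, e.g. `n = snprintf(buf, sizeof(buf), "%c:%s%s %s", is_kprobe ? 'p' : 'r', event_prefix, event, event);` followed by `if (n < 0 || (size_t)n >= sizeof(buf)) return -1;`. The declaration of `buf`, the origin of `event`, and the rest of `load_and_attach` are outside this hunk, so any later code that builds a path from `event_prefix` and `event` should be checked against the same bound.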
Currently, in bpf_load.c, the function write_kprobe_events sets the function name to probe as the probe name. Even though it's valid to set one kprobe on enter and another on exit, bpf_load.c won't handle it, and will return an error 'File exists'. Add a prefix to the event name to indicate if it's on enter or exit, so both an enter and an exit kprobe can be attached. Signed-off-by: Lior Ribak <liorribak@gmail.com> --- samples/bpf/bpf_load.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-)