sample: bpf: syscall_tp_kern: add dfd before filename

Song Chen · Nobody · commit c665dcef678c · 2022-04-03T18:21:43.000-07:00
When i was writing my eBPF program, i copied some pieces of code from
syscall_tp, syscall_tp_kern only records how many files are opened, but
mine needs to print file name.I reused struct syscalls_enter_open_args,
which is defined as:

struct syscalls_enter_open_args {
	unsigned long long unused;
	long syscall_nr;
	long filename_ptr;
        long flags;
        long mode;
};

I tried to use filename_ptr, but it's not the pointer of filename, flags
turns out to be the pointer I'm looking for, there might be something
missed in the struct.

I read the ftrace log, found the missed one is dfd, which is supposed to be
placed in between syscall_nr and filename_ptr.

Actually syscall_tp has nothing to do with dfd, it can run anyway without
it, but it's better to have it to make it a better eBPF sample, especially
to new eBPF programmers, then i fixed it.

Signed-off-by: Song Chen &lt;chensong_2000@189.cn&gt;
diff --git a/samples/bpf/syscall_tp_kern.c b/samples/bpf/syscall_tp_kern.c
@@ -7,6 +7,7 @@
 struct syscalls_enter_open_args {
 	unsigned long long unused;
 	long syscall_nr;
+	long dfd_ptr;
 	long filename_ptr;
 	long flags;
 	long mode;
