Let's see which tracepoints it is using:
sudo ./lkmem -d -c -t ~/krnl/curr ~/krnl/System.map-5.11.0-37-generic
__tracepoint_sched_process_exit at 0xffffffffa47140c0: enabled 1 cnt 1
 [0] 0xffffffffa2ed3b40 - kernel!perf_trace_sched_process_template
__tracepoint_sys_exit at 0xffffffffa4714ae0: enabled 1 cnt 1
 regfunc: 0xffffffffa2fa3350 - kernel!syscall_regfunc
 unregfunc: 0xffffffffa2fa3410 - kernel!syscall_unregfunc
 [0] 0xffffffffa2f37f90 - kernel!__bpf_trace_sys_exit
__tracepoint_sys_enter at 0xffffffffa4714b40: enabled 1 cnt 1
 regfunc: 0xffffffffa2fa3350 - kernel!syscall_regfunc
 unregfunc: 0xffffffffa2fa3410 - kernel!syscall_unregfunc
 [0] 0xffffffffa2f37e30 - kernel!__bpf_trace_sys_enter
- my favorite 1bit patch - zero tracepoint->key.enabled
- remove BPF client from funcs list
- find trace_event_call and install your own event_filter
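From the monitoring side, the first two changes in this list are visible in the same lkmem dump. The following is an added example, not code from the original post or from lkmem: it parses output in the format shown above and compares it with a baseline taken from a known-good state. The sample text is constructed, and it assumes lkmem prints a tampered tracepoint in the same layout with `enabled 0`.

```python
import re

# Baseline: probes seen on each tracepoint in the known-good dump shown above.
BASELINE = {
    "__tracepoint_sched_process_exit": ["kernel!perf_trace_sched_process_template"],
    "__tracepoint_sys_exit": ["kernel!__bpf_trace_sys_exit"],
    "__tracepoint_sys_enter": ["kernel!__bpf_trace_sys_enter"],
}

# Constructed sample (not real output): sys_exit has its key zeroed while a
# probe is still attached, and sys_enter no longer appears in the dump.
SAMPLE = """\
__tracepoint_sched_process_exit at 0xffffffffa47140c0: enabled 1 cnt 1
 [0] 0xffffffffa2ed3b40 - kernel!perf_trace_sched_process_template
__tracepoint_sys_exit at 0xffffffffa4714ae0: enabled 0 cnt 1
 regfunc: 0xffffffffa2fa3350 - kernel!syscall_regfunc
 unregfunc: 0xffffffffa2fa3410 - kernel!syscall_unregfunc
 [0] 0xffffffffa2f37f90 - kernel!__bpf_trace_sys_exit
"""

HEAD = re.compile(r"^(__tracepoint_\w+) at (0x[0-9a-f]+): enabled (\d+) cnt (\d+)$")
FUNC = re.compile(r"^\s*\[\d+\] 0x[0-9a-f]+ - (\S+)$")

def parse_lkmem(text):
    """Return {tracepoint: {"enabled": int, "cnt": int, "funcs": [symbol, ...]}}."""
    tps, cur = {}, None
    for line in text.splitlines():
        head = HEAD.match(line.rstrip())
        if head:
            cur = {"enabled": int(head[3]), "cnt": int(head[4]), "funcs": []}
            tps[head[1]] = cur
            continue
        func = FUNC.match(line.rstrip())
        if func and cur is not None:
            cur["funcs"].append(func[1])   # regfunc/unregfunc lines are skipped
    return tps

def audit(tps, baseline):
    """Flag attached-but-disabled tracepoints and probes missing versus baseline."""
    findings = []
    for name, tp in tps.items():
        if tp["funcs"] and not tp["enabled"]:
            findings.append((name, "probes attached but key.enabled is 0"))
    for name, probes in baseline.items():
        have = set(tps.get(name, {}).get("funcs", []))
        findings += [(name, f"expected probe {p} missing") for p in probes if p not in have]
    return findings

if __name__ == "__main__":
    for name, why in audit(parse_lkmem(SAMPLE), BASELINE):
        print(f"{name}: {why}")
```

A replaced event_filter does not show up in this output, so this check does not cover the third item.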