How to find hook points for USB device additions and removals

Yang Hanlin mattoncis at hotmail.com
Thu Aug 25 08:49:51 EDT 2022


Hi all,

I am learning about the Linux kernel, especially the eBPF subsystem, for
various observability and networking applications. As practice, I am
developing a simple utility that detects additions and removals of USB devices
and performs actions accordingly. For the sake of practicing eBPF, I plan to
implement this utility by instrumenting kernel functions with kprobes rather
than writing udev rules etc.

However, I found it not that easy to find the correct hook points. From the
kernel documentation for writing USB device drivers
(https://www.kernel.org/doc/html/latest/driver-api/usb/writing_usb_driver.html),
I learned that there is a `probe` function and a `disconnect` function
provided by a driver (in a `usb_driver` struct,
https://github.com/torvalds/linux/blob/e146caf303493c4f2458173d7f1598b76a9b1396/include/linux/usb.h#L1186-L1189)
for the kernel to call on additions and removals of USB devices respectively.
So I thought finding callers of `probe` and `disconnect` might help, but I did
not find such callers, either by searching `.probe(` in the repository or
using static analysis provided by an IDE.

Is there anything wrong with the methods I am using? How can I find
appropriate hook points for USB device additions & removals in the kernel? Or
is there an alternative solution using eBPF (such as instrumenting udev with a
uprobe)?

Thanks in advance.

