mirror/xdp-project-bpf-examples
1
0
Fork 0
mirror of https://github.com/xdp-project/bpf-examples.git synced 2024-05-06 15:54:53 +00:00
Code Issues Projects Releases Wiki Activity
Files
832bdea23f45f9d13d7950974853c94644c82b18
xdp-project-bpf-examples/ktrace-CO-RE
History
Jesper Dangaard Brouer e70136a68e ktrace-CO-RE: Adjust for newer libbpf API 
‘bpf_program__next’ is deprecated: libbpf v0.7+:
       use bpf_object__next_program() instead

See: https://github.com/libbpf/libbpf/issues/296

Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
2022-09-02 14:45:42 +02:00
..
ktrace01_kern.c
ktrace-CO-RE/ktrace01_kern: kprobe changed name to .isra.0
2021-09-10 13:45:42 +02:00
ktrace01.c
ktrace-CO-RE: Adjust for newer libbpf API
2022-09-02 14:45:42 +02:00
Makefile
headers/vmlinux: Add more archs powerpc and arm64
2021-06-01 17:05:28 +02:00
README.org
ktrace-CO-RE: Doc how I used bpftrace as pre-investigate tool
2021-06-11 18:19:46 +02:00

README.org

Example using CO-RE to access ktrace

This is an example that show how CO-RE came be utilised… to learn CO-RE and BTF better.

Compiling kprobes for different CPU architectures

When BPF-tracing kprobes then the header files need to use the correct asm-level C-calling convention for the architecture that this is getting compiled for, as BPF will be hook/tap directly into the kernels function call. These are the raw CPU registers, which we later via BTF demonstrate howto use to CO-RE to get the C-type back.

The header include file <bpf/bpf_tracing.h> takes care of defining macros for accessing the members in kernels struct pt_regs, as the struct member names differ between architectures. This header file is provided by libbpf (or distros libbpf-devel package).

The architecture specific definition of struct pt_regs can be extracted via generating a vmlinux.h file on the ARCH target. To ease getting the structs this git repo contains the arch include files here: ../headers/vmlinux/arch/

You should not include them directly, but instead include vmlinux_local.h to get the surrounding types defined.

Gotcha with target bpf

This git-repo compile with clang -target bpf. This cause issues for ktrace, because the fallback mechanism in header file <bpf/bpf_tracing.h> cannot determine the ARCH from compiler defines.

To solve this our makefile system in ../lib/common.mk detect the ARCH (via uname -m) and defines the __TARGET_ARCH_$(ARCH) in BPF_CFLAGS.

Without this fix the following compile warnings occurs:

 warning: implicit declaration of function 'PT_REGS_PARM1' is invalid in C99
 int BPF_KPROBE(udp_send_skb, struct sk_buff *skb)
     ^
 /usr/include/bpf/bpf_tracing.h:385:20: note: expanded from macro 'BPF_KPROBE'

When loading via libbpf the following error happens:

 libbpf: failed to find BTF for extern 'PT_REGS_PARM1': -2

Bpftrace

Pre-investigations with bpftrace.

Simple bpftrace command to look at callstack for udp_send_skb:

  • bpftrace -e 'kprobe:udp_send_skb { @[kstack] = count() }'
$ sudo bpftrace -e 'kprobe:udp_send_skb { @[kstack] = count() }'
Attaching 1 probe...
^C

@[
    udp_send_skb+1
    udp_sendmsg+2407
    sock_sendmsg+87
    __sys_sendto+238
    __x64_sys_sendto+37
    do_syscall_64+51
    entry_SYSCALL_64_after_hwframe+68
]: 70
Reference in New Issue View Git Blame Copy Permalink