From 0f7c2de5dd3f5c0ed9603e4ccfb6a3ddc55f46df Mon Sep 17 00:00:00 2001 From: Arnaldo Carvalho de Melo Date: Wed, 7 Nov 2018 14:49:27 -0300 Subject: [PATCH] perf bpf: Reduce the hardcoded .max_entries for pid_maps While working on augmented syscalls I got into this error: # trace -vv --filter-pids 2469,1663 -e tools/perf/examples/bpf/augmented_raw_syscalls.c sleep 1 libbpf: map 0 is "__augmented_syscalls__" libbpf: map 1 is "__bpf_stdout__" libbpf: map 2 is "pids_filtered" libbpf: map 3 is "syscalls" libbpf: collecting relocating info for: '.text' libbpf: relo for 13 value 84 name 133 libbpf: relocation: insn_idx=3 libbpf: relocation: find map 3 (pids_filtered) for insn 3 libbpf: collecting relocating info for: 'raw_syscalls:sys_enter' libbpf: relo for 8 value 0 name 0 libbpf: relocation: insn_idx=1 libbpf: relo for 8 value 0 name 0 libbpf: relocation: insn_idx=3 libbpf: relo for 9 value 28 name 178 libbpf: relocation: insn_idx=36 libbpf: relocation: find map 1 (__augmented_syscalls__) for insn 36 libbpf: collecting relocating info for: 'raw_syscalls:sys_exit' libbpf: relo for 8 value 0 name 0 libbpf: relocation: insn_idx=0 libbpf: relo for 8 value 0 name 0 libbpf: relocation: insn_idx=2 bpf: config program 'raw_syscalls:sys_enter' bpf: config program 'raw_syscalls:sys_exit' libbpf: create map __bpf_stdout__: fd=3 libbpf: create map __augmented_syscalls__: fd=4 libbpf: create map syscalls: fd=5 libbpf: create map pids_filtered: fd=6 libbpf: added 13 insn from .text to prog raw_syscalls:sys_enter libbpf: added 13 insn from .text to prog raw_syscalls:sys_exit libbpf: load bpf program failed: Operation not permitted libbpf: failed to load program 'raw_syscalls:sys_exit' libbpf: failed to load object 'tools/perf/examples/bpf/augmented_raw_syscalls.c' bpf: load objects failed: err=-4009: (Incorrect kernel version) event syntax error: 'tools/perf/examples/bpf/augmented_raw_syscalls.c' \___ Failed to load program for unknown reason (add -v to see detail) Run 'perf list' for a list of valid events Usage: perf trace [] [] or: perf trace [] -- [] or: perf trace record [] [] or: perf trace record [] -- [] -e, --event event/syscall selector. use 'perf list' to list available events If I then try to use strace (perf trace'ing 'perf trace' needs some more work before its possible) to get a bit more info I get: # strace -e bpf trace --filter-pids 2469,1663 -e tools/perf/examples/bpf/augmented_raw_syscalls.c sleep 1 bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=0, map_name="__bpf_stdout__", map_ifindex=0}, 72) = 3 bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=0, map_name="__augmented_sys", map_ifindex=0}, 72) = 4 bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=4, value_size=1, max_entries=500, map_flags=0, inner_map_fd=0, map_name="syscalls", map_ifindex=0}, 72) = 5 bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH, key_size=4, value_size=1, max_entries=512, map_flags=0, inner_map_fd=0, map_name="pids_filtered", map_ifindex=0}, 72) = 6 bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_TRACEPOINT, insn_cnt=57, insns=0x1223f50, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(4, 18, 10), prog_flags=0, prog_name="sys_enter", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 7 bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_TRACEPOINT, insn_cnt=18, insns=0x1224120, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(4, 18, 10), prog_flags=0, prog_name="sys_exit", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = -1 EPERM (Operation not permitted) bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_TRACEPOINT, insn_cnt=18, insns=0x1224120, license="GPL", log_level=1, log_size=262144, log_buf="", kern_version=KERNEL_VERSION(4, 18, 10), prog_flags=0, prog_name="sys_exit", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = -1 EPERM (Operation not permitted) bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=18, insns=0x1224120, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(4, 18, 10), prog_flags=0, prog_name="sys_exit", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = -1 EPERM (Operation not permitted) event syntax error: 'tools/perf/examples/bpf/augmented_raw_syscalls.c' \___ Failed to load program for unknown reason # I managed to create the maps, etc, but then installing the "sys_exit" hook into the "raw_syscalls:sys_exit" tracepoint somehow gets -EPERMed... I then go and try reducing the size of this new table: +++ b/tools/perf/examples/bpf/augmented_raw_syscalls.c @@ -47,6 +47,17 @@ struct augmented_filename { #define SYS_OPEN 2 #define SYS_OPENAT 257 +struct syscall { + bool filtered; +}; + +struct bpf_map SEC("maps") syscalls = { + .type = BPF_MAP_TYPE_ARRAY, + .key_size = sizeof(int), + .value_size = sizeof(struct syscall), + .max_entries = 500, +}; And after reducing that .max_entries a tad, it works. So yeah, the "unknown reason" should be related to the number of bytes all this is taking, reduce the default for pid_map()s so that we can have a "syscalls" map with enough slots for all syscalls in most arches. And take notes about this error message, improve it :-) Cc: Adrian Hunter Cc: Alexei Starovoitov Cc: Daniel Borkmann Cc: David Ahern Cc: Edward Cree Cc: Jiri Olsa Cc: Martin KaFai Lau Cc: Namhyung Kim Cc: Wang Nan Cc: Yonghong Song Link: https://lkml.kernel.org/n/tip-yjzhak8asumz9e9hts2dgplp@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/include/bpf/bpf.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tools/perf/include/bpf/bpf.h b/tools/perf/include/bpf/bpf.h index 04ecd42..bd5d7b4 100644 --- a/tools/perf/include/bpf/bpf.h +++ b/tools/perf/include/bpf/bpf.h @@ -18,12 +18,20 @@ struct bpf_map { unsigned int numa_node; }; +/* + * FIXME: this should receive .max_entries as a parameter, as careful + * tuning of these limits is needed to avoid hitting limits that + * prevents other BPF constructs, such as tracepoint handlers, + * to get installed, with cryptic messages from libbpf, etc. + * For the current need, 'perf trace --filter-pids', 64 should + * be good enough, but this surely needs to be revisited. + */ #define pid_map(name, value_type) \ struct bpf_map SEC("maps") name = { \ .type = BPF_MAP_TYPE_HASH, \ .key_size = sizeof(pid_t), \ .value_size = sizeof(value_type), \ - .max_entries = 512, \ + .max_entries = 64, \ } static int (*bpf_map_update_elem)(struct bpf_map *map, void *key, void *value, u64 flags) = (void *)BPF_FUNC_map_update_elem; -- 2.7.4