From 11430421b440427e10dfb4bd2bdc418fab0ff166 Mon Sep 17 00:00:00 2001 From: "Daniel T. Lee" Date: Fri, 18 Aug 2023 18:01:15 +0900 Subject: [PATCH] samples/bpf: make tracing programs to be more CO-RE centric The existing tracing programs have been developed for a considerable period of time and, as a result, do not properly incorporate the features of the current libbpf, such as CO-RE. This is evident in frequent usage of functions like PT_REGS* and the persistence of "hack" methods using underscore-style bpf_probe_read_kernel from the past. These programs are far behind the current level of libbpf and can potentially confuse users. Therefore, this commit aims to convert the outdated BPF programs to be more CO-RE centric. Signed-off-by: Daniel T. Lee Link: https://lore.kernel.org/r/20230818090119.477441-6-danieltimlee@gmail.com Signed-off-by: Alexei Starovoitov --- samples/bpf/offwaketime.bpf.c | 18 +++++------------- samples/bpf/test_overhead_kprobe.bpf.c | 20 +++++++------------- samples/bpf/tracex1.bpf.c | 17 +++++------------ samples/bpf/tracex5.bpf.c | 5 +++-- 4 files changed, 20 insertions(+), 40 deletions(-) diff --git a/samples/bpf/offwaketime.bpf.c b/samples/bpf/offwaketime.bpf.c index 3200a0f..4a65ba7 100644 --- a/samples/bpf/offwaketime.bpf.c +++ b/samples/bpf/offwaketime.bpf.c @@ -8,18 +8,12 @@ #include #include #include +#include #ifndef PERF_MAX_STACK_DEPTH #define PERF_MAX_STACK_DEPTH 127 #endif -#define _(P) \ - ({ \ - typeof(P) val; \ - bpf_probe_read_kernel(&val, sizeof(val), &(P)); \ - val; \ - }) - #define MINBLOCK_US 1 #define MAX_ENTRIES 10000 @@ -68,11 +62,9 @@ struct { SEC("kprobe/try_to_wake_up") int waker(struct pt_regs *ctx) { - struct task_struct *p = (void *) PT_REGS_PARM1(ctx); + struct task_struct *p = (void *)PT_REGS_PARM1_CORE(ctx); + u32 pid = BPF_CORE_READ(p, pid); struct wokeby_t woke; - u32 pid; - - pid = _(p->pid); bpf_get_current_comm(&woke.name, sizeof(woke.name)); woke.ret = bpf_get_stackid(ctx, &stackmap, STACKID_FLAGS); @@ -121,9 +113,9 @@ int oncpu(struct trace_event_raw_sched_switch *ctx) SEC("kprobe.multi/finish_task_switch*") int oncpu(struct pt_regs *ctx) { - struct task_struct *p = (void *) PT_REGS_PARM1(ctx); + struct task_struct *p = (void *)PT_REGS_PARM1_CORE(ctx); /* record previous thread sleep time */ - u32 pid = _(p->pid); + u32 pid = BPF_CORE_READ(p, pid); #endif u64 delta, ts, *tsp; diff --git a/samples/bpf/test_overhead_kprobe.bpf.c b/samples/bpf/test_overhead_kprobe.bpf.c index c352873..668cf52 100644 --- a/samples/bpf/test_overhead_kprobe.bpf.c +++ b/samples/bpf/test_overhead_kprobe.bpf.c @@ -8,13 +8,7 @@ #include #include #include - -#define _(P) \ - ({ \ - typeof(P) val = 0; \ - bpf_probe_read_kernel(&val, sizeof(val), &(P)); \ - val; \ - }) +#include SEC("kprobe/__set_task_comm") int prog(struct pt_regs *ctx) @@ -26,14 +20,14 @@ int prog(struct pt_regs *ctx) u16 oom_score_adj; u32 pid; - tsk = (void *)PT_REGS_PARM1(ctx); + tsk = (void *)PT_REGS_PARM1_CORE(ctx); - pid = _(tsk->pid); - bpf_probe_read_kernel_str(oldcomm, sizeof(oldcomm), &tsk->comm); - bpf_probe_read_kernel_str(newcomm, sizeof(newcomm), + pid = BPF_CORE_READ(tsk, pid); + bpf_core_read_str(oldcomm, sizeof(oldcomm), &tsk->comm); + bpf_core_read_str(newcomm, sizeof(newcomm), (void *)PT_REGS_PARM2(ctx)); - signal = _(tsk->signal); - oom_score_adj = _(signal->oom_score_adj); + signal = BPF_CORE_READ(tsk, signal); + oom_score_adj = BPF_CORE_READ(signal, oom_score_adj); return 0; } diff --git a/samples/bpf/tracex1.bpf.c b/samples/bpf/tracex1.bpf.c index f3be14a..0ab39d7 100644 --- a/samples/bpf/tracex1.bpf.c +++ b/samples/bpf/tracex1.bpf.c @@ -8,15 +8,9 @@ #include "net_shared.h" #include #include +#include #include -#define _(P) \ - ({ \ - typeof(P) val = 0; \ - bpf_probe_read_kernel(&val, sizeof(val), &(P)); \ - val; \ - }) - /* kprobe is NOT a stable ABI * kernel functions can be removed, renamed or completely change semantics. * Number of arguments and their positions can change, etc. @@ -34,12 +28,11 @@ int bpf_prog1(struct pt_regs *ctx) struct sk_buff *skb; int len; - /* non-portable! works for the given kernel only */ - bpf_probe_read_kernel(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx)); - dev = _(skb->dev); - len = _(skb->len); + bpf_core_read(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx)); + dev = BPF_CORE_READ(skb, dev); + len = BPF_CORE_READ(skb, len); - bpf_probe_read_kernel(devname, sizeof(devname), dev->name); + BPF_CORE_READ_STR_INTO(&devname, dev, name); if (devname[0] == 'l' && devname[1] == 'o') { char fmt[] = "skb %p len %d\n"; diff --git a/samples/bpf/tracex5.bpf.c b/samples/bpf/tracex5.bpf.c index 8cd697e..4d3d6c9 100644 --- a/samples/bpf/tracex5.bpf.c +++ b/samples/bpf/tracex5.bpf.c @@ -10,6 +10,7 @@ #include #include #include +#include #define __stringify(x) #x #define PROG(F) SEC("kprobe/"__stringify(F)) int bpf_func_##F @@ -46,7 +47,7 @@ PROG(SYS__NR_write)(struct pt_regs *ctx) { struct seccomp_data sd; - bpf_probe_read_kernel(&sd, sizeof(sd), (void *)PT_REGS_PARM2(ctx)); + bpf_core_read(&sd, sizeof(sd), (void *)PT_REGS_PARM2(ctx)); if (sd.args[2] == 512) { char fmt[] = "write(fd=%d, buf=%p, size=%d)\n"; bpf_trace_printk(fmt, sizeof(fmt), @@ -59,7 +60,7 @@ PROG(SYS__NR_read)(struct pt_regs *ctx) { struct seccomp_data sd; - bpf_probe_read_kernel(&sd, sizeof(sd), (void *)PT_REGS_PARM2(ctx)); + bpf_core_read(&sd, sizeof(sd), (void *)PT_REGS_PARM2(ctx)); if (sd.args[2] > 128 && sd.args[2] <= 1024) { char fmt[] = "read(fd=%d, buf=%p, size=%d)\n"; bpf_trace_printk(fmt, sizeof(fmt), -- 2.7.4