New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
link: implement kprobe.multi link #716
Conversation
Do you have a link to the corresponding upstream patch set? Should we support transparent multi attach, with a fallback for old kernels instead of a separate multi attach API? How does libbpf expose this? |
https://patchwork.kernel.org/project/netdevbpf/list/?series=623878&state=* I think there are also some bugfixes which are not part of that set
From what I can see, libbpf doesn't do fallback; I think it doesn't make much sense as the underlying API is different from the one of classic kprobes p.s. I think we need to enable |
Thanks for picking this up! (cc @olsajiri)
I've been mulling this over for a while, was thinking the same. There's no straightforward way to make What about unifying them and something like |
The following make transparent fallback difficult: https://patchwork.kernel.org/project/netdevbpf/patch/20220316122419.933957-4-jolsa@kernel.org/
This is incompatible with https://patchwork.kernel.org/project/netdevbpf/patch/20220316122419.933957-10-jolsa@kernel.org/ diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 1ca520a29fdb..f3a31478e23b 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -8621,6 +8622,8 @@ static const struct bpf_sec_def section_defs[] = {
SEC_DEF("uprobe/", KPROBE, 0, SEC_NONE),
SEC_DEF("kretprobe/", KPROBE, 0, SEC_NONE, attach_kprobe),
SEC_DEF("uretprobe/", KPROBE, 0, SEC_NONE),
+ SEC_DEF("kprobe.multi/", KPROBE, BPF_TRACE_KPROBE_MULTI, SEC_NONE, attach_kprobe_multi),
+ SEC_DEF("kretprobe.multi/", KPROBE, BPF_TRACE_KPROBE_MULTI, SEC_NONE, attach_kprobe_multi),
SEC_DEF("tc", SCHED_CLS, 0, SEC_NONE),
SEC_DEF("classifier", SCHED_CLS, 0, SEC_NONE | SEC_SLOPPY_PFX | SEC_DEPRECATED),
SEC_DEF("action", SCHED_ACT, 0, SEC_NONE | SEC_SLOPPY_PFX), Multi kprobes have a distinct |
not sure fallback is possible.. attaching all symbols by separate kprobe, but that would be real slow, I'd just return error it's looks good, I'm out this week, but next week I'll try to rebase my multi_kprobe tetragon code on top of this and test, thanks |
I made first draft in here cilium/tetragon@ebccee5 and I'm able to use the interface in tetragon, there are many loose ends I need to take care of, but the interface is fine for tetragon for now ;-) thanks |
9e00e33
to
2a39fd8
Compare
Before we do that, could you give an example of how that would be used and why? (as opposed to just trying the multi-attach and falling back to perf attach when it fails?) Probably better to make the multi attach itself return ErrNotSupported instead of adding arbitrary feature probes. Ask for forgiveness, not permission etc. |
we are going to use kprobe_multi link instead of standard kprobe,
I'd call |
there's lot of different configuration code for standard and multi kprobes, |
0ee4bc5
to
3e3109e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed offline, leaving this review to highlight the main points I'd liked to see differently while hacking on this code. Mostly cleaned up the middle part of kprobeMulti
and moved all input validation to the top. Will push my changes shortly.
Thanks, looks better! |
1894450
to
586b751
Compare
var _ Link = (*kprobeMultiLink)(nil) | ||
|
||
func (kml *kprobeMultiLink) Update(prog *ebpf.Program) error { | ||
return fmt.Errorf("update kprobe_multi: %w", ErrNotSupported) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hardcoding ErrNotSupported here for each link type really sucks, we should change the kernel to return a sensible errno.
} | ||
defer prog.Close() | ||
|
||
fd, err := sys.LinkCreateKprobeMulti(&sys.LinkCreateKprobeMultiAttr{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't it enough to check that AttachTraceKprobeMulti is accepted by the kernel?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seems like it's accepted even when not supported
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh boy...
ProgFd uint32 | ||
TargetFd uint32 | ||
AttachType AttachType | ||
Flags uint32 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@joamaki somewhat OT, but why does kprobe_multi not use the existing flags field?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Signed-off-by: Timo Beckers <timo@isovalent.com>
Having both a switch statement to initialize the metadata struct pointer as well as a list of link types was a bit redundant. Signed-off-by: Timo Beckers <timo@isovalent.com>
Co-authored-by: Lorenz Bauer <i@lmb.io>
b7b10a6
to
9208bf5
Compare
As of Linux 5.18, or commit 5a5c11ee3e65 ("Merge branch 'bpf: Add kprobe multi link'"), attaching multiple k(ret)probes using a single system call is now possible. This commit adds support for this through the KprobeMulti() and KretprobeMulti() APIs in package link. Co-authored-by: Timo Beckers <timo@isovalent.com>
9208bf5
to
efd936a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
Leaving as draft until CI supports 5.18.
Also, support for pattern matching and addresses array (which libbpf already supports) is to be evaluated
Edit: I've added support for addresses array, I left "pattern matching" out for now since it's not part of the link_create API