link: implement kprobe.multi link #716
Conversation
|
Do you have a link to the corresponding upstream patch set? Should we support transparent multi attach, with a fallback for old kernels instead of a separate multi attach API? How does libbpf expose this? |
https://patchwork.kernel.org/project/netdevbpf/list/?series=623878&state=* I think there are also some bugfixes which are not part of that set
From what I can see, libbpf doesn't do fallback; I think it doesn't make much sense as the underlying API is different from the one of classic kprobes p.s. I think we need to enable |
|
Thanks for picking this up! (cc @olsajiri)
I've been mulling this over for a while, was thinking the same. There's no straightforward way to make What about unifying them and something like |
|
The following make transparent fallback difficult: https://patchwork.kernel.org/project/netdevbpf/patch/20220316122419.933957-4-jolsa@kernel.org/
This is incompatible with https://patchwork.kernel.org/project/netdevbpf/patch/20220316122419.933957-10-jolsa@kernel.org/ diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 1ca520a29fdb..f3a31478e23b 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -8621,6 +8622,8 @@ static const struct bpf_sec_def section_defs[] = {
SEC_DEF("uprobe/", KPROBE, 0, SEC_NONE),
SEC_DEF("kretprobe/", KPROBE, 0, SEC_NONE, attach_kprobe),
SEC_DEF("uretprobe/", KPROBE, 0, SEC_NONE),
+ SEC_DEF("kprobe.multi/", KPROBE, BPF_TRACE_KPROBE_MULTI, SEC_NONE, attach_kprobe_multi),
+ SEC_DEF("kretprobe.multi/", KPROBE, BPF_TRACE_KPROBE_MULTI, SEC_NONE, attach_kprobe_multi),
SEC_DEF("tc", SCHED_CLS, 0, SEC_NONE),
SEC_DEF("classifier", SCHED_CLS, 0, SEC_NONE | SEC_SLOPPY_PFX | SEC_DEPRECATED),
SEC_DEF("action", SCHED_ACT, 0, SEC_NONE | SEC_SLOPPY_PFX),Multi kprobes have a distinct |
|
not sure fallback is possible.. attaching all symbols by separate kprobe, but that would be real slow, I'd just return error it's looks good, I'm out this week, but next week I'll try to rebase my multi_kprobe tetragon code on top of this and test, thanks |
|
I made first draft in here cilium/tetragon@ebccee5 and I'm able to use the interface in tetragon, there are many loose ends I need to take care of, but the interface is fine for tetragon for now ;-) thanks |
mmat11
force-pushed
the
matt/multikp
branch
4 times, most recently
from
9e00e33
to
2a39fd8
Compare
Before we do that, could you give an example of how that would be used and why? (as opposed to just trying the multi-attach and falling back to perf attach when it fails?) Probably better to make the multi attach itself return ErrNotSupported instead of adding arbitrary feature probes. Ask for forgiveness, not permission etc. |
|
we are going to use kprobe_multi link instead of standard kprobe, I'd call |
there's lot of different configuration code for standard and multi kprobes, |
mmat11
force-pushed
the
matt/multikp
branch
2 times, most recently
from
0ee4bc5
to
3e3109e
Compare
Thanks, looks better! |
lmb
force-pushed
the
matt/multikp
branch
2 times, most recently
from
1894450
to
586b751
Compare
| var _ Link = (*kprobeMultiLink)(nil) | ||
|
|
||
| func (kml *kprobeMultiLink) Update(prog *ebpf.Program) error { | ||
| return fmt.Errorf("update kprobe_multi: %w", ErrNotSupported) |
There was a problem hiding this comment.
Hardcoding ErrNotSupported here for each link type really sucks, we should change the kernel to return a sensible errno.
| } | ||
| defer prog.Close() | ||
|
|
||
| fd, err := sys.LinkCreateKprobeMulti(&sys.LinkCreateKprobeMultiAttr{ |
There was a problem hiding this comment.
Isn't it enough to check that AttachTraceKprobeMulti is accepted by the kernel?
There was a problem hiding this comment.
seems like it's accepted even when not supported
| ProgFd uint32 | ||
| TargetFd uint32 | ||
| AttachType AttachType | ||
| Flags uint32 |
There was a problem hiding this comment.
@joamaki somewhat OT, but why does kprobe_multi not use the existing flags field?
Signed-off-by: Timo Beckers <timo@isovalent.com>
Having both a switch statement to initialize the metadata struct pointer as well as a list of link types was a bit redundant. Signed-off-by: Timo Beckers <timo@isovalent.com>
Co-authored-by: Lorenz Bauer <i@lmb.io>
mmat11
force-pushed
the
matt/multikp
branch
2 times, most recently
from
b7b10a6
to
9208bf5
Compare
As of Linux 5.18, or commit 5a5c11ee3e65 ("Merge branch 'bpf: Add kprobe
multi link'"), attaching multiple k(ret)probes using a single system call
is now possible.
This commit adds support for this through the KprobeMulti() and
KretprobeMulti() APIs in package link.
Co-authored-by: Timo Beckers <timo@isovalent.com>
mmat11
force-pushed
the
matt/multikp
branch
from
9208bf5
to
efd936a
Compare
Leaving as draft until CI supports 5.18.
Also, support for pattern matching and addresses array (which libbpf already supports) is to be evaluated
Edit: I've added support for addresses array, I left "pattern matching" out for now since it's not part of the link_create API