
[bpf-next,0/5] samples: bpf: enhance syscall tracing program

Message ID 20221215113937.113936-1-danieltimlee@gmail.com (mailing list archive)

Message

Daniel T. Lee Dec. 15, 2022, 11:39 a.m. UTC
Syscall tracing using kprobe is quite unstable. Since it uses the exact
name of the kernel function, the program might break due to the rename
of a function. The problem can also be caused by changes in the
arguments of the function to which the kprobe connects. This commit
enhances the syscall tracing program with the following instruments.

In this patchset, ksyscall is used instead of kprobe. By using
ksyscall, libbpf will detect the appropriate kernel function name
(e.g. sys_write -> __s390_sys_write). This eliminates the need to worry
about which wrapper function to attach in order to parse arguments.
Also, since ksyscall provides a finer method of attaching to system calls,
the coarse SYSCALL helper in trace_common.h can be removed.

Next, BPF_KSYSCALL is used to reduce the inconvenience of parsing
arguments. Since the SYSCALL_WRAPPER function by its nature wraps the
arguments once, an additional argument extraction step is required
to properly parse the arguments. The BPF_KSYSCALL macro reduces the
hassle of parsing arguments from pt_regs.

Lastly, vmlinux.h is applied to the syscall tracing program. This change
allows the bpf program to refer to internal structures through a single
"vmlinux.h" instead of including each header referenced by the bpf
program.

Additionally, this patchset changes the _kern suffix to .bpf to make
use of the new compile rule (CLANG-BPF), which is simpler and neater.
Just changing the _kern suffix to .bpf inherits the benefit of
the new CLANG-BPF compile target.

Daniel T. Lee (5):
  samples: bpf: use ksyscall instead of kprobe in syscall tracing program
  samples: bpf: use vmlinux.h instead of implicit headers in syscall
    tracing program
  samples: bpf: change _kern suffix to .bpf with syscall tracing program
  samples: bpf: fix tracex2 by using BPF_KSYSCALL macro
  samples: bpf: use BPF_KSYSCALL macro in syscall tracing programs

 samples/bpf/Makefile                          | 10 ++--
 ...p_perf_test_kern.c => map_perf_test.bpf.c} | 48 ++++++++-----------
 samples/bpf/map_perf_test_user.c              |  2 +-
 ...c => test_current_task_under_cgroup.bpf.c} | 11 ++---
 .../bpf/test_current_task_under_cgroup_user.c |  2 +-
 samples/bpf/test_map_in_map_kern.c            |  1 -
 ...ser_kern.c => test_probe_write_user.bpf.c} | 20 ++++----
 samples/bpf/test_probe_write_user_user.c      |  2 +-
 samples/bpf/trace_common.h                    | 13 -----
 ...trace_output_kern.c => trace_output.bpf.c} |  6 +--
 samples/bpf/trace_output_user.c               |  2 +-
 samples/bpf/{tracex2_kern.c => tracex2.bpf.c} | 13 ++---
 samples/bpf/tracex2_user.c                    |  2 +-
 13 files changed, 51 insertions(+), 81 deletions(-)
 rename samples/bpf/{map_perf_test_kern.c => map_perf_test.bpf.c} (85%)
 rename samples/bpf/{test_current_task_under_cgroup_kern.c => test_current_task_under_cgroup.bpf.c} (84%)
 rename samples/bpf/{test_probe_write_user_kern.c => test_probe_write_user.bpf.c} (71%)
 delete mode 100644 samples/bpf/trace_common.h
 rename samples/bpf/{trace_output_kern.c => trace_output.bpf.c} (82%)
 rename samples/bpf/{tracex2_kern.c => tracex2.bpf.c} (89%)
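As an added illustration (not code from the patchset or from libbpf), here is a userspace C model of the argument layout the cover letter describes. The pt_regs subset, the register names and the write(3, buf, 42) sample are constructed assumptions mirroring the x86-64 syscall ABI; the point is that on a SYSCALL_WRAPPER kernel a plain kprobe's PT_REGS_PARM3 returns whatever happened to be in rdx, while the BPF_KSYSCALL-style extraction dereferences the single pt_regs pointer first, which is why tracing data fed to a detection pipeline is only trustworthy with the latter.

```c
/* Userspace model, constructed for illustration (not a BPF program and not code
 * from the patchset), of why a plain kprobe and ksyscall + BPF_KSYSCALL extract
 * syscall arguments differently on an x86-64 kernel built with SYSCALL_WRAPPER. */
#include <stdio.h>
/* Subset of the x86-64 struct pt_regs; field names follow the kernel's. */
struct pt_regs { unsigned long r10, r8, r9, cx, dx, si, di; };
/* x86-64 syscall ABI: argument n lives in rdi, rsi, rdx, r10, r8, r9.
 * Note r10, not rcx, for the 4th argument (rcx is clobbered by SYSCALL). */
static unsigned long syscall_arg(const struct pt_regs *regs, int n)
{
	switch (n) {
	case 0: return regs->di;  case 1: return regs->si; case 2: return regs->dx;
	case 3: return regs->r10; case 4: return regs->r8; case 5: return regs->r9;
	default: return 0;
	}
}
/* Plain kprobe view (PT_REGS_PARMn): the probed registers are read as if they
 * held the syscall arguments in the ordinary C function-call ABI. */
static unsigned long kprobe_parm(const struct pt_regs *ctx, int n)
{
	switch (n) {
	case 0: return ctx->di; case 1: return ctx->si; case 2: return ctx->dx;
	case 3: return ctx->cx; case 4: return ctx->r8; case 5: return ctx->r9;
	default: return 0;
	}
}
/* ksyscall view: with SYSCALL_WRAPPER, __x64_sys_write(const struct pt_regs *)
 * receives one pointer, so the real arguments sit one dereference away. This
 * is what BPF_KSYSCALL does for you (PT_REGS_PARMn_CORE_SYSCALL on that regs). */
static unsigned long ksyscall_arg(const struct pt_regs *ctx, int n, int has_wrapper)
{
	const struct pt_regs *regs = has_wrapper ? (const struct pt_regs *)ctx->di : ctx;
	return syscall_arg(regs, n);
}
/* Constructed sample: write(3, buf, 42) entering __x64_sys_write. The probe
 * context carries only the regs pointer in rdi; the other registers are stale. */
static void make_sample(struct pt_regs *user, struct pt_regs *ctx)
{
	*user = (struct pt_regs){ .di = 3, .si = 0x7ffd00001000UL, .dx = 42 };
	*ctx = (struct pt_regs){ .di = (unsigned long)user, .si = 0xdeadUL, .dx = 0xbadUL };
}
int main(void)
{
	struct pt_regs user, ctx;
	make_sample(&user, &ctx);
	printf("count via kprobe PT_REGS_PARM3:   %lu\n", kprobe_parm(&ctx, 2));   /* stale: 0xbad */
	printf("count via BPF_KSYSCALL (wrapper): %lu\n", ksyscall_arg(&ctx, 2, 1)); /* 42 */
	return 0;
}
```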

Comments

Yonghong Song Dec. 17, 2022, 12:51 a.m. UTC | #1
On 12/15/22 3:39 AM, Daniel T. Lee wrote:
> Syscall tracing using kprobe is quite unstable. Since it uses the exact
> name of the kernel function, the program might break due to the rename
> of a function. The problem can also be caused by changes in the
> arguments of the function to which the kprobe connects. This commit
> enhances the syscall tracing program with the following instruments.
> 
> In this patchset, ksyscall is used instead of kprobe. By using
> ksyscall, libbpf will detect the appropriate kernel function name
> (e.g. sys_write -> __s390_sys_write). This eliminates the need to worry
> about which wrapper function to attach in order to parse arguments.
> Also, since ksyscall provides a finer method of attaching to system calls,
> the coarse SYSCALL helper in trace_common.h can be removed.
> 
> Next, BPF_KSYSCALL is used to reduce the inconvenience of parsing
> arguments. Since the SYSCALL_WRAPPER function by its nature wraps the
> arguments once, an additional argument extraction step is required
> to properly parse the arguments. The BPF_KSYSCALL macro reduces the
> hassle of parsing arguments from pt_regs.
> 
> Lastly, vmlinux.h is applied to the syscall tracing program. This change
> allows the bpf program to refer to internal structures through a single
> "vmlinux.h" instead of including each header referenced by the bpf
> program.
> 
> Additionally, this patchset changes the _kern suffix to .bpf to make
> use of the new compile rule (CLANG-BPF), which is simpler and neater.
> Just changing the _kern suffix to .bpf inherits the benefit of
> the new CLANG-BPF compile target.
> 
> Daniel T. Lee (5):
>    samples: bpf: use ksyscall instead of kprobe in syscall tracing program
>    samples: bpf: use vmlinux.h instead of implicit headers in syscall
>      tracing program
>    samples: bpf: change _kern suffix to .bpf with syscall tracing program
>    samples: bpf: fix tracex2 by using BPF_KSYSCALL macro
>    samples: bpf: use BPF_KSYSCALL macro in syscall tracing programs

Please change "samples: bpf" to "samples/bpf".
Also, bpf CI reported some new warnings and failures:

https://github.com/kernel-patches/bpf/actions/runs/3708274678/jobs/6285674300

     CLANG-bpf  /tmp/work/bpf/bpf/samples/bpf/tracex4_kern.o
   /tmp/work/bpf/bpf/samples/bpf/xdp_fwd_user.c: In function ‘main’:
   /tmp/work/bpf/bpf/samples/bpf/xdp_fwd_user.c:85:44: warning: ‘_prog’ directive output may be truncated writing 5 bytes into a region of size between 2 and 9 [-Wformat-truncation=]
      85 |  snprintf(prog_name, sizeof(prog_name), "%s_prog", app_name);
         |                                            ^~~~~
   In file included from /usr/include/stdio.h:867,
                    from /tmp/work/bpf/bpf/samples/bpf/xdp_fwd_user.c:19:
   /usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: ‘__builtin___snprintf_chk’ output between 13 and 20 bytes into a destination of size 16
      67 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
         |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      68 |        __bos (__s), __fmt, __va_arg_pack ());
         |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     CC      /tmp/work/bpf/bpf/samples/bpf/syscall_nrs.s

...

     CLANG-BPF /tmp/work/bpf/bpf/samples/bpf/test_current_task_under_cgroup.bpf.o
   In file included from /tmp/work/bpf/bpf/samples/bpf/test_probe_write_user.bpf.c:8:
   In file included from /usr/include/string.h:26:
   In file included from /usr/include/x86_64-linux-gnu/bits/libc-header-start.h:33:
   In file included from /usr/include/features.h:485:
   /usr/include/x86_64-linux-gnu/gnu/stubs.h:7:11: fatal error: 'gnu/stubs-32.h' file not found
   # include <gnu/stubs-32.h>
             ^~~~~~~~~~~~~~~~
   1 error generated.
   make[3]: *** [/tmp/work/bpf/bpf/samples/bpf/Makefile:394: /tmp/work/bpf/bpf/samples/bpf/test_probe_write_user.bpf.o] Error 1
   make[3]: *** Waiting for unfinished jobs....
   In file included from /tmp/work/bpf/bpf/samples/bpf/map_perf_test.bpf.c:8:
   In file included from /usr/include/errno.h:25:
   In file included from /usr/include/features.h:485:
   /usr/include/x86_64-linux-gnu/gnu/stubs.h:7:11: fatal error: 'gnu/stubs-32.h' file not found
   # include <gnu/stubs-32.h>
             ^~~~~~~~~~~~~~~~
   1 error generated.
   make[3]: *** [/tmp/work/bpf/bpf/samples/bpf/Makefile:394: /tmp/work/bpf/bpf/samples/bpf/map_perf_test.bpf.o] Error 1
   make[2]: *** [/tmp/work/bpf/bpf/Makefile:1994: /tmp/work/bpf/bpf/samples/bpf] Error 2
   make[2]: Leaving directory '/tmp/work/bpf/bpf/kbuild-output'
   make[1]: *** [Makefile:231: __sub-make] Error 2
   make[1]: Leaving directory '/tmp/work/bpf/bpf'
   make: *** [Makefile:269: all] Error 2
   make: Leaving directory '/tmp/work/bpf/bpf/samples/bpf'
   Error: Process completed with exit code 2.

Please check bpf ci https://github.com/kernel-patches/bpf
and fix the above issues properly.
