[RFC][PATCH 10/10] samples/bpf: Add kprobe-event-fields example

From: Tom Zanussi
Date: Fri Feb 12 2016 - 11:12:21 EST


This is a simple demonstration of an eBPF program attached to both a
kprobe trace event ("event/kprobe/...") and the same event through a
static trace event ("event/subsys:event"). The common_pid, name, and
len fields in the netif_receive_skb static trace event here are the
values grabbed from the event and printed. The common_pid value for
the __netif_receive_skb_core kprobe event here is also the value
grabbed from the kprobe trace event.

Example output:

# ./kprobe-event-fields
ping-4074 [000] d.s1 131.098630: : __netif_receive_skb_core kprobe fields: common_pid = 4074
ping-4074 [000] ..s1 131.098653: : netif_receive_skb trace event fields: common_pid = 4074, name = lo, len 84

Signed-off-by: Tom Zanussi <tom.zanussi@xxxxxxxxxxxxxxx>
---
samples/bpf/Makefile | 4 +++
samples/bpf/kprobe-event-fields_kern.c | 56 ++++++++++++++++++++++++++++++++++
samples/bpf/kprobe-event-fields_user.c | 25 +++++++++++++++
3 files changed, 85 insertions(+)
create mode 100644 samples/bpf/kprobe-event-fields_kern.c
create mode 100644 samples/bpf/kprobe-event-fields_user.c

diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
index d7af8d5..6b9ceae 100644
--- a/samples/bpf/Makefile
+++ b/samples/bpf/Makefile
@@ -17,6 +17,7 @@ hostprogs-y += tracex6
hostprogs-y += trace_output
hostprogs-y += lathist
hostprogs-y += readcounts-by-pid
+hostprogs-y += kprobe-event-fields

test_verifier-objs := test_verifier.o libbpf.o
test_maps-objs := test_maps.o libbpf.o
@@ -34,6 +35,7 @@ tracex6-objs := bpf_load.o libbpf.o tracex6_user.o
trace_output-objs := bpf_load.o libbpf.o trace_output_user.o
lathist-objs := bpf_load.o libbpf.o lathist_user.o
readcounts-by-pid-objs := bpf_load.o libbpf.o readcounts-by-pid_user.o
+kprobe-event-fields-objs := bpf_load.o libbpf.o kprobe-event-fields_user.o

# Tell kbuild to always build the programs
always := $(hostprogs-y)
@@ -50,6 +52,7 @@ always += trace_output_kern.o
always += tcbpf1_kern.o
always += lathist_kern.o
always += readcounts-by-pid_kern.o
+always += kprobe-event-fields_kern.o

HOSTCFLAGS += -I$(objtree)/usr/include

@@ -67,6 +70,7 @@ HOSTLOADLIBES_tracex6 += -lelf
HOSTLOADLIBES_trace_output += -lelf -lrt
HOSTLOADLIBES_lathist += -lelf
HOSTLOADLIBES_readcounts-by-pid += -lelf
+HOSTLOADLIBES_kprobe-event-fields += -lelf

# point this to your LLVM backend with bpf support
LLC=$(srctree)/tools/bpf/llvm/bld/Debug+Asserts/bin/llc
diff --git a/samples/bpf/kprobe-event-fields_kern.c b/samples/bpf/kprobe-event-fields_kern.c
new file mode 100644
index 0000000..3d01e08
--- /dev/null
+++ b/samples/bpf/kprobe-event-fields_kern.c
@@ -0,0 +1,56 @@
+/* Copyright (c) 2016 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ */
+
+#include <uapi/linux/bpf.h>
+#include <linux/version.h>
+#include "bpf_helpers.h"
+
+/*
+ * With kprobes and event/kprobe/xxx, we can access the common trace
+ * event fields:
+ */
+SEC("event/kprobe/__netif_receive_skb_core")
+int bpf_prog1(void *ctx)
+{
+ int common_pid;
+
+ char common_pid_field[] = "common_pid";
+ common_pid = bpf_trace_event_field_read(ctx, common_pid_field);
+
+ char fmt[] = "__netif_receive_skb_core kprobe fields: common_pid = %d\n";
+ bpf_trace_printk(fmt, sizeof(fmt), common_pid);
+
+ return 1;
+}
+
+/*
+ * Without the event/kprobe, we can access all the static trace event
+ * fields:
+ */
+SEC("event/net:netif_receive_skb")
+int bpf_prog2(void *ctx)
+{
+ char name[256] = {};
+ int len, common_pid;
+
+ char len_field[] = "len";
+ len = bpf_trace_event_field_read(ctx, len_field);
+
+ char name_field[] = "name";
+ bpf_trace_event_field_read_string(ctx, name_field, name, sizeof(name));
+
+ char common_pid_field[] = "common_pid";
+ common_pid = bpf_trace_event_field_read(ctx, common_pid_field);
+
+ char fmt[] = "netif_receive_skb trace event fields: common_pid = %d, name = %s, len %d\n";
+ bpf_trace_printk(fmt, sizeof(fmt), common_pid, name, len);
+
+ return 1;
+}
+
+char _license[] SEC("license") = "GPL";
+u32 _version SEC("version") = LINUX_VERSION_CODE;
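Review bot: In bpf_prog2 the result of `bpf_trace_event_field_read_string(ctx, name_field, name, sizeof(name))` is discarded, and in both programs the value returned by `bpf_trace_event_field_read()` is printed as if it were always field data. The helpers are defined earlier in the series and are not visible here, so this is inferred: if they signal a missing field or a failed read through the return value, the sample prints an error code as a pid or length. Assuming the usual negative-on-failure convention, a guard such as `if (bpf_trace_event_field_read_string(ctx, name_field, name, sizeof(name)) < 0) return 0;` would keep failed reads out of the trace buffer, and a comment should state how an error from the integer read is told apart from a real value. `char name[256]` also takes half of the 512-byte BPF stack for what the example output shows to be an interface name; a smaller buffer would leave headroom.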
diff --git a/samples/bpf/kprobe-event-fields_user.c b/samples/bpf/kprobe-event-fields_user.c
new file mode 100644
index 0000000..31a4818
--- /dev/null
+++ b/samples/bpf/kprobe-event-fields_user.c
@@ -0,0 +1,25 @@
+#include <stdio.h>
+#include <linux/bpf.h>
+#include <unistd.h>
+#include "libbpf.h"
+#include "bpf_load.h"
+
+int main(int ac, char **argv)
+{
+ FILE *f;
+ char filename[256];
+
+ snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
+
+ if (load_bpf_file(filename)) {
+ printf("%s", bpf_log_buf);
+ return 1;
+ }
+
+ f = popen("taskset 1 ping -c5 localhost", "r");
+ (void) f;
+
+ read_trace_pipe();
+
+ return 0;
+}
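Review bot: The `popen()` result in main() is cast to void, so a failed spawn is not reported and the stream is never closed with `pclose()`; when ping does not start, `read_trace_pipe()` simply waits with no traffic of its own to show. Because the loader has to run with enough privilege to load BPF programs, the command string is also resolved by the shell through the caller's PATH, and absolute paths for taskset and ping would avoid picking up a different binary. Suggest `if (!f) { perror("popen"); return 1; }` in place of `(void) f;`. The `snprintf()` into `filename` is likewise unchecked, so a long `argv[0]` silently truncates the object path passed to `load_bpf_file()`.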
--
1.9.3