Introduce bpf_get_branch_trace(), which allows tracing pogram to get
branch trace from hardware (e.g. Intel LBR). To use the feature, the
user need to create perf_event with proper branch_record filtering
on each cpu, and then calls bpf_get_branch_trace in the bpf function.
On Intel CPUs, VLBR event (raw event 0x1b00) can be use for this.
Signed-off-by: Song Liu <songliubraving@xxxxxx>
---
include/linux/filter.h | 3 ++-
include/uapi/linux/bpf.h | 16 ++++++++++++++++
kernel/bpf/trampoline.c | 15 +++++++++++++++
kernel/bpf/verifier.c | 7 +++++++
kernel/trace/bpf_trace.c | 30 ++++++++++++++++++++++++++++++
tools/include/uapi/linux/bpf.h | 16 ++++++++++++++++
6 files changed, 86 insertions(+), 1 deletion(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 7d248941ecea3..8c30712f56ab2 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -575,7 +575,8 @@ struct bpf_prog {
has_callchain_buf:1, /* callchain buffer allocated? */
enforce_expected_attach_type:1, /* Enforce expected_attach_type checking at attach time */
call_get_stack:1, /* Do we call bpf_get_stack() or bpf_get_stackid() */
- call_get_func_ip:1; /* Do we call get_func_ip() */
+ call_get_func_ip:1, /* Do we call get_func_ip() */
+ call_get_branch:1; /* Do we call get_branch_trace() */
enum bpf_prog_type type; /* Type of BPF program */
enum bpf_attach_type expected_attach_type; /* For some prog types */
u32 len; /* Number of filter blocks */
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 191f0b286ee39..4b1ddb76603a5 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -4871,6 +4871,21 @@ union bpf_attr {
* Return
* Value specified by user at BPF link creation/attachment time
* or 0, if it was not specified.
+ *
+ * long bpf_get_branch_trace(void *entries, u32 size)
+ * Description
+ * Get branch trace from hardware engines like Intel LBR. The
+ * branch trace is taken soon after the trigger point of the
+ * BPF program, so it may contain some entries after the
+ * trigger point. The user need to filter these entries
+ * accordingly.
+ *
+ * The data is stored as struct perf_branch_entry into output
+ * buffer *entries*. *size* is the size of *entries* in bytes.
+ *
+ * Return
+ * > 0, number of valid output entries.
+ * **-EOPNOTSUP**, the hardware/kernel does not support this function
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -5048,6 +5063,7 @@ union bpf_attr {
FN(timer_cancel), \
FN(get_func_ip), \
FN(get_attach_cookie), \
+ FN(get_branch_trace), \
/* */
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index fe1e857324e66..c36d3d7366cc9 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -10,6 +10,7 @@
#include <linux/rcupdate_trace.h>
#include <linux/rcupdate_wait.h>
#include <linux/module.h>
+#include <linux/static_call.h>
/* dummy _ops. The verifier will operate on target program's ops. */
const struct bpf_verifier_ops bpf_extension_verifier_ops = {
@@ -564,6 +565,20 @@ static void notrace inc_misses_counter(struct bpf_prog *prog)
u64 notrace __bpf_prog_enter(struct bpf_prog *prog)
__acquires(RCU)
{
+ /* Calling migrate_disable costs two entries in the LBR. To save
+ * some entries, we call perf_snapshot_branch_stack before
+ * migrate_disable to save some entries. This is OK because we
+ * care about the branch trace before entering the BPF program.
+ * If migrate happens exactly here, there isn't much we can do to
+ * preserve the data.
+ */
+ if (prog->call_get_branch) {
+#ifdef CONFIG_HAVE_STATIC_CALL
+ static_call(perf_snapshot_branch_stack)();
+#else
+ perf_snapshot_branch_stack();
+#endif
+ }
rcu_read_lock();
migrate_disable();
if (unlikely(__this_cpu_inc_return(*(prog->active)) != 1)) {
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f5a0077c99811..292d2b471892a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6446,6 +6446,13 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
env->prog->call_get_func_ip = true;
}
+ if (func_id == BPF_FUNC_get_branch_trace) {
+ if (env->prog->aux->sleepable) {
+ verbose(env, "sleepable progs cannot call get_branch_trace\n");
+ return -ENOTSUPP;
+ }
+ env->prog->call_get_branch = true;
+ }
if (changes_data)
clear_all_pkt_pointers(env);
return 0;
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index cbc73c08c4a4e..fe0a653190a5f 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1002,6 +1002,19 @@ static const struct bpf_func_proto bpf_get_attach_cookie_proto_pe = {
.arg1_type = ARG_PTR_TO_CTX,
};
+BPF_CALL_2(bpf_get_branch_trace, void *, buf, u32, size)
+{
+ return perf_read_branch_snapshot(buf, size);
+}
+
+static const struct bpf_func_proto bpf_get_branch_trace_proto = {
+ .func = bpf_get_branch_trace,
+ .gpl_only = true,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_UNINIT_MEM,
+ .arg2_type = ARG_CONST_SIZE_OR_ZERO,
+};
+
static const struct bpf_func_proto *
bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
@@ -1115,6 +1128,8 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_snprintf_proto;
case BPF_FUNC_get_func_ip:
return &bpf_get_func_ip_proto_tracing;
+ case BPF_FUNC_get_branch_trace:
+ return &bpf_get_branch_trace_proto;
default:
return bpf_base_func_proto(func_id);
}
@@ -1849,6 +1864,21 @@ void bpf_put_raw_tracepoint(struct bpf_raw_event_map *btp)
static __always_inline
void __bpf_trace_run(struct bpf_prog *prog, u64 *args)
{
+ /* Calling migrate_disable costs two entries in the LBR. To save
+ * some entries, we call perf_snapshot_branch_stack before
+ * migrate_disable to save some entries. This is OK because we
+ * care about the branch trace before entering the BPF program.
+ * If migrate happens exactly here, there isn't much we can do to
+ * preserve the data.
+ */
+ if (prog->call_get_branch) {
+#ifdef CONFIG_HAVE_STATIC_CALL
+ static_call(perf_snapshot_branch_stack)();
+#else
+ perf_snapshot_branch_stack();
+#endif
+ }
+
cant_sleep();
rcu_read_lock();
(void) bpf_prog_run(prog, args);
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 191f0b286ee39..4b1ddb76603a5 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -4871,6 +4871,21 @@ union bpf_attr {
* Return
* Value specified by user at BPF link creation/attachment time
* or 0, if it was not specified.
+ *
+ * long bpf_get_branch_trace(void *entries, u32 size)
+ * Description
+ * Get branch trace from hardware engines like Intel LBR. The
+ * branch trace is taken soon after the trigger point of the
+ * BPF program, so it may contain some entries after the
+ * trigger point. The user need to filter these entries
+ * accordingly.
+ *
+ * The data is stored as struct perf_branch_entry into output
+ * buffer *entries*. *size* is the size of *entries* in bytes.
+ *
+ * Return
+ * > 0, number of valid output entries.
+ * **-EOPNOTSUP**, the hardware/kernel does not support this function
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -5048,6 +5063,7 @@ union bpf_attr {
FN(timer_cancel), \
FN(get_func_ip), \
FN(get_attach_cookie), \
+ FN(get_branch_trace), \
/* */
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
--
2.30.2
