On Mon, Oct 25, 2021 at 5:06 AM Tal Lossos <tallossos@xxxxxxxxx> wrote: > > Hello! > After reading Andrii's new blog post regarding BPF CO-RE, which was > really lovely and well written, I came up with a small question: > When you gave the example for BPF_CORE_READ, you've accessed the > executable pointer under linux_binfmt struct. > Is it a mistake with linux_binprm struct? or maybe I'm missing something. Yeah, totally a mistake, sorry. I've fixed it. It should be t->mm->exe_file->fpath.dentry->d_name.name (one pointer dereference step shorter). Thanks for reading carefully and reporting the problem! > > Another thing, maybe you could add a little explanation about how > libbpf validates the structs offsets with the help of BTF? It's a key > part of CO-RE so it would be nice to have a little deep-dive in the > blog post about it :) This felt like repeating some low-level things from previous blog posts and describing BTF rather than CO-RE mechanics itself. This topic was described in previous BPF CO-RE post in more detail ([0]), BTF itself was described (along the dedup algo) in [1]. CO-RE relocation format I don't think I've ever described in detail, but this comment ([2]) in libbpf source code should give you a pretty good idea, I hope. [0] https://nakryiko.com/posts/bpf-portability-and-co-re/#compiler-support [1] https://nakryiko.com/posts/btf-dedup/#bpf-and-type-information [2] https://github.com/libbpf/libbpf/blob/master/src/relo_core.h#L25-L70 > > Thanks.
