On Thu, 2023-03-23 at 14:53 +0800, 刘畅 wrote:
> Hi all
>
> I'm developing an ebpf program to capture all descendant processes of
> a specific process (e.g., a shell process), so I use kretprobe to
> monitor the return of _do_fork() function in kernel. I maintained a
> pid_map (BPF_MAP_TYPE_ARRAY) to store the PIDs of the descendant
> processes and a ptr_map (BPF_MAP_TYPE_ARRAY with only 1 element) as a
> pointer which points to the first empty element in the pid_map.
> Every time the ebpf program is triggered, it will traverse all PIDs
> stored in the pid_map to see whether the current process is a
> descendant of the initial process, if so, the PID of the newly created
> process will be added to the pid_map and the ptr_map is also updated.
> Then I realized there are data races, because on an SMP system, ebpf
> programs that run on different CPU cores may access the ptr_map
> simultaneously. To solve this problem, I searched related docs and
> found that spinlock is available in the newest kernel. However, I'm
> working on 4.19 kernel which doesn't support spinlock, I wonder if
> there is any synchronization mechanism that I can use to solve this
> race condition. I'd appreciate it if anyone can help me :)

Hi Chang,

If all you need is to bump a counter you can probably use
__sync_fetch_and_add() intrinsic. Looking through BPF samples I see it
used in the code from 2015, e.g. in samples/bpf/sockex3_kern.c.

However, I'm not sure why not simply inspect
`struct task_struct::parent` field?

Thanks,
Eduard

>
> Thank you!
>
> Chang Liu
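An added example, not part of the original thread: a userspace C model of the lost-update race on the ptr_map index described in the question, next to the atomic increment suggested in the reply. Sizes, PIDs and function names are constructed; it assumes the intrinsic's return value (the previous index) is usable, as it is in userspace GCC/Clang, which the thread does not confirm for BPF on 4.19.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#define NTHREADS 4                /* constructed sizes for the model */
#define PER_THREAD 20000
#define MAP_SIZE (NTHREADS * PER_THREAD)
static int pid_map[MAP_SIZE];     /* 0 = empty slot */
static volatile int ptr_map;      /* index of the first empty slot */
static int use_atomic;

static void *worker(void *arg)
{
    int base = (int)(long)arg * PER_THREAD;
    for (int i = 0; i < PER_THREAD; i++) {
        int slot;
        if (use_atomic) {
            /* one indivisible read-modify-write: every caller gets its own slot */
            slot = __sync_fetch_and_add(&ptr_map, 1);
        } else {
            /* racy: two CPUs can read the same index before either stores */
            slot = ptr_map;
            ptr_map = slot + 1;
        }
        if (slot < MAP_SIZE)
            pid_map[slot] = base + i + 1;   /* constructed fake PID, never 0 */
    }
    return NULL;
}

int run_model(int atomic)   /* runs all workers; returns slots holding a PID */
{
    pthread_t t[NTHREADS];
    int filled = 0;
    memset(pid_map, 0, sizeof(pid_map));
    ptr_map = 0;
    use_atomic = atomic;
    for (long i = 0; i < NTHREADS; i++)
        pthread_create(&t[i], NULL, worker, (void *)i);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(t[i], NULL);
    for (int i = 0; i < MAP_SIZE; i++)
        filled += pid_map[i] != 0;
    return filled;
}

int main(void)
{
    printf("racy:   %d of %d PIDs recorded\n", run_model(0), MAP_SIZE);
    printf("atomic: %d of %d PIDs recorded\n", run_model(1), MAP_SIZE);
}
```

Build with `cc -pthread`. The racy count varies per run and typically falls short of the total on a multi-core machine, which corresponds to descendant PIDs silently missing from the map.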