Hi, On Tue, 16 May 2023 17:36:28 -0700 Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > BPF progs have three ways to access kernel tracepoints: > 1. traditional tracepoint This is the trace_events, which is used by ftrace, right? > 2. raw tracepoint > 3. raw tracepoint with BTF > > 1 was added first and now rarely used (only by old tools), since it's slow. > 2 was added later to address performance concerns. > 3 was added after BTF was introduced to provide accurate types. > > 3 is the only one that bpf community recommends and is the one that is used most often. > > As far as I know trace_events were never connected to bpf. > Unless somebody sneaked the code in without us seeing it. With this design, I understand that you may not want to connect BPF directly to user_events. It needs a different model. > > I think you're trying to model user_events+bpf as 1. > Which means that you'll be repeating the same mistakes. The user_events is completely different from the traceppoint and must have no BTF with it. Also, all information must be sent in the user-written data packet. (No data structure, event if there is a structure, it must be fully contained in the packet.) For the tracepoint, there is a function call with some values or pointers of data structure. So it is meaningful to skip using the traceevent (which converts all pointers to actual field values of the data structure and store it to ftrace buffer) because most of the values can be ignored in the BPF prog. However, for the user_events, the data is just passed from the user as a data packet, and BPF prog can access to the data packet (to avoid accessing malicious data, data validator can not be skipped). So this seems like 1. but actually you can access to the validated data on perf buffer. Maybe we can allow BPF to hook the write syscall and access user-space data, but it may not safe. I think this is the safest way to do that. Thank you, -- Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
