Jackie Liu wrote:
> From: Jackie Liu <liuyun01@xxxxxxxxxx>
>
> When using regular expression matching with "kprobe multi", it scans all
> the functions under "/proc/kallsyms" that can be matched. However, not all
> of them can be traced by kprobe.multi. If any one of the functions fails
> to be traced, it will result in the failure of all functions. The best
> approach is to filter out the functions that cannot be traced to ensure
> proper tracking of the functions.
>
> Suggested-by: Jiri Olsa <jolsa@xxxxxxxxxx>
> Suggested-by: Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx>
> Signed-off-by: Jackie Liu <liuyun01@xxxxxxxxxx>
> ---
> tools/lib/bpf/libbpf.c | 121 ++++++++++++++++++++++++++++++++++++-----
> 1 file changed, 108 insertions(+), 13 deletions(-)
>
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 214f828ece6b..e26afcd1ff2d 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -10224,6 +10224,12 @@ static const char *tracefs_uprobe_events(void)
> return use_debugfs() ? DEBUGFS"/uprobe_events" : TRACEFS"/uprobe_events";
> }
>
> +static const char *tracefs_available_filter_functions(void)
> +{
> + return use_debugfs() ? DEBUGFS"/available_filter_functions" :
> + TRACEFS"/available_filter_functions";
> +}
> +
> static void gen_kprobe_legacy_event_name(char *buf, size_t buf_sz,
> const char *kfunc_name, size_t offset)
> {
> @@ -10539,23 +10545,112 @@ struct kprobe_multi_resolve {
> size_t cnt;
> };
>
> -static int
> -resolve_kprobe_multi_cb(unsigned long long sym_addr, char sym_type,
> - const char *sym_name, void *ctx)
> +static int qsort_compare_function(const void *a, const void *b)
> {
> - struct kprobe_multi_resolve *res = ctx;
> - int err;
> + return strcmp(*(const char **)a, *(const char **)b);
> +}
>
> - if (!glob_match(sym_name, res->pattern))
> - return 0;
> +static int bsearch_compare_function(const void *a, const void *b)
> +{
> + return strcmp((const char *)a, *(const char **)b);
> +}
>
> - err = libbpf_ensure_mem((void **) &res->addrs, &res->cap, sizeof(unsigned long),
> - res->cnt + 1);
> - if (err)
> +static int libbpf_available_kallsyms_parse(struct kprobe_multi_resolve *res)
> +{
> + char sym_name[256];
> + const char *available_functions_file = tracefs_available_filter_functions();
> + FILE *f;
> + int err = 0, ret, i;
> + struct function_info {
> + const char **syms;
> + size_t cap;
> + size_t cnt;
> + } infos = {};
> +
> + f = fopen(available_functions_file, "r");
> + if (!f) {
> + err = -errno;
> + pr_warn("failed to open %s\n", available_functions_file);
> return err;
> + }
>
> - res->addrs[res->cnt++] = (unsigned long) sym_addr;
> - return 0;
> + while (true) {
> + char *name;
> +
> + ret = fscanf(f, "%s%*[^\n]\n", sym_name);
> + if (ret == EOF && feof(f))
> + break;
> +
> + if (ret != 1) {
> + pr_warn("failed to read available function file entry: %d\n",
> + ret);
> + err = -EINVAL;
> + break;
Should this goto cleanup? Setting the 'err' here is a bit awkward at
least because its changed below or you might complete with an err?
> + }
> +
> + if (!glob_match(sym_name, res->pattern))
> + continue;
> +
> + err = libbpf_ensure_mem((void **)&infos.syms, &infos.cap,
> + sizeof(void *), infos.cnt + 1);
> + if (err)
fclose(f) needed?
> + goto cleanup;
> +
> + name = strdup(sym_name);
> + if (!name) {
> + err = -errno;
same, fclose(f)?
> + goto cleanup;
> + }
> +
> + infos.syms[infos.cnt++] = name;
> + }
> + fclose(f);
> +
> + /* sort available functions */
> + qsort(infos.syms, infos.cnt, sizeof(void *), qsort_compare_function);
Didn't follow this back entirely, but seems we are doing this in attach
path. Any idea of the overhead we are adding here? Should we have
an init() op to do this qsort if we are going to be calling attach
repeatedly? OTOH most of our progs are memory constrained and
attach operations done infrequently so we release memory aggressively
for cached things so likely wouldn't use it myself. For example we
release the BTF cached object and just repopulate as needed. Just
a thought.
> +
> + f = fopen("/proc/kallsyms", "r");
> + if (!f) {
> + err = -errno;
> + pr_warn("failed to open /proc/kallsyms\n");
> + goto cleanup;
> + }
> +
> + while (true) {
> + unsigned long long sym_addr;
> +
> + ret = fscanf(f, "%llx %*c %499s%*[^\n]\n", &sym_addr, sym_name);
> + if (ret == EOF && feof(f))
> + break;
> +
> + if (ret != 2) {
> + pr_warn("failed to read kallsyms entry: %d\n", ret);
> + err = -EINVAL;
> + break;
> + }
> +
> + if (!glob_match(sym_name, res->pattern))
> + continue;
> +
> + if (!bsearch(&sym_name, infos.syms, infos.cnt, sizeof(void *),
> + bsearch_compare_function))
> + continue;
> +
> + err = libbpf_ensure_mem((void **)&res->addrs, &res->cap,
> + sizeof(unsigned long), res->cnt + 1);
> + if (err)
> + break;
> +
> + res->addrs[res->cnt++] = (unsigned long)sym_addr;
> + }
> + fclose(f);
> +
> +cleanup:
> + for (i = 0; i < infos.cnt; i++)
> + free((char *)infos.syms[i]);
> + free(infos.syms);
> +
> + return err;
> }
>
> struct bpf_link *
> @@ -10594,7 +10689,7 @@ bpf_program__attach_kprobe_multi_opts(const struct bpf_program *prog,
> return libbpf_err_ptr(-EINVAL);
>
> if (pattern) {
> - err = libbpf_kallsyms_parse(resolve_kprobe_multi_cb, &res);
> + err = libbpf_available_kallsyms_parse(&res);
> if (err)
> goto error;
> if (!res.cnt) {
> --
> 2.25.1
>
>
