This is a simple demonstration of an eBPF program attached to both a
kprobe trace event ("event/kprobe/...") and the same event through a
static trace event ("event/subsys:event").  The common_pid, name, and
len fields in the netif_receive_skb static trace event here are the
values grabbed from the event and printed.  The common_pid value for
the __netif_receive_skb_core kprobe event here is also the value
grabbed from the kprobe trace event.

Example output:

  # ./kprobe-event-fields
              ping-4074  [000] d.s1   131.098630: : __netif_receive_skb_core 
kprobe fields:  common_pid = 4074
              ping-4074  [000] ..s1   131.098653: : netif_receive_skb trace 
event fields:  common_pid = 4074, name = lo, len 84

Signed-off-by: Tom Zanussi <[email protected]>
---
 samples/bpf/Makefile                   |  4 +++
 samples/bpf/kprobe-event-fields_kern.c | 56 ++++++++++++++++++++++++++++++++++
 samples/bpf/kprobe-event-fields_user.c | 25 +++++++++++++++
 3 files changed, 85 insertions(+)
 create mode 100644 samples/bpf/kprobe-event-fields_kern.c
 create mode 100644 samples/bpf/kprobe-event-fields_user.c

diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
index d7af8d5..6b9ceae 100644
--- a/samples/bpf/Makefile
+++ b/samples/bpf/Makefile
@@ -17,6 +17,7 @@ hostprogs-y += tracex6
 hostprogs-y += trace_output
 hostprogs-y += lathist
 hostprogs-y += readcounts-by-pid
+hostprogs-y += kprobe-event-fields
 
 test_verifier-objs := test_verifier.o libbpf.o
 test_maps-objs := test_maps.o libbpf.o
@@ -34,6 +35,7 @@ tracex6-objs := bpf_load.o libbpf.o tracex6_user.o
 trace_output-objs := bpf_load.o libbpf.o trace_output_user.o
 lathist-objs := bpf_load.o libbpf.o lathist_user.o
 readcounts-by-pid-objs := bpf_load.o libbpf.o readcounts-by-pid_user.o
+kprobe-event-fields-objs := bpf_load.o libbpf.o kprobe-event-fields_user.o
 
 # Tell kbuild to always build the programs
 always := $(hostprogs-y)
@@ -50,6 +52,7 @@ always += trace_output_kern.o
 always += tcbpf1_kern.o
 always += lathist_kern.o
 always += readcounts-by-pid_kern.o
+always += kprobe-event-fields_kern.o
 
 HOSTCFLAGS += -I$(objtree)/usr/include
 
@@ -67,6 +70,7 @@ HOSTLOADLIBES_tracex6 += -lelf
 HOSTLOADLIBES_trace_output += -lelf -lrt
 HOSTLOADLIBES_lathist += -lelf
 HOSTLOADLIBES_readcounts-by-pid += -lelf
+HOSTLOADLIBES_kprobe-event-fields += -lelf
 
 # point this to your LLVM backend with bpf support
 LLC=$(srctree)/tools/bpf/llvm/bld/Debug+Asserts/bin/llc
diff --git a/samples/bpf/kprobe-event-fields_kern.c 
b/samples/bpf/kprobe-event-fields_kern.c
new file mode 100644
index 0000000..3d01e08
--- /dev/null
+++ b/samples/bpf/kprobe-event-fields_kern.c
@@ -0,0 +1,56 @@
+/* Copyright (c) 2016 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ */
+
+#include <uapi/linux/bpf.h>
+#include <linux/version.h>
+#include "bpf_helpers.h"
+
+/*
+ * With kprobes and event/kprobe/xxx, we can access the common trace
+ * event fields:
+ */
+SEC("event/kprobe/__netif_receive_skb_core")
+int bpf_prog1(void *ctx)
+{
+       int common_pid;
+
+       char common_pid_field[] = "common_pid";
+       common_pid = bpf_trace_event_field_read(ctx, common_pid_field);
+
+       char fmt[] = "__netif_receive_skb_core kprobe fields:  common_pid = 
%d\n";
+       bpf_trace_printk(fmt, sizeof(fmt), common_pid);
+
+       return 1;
+}
+
+/*
+ * Without the event/kprobe, we can access all the static trace event
+ * fields:
+ */
+SEC("event/net:netif_receive_skb")
+int bpf_prog2(void *ctx)
+{
+       char name[256] = {};
+       int len, common_pid;
+
+       char len_field[] = "len";
+       len = bpf_trace_event_field_read(ctx, len_field);
+
+       char name_field[] = "name";
+       bpf_trace_event_field_read_string(ctx, name_field, name, sizeof(name));
+
+       char common_pid_field[] = "common_pid";
+       common_pid = bpf_trace_event_field_read(ctx, common_pid_field);
+
+       char fmt[] = "netif_receive_skb trace event fields:  common_pid = %d, 
name = %s, len %d\n";
+       bpf_trace_printk(fmt, sizeof(fmt), common_pid, name, len);
+
+       return 1;
+}
+
+char _license[] SEC("license") = "GPL";
+u32 _version SEC("version") = LINUX_VERSION_CODE;
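Review bot: Neither program checks the result of the field-read helpers: in bpf_prog2 the return value of `bpf_trace_event_field_read_string(ctx, name_field, name, sizeof(name))` is dropped, and in both programs `common_pid` (and `len`) go straight into `bpf_trace_printk()`. The helpers' failure convention is not visible in this patch, but if they return a negative error for an unknown or unreadable field, that value would be printed as though it were a real pid or length. Because samples get copied, I would bail out on failure, e.g. `if (bpf_trace_event_field_read_string(ctx, name_field, name, sizeof(name)) < 0) return 0;`, with the same style of check on the integer reads if the helper can signal errors out of band. A short comment above `char name[256] = {};` noting that this buffer and the on-stack format strings consume a large share of the 512-byte BPF stack would also help readers who extend the example.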
diff --git a/samples/bpf/kprobe-event-fields_user.c 
b/samples/bpf/kprobe-event-fields_user.c
new file mode 100644
index 0000000..31a4818
--- /dev/null
+++ b/samples/bpf/kprobe-event-fields_user.c
@@ -0,0 +1,25 @@
+#include <stdio.h>
+#include <linux/bpf.h>
+#include <unistd.h>
+#include "libbpf.h"
+#include "bpf_load.h"
+
+int main(int ac, char **argv)
+{
+       FILE *f;
+       char filename[256];
+
+       snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
+
+       if (load_bpf_file(filename)) {
+               printf("%s", bpf_log_buf);
+               return 1;
+       }
+
+       f = popen("taskset 1 ping -c5 localhost", "r");
+       (void) f;
+
+       read_trace_pipe();
+
+       return 0;
+}
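Review bot: The `popen()` result in main() is discarded with `(void) f;`, so a failed spawn is never reported and the stream is never closed with `pclose()`; at minimum add `if (!f) { perror("popen"); return 1; }` before `read_trace_pipe()`. This loader presumably runs with the privileges needed to load BPF programs, and the command string is passed to the shell with `taskset` and `ping` resolved through PATH, so absolute paths (or a comment stating the assumption of a trusted environment) would be a safer pattern to show. The `snprintf()` into `filename[256]` is also unchecked for truncation, which would make `load_bpf_file()` open a different name than intended when `argv[0]` is long; comparing the return value against `sizeof(filename)` covers that. `ac` is unused.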
-- 
1.9.3
