On Wed, 17 Sep 2025 15:22:39 +0800 Fuyu Zhao <[email protected]> wrote:
> Hi everyone,
>
> This patchset introduces a new BPF program type that allows overriding
> a tracepoint probe function registered via register_trace_*.
>
> Motivation
> ----------
> Tracepoint probe functions registered via register_trace_* in the kernel
> cannot be dynamically modified, changing a probe function requires recompiling
> the kernel and rebooting. Nor can BPF programs change an existing
> probe function.

I'm confused by what you mean by "tracepoint probe function"? You mean the
function callback that gets called via the "register_trace_*()"?

>
> Overriding tracepoint supports a way to apply patches into kernel quickly
> (such as applying security ones), through predefined static tracepoints,
> without waiting for upstream integration.

This sounds way out of scope for tracepoints. Please provide a solid
example for this.

>
> This patchset demonstrates the way to override probe functions by BPF program.
>
> Overview
> --------
> This patchset adds BPF_PROG_TYPE_RAW_TRACEPOINT_OVERRIDE program type.
> When this type of BPF program attaches, it overrides the target tracepoint
> probe function.
>
> And it also extends a new struct type "tracepoint_func_snapshot", which
> extends the tracepoint structure. It is used to record the original probe
> function registered by kernel after BPF program being attached and restore
> from it after detachment.

The tracepoint structure exists for every tracepoint in the kernel. By
adding a pointer to it, you just increased the size of the tracepoint. I'm
already complaining that each tracepoint causes around 5K of memory
overhead, and I'd like to make it smaller.

-- Steve
