
Using bpftool prog show, I can see a list of eBPF programs.

3: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:04-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
4: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:04-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
5: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:06-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
6: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:06-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
7: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:22-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
8: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:22-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
13: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:44-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
14: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:44-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
29: xdp  name udp_counter  tag 3cc0e629432a3f38  gpl
        loaded_at 2023-04-21T12:41:50-0400  uid 0
        xlated 320B  jited 197B  memlock 4096B  map_ids 3
        btf_id 171
60: kprobe  name udp_sendmsg  tag a8506d7cc4ef8572  gpl
        loaded_at 2023-04-24T05:15:51-0400  uid 0
        xlated 144B  jited 90B  memlock 4096B
        btf_id 180

The last one, udp_sendmsg, was attached using:

from bcc import BPF
b = BPF(src_file="udpsend.c", debug=0)
b.attach_kprobe(event="udp_sendmsg", fn_name="kprobe__udp_sendmsg")

where the kprobe__udp_sendmsg function is defined in udpsend.c. I have run the code twice, with udpsend.c slightly different each time.

b' systemd-resolve-651     [001] d...1 359619.458762: bpf_trace_printk: udp_sendmsg() called\\n'
b' systemd-resolve-651     [001] d...1 359619.458762: bpf_trace_printk: udp_sendmsg() called\\n'
b' systemd-resolve-651     [001] d...1 359619.460828: bpf_trace_printk: Hello, World!\\n'
b' systemd-resolve-651     [001] d...1 359619.460831: bpf_trace_printk: Hello, World!\\n'
b' systemd-resolve-651     [001] d...1 359619.460832: bpf_trace_printk: udp_sendmsg() called\\n'
b' systemd-resolve-651     [001] d...1 359619.460833: bpf_trace_printk: udp_sendmsg() called\\n'

The first time, the print was designed something like this:

// udpsend.c
// Runs on each call to udp_sendmsg() and writes one line to the trace pipe.
int kprobe__udp_sendmsg(void *ctx)
{
    bpf_trace_printk("Hello, World!\\n");
    return 0;
}

And the second time:

// udpsend.c, second version: same probe, different message.
int kprobe__udp_sendmsg(void *ctx)
{
    bpf_trace_printk("udp_sendmsg() called");
    return 0;
}

So, from what I assume, both eBPF programs are attached (one from the previous, and one from the current). How do I remove an eBPF program when I didn't use BPF.detach_kprobe() initially?

akastack
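
One way to check the listing for leftover programs, as an added example that is not part of the original post: it parses plain-text `bpftool prog show` output, returns the IDs of loaded programs with a given type and name, and groups IDs that share a tag. The function names are hypothetical, and the sample is a trimmed copy of the listing in the question.

```python
import re
from collections import defaultdict

# Trimmed copy of the plain-text `bpftool prog show` listing from the question.
LISTING = """\
3: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:04-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
4: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2023-04-20T05:19:04-0400  uid 0
        xlated 64B  jited 54B  memlock 4096B
29: xdp  name udp_counter  tag 3cc0e629432a3f38  gpl
        loaded_at 2023-04-21T12:41:50-0400  uid 0
        xlated 320B  jited 197B  memlock 4096B  map_ids 3
        btf_id 171
60: kprobe  name udp_sendmsg  tag a8506d7cc4ef8572  gpl
        loaded_at 2023-04-24T05:15:51-0400  uid 0
        xlated 144B  jited 90B  memlock 4096B
        btf_id 180
"""

HEADER = re.compile(r"^(\d+): (\S+)(?:\s+name (\S+))?\s+tag ([0-9a-f]{16})")
LOADED = re.compile(r"^\s+loaded_at (\S+)\s+uid (\d+)")

def parse_prog_show(text):
    """Return one dict per program; 'name' is None when the listing has none."""
    progs = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            progs.append({"id": int(m[1]), "type": m[2], "name": m[3], "tag": m[4]})
        elif (m := LOADED.match(line)) and progs:
            progs[-1].update(loaded_at=m[1], uid=int(m[2]))
    return progs

def ids_by_name(progs, prog_type, name):
    """IDs of loaded programs of one type with a given name."""
    return [p["id"] for p in progs if p["type"] == prog_type and p["name"] == name]

def shared_tags(progs):
    """Map tag -> IDs for tags carried by more than one loaded program."""
    groups = defaultdict(list)
    for p in progs:
        groups[p["tag"]].append(p["id"])
    return {tag: ids for tag, ids in groups.items() if len(ids) > 1}

if __name__ == "__main__":
    progs = parse_prog_show(LISTING)
    print("kprobe udp_sendmsg ids:", ids_by_name(progs, "kprobe", "udp_sendmsg"))
    print("tags loaded more than once:", shared_tags(progs))
```

On a live host, pipe the real command output into `parse_prog_show` instead of the embedded sample.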

0 Answers