-1

I am trying function count for given executable and pattern. trying to explore latest introduced API bpf_program__attach_uprobe_multi, couldn't find example for the same. below code failing with invalid argument. added prints in libbpf code, looks like path, pattern, variable taken properly ibbpf: func pattern op_* path /data/expr/operations from libbps cnt 2 libbpf: offsets 4521 4538

libbpf: prog 'test_uprobe': failed to attach multi-uprobe: Invalid argument

Not sure what am i missing here.

Below is hardcode in kernel bpf code.

`// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
`int main(int argc, char **argv)
{
        size_t offset1;
        size_t offset2;
        int err, i;
        char filename[256];
        pid_t pid;
        struct bpf_object *obj = NULL;
        struct bpf_program *prog[2];
        static struct bpf_link *bpflinks[2];
        static struct bpf_link *ubpflinks[2];

        if (argc < 2) {
                printf("Error return \n");
                return 0;
        }
        pid = strtoul(argv[1], NULL, 10);
        snprintf(filename, 256, "/proc/%d/exe", pid);
       

        offset1 = get_elf_func_offset("/data/expr/operations", "op_add");
        offset2 = get_elf_func_offset("/data/expr/operations", "op_sub");
       
        snprintf(filename, sizeof(filename), "%s.bpf.o", argv[0]);
        obj = bpf_object__open_file(filename, NULL);
        if (libbpf_get_error(obj)) {
                fprintf(stderr, "ERROR: opening BPF object file failed\n");
                obj = NULL;
                goto cleanup;
        }
    
          /* load BPF program */
        if (bpf_object__load(obj)) {
                fprintf(stderr, "ERROR: loading BPF object file failed\n");
                goto cleanup;
        }
        prog[0] = bpf_object__find_program_by_name(obj, "handle_uprobe_ref_ctr");
       // prog[1] = bpf_object__find_program_by_name(obj, "handle_uretprobe_ref_ctr");

        ubpflinks[0] =
                bpf_program__attach_uprobe(prog[0], false /* not uretprobe */,
                                pid, "/data/expr/operations" , offset1);
        if (!ubpflinks[0])
                printf("failed at link0\n");

        ubpflinks[1] =
                bpf_program__attach_uprobe(prog[0], false /* not uretprobe */,
                                pid, "/data/expr/operations" , offset2);
        if (!ubpflinks[1])
                printf("failed at link1\n");
//      bpflinks[0] = bpf_program__attach(prog[0]);  // do we need to attach already probes attached
      


        getchar();
cleanup:
        bpf_link__destroy(ubpflinks[0]);
        bpf_link__destroy(ubpflinks[1]);
        return -err;
}


char LICENSE[] SEC("license") = "Dual BSD/GPL";

SEC("uprobe")
int handle_uprobe_ref_ctr(struct pt_regs *ctx)
{
    
   const char fmt_str[] = "function fp %lld ip %lld\n";
   bpf_trace_printk(fmt_str, sizeof(fmt_str), (void *)PT_REGS_FP(ctx));

        return 0;
}

SEC("uretprobe")
int handle_uretprobe_ref_ctr(struct pt_regs *ctx)
{
        bpf_printk("handle_uretprobe_ref_ctr \n");
        return 0;
}
`
nullptr
  • 5
  • 3
  • I'm not sure I understand what the blocker is. What did you try and what didn't work? – pchaigno Aug 25 '23 at 08:52
  • updated with code , trying to explore usecase bpf_program__attach_uprobe_multi , program failed with invalid argument. please let me know if there some example for the same @pchaigno – nullptr Aug 28 '23 at 18:02
  • seems like uprobe multi doesn't have kernel support yet. there is patch https://lore.kernel.org/bpf/20230809083440.3209381-1-jolsa@kernel.org/T/ , not sure its merged – nullptr Aug 29 '23 at 04:32
  • Since product we support is starting with kernel 5.0 meaning tool was written in bcc , plan is to move to libbpf. we need to support customers with little older kernels too.how do we achieve above uprobe multi functionality in older kernels. is it possible with bpf_program__attach_uprobe, @pchaigno – nullptr Aug 29 '23 at 05:12

1 Answers1

0

The uprobe multi-attach support has been merged in bpf-next, but hasn't been released yet. I'd expect it to make it into Linux v6.6.

For older kernels, you will have to rely on bpf_program__attach_uprobe:

LIBBPF_API struct bpf_link * bpf_program__attach_uprobe (const struct bpf_program *prog, bool retprobe, pid_t pid, const char *binary_path, size_t func_offset)

Note the bpf_program__attach_uprobe_multi function from libbpf also hasn't been released yet. Libbpf v1.2.2 only has bpf_program__attach_uprobe.

pchaigno
  • 11,313
  • 2
  • 29
  • 54
  • thanks for quick response @pchaigno , got clarity now , will play around with bpf_program__attach_uprobe – nullptr Aug 29 '23 at 10:37
  • You're welcome. – pchaigno Aug 29 '23 at 10:40
  • modified question with bpf_program__attach_uprobe sample , tried this to achieve bpf_program__attach_uprobe_multi , but only one function trigging the uprobe handler. Above example both op_add, op_sub attached to single handler . is there boilerplate code to start with. @pchaigno ( i understand one uses perf_event other mult version uses uprobe_register mechanisrm) – nullptr Aug 29 '23 at 10:58
  • Please don't edit the question after it was answered. That is very confusing for anyone who is going through the same questions. It would be best to open a new question for `bpf_program__attach_uprobe` and I'm happy to take a look. A new question will also give you more visibility (others may know the answer). – pchaigno Aug 29 '23 at 11:08
  • sure, soryy my bad – nullptr Aug 29 '23 at 11:09
  • posted as new question ,https://stackoverflow.com/questions/76999758/use-bpf-program-attach-uprobe-api-multiple-times-with-the-same-program-instan@pchaigno – nullptr Aug 29 '23 at 11:24
  • bpf_program__attach_uprobe works fine to attach multiple target functions but helper routines for parsing lib/executable, function pattern and offsets is not exposed to user in libbpf. bpf_program__attach_uprobe_multi uses most of the helpers like resolve_full_path, elf_resolve_pattern_offsets, elf_resolve_syms_offsets. (code is LGPL-2.1 OR BSD-2-Clause), is it possible to pickup code for commercial use or need to rollout our own. @pchaigno – nullptr Aug 31 '23 at 03:54