Re: [PATCH bpf-next v4 1/2] libbpf: clarify raw-address single kprobe attach behavior

[Andrii Nakryiko]

On Tue, Mar 31, 2026 at 8:25 AM Hoyeon Lee <hoyeon.lee@xxxxxxxx> wrote:
>
> bpf_program__attach_kprobe_opts() documents single-kprobe attach
> through func_name, with an optional offset. For the PMU-based
> non-legacy path, func_name = NULL with an absolute address in offset
> already works as well, but that is not described in the API.
>
> This commit clarifies this existing non-legacy behavior. For PMU-based
> attach, callers can use func_name = NULL with an absolute address in
> offset as the raw-address form. For legacy tracefs/debugfs kprobes,
> reject this form explicitly.
>
> Signed-off-by: Hoyeon Lee <hoyeon.lee@xxxxxxxx>
> ---
>  tools/lib/bpf/libbpf.c | 21 ++++++++++++---------
>  tools/lib/bpf/libbpf.h |  3 ++-
>  2 files changed, 14 insertions(+), 10 deletions(-)
>
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 9ea41f40dc82..9083f542a3b0 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -11523,7 +11523,8 @@ static int determine_uprobe_retprobe_bit(void)
>  #define PERF_UPROBE_REF_CTR_OFFSET_SHIFT 32
>
>  static int perf_event_open_probe(bool uprobe, bool retprobe, const char *name,
> -                                uint64_t offset, int pid, size_t ref_ctr_off)
> +                                uint64_t offset_or_addr, int pid,

don't rename it, keep it as "offset"

> +                                size_t ref_ctr_off)
>  {
>         const size_t attr_sz = sizeof(struct perf_event_attr);
>         struct perf_event_attr attr;
> @@ -11558,7 +11559,7 @@ static int perf_event_open_probe(bool uprobe, bool retprobe, const char *name,
>         attr.type = type;
>         attr.config |= (__u64)ref_ctr_off << PERF_UPROBE_REF_CTR_OFFSET_SHIFT;
>         attr.config1 = ptr_to_u64(name); /* kprobe_func or uprobe_path */
> -       attr.config2 = offset;           /* kprobe_addr or probe_offset */
> +       attr.config2 = offset_or_addr;   /* kprobe_addr or probe_offset */
>
>         /* pid filter is meaningful only for uprobes */
>         pfd = syscall(__NR_perf_event_open, &attr,
> @@ -11816,6 +11817,8 @@ bpf_program__attach_kprobe_opts(const struct bpf_program *prog,
>         default:
>                 return libbpf_err_ptr(-EINVAL);
>         }
> +       if (!func_name && legacy)
> +               return libbpf_err_ptr(-ENOTSUP);

-EOPNOTSUPP

pw-bot: cr

>
>         if (!legacy) {
>                 pfd = perf_event_open_probe(false /* uprobe */, retprobe,
> @@ -11835,21 +11838,21 @@ bpf_program__attach_kprobe_opts(const struct bpf_program *prog,
>                                                     offset, -1 /* pid */);
>         }
>         if (pfd < 0) {
> -               err = -errno;
> -               pr_warn("prog '%s': failed to create %s '%s+0x%zx' perf event: %s\n",
> +               err = pfd;
> +               pr_warn("prog '%s': failed to create %s '%s%s0x%zx' perf event: %s\n",
>                         prog->name, retprobe ? "kretprobe" : "kprobe",
> -                       func_name, offset,
> -                       errstr(err));
> +                       func_name ?: "", func_name ? "+" : "",
> +                       offset, errstr(err));
>                 goto err_out;
>         }
>         link = bpf_program__attach_perf_event_opts(prog, pfd, &pe_opts);
>         err = libbpf_get_error(link);
>         if (err) {
>                 close(pfd);
> -               pr_warn("prog '%s': failed to attach to %s '%s+0x%zx': %s\n",
> +               pr_warn("prog '%s': failed to attach to %s '%s%s0x%zx': %s\n",
>                         prog->name, retprobe ? "kretprobe" : "kprobe",
> -                       func_name, offset,
> -                       errstr(err));
> +                       func_name ?: "", func_name ? "+" : "",
> +                       offset, errstr(err));
>                 goto err_clean_legacy;
>         }
>         if (legacy) {
> diff --git a/tools/lib/bpf/libbpf.h b/tools/lib/bpf/libbpf.h
> index 0be34852350f..f75f3ab0f20c 100644
> --- a/tools/lib/bpf/libbpf.h
> +++ b/tools/lib/bpf/libbpf.h
> @@ -557,7 +557,7 @@ struct bpf_kprobe_opts {
>         size_t sz;
>         /* custom user-provided value fetchable through bpf_get_attach_cookie() */
>         __u64 bpf_cookie;
> -       /* function's offset to install kprobe to */
> +       /* function offset, or raw address if func_name == NULL (non-legacy) */

legacy mode will be useful on very-very old kernels only, let's not
distract with constant mentions for "non-legacy", please remove
"(non-legacy)" here and other legacy mentions above


but also, while you are at it, let's add a proper doc comment to
bpf_program__attach_kprobe and bpf_program__attach_kprobe_opts APIs?
That seems like a more obvious place to explain name+offset and offset
as absolute address behavior, IMO

>         size_t offset;
>         /* kprobe is return probe */
>         bool retprobe;
> @@ -565,6 +565,7 @@ struct bpf_kprobe_opts {
>         enum probe_attach_mode attach_mode;
>         size_t :0;
>  };
> +
>  #define bpf_kprobe_opts__last_field attach_mode
>
>  LIBBPF_API struct bpf_link *
> --
> 2.52.0
>