Re: [PATCH v9 tip 6/9] samples: bpf: simple non-portable kprobe filter example

From: Ingo Molnar
Date: Mon Mar 23 2015 - 03:29:43 EST



* Alexei Starovoitov <ast@xxxxxxxxxxxx> wrote:

> tracex1_kern.c - C program compiled into BPF.
> It attaches to kprobe:netif_receive_skb
> When skb->dev->name == "lo", it prints sample debug message into trace_pipe
> via bpf_trace_printk() helper function.
>
> tracex1_user.c - corresponding user space component that:
> - loads bpf program via bpf() syscall
> - opens kprobes:netif_receive_skb event via perf_event_open() syscall
> - attaches the program to event via ioctl(event_fd, PERF_EVENT_IOC_SET_BPF, prog_fd);
> - prints from trace_pipe
>
> Note, this bpf program is completely non-portable. It must be recompiled
> with current kernel headers. kprobe is not a stable ABI and bpf+kprobe scripts
> may stop working any time.
>
> bpf verifier will detect that it's using bpf_trace_printk() and kernel will
> print warning banner:
> ** trace_printk() being used. Allocating extra memory. **

Printing this might be OK.

> ** **
> ** This means that this is a DEBUG kernel and it is **
> ** unsafe for production use. **

But I think printing that it's unsafe for production use is over the
top: it's up to the admin whether it's safe or unsafe, just like
inserting a kprobe can be safe or unsafe.

Informing that something happened is enough.

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/