Re: [PATCH] tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing

From: Andrii Nakryiko
Date: Thu Jul 08 2021 - 16:05:27 EST


On Wed, Jul 7, 2021 at 5:43 PM Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
>
> On Wed, 7 Jul 2021 17:23:54 -0700
> Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> wrote:
>
> > On Wed, Jul 7, 2021 at 5:05 PM Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> > >
> > > On Wed, 7 Jul 2021 16:49:26 -0700
> > > Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> wrote:
> > >
> > > > As for why the user might need that, it's up to the user and I don't
> > > > want to speculate because it will always sound contrived without a
> > > > specific production use case. But people are very creative and we try
> > > > not to dictate how and what can be done if it doesn't break any
> > > > fundamental assumption and safety.
> > >
> > > I guess it doesn't matter, because if they try to do it, the second
> > > attachment will simply fail to attach.
> > >
> >
> > But not for the kprobe case.
>
> What do you mean "not for the kprobe case"? What kprobe case?
>
> You attach the same program twice to the same kprobe? Or do you create
> two kprobes at the same location?
>

I meant attaching the same BPF program twice to the same kernel
function through the kprobe mechanism (through perf_event_open()
syscall). From user perspective it's one BPF program attached twice to
the same kprobe. Not entirely sure if two perf_event_open() calls will
create two kprobes or re-use one internally.

> >
> > And it might not always be possible to know that the same BPF program
> > is being attached. It could be attached by different processes that
> > re-use pinned program (without being aware of each other). Or it could
> > be done from some generic library that just accepts prog_fd and
> > doesn't really know the exact BPF program and whether it was already
> > attached.
> >
> > Not sure why it doesn't matter that attachment will fail where it is
> > expected to succeed. The question is rather why such restriction?
>
> Why is it expected to succeed? It never did. And why such a
> restriction? Because it complicates the code, and there's no good use
> case to do so. Why complicate something for little reward?

See above about kprobe for why it was my expectation.

But it was my original question whether this causes some complications
or it's just an attempt to detect API mis-use. Seems like it's the
former, alright.

>
> -- Steve