[PATCH,bpf-next 0/2] Fix broken samples due to symbol mismatch

[PATCH,bpf-next 0/2] Fix broken samples due to symbol mismatch

[Daniel T. Lee]

Currently, there are broken samples due to symbol mismatch (missing or
unused symbols). For example, the function open() calls the syscall 
'sys_openat' instead of 'sys_open'. And there are no exact symbols such
as 'sys_read' or 'sys_write' under kallsyms, instead the symbols have
prefixes. And these error leads to broke of samples.

This Patchset fixes the problem by changing the symbol match.

Daniel T. Lee (2):
  samples: bpf: replace symbol compare of trace_event
  samples: bpf: fix syscall_tp due to unused syscall

 samples/bpf/syscall_tp_kern.c  | 14 ++++++++++++++
 samples/bpf/trace_event_user.c |  4 ++--
 2 files changed, 16 insertions(+), 2 deletions(-)

-- 
2.24.0

[PATCH,bpf-next 1/2] samples: bpf: replace symbol compare of trace_event

[Daniel T. Lee]

Previously, when this sample is added, commit 1c47910ef8013
("samples/bpf: add perf_event+bpf example"), a symbol 'sys_read' and
'sys_write' has been used without no prefixes. But currently there are
no exact symbols with these under kallsyms and this leads to failure.

This commit changes exact compare to substring compare to keep compatible
with exact symbol or prefixed symbol.

Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
---
 samples/bpf/trace_event_user.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/samples/bpf/trace_event_user.c b/samples/bpf/trace_event_user.c
index 16a16eadd509..749a50f2f9f3 100644
--- a/samples/bpf/trace_event_user.c
+++ b/samples/bpf/trace_event_user.c
@@ -37,9 +37,9 @@ static void print_ksym(__u64 addr)
 	}
 
 	printf("%s;", sym->name);
-	if (!strcmp(sym->name, "sys_read"))
+	if (!strstr(sym->name, "sys_read"))
 		sys_read_seen = true;
-	else if (!strcmp(sym->name, "sys_write"))
+	else if (!strstr(sym->name, "sys_write"))
 		sys_write_seen = true;
 }
 
-- 
2.24.0

[PATCH,bpf-next 2/2] samples: bpf: fix syscall_tp due to unused syscall

[Daniel T. Lee]

Currently, open() is called from the user program and it calls the syscall
'sys_openat', not the 'sys_open'. This leads to an error of the program
of user side, due to the fact that the counter maps are zero since no
function such 'sys_open' is called.

This commit adds the kernel bpf program which are attached to the
tracepoint 'sys_enter_openat' and 'sys_enter_openat'.

Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
---
 samples/bpf/syscall_tp_kern.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/samples/bpf/syscall_tp_kern.c b/samples/bpf/syscall_tp_kern.c
index 1d78819ffef1..4ea91b1d3e03 100644
--- a/samples/bpf/syscall_tp_kern.c
+++ b/samples/bpf/syscall_tp_kern.c
@@ -51,9 +51,23 @@ int trace_enter_open(struct syscalls_enter_open_args *ctx)
 	return 0;
 }
 
+SEC("tracepoint/syscalls/sys_enter_openat")
+int trace_enter_open_at(struct syscalls_enter_open_args *ctx)
+{
+	count((void *)&enter_open_map);
+	return 0;
+}
+
 SEC("tracepoint/syscalls/sys_exit_open")
 int trace_enter_exit(struct syscalls_exit_open_args *ctx)
 {
 	count((void *)&exit_open_map);
 	return 0;
 }
+
+SEC("tracepoint/syscalls/sys_exit_openat")
+int trace_enter_exit_at(struct syscalls_exit_open_args *ctx)
+{
+	count((void *)&exit_open_map);
+	return 0;
+}
-- 
2.24.0

RE: [PATCH,bpf-next 0/2] Fix broken samples due to symbol mismatch

[John Fastabend]

Daniel T. Lee wrote:
> Currently, there are broken samples due to symbol mismatch (missing or
> unused symbols). For example, the function open() calls the syscall 
> 'sys_openat' instead of 'sys_open'. And there are no exact symbols such
> as 'sys_read' or 'sys_write' under kallsyms, instead the symbols have
> prefixes. And these error leads to broke of samples.
> 
> This Patchset fixes the problem by changing the symbol match.
> 
> Daniel T. Lee (2):
>   samples: bpf: replace symbol compare of trace_event
>   samples: bpf: fix syscall_tp due to unused syscall
> 
>  samples/bpf/syscall_tp_kern.c  | 14 ++++++++++++++
>  samples/bpf/trace_event_user.c |  4 ++--
>  2 files changed, 16 insertions(+), 2 deletions(-)
> 
> -- 
> 2.24.0
> 

Patches look good, please reply to each with a "Fixes" tag
though so its easier to keep track of these things.

Thanks,
John

Re: [PATCH,bpf-next 2/2] samples: bpf: fix syscall_tp due to unused syscall

[Daniel Borkmann]

On 11/23/19 6:51 AM, Daniel T. Lee wrote:
> Currently, open() is called from the user program and it calls the syscall
> 'sys_openat', not the 'sys_open'. This leads to an error of the program
> of user side, due to the fact that the counter maps are zero since no
> function such 'sys_open' is called.
> 
> This commit adds the kernel bpf program which are attached to the
> tracepoint 'sys_enter_openat' and 'sys_enter_openat'.
> 
> Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
> ---
>   samples/bpf/syscall_tp_kern.c | 14 ++++++++++++++
>   1 file changed, 14 insertions(+)
> 
> diff --git a/samples/bpf/syscall_tp_kern.c b/samples/bpf/syscall_tp_kern.c
> index 1d78819ffef1..4ea91b1d3e03 100644
> --- a/samples/bpf/syscall_tp_kern.c
> +++ b/samples/bpf/syscall_tp_kern.c
> @@ -51,9 +51,23 @@ int trace_enter_open(struct syscalls_enter_open_args *ctx)
>   	return 0;
>   }
>   
> +SEC("tracepoint/syscalls/sys_enter_openat")
> +int trace_enter_open_at(struct syscalls_enter_open_args *ctx)
> +{
> +	count((void *)&enter_open_map);

Nit: cast to void * not needed, same in below 3 locations.

> +	return 0;
> +}
> +
>   SEC("tracepoint/syscalls/sys_exit_open")
>   int trace_enter_exit(struct syscalls_exit_open_args *ctx)
>   {
>   	count((void *)&exit_open_map);
>   	return 0;
>   }
> +
> +SEC("tracepoint/syscalls/sys_exit_openat")
> +int trace_enter_exit_at(struct syscalls_exit_open_args *ctx)
> +{
> +	count((void *)&exit_open_map);
> +	return 0;
> +}
>