diff --git a/examples/fentry/bpf_bpfeb.o b/examples/fentry/bpf_bpfeb.o index 9e1a3a305..e111a042a 100644 Binary files a/examples/fentry/bpf_bpfeb.o and b/examples/fentry/bpf_bpfeb.o differ diff --git a/examples/fentry/bpf_bpfel.o b/examples/fentry/bpf_bpfel.o index 56f2daa29..b85cb601a 100644 Binary files a/examples/fentry/bpf_bpfel.o and b/examples/fentry/bpf_bpfel.o differ diff --git a/examples/fentry/fentry.c b/examples/fentry/fentry.c index 220bd1764..b08994cfa 100644 --- a/examples/fentry/fentry.c +++ b/examples/fentry/fentry.c @@ -8,8 +8,25 @@ #define AF_INET 2 #define TASK_COMM_LEN 16 -char LICENSE[] SEC("license") = "Dual MIT/GPL"; +char __license[] SEC("license") = "Dual MIT/GPL"; +/** + * This example copies parts of struct sock_common and struct sock from + * the Linux kernel, but doesn't cause any CO-RE information to be emitted + * into the ELF object. This requires the struct layout (up until the fields + * that are being accessed) to match the kernel's, and the example will break + * or misbehave when this is no longer the case. + * + * Also note that BTF-enabled programs like fentry, fexit, fmod_ret, tp_btf, + * lsm, etc. declared using the BPF_PROG macro can read kernel memory without + * needing to call bpf_probe_read*(). + */ + +/** + * struct sock_common reflects the start of the kernel's struct sock_common. + * It only contains the fields up until skc_family that are accessed in the + * program, with padding to match the kernel's declaration. + */ struct sock_common { union { struct { @@ -18,8 +35,8 @@ struct sock_common { }; }; union { - unsigned int skc_hash; - __u16 skc_u16hashes[2]; + // Padding out union skc_hash. + __u32 _; }; union { struct { @@ -30,6 +47,9 @@ struct sock_common { short unsigned int skc_family; }; +/** + * struct sock reflects the start of the kernel's struct sock. + */ struct sock { struct sock_common __sk_common; }; @@ -39,9 +59,11 @@ struct { __uint(max_entries, 1 << 24); } events SEC(".maps"); -// Force emitting struct event into the ELF. -const struct event *unused __attribute__((unused)); - +/** + * The sample submitted to userspace over a ring buffer. + * Emit struct event's type info into the ELF's BTF so bpf2go + * can generate a Go type from it. + */ struct event { u8 comm[16]; __u16 sport; @@ -49,6 +71,7 @@ struct event { __be32 saddr; __be32 daddr; }; +struct event *unused __attribute__((unused)); SEC("fentry/tcp_connect") int BPF_PROG(tcp_connect, struct sock *sk) {