Failing to attach eBPF `kretprobes` to `napi_poll()` with bcc tools

Problem description

The idea is to use argdist to measure the latency of napi_poll(), which returns the number of packets processed (called work). The ratio of the execution latency of napi_poll() to the number of packets processed would give me the average amount of time it took to process each packet, in the form of a histogram.

I am using the following command:

argdist -H 'r:c:napi_poll():u64:$latency/$retval#avg time per packet (ns)'

which ends up giving me the error Failed to attach BPF to kprobe, and in dmesg I get a message like Could not insert probe at napi_poll+0: -2

I am just curious why I cannot attach kretprobes to napi_poll() when a similar trick works with net_rx_action()?

Recommended answer

Most of the time the Failed to attach BPF to kprobe error is caused by an inlined function. As explained in the Kprobes documentation (section Kprobes Features and Limitations), Kprobes will fail to attach if the target function was inlined. Since napi_poll is static, it might have been inlined at compile time.

You can check in kernel symbols if napi_poll was inlined or not:

$ cat /boot/System.map-`uname -r` | grep " napi_poll"
$
$ cat /boot/System.map-`uname -r` | grep " net_rx_action"
ffffffff817d8110 t net_rx_action

On my system, napi_poll is inlined while net_rx_action is not.

There are several workarounds for this problem, depending on your goal.

  1. If you don't mind recompiling your kernel, you can use the Linux inline attribute to ensure napi_poll is not inlined.
  2. If you can't change your kernel, the usual workaround is to find a calling function of napi_poll that provides the same information. A function called by napi_poll can also work if it provides enough information and is not inlined itself.
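
A stricter version of the System.map check above, as an added example that is not part of the original answer: it matches the symbol name exactly (the grep pattern also matches longer names that begin with napi_poll) and, going beyond the answer, reports compiler-renamed clones such as `.isra.0`. The names `probe_status` and `sample_map` and every sample symbol except `net_rx_action` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): decide whether a kprobe or
# kretprobe can resolve a kernel function by name from a symbol table in
# System.map / /proc/kallsyms format ("address type name").

# probe_status SYMFILE FUNC prints one of:
#   present        FUNC is a text symbol (type t or T); the name resolves
#   clone: NAMES   only compiler-renamed copies exist (FUNC.isra.0, ...);
#                  the plain name will not resolve
#   missing        no text symbol; inlined or not built, so attaching fails
#                  with -ENOENT (the -2 in the dmesg message)
probe_status() {
    awk -v fn="$2" '
        $2 ~ /^[tT]$/ {
            if ($3 == fn) exact = 1                       # exact name only
            else if (index($3, fn ".") == 1) clones = clones " " $3
        }
        END {
            if (exact)       print "present"
            else if (clones) print "clone:" clones
            else             print "missing"
        }' "$1"
}

# Constructed sample table. Only the net_rx_action line is from the page;
# the other symbols and addresses are made up for illustration.
sample_map() {
    cat <<'EOF'
ffffffff817d8110 t net_rx_action
ffffffff817d8400 t napi_poll_example_other
ffffffff817d8600 t example_helper.isra.0
ffffffff82a00000 D example_data
EOF
}

# Demo run on the constructed table. On a real host, pass
# /boot/System.map-$(uname -r) or /proc/kallsyms as SYMFILE instead.
map=$(mktemp)
sample_map > "$map"
for f in net_rx_action napi_poll example_helper example_data; do
    printf '%-16s %s\n' "$f" "$(probe_status "$map" "$f")"
done
rm -f "$map"
```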
