BPF Notes

small-pieces-of-bpf.md

bpf_helpers.h

bpf_trace_printk is defined in bpf_helpers.h which is not distributed with linux kernel. When compile BPF programs, you may occur following warning:

foo.c:4:5: warning: implicit declaration of function 'bpf_trace_printk' is invalid in C99 [-Wimplicit-function-declaration]
    bpf_trace_printk(msg, sizeof(msg));
    ^
1 warning generated.

To abtain a copy of this file, download the ubuntu kernel source code and search for this file.

Compile BPF programs

$ clang -target bpf -c foo.c -o foo.o

Disassemble BPF binary

$ llvm-objdump -S --no-show-raw-insn foo.o

Fix missing headers

In file included from /path/to/project/foobar.c:1:
In file included from /usr/include/linux/bpf.h:11:
/usr/include/linux/types.h:5:10: fatal error: 'asm/types.h' file not found
#include <asm/types.h>
         ^~~~~~~~~~~~~
1 error generated.
Error: clang-11: exit status 1

$ sudo ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm

libbpf

Whenever possible, use libbpf

Tracepoint Definition

https://github.com/torvalds/linux/tree/master/include/trace/events

Find DEFINE_EVENT and then TP_PROTO

BPF Helpers to ID Mapping

https://github.com/libbpf/libbpf/blob/master/src/bpf_helper_defs.h

References

• https://blog.raymond.burkholder.net/index.php?/archives/1000-eBPF-Basics.html
• https://stackoverflow.com/questions/55436213/how-can-i-get-the-bpf-helpers-h-header-file-for-my-linux-kernel

dereference of modified ctx ptr R2 off=16 disallowed

• solution 1: __always_inline
• solution 2: compile with -O3
• solution 3: use local variable

ln -s /usr/include/aarch64-linux-gnu/asm /usr/include/asm