From 31c92abad85d854723007d0d9a33725f2db72de7 Mon Sep 17 00:00:00 2001 From: Ruidong-X Date: Sun, 13 Aug 2023 03:01:05 +0800 Subject: [PATCH] fix(exitsnoop): get the correct 'DURATION_NS' (#59) --- src/8-exitsnoop/README.md | 58 +++++++++++++++--------------- src/8-exitsnoop/README_en.md | 64 +++++++++++++++++---------------- src/8-exitsnoop/exitsnoop.bpf.c | 5 +-- 3 files changed, 66 insertions(+), 61 deletions(-) diff --git a/src/8-exitsnoop/README.md b/src/8-exitsnoop/README.md index 01300d4..fbb30a8 100644 --- a/src/8-exitsnoop/README.md +++ b/src/8-exitsnoop/README.md 
@@ -60,47 +60,49 @@ struct event { #include #include #include "exitsnoop.h" + char LICENSE[] SEC("license") = "Dual BSD/GPL"; struct { - __uint(type, BPF_MAP_TYPE_RINGBUF); - __uint(max_entries, 256 * 1024); + __uint(type, BPF_MAP_TYPE_RINGBUF); + __uint(max_entries, 256 * 1024); } rb SEC(".maps"); SEC("tp/sched/sched_process_exit") int handle_exit(struct trace_event_raw_sched_process_template* ctx) { - struct task_struct *task; - struct event *e; - pid_t pid, tid; - u64 id, ts, *start_ts, duration_ns = 0; - - /* get PID and TID of exiting thread/process */ - id = bpf_get_current_pid_tgid(); - pid = id >> 32; - tid = (u32)id; + struct task_struct *task; + struct event *e; + pid_t pid, tid; + u64 id, ts, *start_ts, start_time = 0; + + /* get PID and TID of exiting thread/process */ + id = bpf_get_current_pid_tgid(); + pid = id >> 32; + tid = (u32)id; - /* ignore thread exits */ - if (pid != tid) - return 0; + /* ignore thread exits */ + if (pid != tid) + return 0; - /* reserve sample from BPF ringbuf */ - e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0); - if (!e) - return 0; + /* reserve sample from BPF ringbuf */ + e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0); + if (!e) + return 0; - /* fill out the sample with data */ - task = (struct task_struct *)bpf_get_current_task(); + /* fill out the sample with data */ + task = (struct task_struct *)bpf_get_current_task(); + start_time = BPF_CORE_READ(task, start_time); - e->duration_ns = duration_ns; - e->pid = pid; - e->ppid = BPF_CORE_READ(task, real_parent, tgid); - e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff; - bpf_get_current_comm(&e->comm, sizeof(e->comm)); + e->duration_ns = bpf_ktime_get_ns() - start_time; + e->pid = pid; + e->ppid = BPF_CORE_READ(task, real_parent, tgid); + e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff; + bpf_get_current_comm(&e->comm, sizeof(e->comm)); - /* send data to user-space for post-processing */ - bpf_ringbuf_submit(e, 0); - return 0; + /* send data to user-space 
for post-processing */ + bpf_ringbuf_submit(e, 0); + return 0; } ``` diff --git a/src/8-exitsnoop/README_en.md b/src/8-exitsnoop/README_en.md index 84fb0a1..9448fd3 100644 --- a/src/8-exitsnoop/README_en.md +++ b/src/8-exitsnoop/README_en.md 
@@ -60,47 +60,49 @@ Source File: exitsnoop.bpf.c #include #include #include "exitsnoop.h" + char LICENSE[] SEC("license") = "Dual BSD/GPL"; struct { - __uint(type, BPF_MAP_TYPE_RINGBUF); - __uint(max_entries, 256 * 1024); + __uint(type, BPF_MAP_TYPE_RINGBUF); + __uint(max_entries, 256 * 1024); } rb SEC(".maps"); SEC("tp/sched/sched_process_exit") int handle_exit(struct trace_event_raw_sched_process_template* ctx) { - struct task_struct *task; - struct event *e; - pid_t pid, tid; - u64 id, ts, *start_ts, duration_ns = 0; - - /* get PID and TID of exiting thread/process */ - id = bpf_get_current_pid_tgid(); - pid = id >> 32; - format: rawtid = (u32)id; + struct task_struct *task; + struct event *e; + pid_t pid, tid; + u64 id, ts, *start_ts, start_time = 0; + + /* get PID and TID of exiting thread/process */ + id = bpf_get_current_pid_tgid(); + pid = id >> 32; + tid = (u32)id; - /* ignore thread exits */ - if (pid != tid) + /* ignore thread exits */ + if (pid != tid) + return 0; + + /* reserve sample from BPF ringbuf */ + e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0); + if (!e) + return 0; + + /* fill out the sample with data */ + task = (struct task_struct *)bpf_get_current_task(); + start_time = BPF_CORE_READ(task, start_time); + + e->duration_ns = bpf_ktime_get_ns() - start_time; + e->pid = pid; + e->ppid = BPF_CORE_READ(task, real_parent, tgid); + e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff; + bpf_get_current_comm(&e->comm, sizeof(e->comm)); + + /* send data to user-space for post-processing */ + bpf_ringbuf_submit(e, 0); return 0; - - /* reserve sample from BPF ringbuf */ - e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0); - if (!e) - return 0; - - /* fill out the sample with data */ - task = (struct task_struct *)bpf_get_current_task(); - - e->duration_ns = duration_ns; - e->pid = pid; - e->ppid = BPF_CORE_READ(task, real_parent, tgid); - e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff; - bpf_get_current_comm(&e->comm, sizeof(e->comm)); - - 
/* send data to user-space for post-processing */
- bpf_ringbuf_submit(e, 0);
- return 0;
 }
 ```
diff --git a/src/8-exitsnoop/exitsnoop.bpf.c b/src/8-exitsnoop/exitsnoop.bpf.c
index a2c41d9..23c7bd2 100644
--- a/src/8-exitsnoop/exitsnoop.bpf.c
+++ b/src/8-exitsnoop/exitsnoop.bpf.c
@@ -19,7 +19,7 @@ int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 struct task_struct *task;
 struct event *e;
 pid_t pid, tid;
- u64 id, ts, *start_ts, duration_ns = 0;
+ u64 id, ts, *start_ts, start_time = 0;
 /* get PID and TID of exiting thread/process */
 id = bpf_get_current_pid_tgid();
@@ -37,8 +37,9 @@ int handle_exit(struct trace_event_raw_sched_process_template* ctx)
 /* fill out the sample with data */
 task = (struct task_struct *)bpf_get_current_task();
+ start_time = BPF_CORE_READ(task, start_time);
- e->duration_ns = duration_ns;
+ e->duration_ns = bpf_ktime_get_ns() - start_time;
 e->pid = pid;
 e->ppid = BPF_CORE_READ(task, real_parent, tgid);
 e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
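Review bot: The declaration rewritten in the `@@ -19,7 +19,7 @@` hunk of exitsnoop.bpf.c still carries `ts` and `*start_ts`, and the full listing of handle_exit in the README hunks of this same patch shows no use of either now that the duration comes from `task->start_time`. If the source file matches that listing, the line can shrink to `u64 id, start_time;`. The `= 0` initializer is harmless but not needed, because `start_time` is assigned unconditionally before its only read. handle_exit begins and ends outside this hunk, so the unused-variable claim rests on the README copy rather than on the hunk itself.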
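Review bot: The new `e->duration_ns = bpf_ktime_get_ns() - start_time;` in the `@@ -37,8 +37,9 @@` hunk has no comment naming the clock the two operands share, which is the only thing that makes the subtraction meaningful. `task_struct.start_time` is kept in monotonic nanoseconds and `bpf_ktime_get_ns()` reads the same monotonic clock, so the reported lifetime leaves out any time the system spent suspended. A one-line comment above the assignment, for example `/* both operands are CLOCK_MONOTONIC ns; time spent suspended is not counted */`, would tell anyone consuming these events for process-lifetime analysis how to read the field. The rest of handle_exit lies outside this hunk.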