update fentry (#167)

* update fentry

add linux arm kernel version limits

* docs(fentry) : translated Chinese

* docs(fentry) : Complete the missing words
marun
2025-06-17 10:03:07 +08:00
committed by GitHub
parent 59ef373431
commit d2cde6232b
2 changed files with 28 additions and 0 deletions

@@ -10,6 +10,22 @@ fentry (function entry) and fexit (function exit) are two types of probes in eBP
Compared to kprobes, fentry and fexit programs have higher performance and availability. In this example, we can directly access the pointers to the functions' parameters, just like in regular C code, without needing various read helpers. The main difference between fexit and kretprobe programs is that fexit programs can access both the input parameters and return values of a function, while kretprobe programs can only access the return value. Starting from the 5.5 kernel, fentry and fexit are available for eBPF programs.
> arm64 kernel version requires 6.0
>
> Refer to the learning eBPF documentation:
>
> A more efficient mechanism for tracing the entry to and exit from kernel functions
> was introduced along with the idea of BPF trampoline in kernel version 5.5 (on x86
> processors; BPF trampoline support doesnt arrive for ARM processors until Linux
> 6.0). If youre using a recent enough kernel, fentry/fexit is now the preferred method
> for tracing the entry to or exit from a kernel function
>
> Reference: https://kernelnewbies.org/Linux_6.0#ARM
```c
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
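
Review bot: The unchanged sentence just above the new blockquote still reads "Starting from the 5.5 kernel, fentry and fexit are available for eBPF programs" with no architecture qualifier, so the arm64 limit only shows up in the quote that follows it. Consider putting the limit in that sentence (5.5 on x86, 6.0 on arm64) and keeping the quoted passage as the supporting citation. The first added line, "arm64 kernel version requires 6.0", would read better as a full sentence, and a blank line before the blockquote and before the `c` code fence would keep the block boundaries unambiguous.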

@@ -10,6 +10,18 @@ fentryfunction entry和 fexitfunction exit是 eBPF扩展的伯克
与 kprobes 相比fentry 和 fexit 程序有更高的性能和可用性。在这个例子中,我们可以直接访问函数的指针参数,就像在普通的 C 代码中一样而不需要使用各种读取帮助程序。fexit 和 kretprobe 程序最大的区别在于fexit 程序可以访问函数的输入参数和返回值,而 kretprobe 只能访问返回值。从 5.5 内核开始fentry 和 fexit 对 eBPF 程序可用。
> arm64 内核版本需要 6.0
>
> 参考 learning eBPF 文档:
>
> 从内核版本 5.5 开始(适用于 x86 处理器;*BPF trampoline* 支持在 Linux 6.0 之前不适用于 ARM 处理器),引入了一种更高效的机制来跟踪进入和退出内核函数的方式以及 *BPF trampoline* 的概念。如果您正在使用足够新的内核fentry/fexit 现在是首选的跟踪进入或退出内核函数的方法。
>
> 参考https://kernelnewbies.org/Linux_6.0#ARM
```c
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
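
Review bot: The first added line says arm64 ("arm64 内核版本需要 6.0") while the quoted passage and the kernelnewbies anchor both say ARM; state which architectures the 6.0 requirement covers and use the same term in both language versions. The passage under "参考 learning eBPF 文档" is a translation rather than the book's own wording, so it should be marked as translated. As in the English file, the context sentence beginning "从 5.5 内核开始" is left without an architecture qualifier and should carry one.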