From d2cde6232b17b087996e4fa16dd574d291d003ec Mon Sep 17 00:00:00 2001 From: marun Date: Tue, 17 Jun 2025 10:03:07 +0800 Subject: [PATCH] update fentry (#167) * update fentry add linux arm kernel version limits * docs(fentry) : translated chineses * docs(fentry) : Complete the missing words --- src/3-fentry-unlink/README.md | 16 ++++++++++++++++ src/3-fentry-unlink/README.zh.md | 12 ++++++++++++ 2 files changed, 28 insertions(+) diff --git a/src/3-fentry-unlink/README.md b/src/3-fentry-unlink/README.md index 015f9ae..cdfa27e 100644 --- a/src/3-fentry-unlink/README.md +++ b/src/3-fentry-unlink/README.md @@ -10,6 +10,22 @@ fentry (function entry) and fexit (function exit) are two types of probes in eBP Compared to kprobes, fentry and fexit programs have higher performance and availability. In this example, we can directly access the pointers to the functions' parameters, just like in regular C code, without needing various read helpers. The main difference between fexit and kretprobe programs is that fexit programs can access both the input parameters and return values of a function, while kretprobe programs can only access the return value. Starting from the 5.5 kernel, fentry and fexit are available for eBPF programs. +> arm64 kernel version requires 6.0 +> +> Refer to the learning eBPF documentation: +> +> A more efficient mechanism for tracing the entry to and exit from kernel functions +> was introduced along with the idea of BPF trampoline in kernel version 5.5 (on x86 +> processors; BPF trampoline support doesn’t arrive for ARM processors until Linux +> 6.0). If you’re using a recent enough kernel, fentry/fexit is now the preferred method +> for tracing the entry to or exit from a kernel function +> +> Reference: https://kernelnewbies.org/Linux_6.0#ARM + + + + + ```c #include "vmlinux.h" #include diff --git a/src/3-fentry-unlink/README.zh.md b/src/3-fentry-unlink/README.zh.md index 3efd30a..051bb25 100644 --- a/src/3-fentry-unlink/README.zh.md 
+++ b/src/3-fentry-unlink/README.zh.md @@ -10,6 +10,18 @@ fentry(function entry)和 fexit(function exit)是 eBPF(扩展的伯克 与 kprobes 相比,fentry 和 fexit 程序有更高的性能和可用性。在这个例子中,我们可以直接访问函数的指针参数,就像在普通的 C 代码中一样,而不需要使用各种读取帮助程序。fexit 和 kretprobe 程序最大的区别在于,fexit 程序可以访问函数的输入参数和返回值,而 kretprobe 只能访问返回值。从 5.5 内核开始,fentry 和 fexit 对 eBPF 程序可用。 +> arm64 内核版本需要 6.0 +> +> 参考 learning eBPF 文档: +> +> 从内核版本 5.5 开始(适用于 x86 处理器;*BPF trampoline* 支持在 Linux 6.0 之前不适用于 ARM 处理器),引入了一种更高效的机制来跟踪进入和退出内核函数的方式以及 *BPF trampoline* 的概念。如果您正在使用足够新的内核,fentry/fexit 现在是首选的跟踪进入或退出内核函数的方法。 +> +> 参考:https://kernelnewbies.org/Linux_6.0#ARM + + + + + ```c #include "vmlinux.h" #include
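Review bot: In the src/3-fentry-unlink/README.md hunk, the new note "arm64 kernel version requires 6.0" sits directly under the unchanged sentence "Starting from the 5.5 kernel, fentry and fexit are available for eBPF programs", which still reads as applying to every architecture. A reader on a 5.x arm64 kernel who stops at that sentence gets the wrong minimum. Qualify the existing sentence with "on x86" and reword the note to something like "On arm64, fentry/fexit require kernel 6.0 or later". The note and the quoted passage also share a single blockquote level, so it is not clear where the quotation starts and ends. Nest the quotation one level deeper or put it in quotation marks, and write the source as a title ("Learning eBPF") if that is what "the learning eBPF documentation" refers to. The quoted passage ends without a full stop. The hunk also adds five empty lines before the code fence; one blank line is enough.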
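Review bot: In the src/3-fentry-unlink/README.zh.md hunk, the quoted passage is formatted differently from the English README: it wraps BPF trampoline in emphasis markers and runs as a single paragraph, so the two files will drift if one is edited later. Use the same markup in both. The first added line, "arm64 内核版本需要 6.0", gives a bare version number without saying that later kernels also qualify or that the requirement is for fentry/fexit. Stating both would match the intent of the 5.5 sentence kept above it as context, which should itself be limited to x86. As in the English file, the five added blank lines before the code fence can be reduced to one.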