How to enable BTF support for ubuntu 20.04?

[wwwzrb]

I tried to enable BTF support by rebuilding kernel with CONFIG_DEBUG_INFO_BTF=y.

The specific configuration is shown below:

Kernel version:

Clang and LLVM version:

And /sys/kernel/btf/vmlinux exist.

bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h is OK.

However, I encouter this problem:

So actually opensnoop use kprobe and kretprobe to get the filled funcation arguments.
KFUNC and KRETFUNC are not load successfully.

I don't know what's going wrong. Is there anybody meet similar problems? Very gratefull if you have any suggestions!

[yonghong-song]

Could you make sure you have pahole >= 1.16 on your system?

[wwwzrb]

Could you make sure you have pahole >= 1.16 on your system?

No, the pahole version is 1.15 in my system. I install pahole by warves package.

Is pahole the key problem?

[yonghong-song]

Yes, you need >= 1.16 pahole.

[wwwzrb]

Yes, you need >= 1.16 pahole.

I rebuild my kernel with pahole 1.16 and also rebuild bcc. Now it works.

Pahole 1.16 solve the problem of "libbpf: bpf_prog_put is not found in vmulinux BTF"!

However, I encounter another problem.
Do KFUNC and KRETFUNC support all kernel functions?

I tried the opensnoop example and check whether KRETFUNC for do_sys_open is loaded successfully.

is_support_kfunc = BPF.support_kfunc()

if is_support_kfunc:

        print("w/ KFUNC/KRETFUNC_PROBE SUPPORT")

        bpf_text += bpf_text_kfunc

else:

        print("w/o KFUNC/KRETFUNC_PROBE SUPPORT")

        bpf_text += bpf_text_kprobe

Result shows that is_support_kfunc return a false value.

Or is this problem blame to not-upate-to-date kernel and clang/llvm version?
I'm using kernel 5.4.34 and clang/llvm 9.0.1-12.

Thanks for your help!

[yonghong-song]

I think 5.4 does not support kfunc/kretfunc. You probably need 5.6. cc @olsajiri

[wwwzrb]

I think 5.4 does not support kfunc/kretfunc. You probably need 5.6. cc @olsajiri

Got it. I'll have a try for newer version!

[wwwzrb]

I think 5.4 does not support kfunc/kretfunc. You probably need 5.6. cc @olsajiri

Hey, I'm using kernel 5.7 now. It works but another new problem comes.

I'm tring to get the filled arguments after function returns.

A simple example will be like this:

   KRETFUNC_PROBE(do_sys_open, int dfd, const char __user *filename, int flags, int mode, int ret)

Then I can get the filename which may be filled after the function returns.

The problem is that KREFUNC_PROBE cannot deal with the type of pointer to a struct. As attached below, struct sock * is unrecognized! Actually, the probe tries to pass void * of 'ctx[0]?' (I cannot remember exactly) to the first argument of the probed function, however, it cannot recognize the correct type.

By the way, when I tried to include "vmlinux.h" instead of using kernel header, it causes errors of duplicate definitions. Part results are attached below.

[iammattcoleman]

Canonical has updated Ubuntu 20.04's 5.4 kernel to include BTF support. Installing the kernel 5.4 package from the focal-updates repository will fix that issue. Additionally, the dwarves package currently provides pahole 1.21.

Here is the last 20.04 kernel config that did not have BTF support:

• https://launchpad.net/ubuntu/+source/linux/5.4.0-91.102
• https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/tree/debian.master/config/config.common.ubuntu?h=Ubuntu-5.4.0-91.102#n2322

The next version has it enabled:

• https://launchpad.net/ubuntu/+source/linux/5.4.0-92.103
• https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/tree/debian.master/config/config.common.ubuntu?h=Ubuntu-5.4.0-92.103#n2322