minimal example can't run

[baoqger]

After compile and build the minimal example application, I try to run it but with the following error message:

libbpf: loading object 'minimal_bpf' from buffer
libbpf: elf: section(2) tp/syscalls/sys_enter_write, size 104, link 0, flags 6, type=1
libbpf: sec 'tp/syscalls/sys_enter_write': found program 'handle_tp' at insn offset 0 (0 bytes), code size 13 insns (104 bytes)
libbpf: elf: section(3) license, size 13, link 0, flags 3, type=1
libbpf: license of minimal_bpf is Dual BSD/GPL
libbpf: elf: section(4) .bss, size 4, link 0, flags 3, type=8
libbpf: elf: section(5) .rodata, size 28, link 0, flags 2, type=1
libbpf: elf: section(6) .BTF, size 617, link 0, flags 0, type=1
libbpf: elf: section(7) .BTF.ext, size 160, link 0, flags 0, type=1
libbpf: elf: section(8) .symtab, size 216, link 13, flags 0, type=2
libbpf: elf: section(9) .reltp/syscalls/sys_enter_write, size 32, link 8, flags 0, type=9
libbpf: looking for externs among 9 symbols...
libbpf: collected 0 externs total
libbpf: map 'minimal_.bss' (global data): at sec_idx 4, offset 0, flags 400.
libbpf: map 0 is "minimal_.bss"
libbpf: map 'minimal_.rodata' (global data): at sec_idx 5, offset 0, flags 480.
libbpf: map 1 is "minimal_.rodata"
libbpf: sec '.reltp/syscalls/sys_enter_write': collecting relocation for section(2) 'tp/syscalls/sys_enter_write'
libbpf: sec '.reltp/syscalls/sys_enter_write': relo #0: insn #2 against 'my_pid'
libbpf: prog 'handle_tp': found data map 0 (minimal_.bss, sec 4, off 0) for insn 2
libbpf: sec '.reltp/syscalls/sys_enter_write': relo #1: insn #6 against '.rodata'
libbpf: prog 'handle_tp': found data map 1 (minimal_.rodata, sec 5, off 0) for insn 6
libbpf: Kernel doesn't support BTF, skipping uploading it.
libbpf: prog 'handle_tp': relo #0: kernel doesn't support global data
libbpf: prog 'handle_tp': failed to relocate data references: -95
libbpf: failed to load object 'minimal_bpf'
libbpf: failed to load BPF skeleton 'minimal_bpf': -95
Failed to load and verify BPF skeleton

My kernel version is: 4.15.0-96-generic. I run the example on Ubuntu-18.04 system.

[chenhengqi]

Your kernel is too old for this example.

To get it work, you need to remove my_pid (you can use a map instead) and bpf_printk.

[mrpre]

@chenhengqi
It seems that bpf_printk with constant string works well under BCC.
So how BCC process the constant string used by bpf_printk? Does BCC replace or remove .rodata sections and use another way to to make it work ?

[anakryiko]

@mrpre you can prevent bpf_printk() from using global variables by defining BPF_NO_GLOBAL_DATA before including bpf_helpers.h header.

BCC implementation uses suboptimal implementation that requires on the stack variables and their implementation (which libbpf will do if BPF_NO_GLOBAL_DATA is defined)

[mrpre]

@anakryiko Thanks a lot, it works after I remove my_pid and add #define BPF_NO_GLOBAL_DATA in bpf code.

[Darrilla]

From the README: minimal is just that – a minimal practical BPF application example. It doesn't use or require BPF CO-RE, so should run on quite old kernels.
Obviously, my Ubuntu 18.04 kernel 4.15.0-180 is too quite an old a kernel. For someone just starting out with bpf, it would be helpful to have an example on how to avoid the global variable (my_pid) by using a map.

[Darrilla]

From the README: minimal is just that – a minimal practical BPF application example. It doesn't use or require BPF CO-RE, so should run on quite old kernels. Obviously, my Ubuntu 18.04 kernel 4.15.0-180 is too quite an old a kernel. For someone just starting out with bpf, it would be helpful to have an example on how to avoid the global variable (my_pid) by using a map.

For anyone else running across this, I was able to change this to use an array. my_pid becomes this:

// Create an array with 1 entry instead of a global variable
// which does not work with older kernels
struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __uint(max_entries, 1);
    __type(key, u32);
    __type(value, pid_t);
} my_pid SEC(".maps");

The tracepoint hook now contains this:

SEC("tp/syscalls/sys_enter_write")
int handle_tp(void *ctx)
{
    u32 index = 0;
    pid_t pid = bpf_get_current_pid_tgid() >> 32;
    pid_t *user_pid = bpf_map_lookup_elem(&my_pid, &index);
    if (user_pid)
    {
        if (*user_pid == pid)
            bpf_printk("BPF triggered from PID %d.\n", pid);
    }
    return 0;
}

and the user-space program sets it's pid into the first element of the array after the the skeleton load:

    /* ensure BPF program only handles write() syscalls from our process */
    pid = getpid();
    bpf_map__update_elem(skel->maps.my_pid, &index, sizeof(index), &pid, sizeof(pid_t), BPF_ANY);

where index is defined unsigned index = 0;

[anakryiko]

How about we add minimal_legacy example which will define BPF_NO_GLOBAL_DATA (to avoid global variables for bpf_printk()) and do the map as you shown above?

[Darrilla]

How about we add minimal_legacy example which will define BPF_NO_GLOBAL_DATA (to avoid global variables for bpf_printk()) and do the map as you shown above?

PR #84 adds this example.

[Darrilla]

We can close this now that PR #84 has been merged.