examples: fentry - add comments to illustrate difference with tcprtt

The tcprtt example was added recently, which relies on CO-RE information to work across different kernel versions. fentry, on the other hand, will break if structs change in the running kernel, so document this fact. Replaced unused fields with padding and addressed some nits. Signed-off-by: Timo Beckers <timo@isovalent.com>
holyspectral · Mar 30, 2022 · 403bb27 · 403bb27
1 parent 60ffd2f
commit 403bb27
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 6 deletions.
diff --git a/examples/fentry/bpf_bpfeb.o b/examples/fentry/bpf_bpfeb.o
diff --git a/examples/fentry/bpf_bpfel.o b/examples/fentry/bpf_bpfel.o
diff --git a/examples/fentry/fentry.c b/examples/fentry/fentry.c
@@ -8,8 +8,25 @@
 #define AF_INET 2
 #define TASK_COMM_LEN 16
 
-char LICENSE[] SEC("license") = "Dual MIT/GPL";
+char __license[] SEC("license") = "Dual MIT/GPL";
 
+/**
+ * This example copies parts of struct sock_common and struct sock from
+ * the Linux kernel, but doesn't cause any CO-RE information to be emitted
+ * into the ELF object. This requires the struct layout (up until the fields
+ * that are being accessed) to match the kernel's, and the example will break
+ * or misbehave when this is no longer the case.
+ *
+ * Also note that BTF-enabled programs like fentry, fexit, fmod_ret, tp_btf,
+ * lsm, etc. declared using the BPF_PROG macro can read kernel memory without
+ * needing to call bpf_probe_read*().
+ */
+
+/**
+ * struct sock_common reflects the start of the kernel's struct sock_common.
+ * It only contains the fields up until skc_family that are accessed in the
+ * program, with padding to match the kernel's declaration.
+ */
 struct sock_common {
 	union {
 		struct {
@@ -18,8 +35,8 @@ struct sock_common {
 		};
 	};
 	union {
-		unsigned int skc_hash;
-		__u16 skc_u16hashes[2];
+		// Padding out union skc_hash.
+		__u32 _;
 	};
 	union {
 		struct {
@@ -30,6 +47,9 @@ struct sock_common {
 	short unsigned int skc_family;
 };
 
+/**
+ * struct sock reflects the start of the kernel's struct sock.
+ */
 struct sock {
 	struct sock_common __sk_common;
 };
@@ -39,16 +59,19 @@ struct {
 	__uint(max_entries, 1 << 24);
 } events SEC(".maps");
 
-// Force emitting struct event into the ELF.
-const struct event *unused __attribute__((unused));
-
+/**
+ * The sample submitted to userspace over a ring buffer.
+ * Emit struct event's type info into the ELF's BTF so bpf2go
+ * can generate a Go type from it.
+ */
 struct event {
 	u8 comm[16];
 	__u16 sport;
 	__be16 dport;
 	__be32 saddr;
 	__be32 daddr;
 };
+struct event *unused __attribute__((unused));
 
 SEC("fentry/tcp_connect")
 int BPF_PROG(tcp_connect, struct sock *sk) {