On Mon, Mar 30, 2026 at 7:08 PM Jiri Olsa <[email protected]> wrote:
>
> On Sun, Mar 29, 2026 at 09:43:38PM +0900, Hoyeon Lee wrote:
> > bpf_program__attach_kprobe_opts() currently attaches a single kprobe only
> > by func_name, with an optional offset. This covers only the symbol-
> > based form, not the raw-address form that the kernel already supports
> > for both kprobe PMU events and legacy tracefs/debugfs kprobes. Callers
> > that already have a target IP still have to drop down to
> > perf_event_open() or direct tracefs writes.
> >
> > libbpf already exposes address-based attach for kprobe_multi through
> > bpf_kprobe_multi_opts.addrs. This commit adds bpf_kprobe_opts.addr so
> > that single kprobes can be attached either by func_name + offset or by
> > raw address.
>
> curious, is this change just for the api to be complete or you do have
> a usecase where you can't use kprobe_multi and need to attach kprobe
> by address?
>
The main motivation was to fill the single-kprobe API gap, not to
replace kprobe_multi. There is also a case where kprobe_multi is not a
drop-in replacement. bpf_task_fd_query() operates on perf event fds and
does not support generic link fds, while kprobe_multi returns a link fd.
That link fd can be queried through bpf_link_get_info_by_fd(), but it
still cannot be used as a drop-in replacement here.
For PMU-based non-legacy attach, Andrii is right that func_name = NULL
with opts.offset = <raw-address> already works today. However, this does
not work for legacy tracefs/debugfs kprobes, because the tracefs event
string formatting still expects symbol-based input.
So I think the better direction for v3 is to avoid adding a new field to
bpf_kprobe_opts(), document that offset is treated as an absolute
address when func_name = NULL, and make the legacy path support the
same raw-address form as well.
> SNIP
>
> > static void gen_probe_legacy_event_name(char *buf, size_t buf_sz,
> > - const char *name, size_t offset)
> > + const char *name,
> > + uint64_t offset_or_addr)
> > {
> > static int index = 0;
> > int i;
> >
> > - snprintf(buf, buf_sz, "libbpf_%u_%d_%s_0x%zx", getpid(),
> > - __sync_fetch_and_add(&index, 1), name, offset);
> > + snprintf(buf, buf_sz, "libbpf_%u_%d_%s_0x%" PRIx64, getpid(),
> > + __sync_fetch_and_add(&index, 1), name ?: "addr",
> > + offset_or_addr);
> >
> > /* sanitize name in the probe name */
> > for (i = 0; buf[i]; i++) {
> > @@ -11648,13 +11651,28 @@ static void gen_probe_legacy_event_name(char
> > *buf, size_t buf_sz,
> > }
> > }
> >
> > +static void gen_kprobe_target(char *buf, size_t buf_sz, const char *name,
> > + uint64_t offset_or_addr)
> > +{
> > + if (name)
> > + snprintf(buf, buf_sz, "%s+0x%" PRIx64, name, offset_or_addr);
> > + else
> > + snprintf(buf, buf_sz, "0x%" PRIx64, offset_or_addr);
> > +}
> > +
> > static int add_kprobe_event_legacy(const char *probe_name, bool retprobe,
> > - const char *kfunc_name, size_t offset)
> > + const char *kfunc_name,
> > + uint64_t offset_or_addr)
> > {
> > - return append_to_file(tracefs_kprobe_events(), "%c:%s/%s %s+0x%zx",
> > + char probe_target[128];
> > +
> > + gen_kprobe_target(probe_target, sizeof(probe_target), kfunc_name,
> > + offset_or_addr);
> > +
>
> it seems like it'd be easier to get probe_target (via gen_kprobe_target)
> in bpf_program__attach_kprobe_opts and pass it down instead of generating
> it over and over again
>
Good point. I'll simplify this in v3 and build probe_target once in
bpf_program__attach_kprobe_opts(), then pass it down.
> > + return append_to_file(tracefs_kprobe_events(), "%c:%s/%s %s",
> > retprobe ? 'r' : 'p',
> > retprobe ? "kretprobes" : "kprobes",
> > - probe_name, kfunc_name, offset);
> > + probe_name, probe_target);
> > }
> >
> > static int remove_kprobe_event_legacy(const char *probe_name, bool
> > retprobe)
> > @@ -11674,25 +11692,29 @@ static int
> > determine_kprobe_perf_type_legacy(const char *probe_name, bool retpro
> > }
> >
> > static int perf_event_kprobe_open_legacy(const char *probe_name, bool
> > retprobe,
> > - const char *kfunc_name, size_t
> > offset, int pid)
> > + const char *kfunc_name,
> > + uint64_t offset_or_addr, int pid)
> > {
> > const size_t attr_sz = sizeof(struct perf_event_attr);
> > struct perf_event_attr attr;
> > int type, pfd, err;
> > + char probe_target[128];
>
> we need bigger buffer as explained by sashiko [1]
>
Thanks for the pointer! I'll switch this to a larger buffer in v3.
> [1]
> https://sashiko.dev/#/patchset/20260329124429.689912-1-hoyeon.lee%40suse.com
>
> jirka
>
> SNIP
