Re: [RFC PATCH bpf-next v2 1/3] libbpf: Optimize kprobe.session attachment for exact function names

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

From: Jiri Olsa <olsajiri@gmail.com>
To: Andrey Grodzovsky <andrey.grodzovsky@crowdstrike.com>
Cc: bpf@vger.kernel.org, linux-open-source@crowdstrike.com,
	ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	rostedt@goodmis.org, linux-trace-kernel@vger.kernel.org
Subject: Re: [RFC PATCH bpf-next v2 1/3] libbpf: Optimize kprobe.session attachment for exact function names
Date: Fri, 27 Feb 2026 18:08:13 +0100	[thread overview]
Message-ID: <aaHPfR_cOwKIm-lU@krava> (raw)
In-Reply-To: <20260226173342.3565919-2-andrey.grodzovsky@crowdstrike.com>

On Thu, Feb 26, 2026 at 12:33:40PM -0500, Andrey Grodzovsky wrote:
> Implement dual-path optimization in attach_kprobe_session():
> - Fast path: Use syms[] array for exact function names
>   (no kallsyms parsing)
> - Slow path: Use pattern matching with kallsyms only for
>   wildcards
> 
> This avoids expensive kallsyms file parsing (~150ms) when function names
> are specified exactly, improving attachment time 50x (~3-5ms).
> 
> Error code normalization: The fast path returns ESRCH from kernel's
> ftrace_lookup_symbols(), while slow path returns ENOENT from userspace
> kallsyms parsing. Convert ESRCH to ENOENT in fast path to maintain API
> consistency - both paths now return identical error codes for "symbol
> not found".
> 
> Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@crowdstrike.com>
> ---
>  tools/lib/bpf/libbpf.c | 34 ++++++++++++++++++++++++++++------
>  1 file changed, 28 insertions(+), 6 deletions(-)
> 
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 0be7017800fe..0ba8aa2c5fd2 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -12042,6 +12042,20 @@ bpf_program__attach_kprobe_multi_opts(const struct bpf_program *prog,
>  		return libbpf_err_ptr(-EINVAL);
>  
>  	if (pattern) {
> +		/*
> +		 * Exact function name (no wildcards): bypass kallsyms parsing
> +		 * and pass the symbol directly to the kernel via syms[] array.
> +		 * The kernel's ftrace_lookup_symbols() resolves it efficiently.
> +		 */
> +		if (!strpbrk(pattern, "*?")) {
> +			const char *sym = pattern;
> +
> +			syms = &sym;

why not use pattern ndirectly?

> +			cnt = 1;
> +			pattern = NULL;

not sure why we need this

> +			goto attach;
> +		}

I wonder we could just another if path and avoid the goto, like:


-	if (pattern) {
+	/*
+	 * Exact function name (no wildcards): bypass kallsyms parsing
+	 * and pass the symbol directly to the kernel via syms[] array.
+	 * The kernel's ftrace_lookup_symbols() resolves it efficiently.
+	 */
+	if (pattern && !strpbrk(pattern, "*?")) {
+		syms = &pattern;
+		cnt = 1;
+	} else if (pattern) {
 		if (has_available_filter_functions_addrs())
 			err = libbpf_available_kprobes_parse(&res);


wdyt?

> +
>  		if (has_available_filter_functions_addrs())
>  			err = libbpf_available_kprobes_parse(&res);
>  		else
> @@ -12060,6 +12074,7 @@ bpf_program__attach_kprobe_multi_opts(const struct bpf_program *prog,
>  		cnt = res.cnt;
>  	}
>  
> +attach:
>  	retprobe = OPTS_GET(opts, retprobe, false);
>  	session  = OPTS_GET(opts, session, false);
>  
> @@ -12067,7 +12082,6 @@ bpf_program__attach_kprobe_multi_opts(const struct bpf_program *prog,
>  		return libbpf_err_ptr(-EINVAL);
>  
>  	attach_type = session ? BPF_TRACE_KPROBE_SESSION : BPF_TRACE_KPROBE_MULTI;
> -

not needed

>  	lopts.kprobe_multi.syms = syms;
>  	lopts.kprobe_multi.addrs = addrs;
>  	lopts.kprobe_multi.cookies = cookies;
> @@ -12084,6 +12098,14 @@ bpf_program__attach_kprobe_multi_opts(const struct bpf_program *prog,
>  	link_fd = bpf_link_create(prog_fd, 0, attach_type, &lopts);
>  	if (link_fd < 0) {
>  		err = -errno;
> +		/*
> +		 * Normalize error code: when exact name bypasses kallsyms
> +		 * parsing, kernel returns ESRCH from ftrace_lookup_symbols().
> +		 * Convert to ENOENT for API consistency with the pattern
> +		 * matching path which returns ENOENT from userspace.
> +		 */
> +		if (err == -ESRCH)
> +			err = -ENOENT;
>  		pr_warn("prog '%s': failed to attach: %s\n",
>  			prog->name, errstr(err));
>  		goto error;
> @@ -12192,7 +12214,7 @@ static int attach_kprobe_session(const struct bpf_program *prog, long cookie,
>  {
>  	LIBBPF_OPTS(bpf_kprobe_multi_opts, opts, .session = true);
>  	const char *spec;
> -	char *pattern;
> +	char *func_name;

I don't think we need the change, it's jus for the different pr_warn
below right? let's keep pattern

thanks,
jirka

>  	int n;
>  
>  	*link = NULL;
> @@ -12202,14 +12224,14 @@ static int attach_kprobe_session(const struct bpf_program *prog, long cookie,
>  		return 0;
>  
>  	spec = prog->sec_name + sizeof("kprobe.session/") - 1;
> -	n = sscanf(spec, "%m[a-zA-Z0-9_.*?]", &pattern);
> +	n = sscanf(spec, "%m[a-zA-Z0-9_.*?]", &func_name);
>  	if (n < 1) {
> -		pr_warn("kprobe session pattern is invalid: %s\n", spec);
> +		pr_warn("kprobe session function name is invalid: %s\n", spec);
>  		return -EINVAL;
>  	}
>  
> -	*link = bpf_program__attach_kprobe_multi_opts(prog, pattern, &opts);
> -	free(pattern);
> +	*link = bpf_program__attach_kprobe_multi_opts(prog, func_name, &opts);
> +	free(func_name);
>  	return *link ? 0 : -errno;
>  }
>  
> -- 
> 2.34.1
>

next prev parent reply	other threads:[~2026-02-27 17:08 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-26 17:33 [RFC PATCH bpf-next v2 0/3] Optimize kprobe.session attachment for exact function names Andrey Grodzovsky
2026-02-26 17:33 ` [RFC PATCH bpf-next v2 1/3] libbpf: " Andrey Grodzovsky
2026-02-27 17:08   ` Jiri Olsa [this message]
2026-02-27 20:52     ` [External] " Andrey Grodzovsky
2026-02-26 17:33 ` [RFC PATCH bpf-next v2 2/3] ftrace: Use kallsyms binary search for single-symbol lookup Andrey Grodzovsky
2026-02-26 18:24   ` bot+bpf-ci
2026-02-26 17:33 ` [RFC PATCH bpf-next v2 3/3] selftests/bpf: add tests for kprobe.session optimization Andrey Grodzovsky

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aaHPfR_cOwKIm-lU@krava \
    --to=olsajiri@gmail.com \
    --cc=andrey.grodzovsky@crowdstrike.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=linux-open-source@crowdstrike.com \
    --cc=linux-trace-kernel@vger.kernel.org \
    --cc=rostedt@goodmis.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox