[PATCH v1 2/7] perf trace: Etcsnoop fix libbpf 1.0+ compatibility

[Ian Rogers <irogers@google.com>]

Don't use deprecated and now broken map style. Avoid use of
tools/perf/include/bpf/bpf.h and use the more regular BPF headers.
Add "< 0" checks to fix BPF verifier failures about potentially
negative values being passed to bpf_perf_event_output. Add a
raw_syscalls:sys_enter to avoid the evlist being empty and causing
perf trace to exit during argument parsing.

Signed-off-by: Ian Rogers <irogers@google.com>
---
 tools/perf/examples/bpf/etcsnoop.c | 41 ++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 8 deletions(-)

diff --git a/tools/perf/examples/bpf/etcsnoop.c b/tools/perf/examples/bpf/etcsnoop.c
index e81b535346c0..a04109d9b2b5 100644
--- a/tools/perf/examples/bpf/etcsnoop.c
+++ b/tools/perf/examples/bpf/etcsnoop.c
@@ -5,7 +5,7 @@
  *
  * Test it with:
  *
- * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null
+ * perf trace -e tools/perf/examples/bpf/etcsnoop.c cat /etc/passwd > /dev/null
  *
  * It'll catch some openat syscalls related to the dynamic linked and
  * the last one should be the one for '/etc/passwd'.
@@ -19,10 +19,17 @@
  * tools/perf/include/bpf/stdio.h.
  */
 
-#include <stdio.h>
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
 
 /* bpf-output associated map */
-bpf_map(__augmented_syscalls__, PERF_EVENT_ARRAY, int, u32, __NR_CPUS__);
+struct __augmented_syscalls__ {
+	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+	__type(key, int);
+	__type(value, __u32);
+	__uint(max_entries, __NR_CPUS__);
+} __augmented_syscalls__ SEC(".maps");
+
 
 struct augmented_filename {
 	int	size;
@@ -30,6 +37,9 @@ struct augmented_filename {
 	char	value[64];
 };
 
+#define syscall_enter(name) \
+	SEC("!syscalls:sys_enter_" #name) syscall_enter_ ## name
+
 #define augmented_filename_syscall_enter(syscall) 						\
 struct augmented_enter_##syscall##_args {			 				\
 	struct syscall_enter_##syscall##_args	args;				 		\
@@ -39,17 +49,25 @@ int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args)				\
 {												\
 	char etc[6] = "/etc/";									\
 	struct augmented_enter_##syscall##_args augmented_args = { .filename.reserved = 0, }; 	\
-	probe_read(&augmented_args.args, sizeof(augmented_args.args), args);			\
-	augmented_args.filename.size = probe_read_str(&augmented_args.filename.value, 		\
+	long size;										\
+												\
+	if (bpf_probe_read(&augmented_args.args, sizeof(augmented_args.args), args) < 0)	\
+		return -1;									\
+												\
+	size = bpf_probe_read_str(&augmented_args.filename.value,				\
 						      sizeof(augmented_args.filename.value), 	\
 						      args->filename_ptr); 			\
+	if (size < 0)										\
+		return -1;									\
+												\
+	augmented_args.filename.size = size;							\
 	if (__builtin_memcmp(augmented_args.filename.value, etc, 4) != 0)			\
 		return 0;									\
 	/* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */	\
-	return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, 		\
+	return bpf_perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU,		\
 				 &augmented_args,						\
 				 (sizeof(augmented_args) - sizeof(augmented_args.filename.value) + \
-				 augmented_args.filename.size));				\
+				 size));				\
 }
 
 struct syscall_enter_openat_args {
@@ -73,4 +91,11 @@ struct syscall_enter_open_args {
 
 augmented_filename_syscall_enter(open);
 
-license(GPL);
+struct syscall_enter_args;
+
+SEC("raw_syscalls:sys_enter")
+int sys_enter(struct syscall_enter_args *args)
+{
+	return 0;
+}
+char _license[] SEC("license") = "GPL";
-- 
2.38.1.273.g43a17bfeac-goog