support: 如何获取 tp/kprobe 函数本身的 IP

[Ghostbaby]

1. kprobe/fentry 等类型使用 bpf_get_func_ip
2. tracepoint 类型，bpf_get_func_ip() 返回的是触发 tracepoint 的函数地址，而不是 tracepoint 本身的地址。

// 使用  bpf_get_stack() 
struct {
    __uint(type, BPF_MAP_TYPE_STACK_TRACE);
    __uint(max_entries, 1024);
} stack_traces SEC(".maps");

SEC("tracepoint/syscalls/sys_enter_open")
int trace_open_stack(struct trace_event_raw_sys_enter *ctx)
{
    u64 stack_id = bpf_get_stackid(ctx, &stack_traces, BPF_F_FAST_STACK_CMP);
    
    // 或者直接获取栈帧
    u64 stack[10];
    int ret = bpf_get_stack(ctx, stack, sizeof(stack), 0);
    if (ret > 0) {
        // stack[0] 是当前执行的指令地址
        bpf_printk("Current IP: 0x%lx\n", stack[0]);
    }
    
    return 0;
}

// 使用 task_struct 获取到 寄存器信息，然后通过 bpf_get_func_ip(ctx) 
SEC("tracepoint/syscalls/sys_enter_open")
int trace_open_task(struct trace_event_raw_sys_enter *ctx)
{
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
    
    // 从任务结构中读取 pt_regs（如果可用）
    // 这种方法较为复杂，需要了解内核内部结构
    
    return 0;
}

tracepoint 介绍

tracepoint 是编译时就确定的静态插桩点，不像 kprobe 是动态插桩：

// 内核代码中的 tracepoint 定义示例
SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode)
{
    trace_sys_enter(regs, __NR_open);  // 这里触发 tracepoint
    
    // 实际的系统调用逻辑
    long ret = do_sys_open(AT_FDCWD, filename, flags, mode);
    
    trace_sys_exit(regs, ret);         // 这里触发 tracepoint
    return ret;
}

[Ghostbaby]

验证代码：

SEC("tracepoint/syscalls/sys_enter_write")
int trace_write_stack(struct trace_event_raw_sys_enter *ctx)
{
    bpf_printk("========== Tracepoint IP Analysis ==========\n");

    // 基本信息
    u64 pid_tgid = bpf_get_current_pid_tgid();
    u32 pid = pid_tgid >> 32;
    u32 tid = pid_tgid & 0xffffffff;
    bpf_printk("PID: %u, TID: %u\n", pid, tid);

    // 专注于内核堆栈分析
    bpf_printk("=== Kernel Stack Detailed Analysis ===\n");

    // 方法1: 直接使用 bpf_get_stack 获取内核堆栈
    u64 kernel_stack[8];
    int kernel_ret = bpf_get_stack(ctx, kernel_stack, sizeof(kernel_stack), 0);

    // ❎ otelcol-1461    [003] ...21  4535.117596: bpf_trace_printk: bpf_get_stack(kernel, size=64) returned: 0
    bpf_printk("bpf_get_stack(kernel, size=%d) returned: %d\n", sizeof(kernel_stack), kernel_ret);

    if (kernel_ret > 0)
    {
        int frames = kernel_ret / sizeof(u64);
        bpf_printk("SUCCESS: Got %d kernel stack frames\n", frames);
        for (int i = 0; i < frames && i < 8; i++)
        {
            bpf_printk("  Kernel frame %d: 0x%lx\n", i, kernel_stack[i]);
        }
    }
    else if (kernel_ret == 0)
    {
        bpf_printk("WARNING: bpf_get_stack returned 0 - no kernel frames\n");
    }
    else
    {
        bpf_printk("ERROR: bpf_get_stack failed with: %d\n", kernel_ret);
    }

    // 方法2: 使用 bpf_get_stackid 获取内核堆栈ID
    u32 kernel_stack_id = bpf_get_stackid(ctx, &stack_traces, 0);

    // ❎ otelcol-1461    [003] ...21  4535.117598: bpf_trace_printk: bpf_get_stackid(kernel) returned: -14
    bpf_printk("bpf_get_stackid(kernel) returned: %d\n", kernel_stack_id);
    if (kernel_stack_id >= 0)
    {
        bpf_printk("SUCCESS: Kernel stack ID: %u\n", kernel_stack_id);
    }
    else
    {
        bpf_printk("ERROR: Failed to get kernel stack ID: %d\n", kernel_stack_id);
    }

    // 方法3: 尝试不同的 bpf_get_stackid 标志
    u32 kernel_stack_id_reuse = bpf_get_stackid(ctx, &stack_traces, BPF_F_REUSE_STACKID);

    // ❎ otelcol-1461    [003] ...21  4535.117600: bpf_trace_printk: bpf_get_stackid(BPF_F_REUSE_STACKID) returned: -14
    bpf_printk("bpf_get_stackid(BPF_F_REUSE_STACKID) returned: %d\n", kernel_stack_id_reuse);

    u32 kernel_stack_id_fast = bpf_get_stackid(ctx, &stack_traces, BPF_F_FAST_STACK_CMP);
    bpf_printk("bpf_get_stackid(BPF_F_FAST_STACK_CMP) returned: %d\n", kernel_stack_id_fast);

    // 方法4: 尝试更小的缓冲区
    u64 small_kernel_stack[2];
    int small_kernel_ret = bpf_get_stack(ctx, small_kernel_stack, sizeof(small_kernel_stack), 0);

    // ❎ otelcol-1461    [003] ...21  4535.117601: bpf_trace_printk: bpf_get_stack(small buffer, size=16) returned: 0
    bpf_printk("bpf_get_stack(small buffer, size=%d) returned: %d\n", sizeof(small_kernel_stack), small_kernel_ret);

    if (small_kernel_ret > 0)
    {
        int small_frames = small_kernel_ret / sizeof(u64);
        bpf_printk("SUCCESS: Got %d frames with small buffer\n", small_frames);
        for (int i = 0; i < small_frames && i < 2; i++)
        {
            bpf_printk("  Small frame %d: 0x%lx\n", i, small_kernel_stack[i]);
        }
    }

    // 方法6: 检查 tracepoint 特性
    bpf_printk("=== Tracepoint Characteristics ===\n");

    // tracepoint 的上下文不是 pt_regs，所以不能直接访问寄存器
    // 但是我们可以检查上下文的地址
    // tracepoint ctx address: 00000000ecb829f0
    bpf_printk("tracepoint ctx address: %p\n", ctx);

    // 尝试使用 bpf_get_current_task
    // Current task: 000000009c270d7c
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
    if (task)
    {
        bpf_printk("Current task: %p\n", task);
    }

    // 方法7: 尝试显式的堆栈走查
    bpf_printk("=== Manual Stack Walk Attempt ===\n");

    // 尝试使用 bpf_get_stack 但指定不同的选项
    u64 raw_stack[4];
    int raw_ret = bpf_get_stack(ctx, raw_stack, sizeof(raw_stack), BPF_F_SKIP_FIELD_MASK);
    // ❎ otelcol-1461    [003] ...21  4535.112527: bpf_trace_printk: bpf_get_stack(BPF_F_SKIP_FIELD_MASK) returned: -14
    bpf_printk("bpf_get_stack(BPF_F_SKIP_FIELD_MASK) returned: %d\n", raw_ret);

    if (raw_ret > 0)
    {
        int raw_frames = raw_ret / sizeof(u64);
        bpf_printk("Got %d raw frames\n", raw_frames);
        for (int i = 0; i < raw_frames && i < 4; i++)
        {
            bpf_printk("  Raw frame %d: 0x%lx\n", i, raw_stack[i]);
        }
    }

    // 正确访问 sys_enter_write 的字段
    unsigned long fd = read_tp_field(ctx, 16);    // offset:16
    unsigned long buf = read_tp_field(ctx, 24);   // offset:24
    unsigned long count = read_tp_field(ctx, 32); // offset:32

    bpf_printk("write() args: fd=%lu, buf=0x%lx, count=%lu\n", fd, buf, count);

    // 验证系统调用号
    int syscall_nr = 0;
    bpf_probe_read_kernel(&syscall_nr, sizeof(syscall_nr), (char *)ctx + 8);
    bpf_printk("syscall_nr: %d\n", syscall_nr);

    return 0;
}