When the PMU LBR is running in branch-sensitive mode, 'perf_snapshot_branch_stack()' may capture branch entries from the trampoline entry up to the call site inside a BPF program. These branch entries are not useful for analyzing the control flow of the tracee.
To eliminate such noise for tracing programs, the branch snapshot should be taken as early as possible:
* Call 'perf_snapshot_branch_stack()' at the very beginning of the trampoline for fentry programs. * Call 'perf_snapshot_branch_stack()' immediately after invoking the tracee for fexit programs.
With this change, LBR snapshots remain meaningful even when multiple BPF programs execute before the one requesting LBR data.
In addition, more relevant branch entries can be captured on AMD CPUs, which provide a 16-entry-deep LBR stack.
Testing
The series was tested in a VM configured with LBR enabled:
vmtest --kvm-cpu-args 'host,pmu=on,lbr-fmt=0x5' -k $(make -s image_name) -
Branch records were verified using bpfsnoop [1]:
/path/to/bpfsnoop -k '(l)icmp_rcv' -E 1 -v \ --kernel-vmlinux /path/to/kernel/vmlinux
For comparison, the following command was used without BPF_BRANCH_SNAPSHOT_F_COPY:
/path/to/bpfsnoop -k '(l)icmp_rcv' -E 1 -v \ --force-get-branch-snapshot --kernel-vmlinux /path/to/kernel/vmlinux
Without BPF_BRANCH_SNAPSHOT_F_COPY, no branch records related to the tracee are captured. With it enabled, 17 branch records from the tracee are observed.
Detailed verification results are available in the gist [2].
With this series applied, retsnoop [3] can benefit from improved LBR support when using the '--lbr --fentries' options.
Links: [1] https://github.com/bpfsnoop/bpfsnoop [2] https://gist.github.com/Asphaltt/cffdeb4b2f2db4c3c42f91a59109f9e7 [3] https://github.com/anakryiko/retsnoop
Leon Hwang (3): bpf, x64: Call perf_snapshot_branch_stack in trampoline bpf: Introduce BPF_BRANCH_SNAPSHOT_F_COPY flag for bpf_get_branch_snapshot helper selftests/bpf: Add BPF_BRANCH_SNAPSHOT_F_COPY test
arch/x86/net/bpf_jit_comp.c | 66 +++++++++++++++++++ include/linux/bpf.h | 18 ++++- include/linux/bpf_verifier.h | 1 + kernel/bpf/verifier.c | 30 +++++++++ kernel/trace/bpf_trace.c | 17 ++++- .../bpf/prog_tests/get_branch_snapshot.c | 26 +++++++- .../selftests/bpf/progs/get_branch_snapshot.c | 3 +- 7 files changed, 153 insertions(+), 8 deletions(-)
-- 2.52.0