On Wed, 17 Sep 2025 15:22:39 +0800 Fuyu Zhao zhaofuyu@vivo.com wrote:
> Hi everyone,
>
> This patchset introduces a new BPF program type that allows overriding a tracepoint probe function registered via register_trace_*.
>
> Motivation
>
> Tracepoint probe functions registered via register_trace_* in the kernel cannot be dynamically modified; changing a probe function requires recompiling the kernel and rebooting. Nor can BPF programs change an existing probe function.

I'm confused by what you mean by "tracepoint probe function"?

You mean the function callback that gets called via the "register_trace_*()"?

> Overriding tracepoint supports a way to apply patches into kernel quickly (such as applying security ones), through predefined static tracepoints, without waiting for upstream integration.

This sounds way out of scope for tracepoints. Please provide a solid example for this.

> This patchset demonstrates the way to override probe functions by BPF program.
>
> Overview
>
> This patchset adds BPF_PROG_TYPE_RAW_TRACEPOINT_OVERRIDE program type. When this type of BPF program attaches, it overrides the target tracepoint probe function.
>
> And it also extends a new struct type "tracepoint_func_snapshot", which extends the tracepoint structure. It is used to record the original probe function registered by the kernel after the BPF program is attached and to restore from it after detachment.

The tracepoint structure exists for every tracepoint in the kernel. By adding a pointer to it, you just increased the size of the tracepoint. I'm already complaining that each tracepoint causes around 5K of memory overhead, and I'd like to make it smaller.

-- Steve