eunomia-bpf / bpftime

Userspace eBPF runtime for Observability, Network & General Extensions Framework
https://eunomia.dev/bpftime/
MIT License

[Feature] Can Maps be updated by both bpftime's uprobes and usual kprobes? #18

Closed LCastanheira-1 closed 1 year ago

LCastanheira-1 commented 1 year ago

First of all: I'm really glad I found this repo, thank you for making uprobes faster!

I am working with maps that get updated by both uprobes and kprobes (essentially trying to do this).

Do your maps currently support reading/writing by both bpftime's uprobes as well as the usual kprobes?

Thanks!

yunwei37 commented 1 year ago

Hi @LCastanheira-1,

Thank you for bringing this up!

Currently, our implementation does not support updating maps by both bpftime's uprobes and standard kprobes simultaneously. However, we recognize the value of this feature and are actively investigating the best way to implement it.

We'll keep you updated as we make progress. Contributions or insights on this topic are also highly welcomed.

Thanks for your understanding and patience!

yunwei37 commented 1 year ago

Hi @LCastanheira-1,

By the way, where can I find more about https://lpc.events/event/17/contributions/1597/? I'm very interested in the mixed usage of uprobes and kprobes you mentioned.

Thanks!

LCastanheira-1 commented 1 year ago

Well, we can always hop on a Zoom call :) I haven't seen anything about mixed usage in the wild, which is why Theo (my advisor) and I submitted this talk to LPC. We're actively looking into it.

yunwei37 commented 1 year ago

The answer is yes now!

Now, eBPF programs running in userspace can share maps with those in the kernel, allowing the same interactive capabilities as traditional kernel-bound eBPF programs.

For a hands-on demonstration of this, refer to the prototype available at eunomia-bpf/bpftime. This prototype leverages several methods to interact with the kernel without modifying it:

  1. eBPF Modification for System Calls: By using the bpf_probe_write_user function, the behavior of bpf and perf event syscalls can be modified. This avoids the need for direct kernel modifications.

  2. Monitoring eBPF Processes: The load and attachment processes of eBPF programs are monitored. This allows for interception or modification of the BPF instructions and alteration of the uprobe attach targets.

  3. Shared Memory for Map Access: The bpf_map_get_fd_by_id function is utilized to open array or hash maps. Combined with mmap, shared memory can be established, making it accessible for both kernel-bound and userspace eBPF programs. In instances where mmap isn't supported, the bpf syscall can be employed to facilitate updates, though this is relatively slower. We are continuing to look for better ways to do that.

Would appreciate any feedback or suggestions!
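As an added example (not bpftime's own code, and not necessarily the exact mechanism the project uses) of the shared-memory map access described in point 3: open a kernel array map by id, mmap it when the map was created with BPF_F_MMAPABLE, and fall back to bpf() element operations otherwise. It assumes the caller holds CAP_BPF or CAP_SYS_ADMIN and supplies a real map id; the `shared_map_*` and `array_*` names are hypothetical.

```c
/* Added example (not bpftime's own code): open a kernel BPF array map by id, mmap it when it
 * was created with BPF_F_MMAPABLE (syscall-free path), else fall back to bpf() element ops. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/bpf.h>
struct shared_map { int fd; struct bpf_map_info info; void *mem; size_t len; };
static long sys_bpf(int cmd, union bpf_attr *a) { return syscall(__NR_bpf, cmd, a, sizeof(*a)); }

/* The kernel pads each mmapable array element to 8 bytes and exposes the values page-aligned. */
size_t array_elem_stride(uint32_t value_size) { return ((size_t)value_size + 7) & ~(size_t)7; }
size_t array_mmap_len(uint32_t value_size, uint32_t max_entries) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (array_elem_stride(value_size) * max_entries + page - 1) & ~(page - 1);
}
int shared_map_mmapable(const struct bpf_map_info *i) {
    return i->type == BPF_MAP_TYPE_ARRAY && (i->map_flags & BPF_F_MMAPABLE) != 0;
}

/* Needs CAP_BPF or CAP_SYS_ADMIN; map_id is a hypothetical id of a map already loaded in the kernel. */
int shared_map_open(struct shared_map *m, uint32_t map_id) {
    union bpf_attr a;
    memset(m, 0, sizeof(*m)); memset(&a, 0, sizeof(a));
    a.map_id = map_id;
    if ((m->fd = (int)sys_bpf(BPF_MAP_GET_FD_BY_ID, &a)) < 0) return -errno;
    memset(&a, 0, sizeof(a));
    a.info.bpf_fd = m->fd; a.info.info_len = sizeof(m->info); a.info.info = (uintptr_t)&m->info;
    if (sys_bpf(BPF_OBJ_GET_INFO_BY_FD, &a) < 0) return -errno;
    if (shared_map_mmapable(&m->info)) {       /* fast path: plain loads/stores shared with the kernel */
        m->len = array_mmap_len(m->info.value_size, m->info.max_entries);
        void *p = mmap(NULL, m->len, PROT_READ | PROT_WRITE, MAP_SHARED, m->fd, 0);
        if (p != MAP_FAILED) m->mem = p;       /* on failure keep the slower syscall fallback */
    }
    return 0;
}

/* Read (write=0) or write (write=1) value[idx]: memcpy through the mapping, else one bpf() call. */
int shared_map_access(struct shared_map *m, uint32_t idx, void *val, int write) {
    if (idx >= m->info.max_entries) return -EINVAL;
    if (m->mem) {
        char *slot = (char *)m->mem + idx * array_elem_stride(m->info.value_size);
        if (write) memcpy(slot, val, m->info.value_size); else memcpy(val, slot, m->info.value_size);
        return 0;
    }
    union bpf_attr a; memset(&a, 0, sizeof(a));
    a.map_fd = m->fd; a.key = (uintptr_t)&idx; a.value = (uintptr_t)val; a.flags = BPF_ANY;
    return sys_bpf(write ? BPF_MAP_UPDATE_ELEM : BPF_MAP_LOOKUP_ELEM, &a) < 0 ? -errno : 0;
}
```

Because the mapping is MAP_SHARED on the map's own fd, stores made by a userspace program through `shared_map_access` are the same bytes a kernel-side kprobe program reads with `bpf_map_lookup_elem`; only array maps created with BPF_F_MMAPABLE get the fast path.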

yunwei37 commented 1 year ago

Hi @LCastanheira-1, would you like to have a Zoom call with us to discuss it? We have implemented the feature mentioned in this issue, and we also found that a mixed usage of uprobes and kernel events (socket, kprobe, tracepoint) can be used in modern distributed network tracing. We would greatly appreciate it if you could help us review our design and improve our project : )

yunwei37 commented 1 year ago

I'm sorry that I can't find your email... My email address is yunwei356@gmail.com, if you want further contact.