1/* Copyright (c) 2015 PLUMgrid, http://plumgrid.com 2 * 3 * This program is free software; you can redistribute it and/or 4 * modify it under the terms of version 2 of the GNU General Public 5 * License as published by the Free Software Foundation. 6 */ 7#include <linux/ptrace.h> 8#include <linux/version.h> 9#include <uapi/linux/bpf.h> 10#include "bpf_helpers.h" 11 12struct pair { 13 u64 val; 14 u64 ip; 15}; 16 17struct bpf_map_def SEC("maps") my_map = { 18 .type = BPF_MAP_TYPE_HASH, 19 .key_size = sizeof(long), 20 .value_size = sizeof(struct pair), 21 .max_entries = 1000000, 22}; 23 24/* kprobe is NOT a stable ABI. If kernel internals change this bpf+kprobe 25 * example will no longer be meaningful 26 */ 27SEC("kprobe/kmem_cache_free") 28int bpf_prog1(struct pt_regs *ctx) 29{ 30 long ptr = PT_REGS_PARM2(ctx); 31 32 bpf_map_delete_elem(&my_map, &ptr); 33 return 0; 34} 35 36SEC("kretprobe/kmem_cache_alloc_node") 37int bpf_prog2(struct pt_regs *ctx) 38{ 39 long ptr = PT_REGS_RC(ctx); 40 long ip = 0; 41 42 /* get ip address of kmem_cache_alloc_node() caller */ 43 bpf_probe_read(&ip, sizeof(ip), (void *)(PT_REGS_FP(ctx) + sizeof(ip))); 44 45 struct pair v = { 46 .val = bpf_ktime_get_ns(), 47 .ip = ip, 48 }; 49 50 bpf_map_update_elem(&my_map, &ptr, &v, BPF_ANY); 51 return 0; 52} 53char _license[] SEC("license") = "GPL"; 54u32 _version SEC("version") = LINUX_VERSION_CODE; 55