From 79b060438eae8ef8187dfc6de975f6b4d0eb74e0 Mon Sep 17 00:00:00 2001
From: mozillazg
Date: Sun, 14 Jan 2024 13:12:20 +0000
Subject: [PATCH] add 36-tracepoint-args-sched_switch-use-custom-struct
---
 .../Makefile | 1 +
 .../README.md | 18 +++
 .../cilium-ebpf/Makefile | 1 +
 .../cilium-ebpf/README.md | 17 +++
 .../cilium-ebpf/bpf_bpfeb.go | 115 ++++++++++++++++++
 .../cilium-ebpf/bpf_bpfeb.o | Bin 0 -> 2264 bytes
 .../cilium-ebpf/bpf_bpfel.go | 115 ++++++++++++++++++
 .../cilium-ebpf/bpf_bpfel.o | Bin 0 -> 2264 bytes
 .../cilium-ebpf/main.go | 35 ++++++
 .../main.bpf.c | 29 +++++
 .../main.go | 32 +++++
 README.rst | 4 +-
 12 files changed, 366 insertions(+), 1 deletion(-)
 create mode 120000 36-tracepoint-args-sched_switch-use-custom-struct/Makefile
 create mode 100644 36-tracepoint-args-sched_switch-use-custom-struct/README.md
 create mode 120000 36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/Makefile
 create mode 100644 36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/README.md
 create mode 100644 36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfeb.go
 create mode 100644 36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfeb.o
 create mode 100644 36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfel.go
 create mode 100644 36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfel.o
 create mode 100644 36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/main.go
 create mode 100644 36-tracepoint-args-sched_switch-use-custom-struct/main.bpf.c
 create mode 100644 36-tracepoint-args-sched_switch-use-custom-struct/main.go
diff --git a/36-tracepoint-args-sched_switch-use-custom-struct/Makefile b/36-tracepoint-args-sched_switch-use-custom-struct/Makefile
new file mode 120000
index 0000000..d981720
--- /dev/null
+++ b/36-tracepoint-args-sched_switch-use-custom-struct/Makefile
@@ -0,0 +1 @@
+../common/Makefile
\ No newline at end of file
diff --git a/36-tracepoint-args-sched_switch-use-custom-struct/README.md b/36-tracepoint-args-sched_switch-use-custom-struct/README.md
new file mode 100644
index 0000000..d3ecaed
--- /dev/null
+++ b/36-tracepoint-args-sched_switch-use-custom-struct/README.md
@@ -0,0 +1,18 @@
+
+https://mozillazg.com/2022/05/ebpf-libbpf-tracepoint-common-questions.html
+
+## Usage
+
+build:
+
+```
+$ make
+```
+
+run:
+
+```
+$ make run
+
+$ make cat
+```
diff --git a/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/Makefile b/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/Makefile
new file mode 120000
index 0000000..97ab7f0
--- /dev/null
+++ b/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/Makefile
@@ -0,0 +1 @@
+../../common/cilium-ebpf.Makefile
\ No newline at end of file
diff --git a/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/README.md b/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/README.md
new file mode 100644
index 0000000..bbf04bd
--- /dev/null
+++ b/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/README.md
@@ -0,0 +1,17 @@
+
+
+## Usage
+
+build:
+
+```
+$ make
+```
+
+run:
+
+```
+$ make run
+
+$ make cat
+```
diff --git a/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfeb.go b/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfeb.go
new file mode 100644
index 0000000..0b22678
--- /dev/null
+++ b/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfeb.go
@@ -0,0 +1,115 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + TracepointSchedSchedSwitch *ebpf.ProgramSpec `ebpf:"tracepoint__sched__sched_switch"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. 
+// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { +} + +func (m *bpfMaps) Close() error { + return _BpfClose() +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + TracepointSchedSchedSwitch *ebpf.Program `ebpf:"tracepoint__sched__sched_switch"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.TracepointSchedSchedSwitch, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfeb.o +var _BpfBytes []byte 
diff --git a/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfeb.o b/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfeb.o new file mode 100644 index 0000000000000000000000000000000000000000..5450d6b105f3538418e34aef808e1b8ba5951981 GIT binary patch literal 2264 zcmb_d&1)4`6hD(DYGZ7*S`6Jd2!cX7X`~B5EE6G0X%-=M6SdqonVBThysyqoZPHQ< zg5bi1E?n3A5t60;2|_nrKH81YjXPaPUw^;*@pAJ_=|T^jd(Q8C+;cz9+_^nBe`RDO zkO2kq3c6<)c%Y2^p;2td2?>%}xj>Z6$Ry>?QI6U8`gZ?~!=HZ@o=La+uZbt&56@&F z^`cJKe%bE7q)vOLs-LJ==~@o^3+iS**tYxs5I_BlqsT$T_xt@9JE4Xr?`k0jc8ruq zR&p-R%UZ0>I%4uEf>Dt}kTLi;7*Nxv7!QDB@G0;? z@H6mP@Q2_Y_&j*r9_Jma4CX z-Y*U(B$b}T3%d}C6e1 zKQ=kESr^XFzZ8{}tCc9}miaA}c3Lf?b&Jd@WzjKORVQ^W?R=v)aav=XQ5cu5C8a1e zySO;Jq`v+7`kcD9v@oYIdy%Ocp7p$J=S^i`(XOT0X|GCJZ%ADxY2NL?rj%Kq6{dGQ z|Fm|S(RP+Z(@`|tN{V*0++B%M2|>`5o>g^AOuK$|rBzRbRq=D)S)qPzD%6|CVx~g3 znR6F)E;kY)=Eis7rSPW56xA%!yj|tuD`4sGl=((mBE@P!iddjSs6^9}U2Y#5Bu&=!Or|G?nj8<90PpNSkA z(coUY51c1HdE5RN-o~-r^|@gCZ3f&M=W^fb6m;&-;dlry4B^HQ=6rtsmcxf9B&yMp z5|w!~x_s?QMDUKy)NI~rsU*wFs#x8<)TpY(pdp}fQ zn*Htr=CRAR1m6aqTo2Jk-C@3yKE*!pbay{AeF^@*{KpLR$Ubq}atEW!=R53E&w`V_ z5xR?~Ogub%4*W-w{PhyMeCodrVcHz&e#Je{(PIT@%<&mdK?U+&#ihClJBuQ zU$=i}_t!JX#7WlUlkEf@KsEk!BI1o21HnCo_{|n)~IpUZ3avm^&H8O%C_Wd7ks0^PczP%-jd_iwh%- zhB#@+YZ)@<75V4T5C<9tGKt9W#6``*sZ-kSA~`-HvekS$po9GUx89kk`9||o;As(U za?Cpud-t2KN`D@0CiKTD|M7nFWtmT3-uz$lKYk+<8OJ;?2ZO=xh{#FsN6=58yHLun z#t7%+e5}cOTnpBBb!k!L*?$c&s}^ZtKI#upDwY921W4&wRX@YDTW8lh#f+DyKPA0&;&U^e-ZU07 zaZjJT$O%~L zO=#cxc;~-E&DG(8f!RCsxmW&g;D50TTbA;&NH7wiHL zXj0_s7rZvl726d2E>y)Hd+8#l@|#zcph_y3=UbI;Kt7iLyc!J5KCa3`5a#n6T$Mdb z_@7Y~#!{ROEv}!zYaKQ0H%rSr$A7l@jywC-f)^vsV{Co@{9g0>8<^qp`IimkJ4)gA zm}l(vU-i4aFwV)I-Oy9#u(n>G|4$#Pzh?tmHjnjLyIy}8zR|@&4`v5iN?`k^w*B|c W?=~{(F`T4dtIs_$&eeDS=kEZ|l?_1v literal 0 HcmV?d00001 diff --git a/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/main.go b/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/main.go new file mode 100644 index 0000000..23cdee5 --- /dev/null 
+++ b/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/main.go
@@ -0,0 +1,35 @@
+package main
+
+import (
+ "log"
+ "time"
+
+ "github.com/cilium/ebpf/link"
+ "github.com/cilium/ebpf/rlimit"
+)
+
+// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output
+
+func main() {
+ if err := rlimit.RemoveMemlock(); err != nil {
+ log.Fatal(err)
+ }
+
+ objs := bpfObjects{}
+ if err := loadBpfObjects(&objs, nil); err != nil {
+ log.Fatal(err)
+ }
+ defer objs.Close()
+
+ tp, err := link.Tracepoint("sched", "sched_switch", objs.TracepointSchedSchedSwitch, nil)
+ if err != nil {
+ log.Println(err)
+ return
+ }
+ defer tp.Close()
+
+ log.Println("Waiting for events...")
+ time.Sleep(time.Minute * 1024)
+
+}
diff --git a/36-tracepoint-args-sched_switch-use-custom-struct/main.bpf.c b/36-tracepoint-args-sched_switch-use-custom-struct/main.bpf.c
new file mode 100644
index 0000000..77d446a
--- /dev/null
+++ b/36-tracepoint-args-sched_switch-use-custom-struct/main.bpf.c
@@ -0,0 +1,29 @@
+#include "vmlinux.h"
+
+#include
+#include
+#include
+
+// sudo cat /sys/kernel/debug/tracing/events/sched/sched_switch/format
+struct sched_switch_args {
+ char _[8];
+ char prev_comm[16];
+ pid_t prev_pid;
+ int prev_prio;
+ long prev_state;
+ char next_comm[16];
+ pid_t next_pid;
+ int next_prio;
+};
+
+SEC("tracepoint/sched/sched_switch")
+int tracepoint__sched__sched_switch(struct sched_switch_args *ctx) {
+ u32 prev_pid = (u32)ctx->prev_pid;
+ u32 next_pid = (u32)ctx->next_pid;
+
+ char fmt[] = "sched_switch %d -> %d\n";
+ bpf_trace_printk(fmt, sizeof(fmt), prev_pid, next_pid);
+ return 0;
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/36-tracepoint-args-sched_switch-use-custom-struct/main.go b/36-tracepoint-args-sched_switch-use-custom-struct/main.go
new file mode 100644
index 0000000..a88a55a
--- /dev/null
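Review bot: In cilium-ebpf/main.go the attach-failure branch (`log.Println(err)` followed by `return`) ends the process with exit status 0, whereas the two earlier failures use `log.Fatal`, so a script running the example cannot tell that the tracepoint was never attached. Cleanup can be kept while still reporting failure by replacing those two lines with `objs.Close()` and `log.Fatalf("attach sched/sched_switch: %v", err)`. The errors are also logged without context, so a permission failure looks the same whichever step raised it; a prefix such as `"load bpf objects: %v"` on the earlier `log.Fatal` calls would make the log readable.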
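Review bot: `struct sched_switch_args` in main.bpf.c hard-codes the tracepoint record layout, and nothing in the file says what `char _[8]` stands for or what happens when the running kernel's layout differs. The program reads `ctx->prev_pid` and `ctx->next_pid` at fixed offsets, so on a kernel whose `sched_switch` format file lists different common fields or field sizes it would most likely still load and print unrelated bytes as PIDs. I would add a comment above the struct, for example `/* Layout copied from the sched_switch format file; _[8] skips the common_* header. Re-check the offsets on the target kernel before trusting the output. */`. Separately, `prev_pid` and `next_pid` are cast to `u32` but printed with `%d`; `%u`, or keeping them as `pid_t`, would make the format string agree with the types.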
+++ b/36-tracepoint-args-sched_switch-use-custom-struct/main.go
@@ -0,0 +1,32 @@
+package main
+
+import (
+ "fmt"
+ "time"
+
+ bpf "github.com/aquasecurity/libbpfgo"
+)
+
+func main() {
+ bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
+ if err != nil {
+ panic(err)
+ }
+ defer bpfModule.Close()
+
+ if err := bpfModule.BPFLoadObject(); err != nil {
+ panic(err)
+ }
+ prog, err := bpfModule.GetProgram("tracepoint__sched__sched_switch")
+ if err != nil {
+ panic(err)
+ }
+ if _, err := prog.AttachTracepoint("sched", "sched_switch"); err != nil {
+ panic(err)
+ }
+
+ for {
+ fmt.Println("Waiting...")
+ time.Sleep(10 * time.Second)
+ }
+}
diff --git a/README.rst b/README.rst
index 67dee79..53a516c 100644
--- a/README.rst
+++ b/README.rst
@@ -154,7 +154,7 @@ Examples by program type: | ``BPF_PROG_TYPE_SYSCALL`` | | ``syscall`` | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ | ``BPF_PROG_TYPE_TRACEPOINT`` | | ``tp+`` |`04`_ `07`_ `14`_ | -+ + +----------------------------------+ + ++ + +----------------------------------+`35`_ `36`_ + | | | ``tracepoint+`` | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ | ``BPF_PROG_TYPE_TRACING`` | ``BPF_MODIFY_RETURN`` | ``fmod_ret+`` | |
@@ -212,6 +212,8 @@ Examples by program type: .. _32: 32-fentry-hello .. _33: 33-xdp-hello .. _34: 34-iter-task-hello +.. _35: 35-tracepoint-args-use-custom-struct +.. _36: 36-tracepoint-args-sched_switch-use-custom-struct https://mozillazg.com/tag/libbpf.html
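Review bot: In the libbpfgo main.go the `defer bpfModule.Close()` can never run, because `main` ends in an unconditional `for` loop and the process only stops when it is killed; the link returned by `prog.AttachTracepoint` is also discarded with `_`. The kernel will normally release the program when the process exits, but the example then shows a cleanup path that is dead code. Waiting for SIGINT/SIGTERM instead of looping lets the deferred close run on a normal Ctrl-C. The change below needs `os`, `os/signal` and `syscall` added to the import block and `time` dropped from it.

```go
func main() {
	// … unchanged: module load, program lookup, tracepoint attach …

	stop := make(chan os.Signal, 1)
	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
	fmt.Println("Waiting...")
	<-stop
}
```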