I want the value in the BPF hash map to be a struct, but it doesn't work. Who knows if this is allowed by BPF? The code is below.

Also, I have a second question: how can I call a kernel function in the BPF program?

typedef struct my_value {
    u64 ts;
    unsigned char opcode;
    unsigned int pages;
    pid_t pid;
} MY_VAL;

struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 8192);
    //__type(key, pid_t);
    __type(key, u64);
    __type(value, MY_VAL);
} _start SEC(".maps");

When I use

struct my_value e;
e.pages= 10;

u64 pate = 0x456;

bpf_map_update_elem(&_start, &pate, &e, BPF_ANY);

there is an error:

79: (85) call bpf_map_update_elem#2
invalid indirect read from stack off -32+0 size 8
processed 51 insns (limit 1000000) max_states_per_insn 0 total_states 3 peak_states 3 mark_read 1

  • What does "it doesn't work" mean exactly? Did you try without defining it as a typedef? Commented Jan 17, 2022 at 15:16
  • Yes it should work. What error message do you get? As for calling kernel functions, you cannot just use any function, but you can call one of the available bpf helpers from your program, see this page for some documentation, or look for examples with e.g. bpf_map_update_elem() or bpf_trace_printk(). Commented Jan 17, 2022 at 15:16
  • @Qeole I want to call a function which is not in the BPF helpers, but it is in the Linux kernel, which is external, for example get_unaligned_be32(). How do I call this kind of kernel function? Commented Jan 17, 2022 at 15:21
  • @pchaigno bpf_map_update_elem(&_start, &pate, &e, BPF_ANY); will fail. Do you know how to update it? Commented Jan 17, 2022 at 15:55
  • I'm surprised Qeole's solution didn't work. Could you share the full program and the full logs from the verifier? Commented Jan 17, 2022 at 16:23

1 Answer

Regarding your error: The verifier rejects your program if you try to update the map with uninitialised data from the stack, which is what happens when you create your value.

Try to initialise the whole struct:

struct my_value e;
memset(&e, 0, sizeof(e));
e.pages= 10;

Regarding your second question: You can call eBPF helpers from your eBPF program, you can call a very few white-listed functions from the kernel, but you cannot call just any function from the kernel at this time. Some functions that do not depend on your kernel's internals may be reimplemented in your program, though.

1 Comment

Hi Qeole, you are right, it works now. The error is another one, not because of the update. Thanks.
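
Why "initialise the whole struct" in the answer points at `memset` rather than at assigning each member, as an added userspace example (not code from the question or the answer): it models which bytes of `struct my_value` each initialisation style writes and reports the first byte left unwritten. `uint64_t` stands in for the kernel's `u64`, and the `init_style` names and the `STORE` macro are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Value type from the question; uint64_t stands in for the kernel's u64. */
struct my_value {
    uint64_t ts;
    unsigned char opcode;
    unsigned int pages;
    pid_t pid;
};

#define VAL_SIZE sizeof(struct my_value)
/* Model a store to one member: mark exactly the bytes that member occupies. */
#define STORE(map, f) memset((map) + offsetof(struct my_value, f), 1, \
                             sizeof(((struct my_value *)0)->f))

enum init_style { ONLY_PAGES, EVERY_FIELD, MEMSET_FIRST }; /* names are this example's own */

/* Per-byte "written" map for one way of initialising the value on the stack. */
static void written_map(enum init_style style, unsigned char *map)
{
    /* memset(&e, 0, sizeof(e)) writes every byte, padding included */
    memset(map, style == MEMSET_FIRST, VAL_SIZE);
    STORE(map, pages);         /* e.pages = 10; */
    if (style == EVERY_FIELD) {
        STORE(map, ts); STORE(map, opcode); STORE(map, pid);
    }
}

/* Offset of the first byte never written, or -1 if the whole value is covered. */
long first_unwritten(enum init_style style)
{
    unsigned char map[VAL_SIZE];
    written_map(style, map);
    for (size_t i = 0; i < VAL_SIZE; i++)
        if (!map[i]) return (long)i;
    return -1;
}

int main(void)
{
    printf("only pages:   %ld\n", first_unwritten(ONLY_PAGES));
    printf("every field:  %ld\n", first_unwritten(EVERY_FIELD));
    printf("memset first: %ld\n", first_unwritten(MEMSET_FIRST));
    return 0;
}
```

Assigning every member still leaves the compiler's padding after `opcode` unwritten, so only the `memset` style covers all `sizeof(struct my_value)` bytes that are handed to `bpf_map_update_elem()`.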
