How to make BPF program which is attached to kprobe keep working after process exits?

Junyeong Jeong esrse.jeong at gmail.com
Sat May 15 02:55:53 EDT 2021


Hello :)

My BPF program is loaded by `bpf_load_program_xattr` of `libbpf` and
then attached to kprobe event using `perf_event_open`,
`ioctl(PERF_EVENT_IOC_SET_BPF)` and `ioctl(PERF_EVENT_IOC_ENABLE)`.
Then the BPF program is working as I expected.

And I wanted to make the BPF program keep working even though the
userspace process exits. So I pinned it using `bpf_obj_pin()`.

But unfortunately the BPF program is never called after the userspace
process exits.

I discovered the cause of the failure. The file descriptor of perf event
is automatically closed when userspace process exits so objects related
to perf event get destroyed.

So I tried to find how to pin the fd of perf event, but I got to know
that only BPF programs, BPF maps and BPF links are subject to pin.

How can I make my BPF program which is attached to kprobe keep working
after userspace process exits?

regards,
  Junyeong



More information about the Kernelnewbies mailing list