
Is there a way to increase the eBPF stack size? I am getting the `Looks like the BPF stack limit of 512 bytes is exceeded. Please move large on stack variables into BPF per-cpu array map.` error. Is there an eBPF helper function or command that I can use to increase the size of the stack so I won't get this error?

On this page, it says this, but it was posted some time ago; I wonder if there is any workaround for this limitation:

> Currently, no. The stack size is limited to 512 bytes, and there is no kmalloc style dynamic allocation inside the bpf program either. One way you could try is with per-cpu map with value size of 4k and fill in the 4k map value and submit it with the map value. But I never tried this before.

This is my eBPF program

```c
#include <linux/bpf.h>
#include <linux/ptrace.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

struct {
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
    __type(key, long);
    __type(value, long);
    __uint(max_entries, 1024);
} tcp_map SEC(".maps");

struct buffer2
{
    char buffer[1024];
};

SEC("kprobe/__sys_sendto")
int bpf_prog3(struct pt_regs *ctx)
{
    /* 300 + 1024 bytes of locals: this is what exceeds the 512-byte BPF stack */
    char buf[300];
    struct buffer2 buf1;

    int fd = (int)PT_REGS_PARM1(ctx);
    //char *ptr = (char *)PT_REGS_PARM2(ctx);
    //char *buffer = (char *)ptr;

    bpf_probe_read(buf1.buffer, 1023, (void *)PT_REGS_PARM2(ctx));
    bpf_trace_printk("[fd = %d]\n", sizeof("[fd = %d]\n"), fd);
    bpf_trace_printk("[buffer = %x]\n", sizeof("[buffer = %x]\n"), buf);
    long ptr3 = PT_REGS_PARM3(ctx);
    if (ptr3 > 0)
        bpf_trace_printk("***********************************************\n", sizeof("***********************************************\n"));
    /* size now matches the format string actually passed */
    bpf_trace_printk("[count = %ld]\n", sizeof("[count = %ld]\n"), ptr3);

    long *value;
    value = bpf_map_lookup_elem(&tcp_map, buf1.buffer);
    bpf_map_update_elem(&tcp_map, 0, &buf1, BPF_ANY);

    return 0;
}
```

I would like to read 1024 bytes from function parameter two using `bpf_probe_read(buf1.buffer,1023,(void *)PT_REGS_PARM2(ctx))` and then share the `buf1` struct object to userspace in this trace.

Hedam
user786
  • `on this page it says` What page? You didn't include a link. – pchaigno Jan 31 '22 at 13:03
  • Does this answer your question? [eBPF, track values longer than stack size?](https://stackoverflow.com/questions/53627094/ebpf-track-values-longer-than-stack-size) – pchaigno Jan 31 '22 at 13:05
  • https://github.com/iovisor/bcc/issues/1650#issuecomment-376220822 -> This is still valid. The limit [is still 512 bytes](https://elixir.bootlin.com/linux/v5.16/source/include/linux/filter.h#L85), and `kmalloc()`-like helpers are not here yet. Per-CPU arrays are likely the solution you're looking for, as described in pchaigno's answer. – Qeole Jan 31 '22 at 19:48
  • @Qeole well I am not using bcc. Using libbpf – user786 Feb 01 '22 at 03:23
  • It's not a limitation of bcc. It's a limitation of the kernel. – pchaigno Feb 01 '22 at 09:09

1 Answer

I will answer this question with newer information for those finding this via a search engine.

Yesterday, the LLVM infrastructure introduced the possibility of overriding the BPF stack size with the `-mllvm -bpf-stack-size <stack size>` flag. As such, you can now compile BPF ELF binaries with a larger stack.

However, for completeness, the increased stack will not work for BPF programs loaded into the kernel. The increased stack size is targeted at non-kernel uses.

Hedam
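
For programs loaded into the kernel, the per-CPU array approach that the comments point to can look like the following. This is an added example, not code from the thread: a one-slot per-CPU array holds the 1024-byte buffer so nothing large sits on the stack. The names `scratch_map`, `struct scratch` and `capture_sendto`, the build line, and the host stand-ins in the `#else` branch are assumptions of this example; `bpf_probe_read_user` replaces the question's `bpf_probe_read` because the source is a user-space pointer.

```c
#ifdef __bpf__   /* assumed build: clang -O2 -g -target bpf -D__TARGET_ARCH_x86 -c */
#include <linux/bpf.h>
#include <linux/ptrace.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#else            /* constructed host stand-ins so the logic can be tested off-kernel */
#include <string.h>
struct pt_regs { unsigned long si, dx; };
#define PT_REGS_PARM2(c) ((c)->si)
#define PT_REGS_PARM3(c) ((c)->dx)
#define SEC(name)
#define __uint(n, v) int (*n)[v]
#define __type(n, t) t *n
#define BPF_MAP_TYPE_PERCPU_ARRAY 6
static unsigned long host_slot[256];   /* plays the role of this CPU's map value */
#define bpf_map_lookup_elem(m, k) ((void)(m), (void)(k), (void *)host_slot)
#define bpf_probe_read_user(d, n, s) (memcpy((d), (s), (n)), 0L)
#endif

#define SCRATCH_SZ 1024
struct scratch {
    unsigned int len;            /* bytes valid in data[] */
    char data[SCRATCH_SZ];       /* lives in the map, not on the 512-byte stack */
};

struct {
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
    __uint(max_entries, 1);
    __type(key, unsigned int);   /* array maps require a 4-byte key */
    __type(value, struct scratch);
} scratch_map SEC(".maps");

char LICENSE[] SEC("license") = "GPL";

SEC("kprobe/__sys_sendto")
int capture_sendto(struct pt_regs *ctx)
{
    unsigned int zero = 0;
    struct scratch *s = bpf_map_lookup_elem(&scratch_map, &zero);
    if (!s)                      /* the verifier rejects an unchecked lookup */
        return 0;
    unsigned long len = PT_REGS_PARM3(ctx);
    if (len > SCRATCH_SZ)        /* clamp so the copy is provably in bounds */
        len = SCRATCH_SZ;
    s->len = len;
    if (bpf_probe_read_user(s->data, len, (void *)PT_REGS_PARM2(ctx)))
        s->len = 0;              /* read faulted: mark the slot empty */
    return 0;
}
```

When user space looks up key 0 in a per-CPU array it receives one `struct scratch` per possible CPU, so the reader has to walk all of them.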