From b18243c94aa3838f7fab8ca7dd47c06dfe41da58 Mon Sep 17 00:00:00 2001
From: li-long315 <lilong@kylinos.cn>
Date: Fri, 16 Jun 2023 20:03:28 +0800
Subject: [PATCH] Loop processing events and Add BPF program to monitor
 upprobes

---
 observation/src/threadsnoop/threadsnoop.bpf.c | 27 +++++++++++++++++++
 observation/src/threadsnoop/threadsnoop.c     | 10 +++++++
 2 files changed, 37 insertions(+)
 create mode 100644 observation/src/threadsnoop/threadsnoop.bpf.c

diff --git a/observation/src/threadsnoop/threadsnoop.bpf.c b/observation/src/threadsnoop/threadsnoop.bpf.c
new file mode 100644
index 00000000..2b0ce80a
--- /dev/null
+++ b/observation/src/threadsnoop/threadsnoop.bpf.c
@@ -0,0 +1,27 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+#include "vmlinux.h"
+#include <bpf/bpf_core_read.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_helpers.h>
+#include "threadsnoop.h"
+#include "compat.bpf.h"
+
+SEC("uprobe")
+int BPF_KPROBE(pthread_create, void *arg1, void *arg2, void *(*start)(void *))
+{
+	struct event *event;
+
+	event = reserve_buf(sizeof(*event));
+	if (!event)
+		return 0;
+
+	event->pid = bpf_get_current_pid_tgid() >> 32;
+	bpf_get_current_comm(&event->comm, sizeof(event->comm));
+	event->function_addr = (__u64)start;
+	submit_buf(ctx, event, sizeof(*event));
+
+	return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";
+
diff --git a/observation/src/threadsnoop/threadsnoop.c b/observation/src/threadsnoop/threadsnoop.c
index 90a090a1..92b0ea1b 100644
--- a/observation/src/threadsnoop/threadsnoop.c
+++ b/observation/src/threadsnoop/threadsnoop.c
@@ -200,6 +200,16 @@ int main(int argc, char *argv[])
 	}
 	
 	printf("%-10s %-6s %-16s %s\n", "TIME(ms)", "PID", "COMM", "FUNC");
+        
+	while (!exiting) {
+		err = bpf_buffer__poll(buf, POLL_TIMEOUT_MS);
+		if (err < 0 && err != -EINTR) {
+			warning("Error polling ring/perf buffer: %d\n", err);
+			goto cleanup;
+		}
+		/* reset err to 0 when exiting */
+		err = 0;
+	}
 
 cleanup:
 	bpf_buffer__free(buf);
-- 
Gitee