fix "failed to parse ringbuf skbdata" and oom killed #6
Conversation
There was a problem hiding this comment.
I opened another pr #7 to fix the same issue.
The root cause is bpf didn't get has_mac correctly: __dev_queue_xmit doesn't reset skb->mac_header until https://elixir.bootlin.com/linux/v6.8/source/net/core/dev.c#L4267 is executed. The new fix takes that into consideration by comparing skb->network_header to skb->mac_header to make sure we won't read uninitialized skb->mac_header (0xffff).
Also I want to explain why I split skb_data from event: skb_data may have variable length (skb->data_end - skb->data), always transmitting a fixed length from bpf kernel to userspace is no doubt a waste of resource. The design can be seen as HTTP header Content-Length followed by payload of variable length, I believe this is a way more efficient to pass data.
Feel free to ask questions and review #7. Appreciate your contribution, let me treat you to a dinner next time we meet 😋
|
@jschwinger233 got it. thanks for your explain. |
before:
sudo ./ktcpdump -v -i '__dev_queue_xmit+*' -d /usr/lib/debug/boot/vmlinux-`uname -r` 'dst host 1.1.1.1 and icmp'ping 1.1.1.1failed to parse ringbuf skbdataand killed by system due to oom.after:
without
failed to parse ringbuf skbdata, no longer killed due to oom.