1. Patchew
  2. linux
  3. [RFC PATCH bpf-next v3 0/3] Upgrading uprobe and kprobe to their `multi` counterparts.
  4. View patch

[RFC PATCH bpf-next v3 2/3] libbpf: Add FEAT_KPROBE_MULTI_LINK feature probe.

Varun R Mallya posted 3 patches 12 hours ago
[RFC PATCH bpf-next v3 2/3] libbpf: Add FEAT_KPROBE_MULTI_LINK feature probe.
Posted by Varun R Mallya 12 hours ago 
Add FEAT_KPROBE_MULTI_LINK, similar to UPROBE_MULTI_LINK
by loading and creating a link for a small BPF program with
BPF_TRACE_KPROBE_MULTI as the expected attach type, and
then checking the success of the operation.

Signed-off-by: Varun R Mallya <varunrmallya@gmail.com>
---
 tools/lib/bpf/features.c        | 38 +++++++++++++++++++++++++++++++++
 tools/lib/bpf/libbpf_internal.h |  2 ++
 2 files changed, 40 insertions(+)

diff --git a/tools/lib/bpf/features.c b/tools/lib/bpf/features.c
index 4f19a0d79b0c..01ded8a1e3c4 100644
--- a/tools/lib/bpf/features.c
+++ b/tools/lib/bpf/features.c
@@ -424,6 +424,41 @@ static int probe_uprobe_multi_link(int token_fd)
 	return link_fd < 0 && err == -EINVAL;
 }
 
+static int probe_kprobe_multi_link(int token_fd)
+{
+	LIBBPF_OPTS(bpf_prog_load_opts, load_opts,
+		    .expected_attach_type = BPF_TRACE_KPROBE_MULTI,
+		    .token_fd = token_fd,
+		    .prog_flags = token_fd ? BPF_F_TOKEN_FD : 0,
+	);
+	LIBBPF_OPTS(bpf_link_create_opts, link_opts);
+	struct bpf_insn insns[] = {
+		BPF_MOV64_IMM(BPF_REG_0, 0),
+		BPF_EXIT_INSN(),
+	};
+	int prog_fd, link_fd, err;
+	const char *sym = "bpf_map_lookup_elem"; /* stable, always present */
+
+	prog_fd = bpf_prog_load(BPF_PROG_TYPE_KPROBE, NULL, "GPL",
+				insns, ARRAY_SIZE(insns), &load_opts);
+	if (prog_fd < 0)
+		return -errno;
+
+	/* attaching to a valid symbol should succeed */
+	link_opts.kprobe_multi.syms = &sym;
+	/* MAX_KPROBE_MULTI_CNT is defined as (1U << 20) in kernel/trace/bpf_trace.c,
+	 * so we create one more than the allowed limit to make it fail with E2BIG.
+	 */
+	link_opts.kprobe_multi.cnt = (1U << 20) + 1;
+	link_fd = bpf_link_create(prog_fd, -1, BPF_TRACE_KPROBE_MULTI, &link_opts);
+	err = -errno;
+	if (link_fd >= 0)
+		close(link_fd);
+	close(prog_fd);
+	/* Fails with E2BIG on kernels where kprobe_multi is supported */
+	return link_fd <= 0 && err == -E2BIG;
+}
+
 static int probe_kern_bpf_cookie(int token_fd)
 {
 	struct bpf_insn insns[] = {
@@ -699,6 +734,9 @@ static struct kern_feature_desc {
 	[FEAT_BTF_LAYOUT] = {
 		"kernel supports BTF layout", probe_kern_btf_layout,
 	},
+	[FEAT_KPROBE_MULTI_LINK] = {
+		"BPF multi-kprobe link support", probe_kprobe_multi_link,
+	},
 };
 
 bool feat_supported(struct kern_feature_cache *cache, enum kern_feature_id feat_id)
diff --git a/tools/lib/bpf/libbpf_internal.h b/tools/lib/bpf/libbpf_internal.h
index cabdaef79098..b3cb216aadae 100644
--- a/tools/lib/bpf/libbpf_internal.h
+++ b/tools/lib/bpf/libbpf_internal.h
@@ -398,6 +398,8 @@ enum kern_feature_id {
 	FEAT_UPROBE_SYSCALL,
 	/* Kernel supports BTF layout information */
 	FEAT_BTF_LAYOUT,
+	/* BPF multi-kprobe link support */
+	FEAT_KPROBE_MULTI_LINK,
 	__FEAT_CNT,
 };
 
-- 
2.53.0
Re: [RFC PATCH bpf-next v3 2/3] libbpf: Add FEAT_KPROBE_MULTI_LINK feature probe.
Posted by bot+bpf-ci@kernel.org 12 hours ago 
> diff --git a/tools/lib/bpf/features.c b/tools/lib/bpf/features.c
> index 4f19a0d79b0c..01ded8a1e3c4 100644
> --- a/tools/lib/bpf/features.c
> +++ b/tools/lib/bpf/features.c
> @@ -424,6 +424,41 @@ static int probe_uprobe_multi_link(int token_fd)
>  	return link_fd < 0 && err == -EINVAL;
>  }
>
> +static int probe_kprobe_multi_link(int token_fd)
> +{

[ ... ]

> +	/* attaching to a valid symbol should succeed */

The operation is designed to fail with E2BIG (the count is intentionally
set above MAX_KPROBE_MULTI_CNT). Should this comment say something like
"use a stable, always-present symbol" instead? As written, it reads like
the attach is expected to succeed, which contradicts the comment two
lines below about making it fail.

> +	link_opts.kprobe_multi.syms = &sym;
> +	/* MAX_KPROBE_MULTI_CNT is defined as (1U << 20) in kernel/trace/bpf_trace.c,
> +	 * so we create one more than the allowed limit to make it fail with E2BIG.
> +	 */
> +	link_opts.kprobe_multi.cnt = (1U << 20) + 1;
> +	link_fd = bpf_link_create(prog_fd, -1, BPF_TRACE_KPROBE_MULTI, &link_opts);
> +	err = -errno;
> +	if (link_fd >= 0)
> +		close(link_fd);
> +	close(prog_fd);
> +	/* Fails with E2BIG on kernels where kprobe_multi is supported */
> +	return link_fd <= 0 && err == -E2BIG;
                    ^^^^

Should this be "link_fd < 0" rather than "link_fd <= 0"?  The
reference function probe_uprobe_multi_link() just above uses
"link_fd < 0 && err == -EINVAL" for the same pattern.  fd 0 is
a valid file descriptor, so "<= 0" treats a successful fd 0 as
a failure.  In practice bpf_link_create() goes through
ensure_good_fd() which dup's fds below 3, so fd 0 cannot be
returned, but the check is still inconsistent with the
existing code pattern.

> +}

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/23947048141

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.