Changes

Summary

  1. Fix ELF ABI and endianness checks for powerpc64
  2. bcc: Use bpf_probe_read_user in tools and provide backward compatibility
  3. bcc: Use direct parameter assignment for syscall probe s390.
  4. bcc/tools: Introduce bpf_probe_read_user to the tools.
  5. bcc/docs: Add bpf_probe_read_user to docs and tutorials
  6. bcc/utils: Avoid code duplication of __generate_streq_function
  7. bcc: Add __user attribute to support bpf_probe_read_user in argdist
  8. bcc: Support bpf_probe_read_user in trace.py
  9. bcc/libbpf: Fix bpf_has_kernel_btf return status
  10. Add perf event data collection example for an userspace application (#2888)
  11. Update INSTALL.md
  12. USDT: make path failure message more explicit
  13. add nfs v3 support to nfsdist.py (#2902)
  14. Bug #2907 - Fix argdist filtering option for USDT probes
  15. add -fPIC to compile examples/cpp and tests/cc
  16. libbpf-tools: convert BCC vfsstat to BPF CO-RE version
  17. Fix github actions tests
  18. tools/dirtop: Adding dirtop utility (#2819)
  19. libbpf-tools: add CO-RE execsnoop
  20. sync with latest libbpf
  21. Fix KFUNC_PROBE return value
  22. libbcc-py: Fix libbpf types
  23. bcc/tools: fix typo in help message
  24. tools: add filtering by mount namespace
  25. Spelling
  26. tool: trace process termination by default
  27. bcc: Error out when bpf_probe_read_user is not present
  28. bcc/tools: Replace bpf_probe_read with bpf_probe_read_kernel
  29. bcc: Fix user space probe reads with bpf_probe_read_user
  30. bcc/libbpf-tools: Replace bpf_probe_read with bpf_probe_read_kernel.
  31. bcc/libbpf-tools: Fix user probe read references
  32. bcc/docs: Replace bpf_probe_read with bpf_probe_read_kernel
  33. bcc: Check probe read availabilty and use macros
  34. bcc: Remove bpf_probe_read_user availability checks on compile time
  35. fix: avoid -Wsign-compare warnings
  36. Add arg for filtering on signal
  37. Update man page and example file
  38. Fix example indent
  39. Make examples consistent
  40. return failure if rewriter cannot rewrite properly
  41. Allow to specify kernel include dirs
  42. Adding support to load lsm programs
  43. Make reading blacklist from debugfs optional
  44. offwaketime: Add support for --state (#2940)
  45. libbpf-tools: convert BCC syscount to BPF CO-RE version
  46. tools: Add funcinterval bcc tool.
  47. libbpf-tools: add CO-RE cpudist
  48. silence a python travis-ci warning
  49. Docker: add kmod dependency to docker container
  50. turn off x86 jump table optimization during jit compilation
  51. Fix runqslower to indicate that the latency param is in microseconds.
  52. usdt: Add helpers to set semaphore values
  53. usdt: Have Context::addsem_probe() nop if pid not specified
  54. Add support for multiple PID/TID for offwaketime (#2951)
  55. fix: encode path to bytes in python3
  56. tools/opensnoop: Fix compilation problem
  57. libbpf-tools: refactor, move public methods to trace_helpers.c
  58. deadlock: print a more explicit message when pthread_mutex_unlock can't be attached
  59. man: remove non-existent -x argument from tcpconnect man page
  60. loader: suggest to install the right kernel devel package
  61. tools: fix a python 3 map issue in dbstat and dbslower
  62. Fix typos in kretfunc documentation
  63. Explicitly use NULL macro in pointer value check (#2965)
  64. dbstat: fix overflowing timestamp
  65. Add install steps for Alpine Linux
  66. sync with latest libbpf repo
  67. Add KBUILD_MODNAME flag to default cflags
  68. Delete existing kbuild_modname definitions
  69. sync with libbpf v0.0.9
  70. [BPFTable] clear_table_non_atomic: Remove duplicate macro
  71. fix LSM_PROBE return value
  72. API improvements for BPF LSM programs (#2979)
  73. Add LSM probe documentation (#2980)
  74. prepare for release v0.15.0
  75. libbpf-tools: remove unnecessary header include from syscount.bpf.c
  76. Add missing LSM cleanup hook
  77. bpf: use bpf_probe_read in implicitly generated kernel mem read
  78. Fix kernel version for ringbuf and add ringbuf to maps table
  79. libbpf-tools: add CO-RE bitesize
  80. tools/profile: fix suggestion about when to increase stack-storage-size
  81. Fix KFUNC_PROBE calls in vfs_stat.py by adding a return value (#2990)
  82. Ringbuf Support for Python API (#2989)
  83. Introducing Queue/Stack helpers and clang frontend
  84. add BPFQueueStackTable and tests
  85. sync with latest libbpf repo
  86. valloc and pvalloc is deprecated in bionic on Android
  87. Fix symfs symbol resolution
  88. docs: Add BPF LSM hook to kernel features
  89. docs: Update XDP driver support list
  90. docs: add RISC-V to the JIT support list
  91. add the option --hexdump to sslsniff to allow sniffing of binary protocols inside TLS/SSL connections
  92. fix examples in sslsniff.py
  93. reformat code, add new option to manpage and usage in sslsniff_example.txt
  94. example block of --hexdump in sslsniff_example.txt
  95. docs: fix Ubuntu Eoan spelling
  96. Replace kprobe function "blk_account_io_completion" to "blk_account_io_done" for kernel version >= 5.8.0
  97. memleak: Add workaround to alleviate misjudgments when free is missing
  98. sync with latest libbpf
  99. libbpf-tools: add header to store BPF-side map helpers
  100. libbpf-tools: fix an error message
  101. libbpf-tools: convert BCC tcpconnect to BPF CO-RE version
  102. Add .lazy_symbolize field to bcc_symbol_option and add ignored fields to perf_event_attr
  103. Add Python API and documentation for Queue/Stack Tables (#3013)
  104. use bpf_probe_read_kernel for implicit kernel mem read on s390
  105. fix cc queue/stack test kernel version
  106. fix debug file lookup in bcc_elf_symbol_str
  107. update reference_guide for implicit kmem access rewriting
  108. libbpf-tools: add CO-RE biolatency
Commit d2e8ea47352e36f63a9dda281c00fadeb87e890a by yonghong-song
Fix ELF ABI and endianness checks for powerpc64

Earlier, it was assumed that ELF ABI v2 is used only on
little-endian powerpc64 environments but it seems this
ABI can be used independently of endianness.

It is expected that any C preprocessor that conforms to
the ELF ABI v2 specification must predefine the _CALL_ELF
macro and set its value to 2.

Instead of looking at __BYTE_ORDER__ to determine whether
to use the Local Entry Point (LEP) of symbols, one should
look at the _CALL_ELF macro instead as this is ABI-related.

Similarly, _CALL_ELF should be used only for determining
the ABI version and not the endianness.

Reported-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Fixes: bbd4180c ("Fix uprobes on powerpc64")
Fixes: 10869523 ("clang: Add support to build eBPF for user specified ARCH")
Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
The file was modified: src/cc/bcc_elf.c
The file was modified: src/cc/bcc_syms.h
The file was modified: src/cc/frontends/clang/arch_helper.h
The file was modified: src/cc/bcc_syms.cc
The file was modified: tests/cc/test_c_api.cc
Commit 264b2ccf4e42f7f1b9abb89fb320d0467c509e37 by sumanthk
bcc: Use bpf_probe_read_user in tools and provide backward compatibility

s390 has overlapping address space for user and kernel. Hence separation of
bpf_probe_read_user and bpf_probe_read_kernel is essential. Commit 6ae08ae3dea2
("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str
helpers") introduced these changes into the kernel. However, bcc tools do not
respect it.

As a workaround, perform the following:
1. Use bpf_probe_read_user() explicitly in the bcc tools.
2. When kernel version < 5.5, perform the checks if the
   bpf_probe_read_user kernel helper is present in the backported kernel
   as well. If not found, then fall back from bpf_probe_read_user to
   bpf_probe_read.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
The file was modified: src/cc/frontends/clang/b_frontend_action.cc
The file was modified: tools/ttysnoop.py
The file was modified: src/cc/export/helpers.h
Commit ac157b474b2e2964ec2cba81574f2bddbd62b42b by sumanthk
bcc: Use direct parameter assignment for syscall probe s390.

1. Commit fa697140f9a2 ("syscalls/x86: Use 'struct pt_regs' based
   syscall calling convention for 64-bit syscalls") changed the raw
   parameter passed to the syscall entry function from a list of
   parameters supplied in user space to a single `pt_regs *` parameter
   (ARCH_HAS_SYSCALL_WRAPPER)

2. But ARCH_HAS_SYSCALL_WRAPPER in s390 is not used for that purpose.
   See commit a18f03cd89e9 ("s390: autogenerate compat syscall
   wrappers")

3. Use direct parameter assignment assumption for s390 syscall probe
   instead.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
The file was modified: src/cc/frontends/clang/b_frontend_action.cc
Commit 023154c7708087ddf6c2031cef5d25c2445b70c4 by sumanthk
bcc/tools: Introduce bpf_probe_read_user to the tools.

This is essential for architectures which do have overlapping address space.
- bpf_probe_read_kernel() shall be used for reading data from kernel space
  to the bpf vm.
- bpf_probe_read_user() shall be used for reading data from user space
  to the bpf vm.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
The file was modified: examples/cpp/RecordMySQLQuery.cc
The file was modified: tools/mountsnoop.py
The file was modified: examples/tracing/strlen_snoop.py
The file was modified: examples/lua/bashreadline.c
The file was modified: tools/sslsniff.py
The file was modified: tools/bashreadline.py
The file was modified: tools/biosnoop.py
The file was modified: examples/tracing/mysqld_query.py
The file was modified: tools/funcslower.py
The file was modified: tools/lib/uthreads.py
The file was modified: examples/tracing/strlen_count.py
The file was modified: examples/lua/strlen_count.lua
The file was modified: tools/lib/uflow.py
The file was modified: tools/biosnoop.lua
The file was modified: tools/gethostlatency.py
The file was modified: tools/dbslower.py
The file was modified: tools/mysqld_qslower.py
The file was modified: tools/opensnoop.py
The file was modified: tools/lib/ucalls.py
The file was modified: tools/lib/ugc.py
The file was modified: tools/execsnoop.py
The file was modified: tools/lib/uobjnew.py
The file was modified: tools/statsnoop.py
The file was modified: examples/lua/usdt_ruby.lua
The file was modified: examples/tracing/nodejs_http_server.py
Commit aa3a4a6f7c6d59ede1598bc54fb9c83d8ad1f776 by sumanthk
bcc/docs: Add bpf_probe_read_user to docs and tutorials

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
The file was modified: docs/tutorial_bcc_python_developer.md
The file was modified: docs/reference_guide.md
Commit 99739b2aa214984b783f61e4bcb3754eda876c1b by sumanthk
bcc/utils: Avoid code duplication of __generate_streq_function

bcc tools like trace.py and argdist.py use _generate_streq_function()
functions to convert char * read to bpf_probe_read/bpf_probe_read_user.
Refactor it and move the common functionality to utils.py.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: src/python/bcc/utils.py
The file was modified: src/python/bcc/__init__.py
Commit 306080b9c6370974b0e11ed6bbe47f086c42d7ac by sumanthk
bcc: Add __user attribute to support bpf_probe_read_user in argdist

argdist traces probe functions and their parameter values.

Add functionality to convert:
- All userspace probes char * read to bpf_probe_read_user()
- Syscall/kprobes char* params with __user attribute to bpf_probe_read_user()

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: tools/argdist.py
The file was modified: tools/argdist_example.txt
Commit 7cbd074cb5af6b82f53a5de9936ffaa74fea00f0 by sumanthk
bcc: Support bpf_probe_read_user in trace.py

Arguments of a probe point can be either user pointer or kernel
pointer.

Previously:
- tools/trace.py 'do_sys_open "%s", arg2'
  When reading arg2 as char *, it would resolve to bpf_probe_read.

Now:
- tools/trace.py 'do_sys_open "%s", arg2@user'
  - When reading arg2 as char *, it is resolved to bpf_probe_read_user.
- tools/trace.py 'do_sys_open (STRCMP("test.txt", arg2@user)) "%s", arg2'
  - For arg2 char * read, bpf_probe_read_user is utilized

To distinguish this, add arg@user.
- All userspace probes char *read converted to bpf_probe_read_user
- Syscall/kprobes with arg[1-6]@user attribute are converted to
  bpf_probe_read_user.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: tools/trace_example.txt
The file was modified: tools/trace.py
Commit 09be5b50c1168c2796786029fa159c63f71e2936 by sumanthk
bcc/libbpf: Fix bpf_has_kernel_btf return status

bool returns True for negative integers. Hence bcc tools
try to switch to kfunc instead of kprobes, even when the
btf data is not found.

For libbpf_find_vmlinux_btf_id, when err <= 0, btf is not found.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: src/cc/libbpf.c
Commit 59a753da82f9eab628a5506822a6ff16a6912a88 by noreply
Add perf event data collection example for an userspace application (#2888)

* Add perf event data collection example for an userspace application
* Add comments for potential issues in perf_event example
The file was added: examples/perf/ipc.py
The file was modified: INSTALL.md
Commit 0d93f24ce8f9ee273151acd117a612da00c4d632 by yonghong-song
USDT: make path failure message more explicit

Make it clear which file the USDT runtime fails to find and suggest a
fix.
The file was modified: examples/usdt_sample/usdt_sample.md
The file was modified: src/cc/usdt/usdt.cc
Commit a433ef9451f187541012354cf6a2f4cf67646e11 by noreply
add nfs v3 support to nfsdist.py (#2902)

add nfs v3 support to nfsdist.py

Co-authored-by: sabbene <sabbene@sabbene.nvidia.com>
The file was modified: tools/nfsdist.py
Commit b8269aac2130c9cfd6f18b211b5b2af570edbe76 by yonghong-song
Bug #2907 - Fix argdist filtering option for USDT probes
The file was modified: tools/argdist.py
Commit 0d87484b724e3f20d03c49a48e356e6fd1533c68 by yonghong-song
add -fPIC to compile examples/cpp and tests/cc

I use clang-8.0.1 and gcc-8.3.1 to compile bcc-0.8.1,
without -fPIC, will get errors like this:
/usr/bin/ld: CMakeFiles/test_libbcc.dir/test_libbcc.cc.o: relocation
R_X86_64_32S against symbol `_ZTVN5Catch21LegacyReporterAdapterE' can
not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: CMakeFiles/test_libbcc.dir/test_c_api.cc.o: relocation
R_X86_64_32 against `.rodata.str1.1' can not be used when making a PIE
object; recompile with -fPIC
/usr/bin/ld: CMakeFiles/CGroupTest.dir/CGroupTest.cc.o: relocation
R_X86_64_32 against `.rodata.str1.8' can not be used when making a PIE
object; recompile with -fPIC

Signed-off-by: Chunmei Xu <xuchunmei@linux.alibaba.com>
The file was modified: examples/cpp/CMakeLists.txt
The file was modified: tests/cc/CMakeLists.txt
Commit 46947c5d4575853ca7ddfc695b53d83c824278e4 by yonghong-song
libbpf-tools: convert BCC vfsstat to BPF CO-RE version

Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
The file was modified: libbpf-tools/Makefile
The file was added: libbpf-tools/vfsstat.c
The file was added: libbpf-tools/vfsstat.bpf.c
The file was modified: libbpf-tools/.gitignore
The file was added: libbpf-tools/vfsstat.h
Commit c6342d23e48ae03df78f7c716f55e6ff14e5169b by yonghong-song
Fix github actions tests

Github actions are failing because the docker image used for testing is based
on Ubuntu 19.04, which is EOL now. This commit downgrades the version used for
testing to 18.04, which is LTS. It also installs the "util-linux" package that
includes the "unshare" command.

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
The file was modified: Dockerfile.tests
Commit 8c12794214bf906089f972676eb065e618d581af by noreply
tools/dirtop: Adding dirtop utility (#2819)

This tool is about reporting IOs per directory.
That's a clone of filetop but works in a different way:
- the user specifies a set of globs to select a list of directories to watch
- dirtop extracts the inode_id of the selected directories
- the bpf program receives the list of top directories to consider
- when vfs_{read|write} occurs, the bpf program checks
  if one of the parents is part of the list we search for
- if it matches, the io is accounted

On the python side, the program will reconcile IOs per directory and print stats.

While filetop lists the programs and filename, dirtop only lists the directory name.

A typical usage looks like:

[root@host]: dirtop.py -d '/hdfs/uuid/*/yarn'
14:56:33 loadavg: 52.21 48.81 37.78 53/2721 28720

READS  WRITES R_Kb     W_Kb     PATH
36821  7632   238219   149183   /hdfs/uuid/d04fccd8-bc72-4ed9-bda4-c5b6893f1405/yarn
20823  2      196290   3        /hdfs/uuid/b94cbf3f-76b1-4ced-9043-02d450b9887c/yarn
16059  12064  109748   85778    /hdfs/uuid/250b21c8-1714-45fe-8c08-d45d0271c6bd/yarn
14128  20360  106287   81440    /hdfs/uuid/4a833770-767e-43b3-b696-dc98901bce26/yarn
15883  4991   86014    82075    /hdfs/uuid/0cc3683f-4800-4c73-8075-8d77dc7cf116/yarn
11182  4485   28834    116917   /hdfs/uuid/7d512fe7-b20d-464c-a75a-dbf8b687ee1c/yarn
11848  7810   103139   31240    /hdfs/uuid/2c6a7223-cb18-4916-a1b6-8cd02bda1d31/yarn
10418  1272   114842   18       /hdfs/uuid/76dc0b77-e2fd-4476-818f-2b5c3c452396/yarn
10066  6630   93969    20218    /hdfs/uuid/c11da291-28de-4a77-873e-44bb452d238b/yarn
13648  15453  39450    53744    /hdfs/uuid/99c178d5-a209-4af2-8467-7382c7f03c1b/yarn
9509   2049   31363    48219    /hdfs/uuid/a78f846a-58c4-4d10-a9f5-42f16a6134a0/yarn
8112   2178   13765    63479    /hdfs/uuid/bf829d08-1455-45b8-81fa-05c3303e8c45/yarn
4327   0      37544    0        /hdfs/uuid/fada8004-53ff-48df-9396-165d8e42925b/yarn
2238   2742   72       50       /hdfs/uuid/b3b2a2ed-f6c1-4641-86bf-2989dd932411/yarn
3716   0      47       0        /hdfs/uuid/8138a53b-b942-44d3-82df-51575f1a3901/yarn

Signed-off-by: Erwan Velu <e.velu@criteo.com>

Co-authored-by: Erwan Velu <e.velu@criteo.com>
The file was modified: README.md
The file was added: tools/dirtop_example.txt
The file was added: man/man8/dirtop.8
The file was added: tools/dirtop.py
Commit fa8142e39a65b626309fe01e5024c9886b7a5059 by yonghong-song
libbpf-tools: add CO-RE execsnoop
The file was added: libbpf-tools/execsnoop.c
The file was added: libbpf-tools/execsnoop.h
The file was modified: libbpf-tools/.gitignore
The file was modified: libbpf-tools/Makefile
The file was added: libbpf-tools/execsnoop.bpf.c
Commit 74e66b4f6730e0708f97150ac23d5951c5684ff8 by yonghong-song
sync with latest libbpf

Sync with latest libbpf repo. Update virtual_bpf.h,
helpers.h, docs, etc.

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified: src/cc/libbpf
The file was modified: src/cc/libbpf.c
The file was modified: docs/kernel-versions.md
The file was modified: src/cc/export/helpers.h
The file was modified: src/cc/compat/linux/virtual_bpf.h
Commit 44e0f43eeac53648adb4734862f9b36d80853420 by yonghong-song
Fix KFUNC_PROBE return value

The KFUNC_PROBE macro is using "void" as the return type; this is causing problems
in some tools that have filtering enabled that returns 0.

Reproducer: (Notice that it requires BTF support)

```
$ python opensnoop.py --pid 5
/virtual/main.c:33:21: error: void function '____kretfunc__do_sys_open' should not return a value [-Wreturn-type]
    if (pid != 5) { return 0; }
                    ^      ~
1 error generated.
...
```

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
The file was modified: tools/klockstat.py
The file was modified: tools/opensnoop.py
The file was modified: src/cc/export/helpers.h
Commit 7722fc55f6c8a5ec1c16ba76f10db3b709af5d36 by yonghong-song
libbcc-py: Fix libbpf types

1ad2656a1d9c ("Add support_kfunc function to BPF object") added new functions
to libbcc-py but didn't set the restype and argtypes for those. It's causing
the `bpf_has_kernel_btf` function to return True in systems without support
for BTF, making tools like opensnoop, klockstat and any other using kfuncs
unusable in those systems.

The following Python script reproduces the problem:

```
from bcc import BPF
print(BPF.support_kfunc())
```

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
The file was modified: src/python/bcc/libbcc.py
Commit 104a5b8052a2c7743109b8d19351b66d218359d5 by yonghong-song
bcc/tools: fix typo in help message
The file was modified: tools/tcplife.py
Commit 32ab858309c84c23049715aaab936ce654ad5792 by yonghong-song
tools: add filtering by mount namespace

In previous patches, I added the option --cgroupmap to filter events
belonging to a set of cgroup-v2. Although this approach works fine with
systemd services and containers when cgroup-v2 is enabled, it does not
work with containers when only cgroup-v1 is enabled because
bpf_get_current_cgroup_id() only works with cgroup-v2. It also requires
Linux 4.18 to get this bpf helper function.

This patch adds an additional way to filter by containers, using mount
namespaces.

Note that this does not help with systemd services since they normally
don't create a new mount namespace (unless you set some options like
'ReadOnlyPaths=', see "man 5 systemd.exec").

My goal with this patch is to filter Kubernetes pods, even on
distributions with an older kernel (<4.18) or without cgroup-v2 enabled.

- This is only implemented for tools that already support filtering by
  cgroup id (bindsnoop, capable, execsnoop, profile, tcpaccept, tcpconnect,
  tcptop and tcptracer).

- I picked the mount namespace because the other namespaces could be
  disabled in Kubernetes (e.g. HostNetwork, HostPID, HostIPC).

It can be tested by following the example in docs/special_filtering added
in this commit. To avoid compiling locally, the following command can be used:

```
sudo bpftool map create /sys/fs/bpf/mnt_ns_set type hash key 8 value 4 \
  entries 128 name mnt_ns_set flags 0
docker run -ti --rm --privileged \
  -v /usr/src:/usr/src -v /lib/modules:/lib/modules \
  -v /sys/fs/bpf:/sys/fs/bpf --pid=host kinvolk/bcc:alban-containers-filters \
  /usr/share/bcc/tools/execsnoop --mntnsmap /sys/fs/bpf/mnt_ns_set

```

Co-authored-by: Alban Crequy <alban@kinvolk.io>
Co-authored-by: Mauricio Vásquez <mauricio@kinvolk.io>
The file was modified: man/man8/execsnoop.8
The file was modified: tools/execsnoop_example.txt
The file was modified: tools/tcpconnect.py
The file was modified: tools/profile.py
The file was modified: tools/tcptop.py
The file was modified: man/man8/tcpconnect.8
The file was modified: man/man8/capable.8
The file was modified: tools/bindsnoop_example.txt
The file was modified: tools/bindsnoop.py
The file was modified: tools/profile_example.txt
The file was modified: tools/execsnoop.py
The file was removed: docs/filtering_by_cgroups.md
The file was added: src/python/bcc/containers.py
The file was added: docs/special_filtering.md
The file was modified: man/man8/tcptracer.8
The file was modified: tools/tcpaccept.py
The file was modified: tools/tcptracer_example.txt
The file was modified: tools/opensnoop.py
The file was modified: man/man8/bindsnoop.8
The file was modified: tools/tcptop_example.txt
The file was modified: man/man8/profile.8
The file was modified: tools/tcpaccept_example.txt
The file was modified: man/man8/tcptop.8
The file was modified: tools/tcpconnect_example.txt
The file was modified: tools/capable.py
The file was modified: man/man8/tcpaccept.8
The file was modified: man/man8/opensnoop.8
The file was modified: tools/capable_example.txt
The file was modified: tools/opensnoop_example.txt
The file was modified: tools/tcptracer.py
The file was modified: docs/tutorial_bcc_python_developer.md
Commit a28337a7ebea6ce375fb2e976f0b3b61aa05e981 by yonghong-song
tool: trace process termination by default

The `sched_process_exit` tracepoint is called when a thread terminates.
So exitsnoop shows a line for each thread termination if the process
is a multi-threaded process. This is not useful when people want to
know why a process terminates, not a thread.

So this changes the exitsnoop default behavior to trace process termination
instead of thread termination, and adds a `--per-thread` option which behaves
as the original exitsnoop implementation.
The file was modified: tools/exitsnoop.py
The file was modified: man/man8/exitsnoop.8
The file was modified: tools/exitsnoop_example.txt
Commit 112f5291c63fe6160685160c552ae2b03deb3d1e by yonghong-song
bcc: Error out when bpf_probe_read_user is not present

1. For architecture with overlapping address space, error out when
   bpf_probe_read_user is not available.
2. For arch with non overlapping address space, if bpf_probe_read_user
   is not available bpf_probe_read_user is implicitly converted to
   bpf_probe_read.
3. Use bpf_probe_read_kernel instead of bpf_probe_read. When
   bpf_probe_read_kernel is not available, fall back to bpf_probe_read.
   If bpf_probe_read is not available, then bcc would fail anyway.
4. See kernel commit 0ebeea8ca8a4 ("bpf: Restrict bpf_probe_read{,
   str}() only to archs where they work")

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: src/cc/frontends/clang/b_frontend_action.cc
Commit 7f6066d250efa138419c16c150ad8711d6528d29 by yonghong-song
bcc/tools: Replace bpf_probe_read with bpf_probe_read_kernel

It is recommended to use bpf_probe_read_kernel_{str} in the bpf tools.
See kernel commit 0ebeea8ca8a4 ("bpf: Restrict bpf_probe_read{, str}()
only to archs where they work")

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: tools/biolatency.py
The file was modified: tools/compactsnoop.py
The file was modified: tools/tcpstates.py
The file was modified: tools/dbslower.py
The file was modified: tools/tcplife.lua
The file was modified: tools/btrfsslower.py
The file was modified: tools/wakeuptime.py
The file was modified: tools/memleak.py
The file was modified: tools/sofdsnoop.py
The file was modified: tools/argdist.py
The file was modified: tools/filetop.py
The file was modified: tools/solisten.py
The file was modified: tools/biosnoop.lua
The file was modified: tools/drsnoop.py
The file was modified: tools/oomkill.py
The file was modified: tools/tcpconnlat.py
The file was modified: tools/deadlock.c
The file was modified: tools/tcpdrop.py
The file was modified: tools/mdflush.py
The file was modified: tools/gethostlatency.py
The file was modified: tools/opensnoop.py
The file was modified: tools/hardirqs.py
The file was modified: tools/nfsslower.py
The file was modified: tools/killsnoop.py
The file was modified: tools/tcpconnect.py
The file was modified: tools/trace.py
The file was modified: tools/dcsnoop.py
The file was modified: tools/tcptracer.py
The file was modified: tools/ext4slower.py
The file was modified: tools/tcpretrans.py
The file was modified: tools/tcptop.py
The file was modified: tools/ttysnoop.py
The file was modified: tools/bindsnoop.py
The file was modified: tools/slabratetop.py
The file was modified: src/cc/libbpf.c
The file was modified: tools/filelife.py
The file was modified: tools/runqslower.py
The file was modified: tools/zfsslower.py
The file was modified: tools/tcplife.py
The file was modified: tools/funcslower.py
The file was modified: tools/xfsslower.py
The file was modified: tools/bitesize.py
The file was modified: tools/fileslower.py
The file was modified: tools/tcpaccept.py
The file was modified: tests/python/test_clang.py
The file was modified: tools/biosnoop.py
Commit 747e0dd9f0e40ef0fd55291a42f79d4691c344dd by yonghong-song
bcc: Fix user space probe reads with bpf_probe_read_user

User space probe reads should be performed using bpf_probe_read_user.
Fix this in remaining places.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: examples/usdt_sample/scripts/bpf_text_shared.c
The file was modified: examples/cpp/pyperf/PyPerfBPFProgram.cc
The file was modified: src/cc/usdt/usdt_args.cc
Commit d9583813c07897fbbe99d475ab6beb445ae9ffe8 by yonghong-song
bcc/libbpf-tools: Replace bpf_probe_read with bpf_probe_read_kernel.

As kernel commit b8ebce86ffe6 ("libbpf: Provide CO-RE variants of
PT_REGS macros") is introduced after bpf_probe_read_kernel changes, it
is safe to use bpf_probe_read_kernel directly

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: libbpf-tools/runqslower.bpf.c
The file was modified: libbpf-tools/xfsslower.bpf.c
The file was modified: libbpf-tools/drsnoop.bpf.c
The file was modified: libbpf-tools/filelife.bpf.c
Commit 4a1313d179e9701469e1e5650b05ec332b85751f by yonghong-song
bcc/libbpf-tools: Fix user probe read references

Replace bpf_probe_read_str with bpf_probe_read_user_str.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: libbpf-tools/opensnoop.bpf.c
Commit 471d366bb001f6025ec610dd3a615fba8c1dcd26 by yonghong-song
bcc/docs: Replace bpf_probe_read with bpf_probe_read_kernel

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
The file was modified: docs/tutorial_bcc_python_developer.md
The file was modified: docs/reference_guide.md
Commit 275abc9f3b7fb22ad1ac6a4188c807793b9c38bd by yonghong-song
bcc: Check probe read availabilty and use macros

When bpf_probe_read_kernel is not available, then macros are defined at
the prologue to replace bpf_probe_read_kernel with bpf_probe_read. This
resolves the problem of test_probe_read3 failure in test_clang.py for
#2919

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
The file was modified: src/cc/frontends/clang/b_frontend_action.cc
Commit 0b2f4d0b981803ea8d8393ad2eec93c699e59df1 by yonghong-song
bcc: Remove bpf_probe_read_user availability checks on compile time

If wrong kernel-headers are installed, then this can provide a false
result for probe read selection. Instead, look only for kallsyms.

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
The file was modified src/cc/frontends/clang/b_frontend_action.cc (diff)
Commit ec64e6a774499aa54fdf6eb006a8c94eabec8866 by yonghong-song
fix: avoid -Wsign-compare warnings
The file was modified src/cc/frontends/b/lexer.h (diff)
Commit 076a3545e4f365cdc517995d77329ea0c15c89f0 by yonghong-song
Add arg for filtering on signal
The file was modified tools/killsnoop.py (diff)
Commit 33c8b1aca84b4cdd955efb14d06cea6ce7db4169 by yonghong-song
Update man page and example file
The file was modified tools/killsnoop_example.txt (diff)
The file was modified man/man8/killsnoop.8 (diff)
Commit 7cecd795440251ca53065caca185978bdc8a18d5 by yonghong-song
Make examples consistent
The file was modified tools/killsnoop.py (diff)
Commit 30d897563bd116451f41230712aad2b952eda7d0 by yonghong-song
return failure if rewriter cannot rewrite properly

Fix issue #537.

The bcc rewriter does not have enough information to do
proper rewriting from:
  #define PKT_LEN_ADD 1
  ip->tlen += PKT_LEN_ADD;
to
  bpf_dins_pkt(skb, (u64)ip+2, 0, 16, PKT_LEN_ADD);

So instead of generating incorrect code,
which caused a compilation error, let us return an error
earlier with helper comments so users know what to do.
With this patch, we will have
/virtual/main.c:20:17: error: cannot have macro at the end of expresssion,
workaround: put perentheses around macro "(MARCO)"
    ip->tlen += PKT_LEN_ADD;
                ^
The file was modified src/cc/frontends/clang/b_frontend_action.cc (diff)
Commit 82abd2f2680e5c8c86c8cfcab02cc8c68915c599 by yonghong-song
Allow to specify kernel include dirs

It's sometimes convenient to use other kernel headers,
now it's possible with new KERNEL_INCLUDE_DIRS
build variable, like:

  $ cd <kernel-dir>
  $ make INSTALL_HDR_PATH=/tmp/headers headers_install
  $ cd <bcc-dir>
  $ cmake -DKERNEL_INCLUDE_DIRS=/tmp/headers/include/ ...

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
The file was modified CMakeLists.txt (diff)
Commit d0074783b6f56ed195f378a581726098ab87fe98 by yonghong-song
Adding support to load lsm programs

Adding the 'lsm__' prefix check for loaded program
and set BPF_LSM_MAC as expected_attach_type if the
program name matches.

This way we can load LSM programs via bcc interface.

The program attach can be done by existing kfunc API:
  bpf_attach_kfunc
  bpf_detach_kfunc

It will be used in upcoming bpftrace change that
adds lsm probes.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
The file was modified src/cc/export/helpers.h (diff)
The file was modified src/cc/libbpf.c (diff)
The file was modified tests/python/test_clang.py (diff)
The file was modified src/python/bcc/__init__.py (diff)
Commit 5558e36bd97ace7bc3efe3a70d0c9d4fc0d34e2a by yonghong-song
Make reading blacklist from debugfs optional

With lockdown enabled one sees the following:

```
$ sudo /usr/share/bcc/tools/funccount -Ti 1 run_timer_softirq
[Errno 1] Operation not permitted: '/sys/kernel/debug/tracing/../kprobes/blacklist'
```

Which is accompanied by the following in `dmesg`:

```
[Fri May 29 22:12:47 2020] Lockdown: funccount: debugfs access is restricted; see man kernel_lockdown.7
```

Since blacklist is not a required feature, let's make
reading from it optional, so that bcc can work out of the box.
The file was modified src/python/bcc/__init__.py (diff)
Commit b20f5e741f086bf37b19365566b01b5bf6fa251e by noreply
offwaketime: Add support for --state (#2940)

Since offwaketime is really an amalgamation of offcputime and wakeuptime
there is no reason why it shouldn't support the --state argument of the
former.

Co-authored-by: Nikolay Borisov <nborisov@suse.com>
The file was modified tools/offwaketime.py (diff)
The file was modified man/man8/offwaketime.8 (diff)
The file was modified tools/offwaketime_example.txt (diff)
Commit f3fbeb46cb5264d324e60882bd97977ad3dc00d5 by noreply
libbpf-tools: convert BCC syscount to BPF CO-RE version

Add a new libbpf-based tool, syscount, and add some helpers which may be used
by other tools. Namely,

  * syscall_helpers.{c,h}: convert system call numbers to names
  * errno_helpers.{c,h}: convert errno names to numbers

The helpers contain pre-generated tables for x86_64 (which will be outdated at
some point, so require to be updated on demand), but for other architectures
require additional tools: syscall helpers require the ausyscall(1) tool, and
errno helpers require errno(1) utility from the moreutils package. So, if you
run on non-x86_64, then either install these tools, or use numeric values.

If possible, use bpf_map_lookup_and_delete_batch function to read and reset
values in the data map.  This is a raceless way to obtain all values.  If the
function is not available, e.g., for old kernels, then fall back to the old
version which can lose some syscalls (happened between reading values and
resetting them).

Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
The file was added libbpf-tools/errno_helpers.h
The file was modified libbpf-tools/.gitignore (diff)
The file was added libbpf-tools/syscount.c
The file was added libbpf-tools/syscall_helpers.c
The file was added libbpf-tools/syscount.h
The file was modified libbpf-tools/drsnoop.c (diff)
The file was added libbpf-tools/errno_helpers.c
The file was added libbpf-tools/syscount.bpf.c
The file was modified libbpf-tools/filelife.c (diff)
The file was modified libbpf-tools/xfsslower.c (diff)
The file was modified libbpf-tools/Makefile (diff)
The file was added libbpf-tools/syscall_helpers.h
Commit 2188d233d69baf9b49ccf5856292f56285be6d41 by yonghong-song
tools: Add funcinterval bcc tool.

Time interval between the same function as a histogram.
Referenced from funclatency.
The file was added tools/funcinterval.py
The file was added tools/funcinterval_example.txt
The file was modified README.md (diff)
The file was added man/man8/funcinterval.8
Commit be5d68c7a4847113337e5f98711a3ff37ebd7c29 by yonghong-song
libbpf-tools: add CO-RE cpudist

Signed-off-by: Wenbo Zhang <ethercflow@gmail.com>
The file was added libbpf-tools/cpudist.h
The file was modified libbpf-tools/.gitignore (diff)
The file was added libbpf-tools/cpudist.c
The file was modified libbpf-tools/trace_helpers.c (diff)
The file was modified libbpf-tools/Makefile (diff)
The file was added libbpf-tools/cpudist.bpf.c
The file was modified libbpf-tools/trace_helpers.h (diff)
Commit da0d82cc11d56d12a383f5c670281bfa61ca2ad7 by yonghong-song
silence a python travis-ci warning

The travis-ci flags a python warning:

  $ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
  ./tools/biolatpcts.py:123:5: F821 undefined name 'die'
      die()
      ^
  1     F821 undefined name 'die'

Let us fix it with proper error message and then exit().

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified tools/biolatpcts.py (diff)
Commit 5fed2a94da19501c3088161db0c412b5623050ca by yonghong-song
Docker: add kmod dependency to docker container

modprobe and rmmod are used to load the kheaders module as a last option
when kernel headers are not found. The modprobe command is missing in the
docker image and scripts are failing:

$ /usr/share/bcc/tools/execsnoop --mntnsmap /sys/fs/bpf/mnt_ns_set
sh: 1: modprobe: not found
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module)
...

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
The file was modified Dockerfile.ubuntu (diff)
Commit 8319d52dc8834daa0766f61487f75ed3c3c731fe by yonghong-song
turn off x86 jump table optimization during jit compilation

jump table optimization tries to optimize switch statements
into an array access. But such optimization will place certain
information, acted as the array, in the read-only section.
Currently, bcc does not support read-only section, so
jump table optimized code will fail during kernel verification.
This is what happened to biolatpcts.py in my environment with
latest llvm.

  -bash-4.4$ sudo ./biolatpcts.py console
  bpf: Failed to load program: Invalid argument
  unknown opcode 60
  processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

  HINT: The 'unknown opcode' can happen if you reference a global or static variable,
  or data in read-only section. For example, 'char *p = "hello"' will result in p
  referencing a read-only section, and 'char p[] = "hello"' will have "hello" stored on the stack.

This patch disabled jump table optimization on x64. The jump table
optimization is guarded for llvm version 4 and above.
We can disable jump table on other architectures if needed.
A test case, developed based on the biolatpcts.py tool, is added
to ensure it passes the verifier.

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified tests/python/test_clang.py (diff)
The file was modified src/cc/frontends/clang/loader.cc (diff)
Commit 78b0f07c55e179929e789c987cce47031495cad6 by yonghong-song
Fix runqslower to indicate that the latency param is in microseconds.
The file was modified tools/runqslower.py (diff)
Commit 126054e829e7c6ed342f8719818490bc093f851a by yonghong-song
usdt: Add helpers to set semaphore values

While debugging a high memory consumption issue in bpftrace, I noticed
that a USDT::Context object can take ~10M per instance [0]. Along with
the new --usdt-file-activation feature in bpftrace
( https://github.com/iovisor/bpftrace/pull/1317 ), bpftrace can
potentially hold onto many dozens of USDT::Context instances, causing
memory issues.

While reducing the amount of memory USDT::Context uses is one option,
we can potentially side step it by allowing the usdt semaphore count to
be set independently. Before, the only way to increment the count (by 1)
is to call bcc_usdt_enable*(). bcc_usdt_enable*() has checks that limit
it to a single increment per context. The only way to decrement the
count is by calling bcc_usdt_close() which naturally only allows for
one decrement.

With independent semaphore helpers, we can avoid holding onto a
USDT::Context instance for the lifetime of the tracing session. We can
simply:

1. create a USDT::Context
2. increment the semaphore count for the probe we care about
3. destroy the USDT::Context
4. repeat 1-3 for all probes we want to attach to
5. do our tracing
6. create a USDT::Context for the probe we care about
7. decrement the semaphore count
8. destroy the USDT::Context
9. repeat 6-8 for all the probes we're attached to

This approach also has the benefit of 1 USDT::Context instance being
alive at a time which can help keep memory high watermark low.

[0]: Through gdb single stepping and /proc/pid/status. Exact process is
not described here b/c memory usage probably varies based on tracee
binary.
The file was modified src/cc/usdt.h (diff)
The file was modified src/cc/bcc_usdt.h (diff)
The file was modified src/cc/usdt/usdt.cc (diff)
Commit 0bcf2388ce19271c98512d04f719f9efb1c87d39 by yonghong-song
usdt: Have Context::addsem_probe() nop if pid not specified

This makes bcc_usdt_addsem*() more consistent with the bcc_usdt_enable*()
interface where if a USDT::Context was not constructed with a pid the
semaphore enablement nops.
The file was modified src/cc/usdt/usdt.cc (diff)
Commit 263411be9805502bc7e4daaf0ce6cea90884aa38 by noreply
Add support for multiple PID/TID for offwaketime (#2951)

Instead of filtering on a single process allow up to 5 pid/tgid to be
used for filtering. The limit of 5 is arbitrary and can be increased
should the need arise. Also remove unnecessary thread_context variable.

Co-authored-by: Nikolay Borisov <nborisov@suse.com>
The file was modified tools/offwaketime.py (diff)
The file was modified tools/offwaketime_example.txt (diff)
The file was modified man/man8/offwaketime.8 (diff)
Commit 005664bd2d252c51ef18f5286e049a389e298bd3 by yonghong-song
fix: encode path to bytes in python3
The file was modified src/python/bcc/__init__.py (diff)
Commit 8cd2717de91983aeeadefd0886031bd4d8e920ee by yonghong-song
tools/opensnoop: Fix compilation problem

Fix stupid bug introduced by myself.

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
The file was modified tools/opensnoop.py (diff)
Commit e4de95efada2bdb2f5a1ae8647421a712d1c196a by yonghong-song
libbpf-tools: refactor, move public methods to trace_helpers.c

Signed-off-by: Wenbo Zhang <ethercflow@gmail.com>
The file was modified libbpf-tools/runqslower.c (diff)
The file was modified libbpf-tools/trace_helpers.h (diff)
The file was modified libbpf-tools/execsnoop.c (diff)
The file was modified libbpf-tools/syscount.c (diff)
The file was modified libbpf-tools/filelife.c (diff)
The file was modified libbpf-tools/vfsstat.c (diff)
The file was modified libbpf-tools/filelife.h (diff)
The file was modified libbpf-tools/execsnoop.h (diff)
The file was modified libbpf-tools/drsnoop.c (diff)
The file was modified libbpf-tools/cpudist.c (diff)
The file was modified libbpf-tools/opensnoop.c (diff)
The file was modified libbpf-tools/trace_helpers.c (diff)
The file was modified libbpf-tools/xfsslower.c (diff)
Commit 4440a4db2e3fdb5277c2ad283504ea3504b43ecf by jmarchan
deadlock: print a more explicit message when pthread_mutex_unlock can't be attached

Most likely, this happens because of a missing --binary argument. Let's
be friendly to our user and print a more useful message.
The file was modified tools/deadlock.py (diff)
Commit eddf9dd07a4c1d94aad70894f98df24bc0e4cbc2 by jmarchan
man: remove non-existent -x argument from tcpconnect man page

There's no -x option in tcpconnect. I don't know how it got into the
man page synopsis, but it doesn't belong there.
The file was modified man/man8/tcpconnect.8 (diff)
Commit 7830947fad1e0a9e2c723e7cb800af9d7e5b8e77 by jmarchan
loader: suggest to install the right kernel devel package

Unfortunately, some package dependency systems do not allow to make
sure that the kernel development package installed is the same version
as the running kernel. When this happens, the loader, unable to find
the kernel header, will suggest to rebuild the kernel with
CONFIG_IKHEADERS. For most users, this is probably not an option, but
installing the kernel development package corresponding to the running
kernel version is.
The file was modified src/cc/frontends/clang/loader.cc (diff)
Commit c9805f44bfe491a6fbbc34a06d0432a5ae3e8c20 by yonghong-song
tools: fix a python 3 map issue in dbstat and dbslower

In python 3, map returns an iterator and not a list anymore. This
patch casts the map into a list. It fixes the following error:

$ /usr/share/bcc/tools/dbstat mysql
Traceback (most recent call last):
  File "/usr/share/bcc/tools/dbstat", line 95, in <module>
    bpf = BPF(text=program, usdt_contexts=usdts)
  File "/usr/lib/python3.6/site-packages/bcc/__init__.py", line 339, in __init__
    ctx_array = (ct.c_void_p * len(usdt_contexts))()
TypeError: object of type 'map' has no len()
The file was modified tools/dbslower.py (diff)
The file was modified tools/dbstat.py (diff)
Commit 6a9619418cd202b477ca0582bd9b3a30d14731d5 by yonghong-song
Fix typos in kretfunc documentation

Fixes an incorrect link to kretfunc documentation section and fixes example to use proper macro
The file was modified docs/reference_guide.md (diff)
Commit 59665497bf967e29a3d693e50081f62e3012edfe by noreply
Explicitly use NULL macro in pointer value check (#2965)

Explicitly use NULL macro in pointer value check
also updated the tutorial
The file was modified docs/tutorial_bcc_python_developer.md (diff)
The file was modified examples/tracing/sync_timing.py (diff)
Commit 10603c7123c4b2157190151b63ea846c04c76037 by yonghong-song
dbstat: fix overflowing timestamp

The current default value of interval (99999999999) in dbstat is too
high to be used in the sleep() function in python 3. I couldn't find an
authoritative source on the issue, but it seems the max value is
2^63/10^9 (9223372036). Anyway, 99999999 is the de facto standard for
a very big number here, so just use that. It's over 3 years, that
should be enough.

For consistency, I also change a couple of values in klockstat even
though they didn't overflow.

It fixes the following error:
$ dbstat mysql
Tracing database queries for pids  slower than 0 ms...
Traceback (most recent call last):
  File "./dbstat", line 112, in <module>
    sleep(args.interval)
OverflowError: timestamp too large to convert to C _PyTime_t
The file was modified tools/klockstat.py (diff)
The file was modified tools/dbstat.py (diff)
Commit 2c9395596e100697412225dc9e3856c2138a117b by yonghong-song
Add install steps for Alpine Linux
The file was modified INSTALL.md (diff)
Commit 99fa312fefd90a760be9ba429f3267dfd78a76a8 by yonghong-song
sync with latest libbpf repo

sync with latest libbpf repo, added newer ringbuf_*
helper functions and new csum_level() helper.

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified introspection/bps.c (diff)
The file was modified src/cc/export/helpers.h (diff)
The file was modified src/cc/libbpf (diff)
The file was modified src/cc/libbpf.c (diff)
The file was modified src/cc/compat/linux/virtual_bpf.h (diff)
The file was modified docs/kernel-versions.md (diff)
Commit 68abb51ed067c4317b991cec0bbc2ea4e7f6ddab by yonghong-song
Add KBUILD_MODNAME flag to default cflags
The file was modified src/cc/frontends/clang/kbuild_helper.cc (diff)
Commit 1c843e2c0f7570844a2c955436455132936eae47 by yonghong-song
Delete existing kbuild_modname definitions
The file was modified tools/tcplife.lua (diff)
The file was modified examples/networking/xdp/xdp_redirect_map.py (diff)
The file was modified tools/tcpstates.py (diff)
The file was modified examples/networking/xdp/xdp_drop_count.py (diff)
The file was modified tests/python/test_clang.py (diff)
The file was modified examples/networking/xdp/xdp_macswap_count.py (diff)
The file was modified tools/tcplife.py (diff)
The file was modified examples/networking/xdp/xdp_redirect_cpu.py (diff)
The file was modified examples/tracing/nflatency.py (diff)
Commit c3ed131d33426d2094fdd05f76f3a33bc3140ddf by yonghong-song
sync with libbpf v0.0.9

sync with libbpf version 0.0.9.

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified src/cc/libbpf (diff)
The file was modified src/cc/compat/linux/virtual_bpf.h (diff)
Commit e3daec85c47c0695f1bf955782fddf8644d89742 by yonghong-song
[BPFTable] clear_table_non_atomic: Remove duplicate macro

Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
The file was modified src/cc/api/BPFTable.cc (diff)
Commit f438bffe0331d482fac57899fdd68411c4aca693 by yonghong-song
fix LSM_PROBE return value

Fix issue #2976.
The LSM_PROBE program return value is fixed with value 0.
This is not correct. The return value is meaningful for
LSM_PROBE programs. Return proper value provided by the
bpf program itself.

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified src/cc/export/helpers.h (diff)
Commit 9b82af3ef53bbae76d9f09f403b58975995aa900 by noreply
API improvements for BPF LSM programs (#2979)

* Enhanced support for LSM programs
- added explicit libbcc support for LSM programs
- added bcc helpers to attach LSM programs
- added bcc helper to indicate kernel support for LSM programs
- added LSM programs to __trace_autoload hook
- removed (now) unnecessary load_func from LSM unit test
- Remove detach_kfunc

Signed-off-by: William Findlay <william@williamfindlay.com>
The file was modified src/python/bcc/__init__.py (diff)
The file was modified src/python/bcc/libbcc.py (diff)
The file was modified src/cc/libbpf.h (diff)
The file was modified tests/python/test_clang.py (diff)
The file was modified src/cc/libbpf.c (diff)
Commit 5a8bf15a7e1bfdcd327126f02501630f8b79f4d1 by noreply
Add LSM probe documentation (#2980)

Add LSM documentation
Add minimum kernel version requirements
The file was modified docs/reference_guide.md (diff)
Commit e41f7a3be5c8114ef6a0990e50c2fbabea0e928e by yonghong-song
prepare for release v0.15.0

added changelog for release v0.15.0

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified debian/changelog (diff)
Commit 05f3f8668481cf975cbf89338e0db7d411ef1432 by yonghong-song
libbpf-tools: remove unnecessary header include from syscount.bpf.c

It causes build failure on my system due to trying to include GCC-specific
header. It doesn't seem to be necessary, though, so remove it.

Signed-off-by: Andrii Nakryiko <andriin@fb.com>
The file was modified libbpf-tools/syscount.bpf.c (diff)
Commit 4bf92d1110799393439cb6138bbcfa57670b42b9 by yonghong-song
Add missing LSM cleanup hook
The file was modified src/python/bcc/__init__.py (diff)
Commit f579bf8d60c804084888c12ecb621d74a86815aa by yonghong-song
bpf: use bpf_probe_read in implicitly generated kernel mem read

Currently, bcc rewriter uses bpf_probe_read_kernel() for implicitly specified
kernel memory read. This is not totally correct. Some user memory in kernel
data structure may be accessed. bpf_probe_read_kernel() may fail with
later kernels. Let us revert back to old bpf_probe_read().
The file was modified src/cc/frontends/clang/b_frontend_action.cc (diff)
Commit 0d9e0911ddd9e6132fd2b05c7de6eaeafc540d67 by yonghong-song
Fix kernel version for ringbuf and add ringbuf to maps table
The file was modified src/cc/libbpf.c (diff)
The file was modified docs/kernel-versions.md (diff)
Commit 34f8985c29b0107b8526d5b0eedce2299db6570b by yonghong-song
libbpf-tools: add CO-RE bitesize

Signed-off-by: Wenbo Zhang <ethercflow@gmail.com>
The file was added libbpf-tools/bitesize.bpf.c
The file was added libbpf-tools/bitesize.c
The file was modified libbpf-tools/Makefile (diff)
The file was modified libbpf-tools/.gitignore (diff)
The file was added libbpf-tools/bitesize.h
The file was modified libbpf-tools/cpudist.bpf.c (diff)
The file was added libbpf-tools/bits.bpf.h
Commit 1bddba6adefedc02fa5d6fda371a92c8fd4a3aea by yonghong-song
tools/profile: fix suggestion about when to increase stack-storage-size

When we do stack traces via stackmaps, hash collisions (-EEXIST) may indicate
that the map size is too small. Not -ENOMEM.
The file was modified tools/profile.py (diff)
Commit 156a7d150a20f2ce7cce0fb7144952ab9fedf6e7 by noreply
Fix KFUNC_PROBE calls in vfs_stat.py by adding a return value (#2990)

Fix KFUNC_PROBE calls in vfs_stat.py by adding a return value of 0
The file was modified tools/vfsstat.py (diff)
Commit fe730f29f14bef8b5ffe1112c578df876c44d22d by noreply
Ringbuf Support for Python API (#2989)

This pull request contains an implementation for ringbuf support in bcc's Python API.

Fixes #2985.

More specifically, the following are added:
    - ringbuf helpers from libbpf API to libbcc
    - a new RingBuf class to represent the ringbuf map
    - BPF_RINGBUF_OUTPUT macro for BPF programs
    - tests
    - detailed documentation and examples
The file was modified src/python/bcc/table.py (diff)
The file was modified docs/reference_guide.md (diff)
The file was modified src/cc/libbpf.h (diff)
The file was modified src/cc/export/helpers.h (diff)
The file was modified src/python/bcc/libbcc.py (diff)
The file was added examples/ringbuf/ringbuf_submit.py
The file was modified src/cc/frontends/clang/b_frontend_action.cc (diff)
The file was modified src/cc/libbpf.c (diff)
The file was added tests/python/test_ringbuf.py
The file was added examples/ringbuf/ringbuf_output.py
The file was modified tests/python/CMakeLists.txt (diff)
The file was modified src/python/bcc/__init__.py (diff)
Commit fbde62b089fd7bd7818fa4b4e36f89e9b49883f9 by yonghong-song
Introducing Queue/Stack helpers and clang frontend

This commit aims to introduce helpers to declare Queue/Stack maps. I have supported also
the creation of shared/public/pinned ones, as for the "traditional" tables.
In clang frontend I have added both declaration of maps type/queue, type/stack and all the operations
supported so far by these new maps (push/pop/peek).

Possible declarations introduced:

* BPF_QUEUESTACK(<"queue"/"stack">, <name>, <leaf_type>, <max_entries>, <flags>)
* BPF_QUEUESTACK_SHARED(...)
* BPF_QUEUESTACK_PINNED(...)
* BPF_QUEUESTACK_PUBLIC(...)
* BPF_QUEUE(<name>, <leaf_type>, <max_entries>)
* BPF_QUEUE(<name>, <leaf_type>, <max_entries>, <flags>)
* BPF_STACK(<name>, <leaf_type>, <max_entries>)
* BPF_STACK(<name>, <leaf_type>, <max_entries>, <flags>)

Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
Co-authored-by: Sebastiano Miano <sebastiano.miano@polito.it>
The file was modified src/cc/frontends/clang/b_frontend_action.cc (diff)
The file was modified src/cc/export/helpers.h (diff)
Commit 30a420d70457555b92b8e5f555e58cf79d70ab23 by yonghong-song
add BPFQueueStackTable and tests

This commit aims to introduce a new abstraction for these new map types: BPFQueueStackTableBase.
As all the allowed operations on these map types are different from the
"traditional" ones, I thought to introduce a new abstraction, following the
already used programming style (template classes and utility func).
Moreover, I had to update libbpf.h/c to insert the new bpf_map_lookup_and_delete_elem(),
used when calling "pop()"

Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
The file was modified src/cc/api/BPF.h (diff)
The file was modified src/cc/libbpf.c (diff)
The file was modified tests/cc/CMakeLists.txt (diff)
The file was modified src/cc/libbpf.h (diff)
The file was added tests/cc/test_queuestack_table.cc
The file was modified src/cc/api/BPFTable.h (diff)
Commit f0bbf327dc4dba3cfb4d48a27de6c690bee172ef by yonghong-song
sync with latest libbpf repo

sync with latest libbpf repository
The file was modified docs/kernel-versions.md (diff)
The file was modified src/cc/export/helpers.h (diff)
The file was modified src/cc/libbpf.c (diff)
The file was modified src/cc/libbpf (diff)
The file was modified src/cc/compat/linux/virtual_bpf.h (diff)
Commit 581b198cffb55a7dd6486e54007df25e57feb466 by yonghong-song
valloc and pvalloc are deprecated in bionic on Android

memleak -p PID will fail on Android
https://android.googlesource.com/platform/bionic/+/master/libc/bionic/malloc_common.cpp#196
The file was modified tools/memleak.py (diff)
Commit fc20957bdf266ce3468a53e7d6b071d717c612d0 by yonghong-song
Fix symfs symbol resolution

Paths that are passed to find_debug_via_symfs often start with /proc/PID/root/
prefix which is followed by actual path. This breaks symfs symbol resolution.
Symfs directory usually does not contain proc subdirectory and subdirectories
for each pid.

Here are examples of stack traces I got when tracing dlopen on Android before:
```
7acc558ef8 dlopen+0 (/system/lib64/libdl.so)
7a2222f988 EglThreadState::GetProcAddress(char const*)+64 (/vendor/lib64/egl/libGLESv2_adreno.so)
7ac8e3ecbc eglGetProcAddress+540 (/system/lib64/libEGL.so)
7acb824a58 GrGLMakeAssembledGLESInterface(void*, void (* ()(void, char const*))())+8136 (/system/lib64/libhwui.so)
7acb83a9b0 GrGLCreateNativeInterface()+48 (/system/lib64/libhwui.so)
7acb63443c 0x7acb63443c ([unknown])
7acb9cd33c 0x7acb9cd33c ([unknown])
7acb9cdd70 0x7acb9cdd70 ([unknown])
7acb9c7f20 0x7acb9c7f20 ([unknown])
7acb9cbcc8 0x7acb9cbcc8 ([unknown])
7acb98348c 0x7acb98348c ([unknown])
7acb65da30 0x7acb65da30 ([unknown])
7aca096b84 android::Thread::_threadLoop(void*)+284 (/system/lib64/libutils.so)
7acc2c6288 __pthread_start(void*)+40 (/system/lib64/libc.so)
7acc266500 __start_thread+72 (/system/lib64/libc.so)
```

and after:
```
7acc558ef8 dlopen+0 (/system/lib64/libdl.so)
7a23a2d988 EglThreadState::GetProcAddress(char const*)+64 (/vendor/lib64/egl/libGLESv2_adreno.so)
7ac8e3ecbc eglGetProcAddress+540 (/system/lib64/libEGL.so)
7acb824a58 0x7acb824a58 ([unknown])
7acb83a9b0 GrGLCreateNativeInterface()+48 (/system/lib64/libhwui.so)
7acb63443c android::uirenderer::debug::GlesDriver::getSkiaInterface()+20 (/system/lib64/libhwui.so)
7acb9cd33c android::uirenderer::renderthread::EglManager::initialize()+700 (/system/lib64/libhwui.so)
7acb9cdd70 android::uirenderer::renderthread::EglManager::createSurface(ANativeWindow*, bool)+48 (/system/lib64/libhwui.so)
7acb9c7f20 android::uirenderer::skiapipeline::SkiaOpenGLPipeline::setSurface(android::Surface*, android::uirenderer::renderthread::SwapBehavior, android::uirenderer::renderthread::ColorMode)+88 (/system/lib64/libhwui.so)
7acb9cbcc8 android::uirenderer::renderthread::CanvasContext::setSurface(android::sp<android::Surface>&&)+88 (/system/lib64/libhwui.so)
7acb98348c android::uirenderer::WorkQueue::process()+172 (/system/lib64/libhwui.so)
7acb65da30 0x7acb65da30 ([unknown])
7aca096b84 android::Thread::_threadLoop(void*)+284 (/system/lib64/libutils.so)
7acc2c6288 __pthread_start(void*)+40 (/system/lib64/libc.so)
7acc266500 __start_thread+72 (/system/lib64/libc.so)
```
The file was modified src/cc/bcc_elf.c (diff)
Commit 1a348d4ae12ba6ec9831e89532504e27a815fa99 by yonghong-song
docs: Add BPF LSM hook to kernel features

Signed-off-by: Gary Lin <glin@suse.com>
The file was modified docs/kernel-versions.md (diff)
Commit f0dd3496bd40b867cdf05d5f4565c8363f5fb906 by yonghong-song
docs: Update XDP driver support list

Signed-off-by: Gary Lin <glin@suse.com>
The file was modified docs/kernel-versions.md (diff)
Commit be277421add33cb348ae1092d3ab926c1f609328 by yonghong-song
docs: add RISC-V to the JIT support list

Signed-off-by: Gary Lin <glin@suse.com>
The file was modified docs/kernel-versions.md (diff)
Commit 1b7aab1b12fbfd621ceec282df9fbffb7423c508 by yonghong-song
add the option --hexdump to sslsniff to allow sniffing of binary protocols inside TLS/SSL connections
The file was modified tools/sslsniff.py (diff)
Commit d40c3a7d801b3944a036a193366a99f96fbd570c by yonghong-song
fix examples in sslsniff.py
The file was modified tools/sslsniff.py (diff)
Commit d91b31a59038c9c79ee1c9e6a45149239531b155 by yonghong-song
reformat code, add new option to manpage and usage in sslsniff_example.txt
The file was modified tools/sslsniff.py (diff)
The file was modified man/man8/sslsniff.8 (diff)
The file was modified tools/sslsniff_example.txt (diff)
Commit 1ef6758b1ce5847d2699183d951c0e2bee00ee39 by yonghong-song
example block of --hexdump in sslsniff_example.txt
The file was modified tools/sslsniff_example.txt (diff)
Commit d4f6a162363b759f00cecc9aa2293557519f615c by yonghong-song
docs: fix Ubuntu Eoan spelling

Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
The file was modified INSTALL.md (diff)
Commit 95c9229ea9f029a1b9e8dcbe86fc67f037c0dfa2 by yonghong-song
Replace kprobe function "blk_account_io_completion" to "blk_account_io_done" for kernel version >= 5.8.0

The kernel function "blk_account_io_completion" is not available anymore as attach point of Kprobe as of kernel version 5.8.0. Therefore, after discussions, we decided to use function "blk_account_io_done" instead in every kprobe attachment to "blk_account_io_completion".
The file was modified tools/old/biosnoop.py (diff)
The file was modified examples/tracing/bitehist.py (diff)
The file was modified docs/tutorial_bcc_python_developer.md (diff)
The file was modified examples/tracing/disksnoop.py (diff)
The file was modified examples/lua/kprobe-latency.lua (diff)
The file was modified tools/biotop.py (diff)
The file was modified tools/biosnoop.lua (diff)
The file was modified tools/biosnoop.py (diff)
The file was modified docs/reference_guide.md (diff)
Commit cd81f13c1ff96927d6e4fffd6a5d9fb0cd354c08 by yonghong-song
memleak: Add workaround to alleviate misjudgments when free is missing

Profiling in memory part is hard to be accurate because of BPF infrastructure.
memleak keeps misjudging memory leak on the complicated environment which has
the action of free in hard/soft irq.

For example, in my misjudged case:

640 bytes in 10 allocations from stack
--
__kmalloc+0x178 [kernel]
__kmalloc+0x178 [kernel]
xhci_urb_enqueue+0x140 [kernel]
usb_hcd_submit_urb+0x5e0 [kernel]

This result looks like kernel doesn't free urb_priv. However, it's not true.
The reason for this leak is because xhci hw irq interrupts during the BPF program.
BPF program is not finished on that CPU, and xhci_irq() will call xhci_urb_free_priv()
before the end. But the kernel doesn't permit this isr to go into BPF program again.
Because BPF infrastructure (trace_call_bpf) denied this action.
So we miss this free action and cause memory leak misjudgment.

Side-effect:
- Increase overhead for each memory allocation.
- A higher chance to be interrupted at the allocation part causes ignore more allocations.

This workaround doesn't solve all misjudgments, the improvement in BPF infrastructure
is the only solution.
The file was modified man/man8/memleak.8 (diff)
The file was modified tools/memleak_example.txt (diff)
The file was modified tools/memleak.py (diff)
Commit fab26b4369aa020b412c2c1ba42bc1179b9c3337 by yonghong-song
sync with latest libbpf

sync with latest libbpf repo

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified src/cc/export/helpers.h (diff)
The file was modified src/cc/libbpf (diff)
The file was modified docs/kernel-versions.md (diff)
The file was modified src/cc/compat/linux/virtual_bpf.h (diff)
The file was modified src/cc/libbpf.c (diff)
Commit 57d10f5b4ed4c27b789cc72292e16daa1e1f9e7a by a.s.protopopov
libbpf-tools: add header to store BPF-side map helpers

Add a new header kern_map_helpers.h to store BPF-side map helpers
which may be used from different programs. At the moment it contains
the bpf_map_lookup_or_try_init helper.

Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
The file was modified libbpf-tools/syscount.bpf.c (diff)
The file was added libbpf-tools/maps.bpf.h
Commit b8cdd214a0fcce7e2086e04f1a1f7a268e841271 by a.s.protopopov
libbpf-tools: fix an error message

A wrong argument (-errno) was passed to strerror, fix it.

Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
The file was modified libbpf-tools/syscount.c (diff)
Commit 3ef753186420e39e8b9c97d5eb2af7c991339dd7 by a.s.protopopov
libbpf-tools: convert BCC tcpconnect to BPF CO-RE version

Add a new libbpf-based tool, tcpconnect, and add some helpers which may
be used by other tools. Namely, user_map_helpers.{c,h} files implement
a function dump_hash() which uses map_batch_lookup (if possible) to read
entire hash maps to user space.

The tcpconnect acts as the original BCC tool except that --cgroupmap and
--mntnsmap options are not implemented yet.

Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
The file was added libbpf-tools/map_helpers.h
The file was added libbpf-tools/tcpconnect.bpf.c
The file was modified libbpf-tools/Makefile (diff)
The file was added libbpf-tools/tcpconnect.h
The file was added libbpf-tools/tcpconnect.c
The file was modified libbpf-tools/.gitignore (diff)
The file was added libbpf-tools/map_helpers.c
Commit 104d2b3eb6ed1f1bdbc03cb322c6ae917c1b4425 by yonghong-song
Add .lazy_symbolize field to bcc_symbol_option and add ignored fields to perf_event_attr
The file was modified src/python/bcc/libbcc.py (diff)
The file was modified src/python/bcc/perf.py (diff)
Commit e70bbdcbcbcd01e5570ba7b9d79e282d16a53d40 by noreply
Add Python API and documentation for Queue/Stack Tables (#3013)

* Add QueueStack Python API
* Add tests for QueueStack Python API
* Add documentation for QueueStack
The file was modified src/python/bcc/__init__.py (diff)
The file was modified tests/python/CMakeLists.txt (diff)
The file was added tests/python/test_queuestack.py
The file was modified docs/reference_guide.md (diff)
The file was modified src/python/bcc/table.py (diff)
Commit 1abab9bd2b68a389db704848c3b9fbb03f8e0c02 by yonghong-song
use bpf_probe_read_kernel for implicit kernel mem read on s390

Commit f579bf8d60c8 ("bpf: use bpf_probe_read in implicitly
generated kernel mem read") unconditionally uses bpf_probe_read()
for implicit kernel memory read in bpf programs.

This won't work for s390 with recent kernels since s390 has
overlapping user/kernel addresses and bpf_probe_read() is not
available any more.

This patch partially reverted Commit f579bf8d60c8 such
that for s390, bpf_probe_read_kernel() will be used
while for other architectures bpf_probe_read() is used.

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified src/cc/frontends/clang/b_frontend_action.cc (diff)
The file was modified src/cc/frontends/clang/b_frontend_action.h (diff)
Commit d3a102d5d1029438ec7a1a5450095362f3b56fc1 by yonghong-song
fix cc queue/stack test kernel version

This commit fixes the Kernel version check in test_queuestack_table.cc.
The correct one, as discussed in #3013, is 4.20 (not 5.0).

Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
The file was modified tests/cc/test_queuestack_table.cc (diff)
Commit 4efe7fe3e81a65ca4d2cf6eec8055125ca3018f9 by yonghong-song
fix debug file lookup in bcc_elf_symbol_str

Logic for looking up debug file in bcc_elf_symbol_str and foreach_sym_core
differs. This commit factors out relevant code from foreach_sym_core and reuses
it in bcc_elf_symbol_str.
The file was modified src/cc/bcc_elf.c (diff)
Commit 316b404c28744fd106b3b37cc216693d143a7a2d by yonghong-song
update reference_guide for implicit kmem access rewriting

Update the reference_guide to spell out for implicit
kernel memory access, when rewriter uses bpf_probe_read()
(for non-s390) and when using bpf_probe_read_kernel()
(for s390).

Signed-off-by: Yonghong Song <yhs@fb.com>
The file was modified docs/reference_guide.md (diff)
Commit 222821c8be2c3aa862ddd7e4bf2a10965ae0639f by yonghong-song
libbpf-tools: add CO-RE biolatency

Signed-off-by: Wenbo Zhang <ethercflow@gmail.com>
The file was added libbpf-tools/biolatency.h
The file was added libbpf-tools/biolatency.bpf.c
The file was added libbpf-tools/blk_types.h
The file was modified libbpf-tools/Makefile (diff)
The file was modified libbpf-tools/.gitignore (diff)
The file was added libbpf-tools/biolatency.c