Commit
d2e8ea47352e36f63a9dda281c00fadeb87e890a
by yonghong-song
Fix ELF ABI and endianness checks for powerpc64
Earlier, it was assumed that ELF ABI v2 is used only on little-endian powerpc64 environments but it seems this ABI can be used independently of endianness.
It is expected that any C preprocessor that conforms to the ELF ABI v2 specification must predefine the _CALL_ELF macro and set its value to 2.
Instead of looking at __BYTE_ORDER__ to determine whether to use the Local Entry Point (LEP) of symbols, one should look at the _CALL_ELF macro instead as this is ABI-related.
Similarly, _CALL_ELF should be used only for determining the ABI version and not the endianness.
Reported-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Fixes: bbd4180c ("Fix uprobes on powerpc64")
Fixes: 10869523 ("clang: Add support to build eBPF for user specified ARCH")
Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
|
| src/cc/bcc_syms.cc (diff) |
| src/cc/frontends/clang/arch_helper.h (diff) |
| tests/cc/test_c_api.cc (diff) |
| src/cc/bcc_syms.h (diff) |
| src/cc/bcc_elf.c (diff) |
Commit
264b2ccf4e42f7f1b9abb89fb320d0467c509e37
by sumanthk
bcc: Use bpf_probe_read_user in tools and provide backward compatibility
s390 has overlapping address space for user and kernel. Hence separation of bpf_probe_read_user and bpf_probe_read_kernel is essential. Commit 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers") introduced these changes into the kernel. However, bcc tools do not respect it.
As a workaround, perform the following:
1. Use bpf_probe_read_user() explicitly in the bcc tools.
2. When kernel version < 5.5, check if the bpf_probe_read_user kernel helper is present in the backported kernel as well. If not found, then fall back from bpf_probe_read_user to bpf_probe_read.
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
|
| src/cc/export/helpers.h (diff) |
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
| tools/ttysnoop.py (diff) |
Commit
ac157b474b2e2964ec2cba81574f2bddbd62b42b
by sumanthk
bcc: Use direct parameter assignment for syscall probe s390.
1. Commit fa697140f9a2 ("syscalls/x86: Use 'struct pt_regs' based syscall calling convention for 64-bit syscalls") changed the raw parameter passed to the syscall entry function from a list of parameters supplied in user space to a single `pt_regs *` parameter (ARCH_HAS_SYSCALL_WRAPPER)
2. But ARCH_HAS_SYSCALL_WRAPPER in s390 is not used for that purpose. See commit a18f03cd89e9 ("s390: autogenerate compat syscall wrappers")
3. Use direct parameter assignment assumption for s390 syscall probe instead.
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
|
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
Commit
023154c7708087ddf6c2031cef5d25c2445b70c4
by sumanthk
bcc/tools: Introduce bpf_probe_read_user to the tools.
This is essential for architectures which do have overlapping address space.
- bpf_probe_read_kernel() shall be used for reading data from kernel space to the bpf vm.
- bpf_probe_read_user() shall be used for reading data from user space to the bpf vm.
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
|
| examples/tracing/strlen_count.py (diff) |
| tools/sslsniff.py (diff) |
| examples/cpp/RecordMySQLQuery.cc (diff) |
| tools/gethostlatency.py (diff) |
| examples/lua/strlen_count.lua (diff) |
| tools/lib/uflow.py (diff) |
| examples/lua/usdt_ruby.lua (diff) |
| tools/bashreadline.py (diff) |
| tools/funcslower.py (diff) |
| tools/opensnoop.py (diff) |
| examples/tracing/nodejs_http_server.py (diff) |
| tools/execsnoop.py (diff) |
| tools/mountsnoop.py (diff) |
| tools/lib/uobjnew.py (diff) |
| tools/lib/ucalls.py (diff) |
| tools/lib/uthreads.py (diff) |
| tools/statsnoop.py (diff) |
| examples/lua/bashreadline.c (diff) |
| tools/biosnoop.lua (diff) |
| examples/tracing/mysqld_query.py (diff) |
| tools/biosnoop.py (diff) |
| tools/lib/ugc.py (diff) |
| examples/tracing/strlen_snoop.py (diff) |
| tools/dbslower.py (diff) |
| tools/mysqld_qslower.py (diff) |
|
| docs/reference_guide.md (diff) |
| docs/tutorial_bcc_python_developer.md (diff) |
Commit
99739b2aa214984b783f61e4bcb3754eda876c1b
by sumanthk
bcc/utils: Avoid code duplication of __generate_streq_function
bcc tools like trace.py and argdist.py use _generate_streq_function() functions to convert char * read to bpf_probe_read/bpf_probe_read_user. Refactor it and move the common functionality to utils.py.
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
|
| src/python/bcc/__init__.py (diff) |
| src/python/bcc/utils.py (diff) |
Commit
306080b9c6370974b0e11ed6bbe47f086c42d7ac
by sumanthk
bcc: Add __user attribute to support bpf_probe_read_user in argdist
argdist traces probe functions and their parameter values.
Add functionality to convert:
- All userspace probes char * read to bpf_probe_read_user()
- Syscall/kprobes char* params with __user attribute to bpf_probe_read_user()
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
|
| tools/argdist.py (diff) |
| tools/argdist_example.txt (diff) |
Commit
7cbd074cb5af6b82f53a5de9936ffaa74fea00f0
by sumanthk
bcc: Support bpf_probe_read_user in trace.py
Arguments of a probe point can be either user pointer or kernel pointer.
Previously:
- tools/trace.py 'do_sys_open "%s", arg2'
  When reading arg2 as char *, it would resolve to bpf_probe_read.
Now:
- tools/trace.py 'do_sys_open "%s", arg2@user'
  - When reading arg2 as char *, it is resolved to bpf_probe_read_user.
- tools/trace.py 'do_sys_open (STRCMP("test.txt", arg2@user)) "%s", arg2'
  - For arg2 char * read, bpf_probe_read_user is utilized
To distinguish this, add arg@user.
- All userspace probes char *read converted to bpf_probe_read_user
- Syscall/kprobes with arg[1-6]@user attribute are converted to bpf_probe_read_user.
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
|
| tools/trace.py (diff) |
| tools/trace_example.txt (diff) |
Commit
09be5b50c1168c2796786029fa159c63f71e2936
by sumanthk
bcc/libbpf: Fix bpf_has_kernel_btf return status
bool returns True for negative integers. Hence bcc tools try to switch to kfunc instead of kprobes, even when the btf data is not found.
For libbpf_find_vmlinux_btf_id, when err <= 0, btf is not found.
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
|
| src/cc/libbpf.c (diff) |
Commit
59a753da82f9eab628a5506822a6ff16a6912a88
by noreply
Add perf event data collection example for a userspace application (#2888)
* Add perf event data collection example for a userspace application
* Add comments for potential issues in perf_event example
|
| examples/perf/ipc.py |
|
| INSTALL.md (diff) |
|
| examples/usdt_sample/usdt_sample.md (diff) |
| src/cc/usdt/usdt.cc (diff) |
|
| tools/nfsdist.py (diff) |
|
| tools/argdist.py (diff) |
Commit
0d87484b724e3f20d03c49a48e356e6fd1533c68
by yonghong-song
add -fPIC to compile examples/cpp and tests/cc
I use clang-8.0.1 and gcc-8.3.1 to compile bcc-0.8.1, without -fPIC, will get errors like this:
/usr/bin/ld: CMakeFiles/test_libbcc.dir/test_libbcc.cc.o: relocation R_X86_64_32S against symbol `_ZTVN5Catch21LegacyReporterAdapterE' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: CMakeFiles/test_libbcc.dir/test_c_api.cc.o: relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: CMakeFiles/CGroupTest.dir/CGroupTest.cc.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a PIE object; recompile with -fPIC
Signed-off-by: Chunmei Xu <xuchunmei@linux.alibaba.com>
|
| examples/cpp/CMakeLists.txt (diff) |
| tests/cc/CMakeLists.txt (diff) |
|
| libbpf-tools/Makefile (diff) |
| libbpf-tools/vfsstat.bpf.c |
| libbpf-tools/.gitignore (diff) |
| libbpf-tools/vfsstat.h |
| libbpf-tools/vfsstat.c |
Commit
c6342d23e48ae03df78f7c716f55e6ff14e5169b
by yonghong-song
Fix github actions tests
Github actions are failing because the docker image used for testing is based on Ubuntu 19.04, which is EOL now. This commit downgrades the version used for testing to 18.04, which is LTS. It also installs the "util-linux" package that includes the "unshare" command.
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
|
| Dockerfile.tests (diff) |
Commit
8c12794214bf906089f972676eb065e618d581af
by noreply
tools/dirtop: Adding dirtop utility (#2819)
This tool is about reporting IOs per directory. That's a clone of filetop but works in a different way:
- user specifies a set of globs to select a list of directories to watch
- dirtop extracts the inode_id of the selected directories
- the bpf program receives the list of top directories to consider
- when vfs_{read|write} occurs, the bpf program checks if one of the parents is part of the list we search for
- if it matches, the io is accounted
On the python side, the program will reconcile IOs per directory and print stats.
While filetop lists the programs and filename, dirtop only lists the directory name.
A typical usage looks like:
[root@host]: dirtop.py -d '/hdfs/uuid/*/yarn'
14:56:33 loadavg: 52.21 48.81 37.78 53/2721 28720

READS  WRITES R_Kb     W_Kb     PATH
36821  7632   238219   149183   /hdfs/uuid/d04fccd8-bc72-4ed9-bda4-c5b6893f1405/yarn
20823  2      196290   3        /hdfs/uuid/b94cbf3f-76b1-4ced-9043-02d450b9887c/yarn
16059  12064  109748   85778    /hdfs/uuid/250b21c8-1714-45fe-8c08-d45d0271c6bd/yarn
14128  20360  106287   81440    /hdfs/uuid/4a833770-767e-43b3-b696-dc98901bce26/yarn
15883  4991   86014    82075    /hdfs/uuid/0cc3683f-4800-4c73-8075-8d77dc7cf116/yarn
11182  4485   28834    116917   /hdfs/uuid/7d512fe7-b20d-464c-a75a-dbf8b687ee1c/yarn
11848  7810   103139   31240    /hdfs/uuid/2c6a7223-cb18-4916-a1b6-8cd02bda1d31/yarn
10418  1272   114842   18       /hdfs/uuid/76dc0b77-e2fd-4476-818f-2b5c3c452396/yarn
10066  6630   93969    20218    /hdfs/uuid/c11da291-28de-4a77-873e-44bb452d238b/yarn
13648  15453  39450    53744    /hdfs/uuid/99c178d5-a209-4af2-8467-7382c7f03c1b/yarn
9509   2049   31363    48219    /hdfs/uuid/a78f846a-58c4-4d10-a9f5-42f16a6134a0/yarn
8112   2178   13765    63479    /hdfs/uuid/bf829d08-1455-45b8-81fa-05c3303e8c45/yarn
4327   0      37544    0        /hdfs/uuid/fada8004-53ff-48df-9396-165d8e42925b/yarn
2238   2742   72       50       /hdfs/uuid/b3b2a2ed-f6c1-4641-86bf-2989dd932411/yarn
3716   0      47       0        /hdfs/uuid/8138a53b-b942-44d3-82df-51575f1a3901/yarn
Signed-off-by: Erwan Velu <e.velu@criteo.com>
Co-authored-by: Erwan Velu <e.velu@criteo.com>
|
| README.md (diff) |
| tools/dirtop.py |
| tools/dirtop_example.txt |
| man/man8/dirtop.8 |
|
| libbpf-tools/.gitignore (diff) |
| libbpf-tools/execsnoop.h |
| libbpf-tools/Makefile (diff) |
| libbpf-tools/execsnoop.bpf.c |
| libbpf-tools/execsnoop.c |
|
| src/cc/libbpf (diff) |
| src/cc/export/helpers.h (diff) |
| docs/kernel-versions.md (diff) |
| src/cc/compat/linux/virtual_bpf.h (diff) |
| src/cc/libbpf.c (diff) |
Commit
44e0f43eeac53648adb4734862f9b36d80853420
by yonghong-song
Fix KFUNC_PROBE return value
The KFUNC_PROBE macro is using "void" as return type; this is causing problems in some tools that have filtering enabled that returns 0.
Reproducer: (Notice that it requires BTF support)
```
$ python opensnoop.py --pid 5
/virtual/main.c:33:21: error: void function '____kretfunc__do_sys_open' should not return a value [-Wreturn-type]
    if (pid != 5) { return 0; }
                    ^      ~
1 error generated.
...
```
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
|
| tools/opensnoop.py (diff) |
| tools/klockstat.py (diff) |
| src/cc/export/helpers.h (diff) |
Commit
7722fc55f6c8a5ec1c16ba76f10db3b709af5d36
by yonghong-song
libbcc-py: Fix libbpf types
1ad2656a1d9c ("Add support_kfunc function to BPF object") added new functions to libbcc-py but didn't set the restype and argtypes for those. It's causing the `bpf_has_kernel_btf` function to return True in systems without support for BTF, making tools like opensnoop, klockstat and any other using kfuncs unusable in those systems.
The following Python script reproduces the problem:
```
from bcc import BPF
print(BPF.support_kfunc())
```
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
|
| src/python/bcc/libbcc.py (diff) |
|
| tools/tcplife.py (diff) |
Commit
32ab858309c84c23049715aaab936ce654ad5792
by yonghong-song
tools: add filtering by mount namespace
In previous patches, I added the option --cgroupmap to filter events belonging to a set of cgroup-v2. Although this approach works fine with systemd services and containers when cgroup-v2 is enabled, it does not work with containers when only cgroup-v1 is enabled because bpf_get_current_cgroup_id() only works with cgroup-v2. It also requires Linux 4.18 to get this bpf helper function.
This patch adds an additional way to filter by containers, using mount namespaces.
Note that this does not help with systemd services since they normally don't create a new mount namespace (unless you set some options like 'ReadOnlyPaths=', see "man 5 systemd.exec").
My goal with this patch is to filter Kubernetes pods, even on distributions with an older kernel (<4.18) or without cgroup-v2 enabled.
- This is only implemented for tools that already support filtering by cgroup id (bindsnoop, capable, execsnoop, profile, tcpaccept, tcpconnect, tcptop and tcptracer).
- I picked the mount namespace because the other namespaces could be disabled in Kubernetes (e.g. HostNetwork, HostPID, HostIPC).
It can be tested by following the example in docs/special_filtering added in this commit. To avoid compiling locally, the following command can be used:
```
sudo bpftool map create /sys/fs/bpf/mnt_ns_set type hash key 8 value 4 \
        entries 128 name mnt_ns_set flags 0
docker run -ti --rm --privileged \
        -v /usr/src:/usr/src -v /lib/modules:/lib/modules \
        -v /sys/fs/bpf:/sys/fs/bpf --pid=host kinvolk/bcc:alban-containers-filters \
        /usr/share/bcc/tools/execsnoop --mntnsmap /sys/fs/bpf/mnt_ns_set
```
Co-authored-by: Alban Crequy <alban@kinvolk.io>
Co-authored-by: Mauricio Vásquez <mauricio@kinvolk.io>
|
| tools/capable_example.txt (diff) |
| tools/tcpaccept_example.txt (diff) |
| tools/tcpaccept.py (diff) |
| src/python/bcc/containers.py |
| man/man8/tcptracer.8 (diff) |
| tools/tcptop_example.txt (diff) |
| tools/capable.py (diff) |
| man/man8/tcpaccept.8 (diff) |
| man/man8/bindsnoop.8 (diff) |
| docs/special_filtering.md |
| tools/bindsnoop_example.txt (diff) |
| tools/tcpconnect_example.txt (diff) |
| man/man8/tcpconnect.8 (diff) |
| tools/opensnoop_example.txt (diff) |
| tools/tcptracer.py (diff) |
| man/man8/execsnoop.8 (diff) |
| man/man8/tcptop.8 (diff) |
| tools/tcptracer_example.txt (diff) |
| tools/execsnoop.py (diff) |
| tools/execsnoop_example.txt (diff) |
| tools/tcptop.py (diff) |
| tools/tcpconnect.py (diff) |
| tools/profile_example.txt (diff) |
| man/man8/capable.8 (diff) |
| man/man8/opensnoop.8 (diff) |
| man/man8/profile.8 (diff) |
| tools/profile.py (diff) |
| tools/bindsnoop.py (diff) |
| tools/opensnoop.py (diff) |
| docs/filtering_by_cgroups.md |
|
| docs/tutorial_bcc_python_developer.md (diff) |
Commit
a28337a7ebea6ce375fb2e976f0b3b61aa05e981
by yonghong-song
tool: trace process termination by default
The `sched_process_exit` tracepoint is called when a thread terminates. So exitsnoop shows a line for each thread termination if the process is a multi-threaded process. This is not useful when people want to know why a process terminates, not a thread.
So this changes the exitsnoop default behavior to trace process termination instead of thread termination, and adds a `--per-thread` option which behaves as the original exitsnoop implementation.
|
| man/man8/exitsnoop.8 (diff) |
| tools/exitsnoop.py (diff) |
| tools/exitsnoop_example.txt (diff) |
Commit
112f5291c63fe6160685160c552ae2b03deb3d1e
by yonghong-song
bcc: Error out when bpf_probe_read_user is not present
1. For architecture with overlapping address space, error out when bpf_probe_read_user is not available.
2. For arch with non overlapping address space, if bpf_probe_read_user is not available, bpf_probe_read_user is implicitly converted to bpf_probe_read.
3. Use bpf_probe_read_kernel instead of bpf_probe_read. When bpf_probe_read_kernel is not available, fall back to bpf_probe_read. If bpf_probe_read is not available, then bcc would fail anyways.
4. See kernel commit 0ebeea8ca8a4 ("bpf: Restrict bpf_probe_read{, str}() only to archs where they work")
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
|
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
Commit
7f6066d250efa138419c16c150ad8711d6528d29
by yonghong-song
bcc/tools: Replace bpf_probe_read with bpf_probe_read_kernel
It is recommended to use bpf_probe_read_kernel_{str} in the bpf tools. See kernel commit 0ebeea8ca8a4 ("bpf: Restrict bpf_probe_read{, str}() only to archs where they work")
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
|
| tools/filetop.py (diff) |
| tools/compactsnoop.py (diff) |
| tools/tcpaccept.py (diff) |
| tools/memleak.py (diff) |
| tools/bindsnoop.py (diff) |
| tools/opensnoop.py (diff) |
| tools/slabratetop.py (diff) |
| tools/bitesize.py (diff) |
| tools/fileslower.py (diff) |
| tools/tcptop.py (diff) |
| tools/tcpdrop.py (diff) |
| tools/tcplife.py (diff) |
| tools/biosnoop.py (diff) |
| tools/tcpconnect.py (diff) |
| tools/nfsslower.py (diff) |
| tools/solisten.py (diff) |
| tools/tcpretrans.py (diff) |
| tools/zfsslower.py (diff) |
| tools/btrfsslower.py (diff) |
| tests/python/test_clang.py (diff) |
| tools/tcptracer.py (diff) |
| tools/mdflush.py (diff) |
| tools/dcsnoop.py (diff) |
| tools/biosnoop.lua (diff) |
| tools/wakeuptime.py (diff) |
| src/cc/libbpf.c (diff) |
| tools/ext4slower.py (diff) |
| tools/filelife.py (diff) |
| tools/hardirqs.py (diff) |
| tools/killsnoop.py (diff) |
| tools/biolatency.py (diff) |
| tools/trace.py (diff) |
| tools/funcslower.py (diff) |
| tools/drsnoop.py (diff) |
| tools/argdist.py (diff) |
| tools/dbslower.py (diff) |
| tools/tcpconnlat.py (diff) |
| tools/tcpstates.py (diff) |
| tools/ttysnoop.py (diff) |
| tools/deadlock.c (diff) |
| tools/xfsslower.py (diff) |
| tools/sofdsnoop.py (diff) |
| tools/runqslower.py (diff) |
| tools/gethostlatency.py (diff) |
| tools/oomkill.py (diff) |
| tools/tcplife.lua (diff) |
Commit
747e0dd9f0e40ef0fd55291a42f79d4691c344dd
by yonghong-song
bcc: Fix user space probe reads with bpf_probe_read_user
User space probe reads should be performed using bpf_probe_read_user. Fix this in remaining places.
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
|
| examples/cpp/pyperf/PyPerfBPFProgram.cc (diff) |
| src/cc/usdt/usdt_args.cc (diff) |
| examples/usdt_sample/scripts/bpf_text_shared.c (diff) |
Commit
d9583813c07897fbbe99d475ab6beb445ae9ffe8
by yonghong-song
bcc/libbpf-tools: Replace bpf_probe_read with bpf_probe_read_kernel.
As kernel commit b8ebce86ffe6 ("libbpf: Provide CO-RE variants of PT_REGS macros") is introduced after bpf_probe_read_kernel changes, it is safe to use bpf_probe_read_kernel directly
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
|
| libbpf-tools/drsnoop.bpf.c (diff) |
| libbpf-tools/runqslower.bpf.c (diff) |
| libbpf-tools/xfsslower.bpf.c (diff) |
| libbpf-tools/filelife.bpf.c (diff) |
Commit
4a1313d179e9701469e1e5650b05ec332b85751f
by yonghong-song
bcc/libbpf-tools: Fix user probe read references
Replace bpf_probe_read_str with bpf_probe_read_user_str.
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
|
| libbpf-tools/opensnoop.bpf.c (diff) |
|
| docs/reference_guide.md (diff) |
| docs/tutorial_bcc_python_developer.md (diff) |
Commit
275abc9f3b7fb22ad1ac6a4188c807793b9c38bd
by yonghong-song
bcc: Check probe read availability and use macros
When bpf_probe_read_kernel is not available, then macros are defined at the prologue to replace bpf_probe_read_kernel with bpf_probe_read. This resolves the problem of test_probe_read3 failure in test_clang.py for #2919
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
|
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
Commit
0b2f4d0b981803ea8d8393ad2eec93c699e59df1
by yonghong-song
bcc: Remove bpf_probe_read_user availability checks on compile time
If wrong kernel-headers are installed, then this can provide a false result for probe read selection. Instead look for only kallsyms.
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
|
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
|
| src/cc/frontends/b/lexer.h (diff) |
|
| tools/killsnoop.py (diff) |
|
| tools/killsnoop_example.txt (diff) |
| man/man8/killsnoop.8 (diff) |
|
| tools/killsnoop_example.txt (diff) |
|
| tools/killsnoop.py (diff) |
Commit
30d897563bd116451f41230712aad2b952eda7d0
by yonghong-song
return failure if rewriter cannot rewrite properly
Fix issue #537.
The bcc rewriter does not have enough information to do proper rewriting from:
  #define PKT_LEN_ADD 1
  ip->tlen += PKT_LEN_ADD;
to
  bpf_dins_pkt(skb, (u64)ip+2, 0, 16, PKT_LEN_ADD);
So instead of generating incorrect code which caused a compilation error, let's return an error earlier with helper comments so users know what to do. With this patch, we will have
  /virtual/main.c:20:17: error: cannot have macro at the end of expresssion, workaround: put perentheses around macro "(MARCO)"
      ip->tlen += PKT_LEN_ADD;
                  ^
|
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
Commit
82abd2f2680e5c8c86c8cfcab02cc8c68915c599
by yonghong-song
Allow to specify kernel include dirs
It's sometimes convenient to use other kernel headers; now it's possible with the new KERNEL_INCLUDE_DIRS build variable, like:
  $ cd <kernel-dir>
  $ make INSTALL_HDR_PATH=/tmp/headers headers_install
  $ cd <bcc-dir>
  $ cmake -DKERNEL_INCLUDE_DIRS=/tmp/headers/include/ ...
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
|
| CMakeLists.txt (diff) |
Commit
d0074783b6f56ed195f378a581726098ab87fe98
by yonghong-song
Adding support to load lsm programs
Adding the 'lsm__' prefix check for loaded program and set BPF_LSM_MAC as expected_attach_type if the program name matches.
This way we can load LSM programs via bcc interface.
The program attach can be done by existing kfunc API:
  bpf_attach_kfunc
  bpf_detach_kfunc
It will be used in an upcoming bpftrace change that adds lsm probes.
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
|
| src/cc/libbpf.c (diff) |
| src/cc/export/helpers.h (diff) |
| src/python/bcc/__init__.py (diff) |
| tests/python/test_clang.py (diff) |
Commit
5558e36bd97ace7bc3efe3a70d0c9d4fc0d34e2a
by yonghong-song
Make reading blacklist from debugfs optional
With lockdown enabled one sees the following:
```
$ sudo /usr/share/bcc/tools/funccount -Ti 1 run_timer_softirq
[Errno 1] Operation not permitted: '/sys/kernel/debug/tracing/../kprobes/blacklist'
```
Which is accompanied by the following in `dmesg`:
```
[Fri May 29 22:12:47 2020] Lockdown: funccount: debugfs access is restricted; see man kernel_lockdown.7
```
Since blacklist is not a required feature, let's make reading from it optional, so that bcc can work out of the box.
|
| src/python/bcc/__init__.py (diff) |
Commit
b20f5e741f086bf37b19365566b01b5bf6fa251e
by noreply
offwaketime: Add support for --state (#2940)
Since offwaketime is really an amalgamation of offcputime and wakeuptime there is no reason why it shouldn't support the --state argument of the former.
Co-authored-by: Nikolay Borisov <nborisov@suse.com>
|
| tools/offwaketime_example.txt (diff) |
| man/man8/offwaketime.8 (diff) |
| tools/offwaketime.py (diff) |
Commit
f3fbeb46cb5264d324e60882bd97977ad3dc00d5
by noreply
libbpf-tools: convert BCC syscount to BPF CO-RE version
Add a new libbpf-based tool, syscount, and add some helpers which may be used by other tools. Namely,
* syscall_helpers.{c,h}: convert system call numbers to names
* errno_helpers.{c,h}: convert errno names to numbers
The helpers contain pre-generated tables for x86_64 (which will be outdated at some point, so they need to be updated on demand), but for other architectures they require additional tools: syscall helpers require the ausyscall(1) tool, and errno helpers require the errno(1) utility from the moreutils package. So, if you run on non-x86_64, then either install these tools, or use numeric values.
If possible, use the bpf_map_lookup_and_delete_batch function to read and reset values in the data map. This is a raceless way to obtain all values. If the function is not available, e.g., for old kernels, then fall back to the old version which can lose some syscalls (happened between reading values and resetting them).
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
|
| libbpf-tools/drsnoop.c (diff) |
| libbpf-tools/syscount.h |
| libbpf-tools/syscount.c |
| libbpf-tools/.gitignore (diff) |
| libbpf-tools/Makefile (diff) |
| libbpf-tools/errno_helpers.c |
| libbpf-tools/syscount.bpf.c |
| libbpf-tools/errno_helpers.h |
| libbpf-tools/filelife.c (diff) |
| libbpf-tools/syscall_helpers.c |
| libbpf-tools/xfsslower.c (diff) |
| libbpf-tools/syscall_helpers.h |
|
| README.md (diff) |
| man/man8/funcinterval.8 |
| tools/funcinterval_example.txt |
| tools/funcinterval.py |
|
| libbpf-tools/Makefile (diff) |
| libbpf-tools/cpudist.bpf.c |
| libbpf-tools/cpudist.h |
| libbpf-tools/trace_helpers.c (diff) |
| libbpf-tools/.gitignore (diff) |
| libbpf-tools/cpudist.c |
| libbpf-tools/trace_helpers.h (diff) |
Commit
da0d82cc11d56d12a383f5c670281bfa61ca2ad7
by yonghong-song
silence a python travis-ci warning
The travis-ci flags a python warning:
  $ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
  ./tools/biolatpcts.py:123:5: F821 undefined name 'die'
      die()
      ^
  1     F821 undefined name 'die'
Let us fix it with proper error message and then exit().
Signed-off-by: Yonghong Song <yhs@fb.com>
|
| tools/biolatpcts.py (diff) |
Commit
5fed2a94da19501c3088161db0c412b5623050ca
by yonghong-song
Docker: add kmod dependency to docker container
modprobe and rmmod are used to load the kheaders module as a last option when kernel headers are not found. The modprobe command is missing in the docker image and scripts are failing:
  $ /usr/share/bcc/tools/execsnoop --mntnsmap /sys/fs/bpf/mnt_ns_set
  sh: 1: modprobe: not found
  Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module)
  ...
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
|
| Dockerfile.ubuntu (diff) |
Commit
8319d52dc8834daa0766f61487f75ed3c3c731fe
by yonghong-song
turn off x86 jump table optimization during jit compilation
Jump table optimization tries to optimize switch statements into an array access. But such optimization will place certain information, acting as the array, in the read-only section. Currently, bcc does not support the read-only section, so jump table optimized code will fail during kernel verification. This is what happened to biolatpcts.py in my environment with latest llvm.
  -bash-4.4$ sudo ./biolatpcts.py console
  bpf: Failed to load program: Invalid argument
  unknown opcode 60
  processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

  HINT: The 'unknown opcode' can happen if you reference a global or static variable, or data in read-only section. For example, 'char *p = "hello"' will result in p referencing a read-only section, and 'char p[] = "hello"' will have "hello" stored on the stack.
This patch disabled jump table optimization on x64. The jump table optimization is guarded for llvm version 4 and above. We can disable jump table on other architectures if needed. A test case, developed based on the biolatpcts.py tool, is added to ensure it passes the verifier.
Signed-off-by: Yonghong Song <yhs@fb.com>
|
| tests/python/test_clang.py (diff) |
| src/cc/frontends/clang/loader.cc (diff) |
|
| tools/runqslower.py (diff) |
Commit
126054e829e7c6ed342f8719818490bc093f851a
by yonghong-song
usdt: Add helpers to set semaphore values
While debugging a high memory consumption issue in bpftrace, I noticed that a USDT::Context object can take ~10M per instance [0]. Along with the new --usdt-file-activation feature in bpftrace ( https://github.com/iovisor/bpftrace/pull/1317 ), bpftrace can potentially hold onto many dozens of USDT::Context instances, causing memory issues.
While reducing the amount of memory USDT::Context uses is one option, we can potentially side step it by allowing the usdt semaphore count to be set independently. Before, the only way to increment the count (by 1) is to call bcc_usdt_enable*(). bcc_usdt_enable*() has checks that limit it to a single increment per context. The only way to decrement the count is by calling bcc_usdt_close() which naturally only allows for one decrement.
With independent semaphore helpers, we can avoid holding onto a USDT::Context instance for the lifetime of the tracing session. We can simply:
1. create a USDT::Context
2. increment the semaphore count for the probe we care about
3. destroy the USDT::Context
4. repeat 1-3 for all probes we want to attach to
5. do our tracing
6. create a USDT::Context for the probe we care about
7. decrement the semaphore count
8. destroy the USDT::Context
9. repeat 6-8 for all the probes we're attached to
This approach also has the benefit of 1 USDT::Context instance being alive at a time which can help keep memory high watermark low.
[0]: Through gdb single stepping and /proc/pid/status. Exact process is not described here b/c memory usage probably varies based on tracee binary.
|
| src/cc/usdt.h (diff) |
| src/cc/usdt/usdt.cc (diff) |
| src/cc/bcc_usdt.h (diff) |
Commit
0bcf2388ce19271c98512d04f719f9efb1c87d39
by yonghong-song
usdt: Have Context::addsem_probe() nop if pid not specified
This makes bcc_usdt_addsem*() more consistent with the bcc_usdt_enable*() interface where if a USDT::Context was not constructed with a pid the semaphore enablement nops.
|
| src/cc/usdt/usdt.cc (diff) |
Commit
263411be9805502bc7e4daaf0ce6cea90884aa38
by noreply
Add support for multiple PID/TID for offwaketime (#2951)
Instead of filtering on a single process allow up to 5 pid/tgid to be used for filtering. The limit of 5 is arbitrary and can be increased should the need arise. Also remove unnecessary thread_context variable.
Co-authored-by: Nikolay Borisov <nborisov@suse.com>
|
| tools/offwaketime.py (diff) |
| tools/offwaketime_example.txt (diff) |
| man/man8/offwaketime.8 (diff) |
|
| src/python/bcc/__init__.py (diff) |
|
| tools/opensnoop.py (diff) |
|
| libbpf-tools/execsnoop.h (diff) |
| libbpf-tools/filelife.h (diff) |
| libbpf-tools/drsnoop.c (diff) |
| libbpf-tools/filelife.c (diff) |
| libbpf-tools/execsnoop.c (diff) |
| libbpf-tools/runqslower.c (diff) |
| libbpf-tools/cpudist.c (diff) |
| libbpf-tools/trace_helpers.c (diff) |
| libbpf-tools/vfsstat.c (diff) |
| libbpf-tools/xfsslower.c (diff) |
| libbpf-tools/opensnoop.c (diff) |
| libbpf-tools/trace_helpers.h (diff) |
| libbpf-tools/syscount.c (diff) |
Commit
4440a4db2e3fdb5277c2ad283504ea3504b43ecf
by jmarchan
deadlock: print a more explicit message when pthread_mutex_unlock can't be attached
Most likely, this happens because of a missing --binary argument. Let's be friendly to our user and print a more useful message.
|
| tools/deadlock.py (diff) |
|
| man/man8/tcpconnect.8 (diff) |
Commit
7830947fad1e0a9e2c723e7cb800af9d7e5b8e77
by jmarchan
loader: suggest to install the right kernel devel package
Unfortunately, some package dependency systems do not allow making sure that the kernel development package installed is the same version as the running kernel. When this happens, the loader, unable to find the kernel header, will suggest rebuilding the kernel with CONFIG_IKHEADERS. For most users, this is probably not an option, but installing the kernel development package corresponding to the running kernel version is.
|
| src/cc/frontends/clang/loader.cc (diff) |
Commit
c9805f44bfe491a6fbbc34a06d0432a5ae3e8c20
by yonghong-song
tools: fix a python 3 map issue in dbstat and dbslower
In python 3, map returns an iterator and not a list anymore. This patch casts the map into a list. It fixes the following error:
  $ /usr/share/bcc/tools/dbstat mysql
  Traceback (most recent call last):
    File "/usr/share/bcc/tools/dbstat", line 95, in <module>
      bpf = BPF(text=program, usdt_contexts=usdts)
    File "/usr/lib/python3.6/site-packages/bcc/__init__.py", line 339, in __init__
      ctx_array = (ct.c_void_p * len(usdt_contexts))()
  TypeError: object of type 'map' has no len()
|
| tools/dbslower.py (diff) |
| tools/dbstat.py (diff) |
|
| docs/reference_guide.md (diff) |
|
| docs/tutorial_bcc_python_developer.md (diff) |
| examples/tracing/sync_timing.py (diff) |
Commit
10603c7123c4b2157190151b63ea846c04c76037
by yonghong-song
dbstat: fix overflowing timestamp
The current default value of interval (99999999999) in dbstat is too high to be used in the sleep() function in python 3. I couldn't find an authoritative source on the issue, but it seems the max value is 2^63/10^9 (9223372036). Anyway, 99999999 is the de facto standard for a very big number here, so just use that. It's over 3 years, that should be enough.
For consistency, I also change a couple of values in klockstat even though they didn't overflow.
It fixes the following error:
$ dbstat mysql
Tracing database queries for pids slower than 0 ms...
Traceback (most recent call last):
  File "./dbstat", line 112, in <module>
    sleep(args.interval)
OverflowError: timestamp too large to convert to C _PyTime_t
|
| tools/klockstat.py (diff) |
| tools/dbstat.py (diff) |
|
| INSTALL.md (diff) |
|
| src/cc/export/helpers.h (diff) |
| src/cc/libbpf (diff) |
| introspection/bps.c (diff) |
| src/cc/libbpf.c (diff) |
| src/cc/compat/linux/virtual_bpf.h (diff) |
| docs/kernel-versions.md (diff) |
|
| src/cc/frontends/clang/kbuild_helper.cc (diff) |
|
| tools/tcpstates.py (diff) |
| examples/networking/xdp/xdp_macswap_count.py (diff) |
| examples/networking/xdp/xdp_redirect_map.py (diff) |
| examples/networking/xdp/xdp_redirect_cpu.py (diff) |
| tests/python/test_clang.py (diff) |
| tools/tcplife.py (diff) |
| examples/networking/xdp/xdp_drop_count.py (diff) |
| examples/tracing/nflatency.py (diff) |
| tools/tcplife.lua (diff) |
|
| src/cc/libbpf (diff) |
| src/cc/compat/linux/virtual_bpf.h (diff) |
|
| src/cc/api/BPFTable.cc (diff) |
Commit
f438bffe0331d482fac57899fdd68411c4aca693
by yonghong-song
fix LSM_PROBE return value
Fix issue #2976. The LSM_PROBE program return value is fixed with value 0. This is not correct. The return value is meaningful for LSM_PROBE programs. Return proper value provided by the bpf program itself.
Signed-off-by: Yonghong Song <yhs@fb.com>
|
| src/cc/export/helpers.h (diff) |
Commit
9b82af3ef53bbae76d9f09f403b58975995aa900
by noreply
API improvements for BPF LSM programs (#2979)
* Enhanced support for LSM programs
- added explicit libbcc support for LSM programs
- added bcc helpers to attach LSM programs
- added bcc helper to indicate kernel support for LSM programs
- added LSM programs to __trace_autoload hook
- removed (now) unnecessary load_func from LSM unit test
- Remove detach_kfunc
Signed-off-by: William Findlay <william@williamfindlay.com>
|
| src/cc/libbpf.c (diff) |
| src/python/bcc/__init__.py (diff) |
| tests/python/test_clang.py (diff) |
| src/python/bcc/libbcc.py (diff) |
| src/cc/libbpf.h (diff) |
|
| docs/reference_guide.md (diff) |
|
| debian/changelog (diff) |
Commit
05f3f8668481cf975cbf89338e0db7d411ef1432
by yonghong-song
libbpf-tools: remove unnecessary header include from syscount.bpf.c
It causes build failure on my system due to trying to include GCC-specific header. It doesn't seem to be necessary, though, so remove it.
Signed-off-by: Andrii Nakryiko <andriin@fb.com>
|
| libbpf-tools/syscount.bpf.c (diff) |
|
| src/python/bcc/__init__.py (diff) |
Commit
f579bf8d60c804084888c12ecb621d74a86815aa
by yonghong-song
bpf: use bpf_probe_read in implicitly generated kernel mem read
Currently, bcc rewriter uses bpf_probe_read_kernel() for implicitly specified kernel memory read. This is not totally correct. Some user memory in kernel data structure may be accessed. bpf_probe_read_kernel() may fail with later kernels. Let us revert back to old bpf_probe_read().
|
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
|
| docs/kernel-versions.md (diff) |
| src/cc/libbpf.c (diff) |
|
| libbpf-tools/.gitignore (diff) |
| libbpf-tools/bitesize.bpf.c |
| libbpf-tools/Makefile (diff) |
| libbpf-tools/bits.bpf.h |
| libbpf-tools/bitesize.c |
| libbpf-tools/cpudist.bpf.c (diff) |
| libbpf-tools/bitesize.h |
|
| tools/profile.py (diff) |
|
| tools/vfsstat.py (diff) |
Commit
fe730f29f14bef8b5ffe1112c578df876c44d22d
by noreply
Ringbuf Support for Python API (#2989)
This pull request contains an implementation for ringbuf support in bcc's Python API.
Fixes #2985.
More specifically, the following are added:
- ringbuf helpers from libbpf API to libbcc
- a new RingBuf class to represent the ringbuf map
- BPF_RINGBUF_OUTPUT macro for BPF programs
- tests
- detailed documentation and examples
|
| src/cc/libbpf.c (diff) |
| tests/python/CMakeLists.txt (diff) |
| docs/reference_guide.md (diff) |
| src/python/bcc/__init__.py (diff) |
| tests/python/test_ringbuf.py |
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
| src/python/bcc/libbcc.py (diff) |
| src/cc/libbpf.h (diff) |
| src/python/bcc/table.py (diff) |
| examples/ringbuf/ringbuf_submit.py |
| src/cc/export/helpers.h (diff) |
| examples/ringbuf/ringbuf_output.py |
Commit
fbde62b089fd7bd7818fa4b4e36f89e9b49883f9
by yonghong-song
Introducing Queue/Stack helpers and clang frontend
This commit aims to introduce helpers to declare Queue/Stack maps. I have supported also the creation of shared/public/pinned ones, as for the "traditional" tables. In clang frontend I have added both declaration of maps type/queue, type/stack and all the operations supported so far by these new maps (push/pop/peek).
Possible declarations introduced:
* BPF_QUEUESTACK(<"queue"/"stack">, <name>, <leaf_type>, <max_entries>, <flags>)
* BPF_QUEUESTACK_SHARED(...)
* BPF_QUEUESTACK_PINNED(...)
* BPF_QUEUESTACK_PUBLIC(...)
* BPF_QUEUE(<name>, <leaf_type>, <max_entries>)
* BPF_QUEUE(<name>, <leaf_type>, <max_entries>, <flags>)
* BPF_STACK(<name>, <leaf_type>, <max_entries>)
* BPF_STACK(<name>, <leaf_type>, <max_entries>, <flags>)
Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
Co-authored-by: Sebastiano Miano <sebastiano.miano@polito.it>
|
| src/cc/export/helpers.h (diff) |
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
Commit
30a420d70457555b92b8e5f555e58cf79d70ab23
by yonghong-song
add BPFQueueStackTable and tests
This commit aims to introduce a new abstraction for these new map types: BPFQueueStackTableBase. As all the allowed operations on these map types are different from the "traditional" ones, I thought to introduce a new abstraction, following the already used programming style (template classes and utility func). Moreover, I had to update libbpf.h/c to insert the new bpf_map_lookup_and_delete_elem(), used when calling "pop()"
Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
|
| tests/cc/test_queuestack_table.cc |
| tests/cc/CMakeLists.txt (diff) |
| src/cc/libbpf.c (diff) |
| src/cc/api/BPFTable.h (diff) |
| src/cc/libbpf.h (diff) |
| src/cc/api/BPF.h (diff) |
|
| src/cc/export/helpers.h (diff) |
| docs/kernel-versions.md (diff) |
| src/cc/compat/linux/virtual_bpf.h (diff) |
| src/cc/libbpf.c (diff) |
| src/cc/libbpf (diff) |
|
| tools/memleak.py (diff) |
Commit
fc20957bdf266ce3468a53e7d6b071d717c612d0
by yonghong-song
Fix symfs symbol resolution
Paths that are passed to find_debug_via_symfs often start with /proc/PID/root/ prefix which is followed by actual path. This breaks symfs symbol resolution. Symfs directory usually does not contain proc subdirectory and subdirectories for each pid.
Here are examples of stack traces I got when tracing dlopen on Android before:
```
7acc558ef8 dlopen+0 (/system/lib64/libdl.so)
7a2222f988 EglThreadState::GetProcAddress(char const*)+64 (/vendor/lib64/egl/libGLESv2_adreno.so)
7ac8e3ecbc eglGetProcAddress+540 (/system/lib64/libEGL.so)
7acb824a58 GrGLMakeAssembledGLESInterface(void*, void (* ()(void, char const*))())+8136 (/system/lib64/libhwui.so)
7acb83a9b0 GrGLCreateNativeInterface()+48 (/system/lib64/libhwui.so)
7acb63443c 0x7acb63443c ([unknown])
7acb9cd33c 0x7acb9cd33c ([unknown])
7acb9cdd70 0x7acb9cdd70 ([unknown])
7acb9c7f20 0x7acb9c7f20 ([unknown])
7acb9cbcc8 0x7acb9cbcc8 ([unknown])
7acb98348c 0x7acb98348c ([unknown])
7acb65da30 0x7acb65da30 ([unknown])
7aca096b84 android::Thread::_threadLoop(void*)+284 (/system/lib64/libutils.so)
7acc2c6288 __pthread_start(void*)+40 (/system/lib64/libc.so)
7acc266500 __start_thread+72 (/system/lib64/libc.so)
```
and after:
```
7acc558ef8 dlopen+0 (/system/lib64/libdl.so)
7a23a2d988 EglThreadState::GetProcAddress(char const*)+64 (/vendor/lib64/egl/libGLESv2_adreno.so)
7ac8e3ecbc eglGetProcAddress+540 (/system/lib64/libEGL.so)
7acb824a58 0x7acb824a58 ([unknown])
7acb83a9b0 GrGLCreateNativeInterface()+48 (/system/lib64/libhwui.so)
7acb63443c android::uirenderer::debug::GlesDriver::getSkiaInterface()+20 (/system/lib64/libhwui.so)
7acb9cd33c android::uirenderer::renderthread::EglManager::initialize()+700 (/system/lib64/libhwui.so)
7acb9cdd70 android::uirenderer::renderthread::EglManager::createSurface(ANativeWindow*, bool)+48 (/system/lib64/libhwui.so)
7acb9c7f20 android::uirenderer::skiapipeline::SkiaOpenGLPipeline::setSurface(android::Surface*, android::uirenderer::renderthread::SwapBehavior, android::uirenderer::renderthread::ColorMode)+88 (/system/lib64/libhwui.so)
7acb9cbcc8 android::uirenderer::renderthread::CanvasContext::setSurface(android::sp<android::Surface>&&)+88 (/system/lib64/libhwui.so)
7acb98348c android::uirenderer::WorkQueue::process()+172 (/system/lib64/libhwui.so)
7acb65da30 0x7acb65da30 ([unknown])
7aca096b84 android::Thread::_threadLoop(void*)+284 (/system/lib64/libutils.so)
7acc2c6288 __pthread_start(void*)+40 (/system/lib64/libc.so)
7acc266500 __start_thread+72 (/system/lib64/libc.so)
```
|
| src/cc/bcc_elf.c (diff) |
|
| docs/kernel-versions.md (diff) |
|
| docs/kernel-versions.md (diff) |
|
| docs/kernel-versions.md (diff) |
|
| tools/sslsniff.py (diff) |
|
| tools/sslsniff.py (diff) |
|
| tools/sslsniff_example.txt (diff) |
| tools/sslsniff.py (diff) |
| man/man8/sslsniff.8 (diff) |
|
| tools/sslsniff_example.txt (diff) |
|
| INSTALL.md (diff) |
Commit
95c9229ea9f029a1b9e8dcbe86fc67f037c0dfa2
by yonghong-song
Replace kprobe function "blk_account_io_completion" to "blk_account_io_done" for kernel version >= 5.8.0
The kernel function "blk_account_io_completion" is not available anymore as attach point of Kprobe as of kernel version 5.8.0. Therefore, after discussions, we decided to use function "blk_account_io_done" instead in every kprobe attachment to "blk_account_io_completion".
|
| docs/reference_guide.md (diff) |
| tools/biosnoop.py (diff) |
| tools/biosnoop.lua (diff) |
| tools/old/biosnoop.py (diff) |
| docs/tutorial_bcc_python_developer.md (diff) |
| tools/biotop.py (diff) |
| examples/tracing/bitehist.py (diff) |
| examples/tracing/disksnoop.py (diff) |
| examples/lua/kprobe-latency.lua (diff) |
Commit
cd81f13c1ff96927d6e4fffd6a5d9fb0cd354c08
by yonghong-song
memleak: Add workaround to alleviate misjudgments when free is missing
Profiling in memory part is hard to be accurate because of BPF infrastructure. memleak keeps misjudging memory leak on the complicated environment which has the action of free in hard/soft irq.
For example, in my misjudged case:
640 bytes in 10 allocations from stack
  -- __kmalloc+0x178 [kernel]
  __kmalloc+0x178 [kernel]
  xhci_urb_enqueue+0x140 [kernel]
  usb_hcd_submit_urb+0x5e0 [kernel]
This result looks like kernel doesn't free urb_priv. However, it's not true. The reason for this leak is because xhci hw irq interrupts during the BPF program. BPF program is not finished on that CPU, and xhci_irq() will call xhci_urb_free_priv() before the end. But the kernel doesn't permit this isr to go into BPF program again. Because BPF infrastructure(trace_call_bpf) denied this action. So we miss this free action and cause memory leak misjudgment.
Side-effect:
- Increase overhead for each memory allocation.
- A higher chance to be interrupted at the allocation part causes more allocations to be ignored.
This workaround doesn't solve all misjudgments, the improvement in BPF infrastructure is the only solution.
|
| tools/memleak_example.txt (diff) |
| man/man8/memleak.8 (diff) |
| tools/memleak.py (diff) |
|
| src/cc/export/helpers.h (diff) |
| docs/kernel-versions.md (diff) |
| src/cc/compat/linux/virtual_bpf.h (diff) |
| src/cc/libbpf (diff) |
| src/cc/libbpf.c (diff) |
Commit
57d10f5b4ed4c27b789cc72292e16daa1e1f9e7a
by a.s.protopopov
libbpf-tools: add header to store BPF-side map helpers
Add a new header kern_map_helpers.h to store BPF-side map helpers which may be used from different programs. At the moment it contains the bpf_map_lookup_or_try_init helper.
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
|
| libbpf-tools/maps.bpf.h |
| libbpf-tools/syscount.bpf.c (diff) |
|
| libbpf-tools/syscount.c (diff) |
Commit
3ef753186420e39e8b9c97d5eb2af7c991339dd7
by a.s.protopopov
libbpf-tools: convert BCC tcpconnect to BPF CO-RE version
Add a new libbpf-based tool, tcpconnect, and add some helpers which may be used by other tools. Namely, user_map_helpers.{c,h} files implement a function dump_hash() which uses map_batch_lookup (if possible) to read entire hash maps to user space.
The tcpconnect acts as the original BCC tool except that --cgroupmap and --mntnsmap options are not implemented, yet.
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
|
| libbpf-tools/Makefile (diff) |
| libbpf-tools/tcpconnect.h |
| libbpf-tools/map_helpers.h |
| libbpf-tools/.gitignore (diff) |
| libbpf-tools/map_helpers.c |
| libbpf-tools/tcpconnect.c |
| libbpf-tools/tcpconnect.bpf.c |
|
| src/python/bcc/libbcc.py (diff) |
| src/python/bcc/perf.py (diff) |
|
| tests/python/test_queuestack.py |
| docs/reference_guide.md (diff) |
| src/python/bcc/table.py (diff) |
| src/python/bcc/__init__.py (diff) |
| tests/python/CMakeLists.txt (diff) |
Commit
1abab9bd2b68a389db704848c3b9fbb03f8e0c02
by yonghong-song
use bpf_probe_read_kernel for implicit kernel mem read on s390
Commit f579bf8d60c8 ("bpf: use bpf_probe_read in implicitly generated kernel mem read") unconditionally uses bpf_probe_read() for implicit kernel memory read in bpf programs.
This won't work for s390 with recent kernels since s390 has overlapping user/kernel addresses and bpf_probe_read() is not available any more.
This patch partially reverted Commit f579bf8d60c8 such that for s390, bpf_probe_read_kernel() will be used while for other architectures bpf_probe_read() is used.
Signed-off-by: Yonghong Song <yhs@fb.com>
|
| src/cc/frontends/clang/b_frontend_action.h (diff) |
| src/cc/frontends/clang/b_frontend_action.cc (diff) |
Commit
d3a102d5d1029438ec7a1a5450095362f3b56fc1
by yonghong-song
fix cc queue/stack test kernel version
This commit fixes the Kernel version check in test_queuestack_table.cc. The correct one, as discussed in #3013, is 4.20 (not 5.0).
Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
|
| tests/cc/test_queuestack_table.cc (diff) |
Commit
4efe7fe3e81a65ca4d2cf6eec8055125ca3018f9
by yonghong-song
fix debug file lookup in bcc_elf_symbol_str
Logic for looking up debug file in bcc_elf_symbol_str and foreach_sym_core differs. This commit factors out relevant code from foreach_sym_core and reuses it in bcc_elf_symbol_str.
|
| src/cc/bcc_elf.c (diff) |
Commit
316b404c28744fd106b3b37cc216693d143a7a2d
by yonghong-song
update reference_guide for implicit kmem access rewriting
Update the reference_guide to spell out for implicit kernel memory access, when rewriter uses bpf_probe_read() (for non-s390) and when using bpf_probe_read_kernel() (for s390).
Signed-off-by: Yonghong Song <yhs@fb.com>
|
| docs/reference_guide.md (diff) |
|
| libbpf-tools/.gitignore (diff) |
| libbpf-tools/biolatency.bpf.c |
| libbpf-tools/Makefile (diff) |
| libbpf-tools/biolatency.h |
| libbpf-tools/blk_types.h |
| libbpf-tools/biolatency.c |