25 Aug, 2020

1 commit

  • For the problem of increasing fragmentation of the bpf loader programs,
    instead of using bpf_loader.o, which is used in samples/bpf, this
commit refactors the existing kprobe tracing programs with libbpf
    bpf loader.

    - For kprobe events pointing to system calls, the SYSCALL() macro in
    trace_common.h was used.
    - Adding a kprobe event and attaching a bpf program to it was done
    through bpf_program_attach().
    - Instead of using the existing BPF MAP definition, MAP definition
    has been refactored with the new BTF-defined MAP format.

    Signed-off-by: Daniel T. Lee
    Signed-off-by: Alexei Starovoitov
    Link: https://lore.kernel.org/bpf/20200823085334.9413-3-danieltimlee@gmail.com

    Daniel T. Lee

08 Jul, 2020

1 commit

  • Currently, BPF programs with kprobe/sys_connect do not work properly.

    Commit 34745aed515c ("samples/bpf: fix kprobe attachment issue on x64")
    modifies the bpf_load behavior of kprobe events in the x64
    architecture. If the current kprobe event target starts with "sys_*",
    it adds the prefix "__x64_" to the front of the event.

    Appending "__x64_" prefix with kprobe/sys_* event was appropriate as a
    solution to most of the problems caused by the commit below.

    commit d5a00528b58c ("syscalls/core, syscalls/x86: Rename struct
    pt_regs-based sys_*() to __x64_sys_*()")

    However, there is a problem with the sys_connect kprobe event that does
    not work properly. For __sys_connect event, parameters can be fetched
    normally, but for __x64_sys_connect, parameters cannot be fetched.

    ffffffff818d3520 :
    ffffffff818d3520: e8 fb df 32 00 callq 0xffffffff81c01520

    ffffffff818d3525: 48 8b 57 60 movq 96(%rdi), %rdx
    ffffffff818d3529: 48 8b 77 68 movq 104(%rdi), %rsi
    ffffffff818d352d: 48 8b 7f 70 movq 112(%rdi), %rdi
    ffffffff818d3531: e8 1a ff ff ff callq 0xffffffff818d3450

    ffffffff818d3536: 48 98 cltq
    ffffffff818d3538: c3 retq
    ffffffff818d3539: 0f 1f 80 00 00 00 00 nopl (%rax)

    As the assembly code for __x64_sys_connect shows, parameters should be
    fetched and set into rdi, rsi, rdx registers prior to calling
    __sys_connect.

    Because of this problem, this commit fixes the sys_connect event by
    first getting the value of the rdi register and then the value of the
    rdi, rsi, and rdx register through an offset based on that value.

    Fixes: 34745aed515c ("samples/bpf: fix kprobe attachment issue on x64")
    Signed-off-by: Daniel T. Lee
    Signed-off-by: Daniel Borkmann
    Acked-by: Andrii Nakryiko
    Link: https://lore.kernel.org/bpf/20200707184855.30968-2-danieltimlee@gmail.com

    Daniel T. Lee
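
    The register indirection described in the commit above, as an added
    userspace model (not code from the commit or from samples/bpf): on
    x86-64 with syscall wrappers, a kprobe on __x64_sys_connect sees a
    struct pt_regs whose rdi is a pointer to the user register frame, so
    the real fd, uservaddr and addrlen have to be read from that inner
    frame at the offsets the disassembly shows (112, 104 and 96 from rdi).
    bpf_probe_read_kernel() is replaced by a memcpy stand-in, the register
    frames are constructed, and the field layout is checked against those
    offsets with static assertions.

```c
/* Added example: userspace model of reading syscall parameters from a
 * kprobe on __x64_sys_connect. Not part of the commit or of samples/bpf. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* x86-64 struct pt_regs field order (arch/x86/include/asm/ptrace.h). */
struct pt_regs {
    unsigned long r15, r14, r13, r12, bp, bx, r11, r10, r9, r8;
    unsigned long ax, cx, dx, si, di;
    unsigned long orig_ax, ip, cs, flags, sp, ss;
};

/* The disassembly reads dx/si/di from 96/104/112(%rdi); verify the layout. */
_Static_assert(offsetof(struct pt_regs, dx) == 96, "dx offset");
_Static_assert(offsetof(struct pt_regs, si) == 104, "si offset");
_Static_assert(offsetof(struct pt_regs, di) == 112, "di offset");

/* Stand-in for the bpf_probe_read_kernel() helper: bounded copy, 0 on success. */
static int probe_read(void *dst, size_t size, const void *src)
{
    if (!src)
        return -14; /* -EFAULT */
    memcpy(dst, src, size);
    return 0;
}

struct connect_args { unsigned long fd, uservaddr, addrlen; };

/* Naive reading (what breaks on __x64_sys_connect): treat the wrapper's own
 * di/si/dx as the syscall parameters. di is really a pointer to pt_regs. */
static struct connect_args read_args_naive(const struct pt_regs *ctx)
{
    struct connect_args a = { ctx->di, ctx->si, ctx->dx };
    return a;
}

/* Wrapper-aware reading (the approach of the fix): copy the inner frame that
 * ctx->di points to, then take di/si/dx from that copy. */
static int read_args_wrapper(const struct pt_regs *ctx, struct connect_args *out)
{
    struct pt_regs inner;
    const struct pt_regs *inner_p = (const struct pt_regs *)(uintptr_t)ctx->di;
    int err = probe_read(&inner, sizeof(inner), inner_p);
    if (err)
        return err;
    out->fd = inner.di;
    out->uservaddr = inner.si;
    out->addrlen = inner.dx;
    return 0;
}

/* Constructed frames as the kprobe would see them: the user frame holds
 * connect(3, sockaddr, 16); the wrapper frame carries only a pointer to it. */
static void make_frames(struct pt_regs *user, struct pt_regs *wrapper)
{
    memset(user, 0, sizeof(*user));
    memset(wrapper, 0, sizeof(*wrapper));
    user->orig_ax = 42;                 /* __NR_connect on x86-64 */
    user->di = 3;                       /* fd */
    user->si = 0x7ffc0000deadUL;        /* constructed user sockaddr pointer */
    user->dx = 16;                      /* addrlen */
    wrapper->di = (unsigned long)(uintptr_t)user;
}

/* Returns 1 when the wrapper-aware read recovers the real parameters and the
 * naive read yields the frame pointer instead of the fd. */
static int check_frames(void)
{
    struct pt_regs user, wrapper;
    struct connect_args naive, fixed;
    make_frames(&user, &wrapper);
    naive = read_args_naive(&wrapper);
    if (read_args_wrapper(&wrapper, &fixed) != 0)
        return 0;
    return naive.fd == (unsigned long)(uintptr_t)&user &&
           fixed.fd == 3 && fixed.uservaddr == 0x7ffc0000deadUL && fixed.addrlen == 16;
}

int main(void)
{
    printf("wrapper-aware read matches expected parameters: %s\n",
           check_frames() ? "yes" : "no");
    return check_frames() ? 0 : 1;
}
```

    The same two-level read is what a real BPF program does with
    PT_REGS_PARM1(ctx) followed by bpf_probe_read_kernel() on the inner
    frame; the static assertions are the quickest way to confirm that the
    offsets in a disassembly really are pt_regs fields before trusting them.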

21 Jan, 2020

1 commit

  • Fix all files in samples/bpf to include libbpf header files with the bpf/
    prefix, to be consistent with external users of the library. Also ensure
    that all includes of exported libbpf header files (those that are exported
    on 'make install' of the library) use bracketed includes instead of quoted.

    To make sure no new files are introduced that don't include the bpf/
    prefix in their includes, remove tools/lib/bpf from the include path entirely,
    and use tools/lib instead.

    Fixes: 6910d7d3867a ("selftests/bpf: Ensure bpf_helper_defs.h are taken from selftests dir")
    Signed-off-by: Toke Høiland-Jørgensen
    Signed-off-by: Alexei Starovoitov
    Acked-by: Jesper Dangaard Brouer
    Acked-by: Andrii Nakryiko
    Link: https://lore.kernel.org/bpf/157952560911.1683545.8795966751309534150.stgit@toke.dk

    Toke Høiland-Jørgensen

03 Nov, 2019

1 commit

  • Use bpf_probe_read_user() helper instead of bpf_probe_read() for samples that
    attach to kprobes probing on user addresses.

    Signed-off-by: Daniel Borkmann
    Signed-off-by: Alexei Starovoitov
    Acked-by: Andrii Nakryiko
    Link: https://lore.kernel.org/bpf/5b0144b3f8e031ec5e2438bd7de8d7877e63bf2f.1572649915.git.daniel@iogearbox.net

    Daniel Borkmann

09 Oct, 2019

1 commit


26 Jul, 2016

1 commit

  • This example shows using a kprobe to act as a dnat mechanism to divert
    traffic for arbitrary endpoints. It rewrites the arguments to a syscall
    while they're still in userspace, and before the syscall has a chance
    to copy the arguments into kernel space.

    Although this is an example, it also acts as a test because the mapped
    address is 255.255.255.255:555 -> real address, and that's not a legal
    address to connect to. If the helper is broken, the example will fail
    on the intermediate steps, as well as the final step to verify the
    rewrite of userspace memory succeeded.

    Signed-off-by: Sargun Dhillon
    Cc: Alexei Starovoitov
    Cc: Daniel Borkmann
    Acked-by: Alexei Starovoitov
    Signed-off-by: David S. Miller

    Sargun Dhillon
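
    A defender's counterpart to the rewrite described above, as an added
    example that is not part of the sample or the commit: because
    bpf_probe_write_user can corrupt user memory, the kernel logs a
    rate-limited warning whenever a program using that helper is loaded
    (the message text is the one in kernel/trace/bpf_trace.c:
    "%s[%d] is installing a program with bpf_probe_write_user helper that
    may corrupt user memory!"). The scanner below pulls the loading
    process's comm and pid out of such lines; the dmesg lines it runs over
    are constructed.

```c
/* Added example: scan dmesg-style lines for the bpf_probe_write_user load
 * warning. Not part of samples/bpf. */
#include <stdio.h>
#include <string.h>

#define MARKER " is installing a program with bpf_probe_write_user helper"

struct write_user_hit {
    char comm[16];   /* TASK_COMM_LEN: comm is at most 15 characters */
    int pid;
};

/* Parse one line. Returns 1 and fills *hit if the line carries the warning,
 * 0 otherwise. An optional "[ seconds] " dmesg timestamp prefix is skipped. */
static int parse_probe_write_user_line(const char *line, struct write_user_hit *hit)
{
    const char *msg = line;
    if (line[0] == '[') {
        const char *end = strstr(line, "] ");
        if (end)
            msg = end + 2;
    }
    if (!strstr(msg, MARKER))
        return 0;
    /* The message starts with "comm[pid]"; comm cannot contain '['. */
    if (sscanf(msg, "%15[^[][%d]", hit->comm, &hit->pid) != 2)
        return 0;
    return 1;
}

/* Scan n lines, storing up to max_hits matches. Returns the number stored. */
static int scan_log(const char *const *lines, int n,
                    struct write_user_hit *hits, int max_hits)
{
    int found = 0;
    for (int i = 0; i < n && found < max_hits; i++)
        if (parse_probe_write_user_line(lines[i], &hits[found]))
            found++;
    return found;
}

/* Constructed dmesg excerpt: two loads of probe-write programs among noise.
 * "test_probe_writ" is the 15-character truncation of test_probe_write_user. */
static const char *const sample_log[] = {
    "[  120.001234] test_probe_writ[4321] is installing a program with bpf_probe_write_user helper that may corrupt user memory!",
    "[  121.500000] audit: type=1400 audit(1598000000.000:42): apparmor=\"STATUS\"",
    "[  130.250000] bpftrace[5000] is installing a program with bpf_probe_write_user helper that may corrupt user memory!",
    "[  131.000000] eth0: link up",
};
#define SAMPLE_LOG_LEN ((int)(sizeof(sample_log) / sizeof(sample_log[0])))

int main(void)
{
    struct write_user_hit hits[8];
    int n = scan_log(sample_log, SAMPLE_LOG_LEN, hits, 8);
    for (int i = 0; i < n; i++)
        printf("bpf_probe_write_user program loaded by %s (pid %d)\n",
               hits[i].comm, hits[i].pid);
    return 0;
}
```

    The warning is rate-limited, so a burst of loads may produce fewer lines
    than loads; treat a single match as enough to investigate which program
    was attached and where.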