19 May, 2020
2 commits
-
Because the previous two commits replaced the bpf_load implementation of
the user program with libbpf, the corresponding kernel program's MAP
definition can be replaced with new BTF-defined map syntax.

This commit only updates the samples which use libbpf API for loading
bpf program not with bpf_load.

Signed-off-by: Daniel T. Lee
Signed-off-by: Daniel Borkmann
Acked-by: Yonghong Song
Link: https://lore.kernel.org/bpf/20200516040608.1377876-6-danieltimlee@gmail.com
-
Currently, the kprobe BPF program attachment method for bpf_load is
quite old. The implementation of bpf_load "directly" controls and
manages (create, delete) the kprobe events of DEBUGFS. On the other hand,
using the libbpf automatically manages the kprobe event.
(under bpf_link interface)

By calling bpf_program__attach(_kprobe) in libbpf, the corresponding
kprobe is created and the BPF program will be attached to this kprobe.
To remove this, simply invoking bpf_link__destroy will clean up the
event.

This commit refactors kprobe tracing programs (tracex{1~7}_user.c) with
libbpf using bpf_link interface and bpf_program__attach.

tracex2_kern.c, which tracks system calls (sys_*), has been modified to
append prefix depending on architecture.

Signed-off-by: Daniel T. Lee
Signed-off-by: Daniel Borkmann
Acked-by: Yonghong Song
Link: https://lore.kernel.org/bpf/20200516040608.1377876-3-danieltimlee@gmail.com
21 Jan, 2020
1 commit
-
Fix all files in samples/bpf to include libbpf header files with the bpf/
prefix, to be consistent with external users of the library. Also ensure
that all includes of exported libbpf header files (those that are exported
on 'make install' of the library) use bracketed includes instead of quoted.

To make sure no new files are introduced that don't include the bpf/
prefix in their includes, remove tools/lib/bpf from the include path entirely,
and use tools/lib instead.

Fixes: 6910d7d3867a ("selftests/bpf: Ensure bpf_helper_defs.h are taken from selftests dir")
Signed-off-by: Toke Høiland-Jørgensen
Signed-off-by: Alexei Starovoitov
Acked-by: Jesper Dangaard Brouer
Acked-by: Andrii Nakryiko
Link: https://lore.kernel.org/bpf/157952560911.1683545.8795966751309534150.stgit@toke.dk
09 Oct, 2019
1 commit
-
Split-off PT_REGS-related helpers into bpf_tracing.h header. Adjust
selftests and samples to include it where necessary.

Signed-off-by: Andrii Nakryiko
Signed-off-by: Daniel Borkmann
Acked-by: John Fastabend
Acked-by: Song Liu
Link: https://lore.kernel.org/bpf/20191008175942.1769476-5-andriin@fb.com
15 Apr, 2016
1 commit
-
Remove the zero initialization in the sample programs where appropriate.
Note that this is an optimization which is now possible, old programs
still doing the zero initialization are just fine as well. Also, make
sure we don't have padding issues when we don't memset() the entire
struct anymore.

Signed-off-by: Daniel Borkmann
Acked-by: Alexei Starovoitov
Signed-off-by: David S. Miller
07 Apr, 2016
1 commit
-
Add the necessary definitions for building bpf samples on ppc.
Since ppc doesn't store function return address on the stack, modify how
PT_REGS_RET() and PT_REGS_FP() work.

Also, introduce PT_REGS_IP() to access the instruction pointer.

Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: Ananth N Mavinakayanahalli
Cc: Michael Ellerman
Signed-off-by: Naveen N. Rao
Acked-by: Alexei Starovoitov
Signed-off-by: David S. Miller
06 Feb, 2016
1 commit
-
Signed-off-by: Alexei Starovoitov
Signed-off-by: David S. Miller
09 Jul, 2015
1 commit
-
The trace bpf samples do not compile on s390x because they use x86
specific fields from the "pt_regs" structure.

Fix this and access the fields via new PT_REGS macros.

Signed-off-by: Michael Holzheu
Acked-by: Alexei Starovoitov
Signed-off-by: David S. Miller
16 Jun, 2015
1 commit
-
eBPF programs attached to kprobes need to filter based on
current->pid, uid and other fields, so introduce helper functions:

u64 bpf_get_current_pid_tgid(void)
Return: current->tgid << 32 | current->pid

u64 bpf_get_current_uid_gid(void)
Return: current_gid << 32 | current_uid

bpf_get_current_comm(char *buf, int size_of_buf)
stores current->comm into buf

They can be used from the programs attached to TC as well to classify packets
based on current task fields.

Update tracex2 example to print histogram of write syscalls for each process
instead of aggregated for all.

Signed-off-by: Alexei Starovoitov
Signed-off-by: David S. Miller
02 Apr, 2015
1 commit
-
this example has two probes in one C file that attach to
different kprobe events and use two different maps.

1st probe is x64 specific equivalent of dropmon. It attaches to
kfree_skb, retrieves 'ip' address of kfree_skb() caller and
counts number of packet drops at that 'ip' address. User space
prints 'location - count' map every second.

2nd probe attaches to kprobe:sys_write and computes a histogram
of different write sizes

Usage:
  $ sudo tracex2
  location 0xffffffff81695995 count 1
  location 0xffffffff816d0da9 count 2

  location 0xffffffff81695995 count 2
  location 0xffffffff816d0da9 count 2

  location 0xffffffff81695995 count 3
  location 0xffffffff816d0da9 count 2

  557145+0 records in
  557145+0 records out
  285258240 bytes (285 MB) copied, 1.02379 s, 279 MB/s
     syscall write() stats
       byte_size       : count     distribution
         1 -> 1        : 3        |                                      |
         2 -> 3        : 0        |                                      |
         4 -> 7        : 0        |                                      |
         8 -> 15       : 0        |                                      |
        16 -> 31       : 2        |                                      |
        32 -> 63       : 3        |                                      |
        64 -> 127      : 1        |                                      |
       128 -> 255      : 1        |                                      |
       256 -> 511      : 0        |                                      |
       512 -> 1023     : 1118968  |************************************* |

Ctrl-C at any time. Kernel will auto cleanup maps and programs

  $ addr2line -ape ./bld_x64/vmlinux 0xffffffff81695995 0xffffffff816d0da9
  0xffffffff81695995: ./bld_x64/../net/ipv4/icmp.c:1038
  0xffffffff816d0da9: ./bld_x64/../net/unix/af_unix.c:1231

Signed-off-by: Alexei Starovoitov
Cc: Arnaldo Carvalho de Melo
Cc: Arnaldo Carvalho de Melo
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: Jiri Olsa
Cc: Linus Torvalds
Cc: Masami Hiramatsu
Cc: Namhyung Kim
Cc: Peter Zijlstra
Cc: Peter Zijlstra
Cc: Steven Rostedt
Link: http://lkml.kernel.org/r/1427312966-8434-8-git-send-email-ast@plumgrid.com
Signed-off-by: Ingo Molnar