1. 13 Aug, 2018 1 commit
    • fix attach_kretprobe for newer kernels (#1922) · 3a932466
      yonghong-song authored
      fix #1921
      
      For newer kernels, bcc tries to use fd based kuprobe
      attachment. In fd based kprobe attachment,
        config1: for symbol
        config2: for symbol offset
      
      In python API attach_kretprobe, the offset value
      is not set in lib.bpf_attach_kprobe and hence it
      will be a random value, eventually causing
      kretprobe attachment failure.
      
      This is not an issue for old debugfs based attachment
      as the offset will not be used if it is a retprobe.
      Signed-off-by: Yonghong Song <yhs@fb.com>
      3a932466
  2. 09 Aug, 2018 4 commits
    • Add name to program too large error message (#1917) · 5aadf2ed
      Teng Qin authored
      Add name to program too large error message
      5aadf2ed
    • Merge pull request #1918 from jeromemarchand/llcstat · 7bb6a4b1
      Teng Qin authored
      llcstat: print a nicer error message when hardware events are missing
      7bb6a4b1
    • Adding Fedora 28 to the list of fedora versions (#1898) · 2ac5e02a
      Will Fife authored
      * Adding Fedora 28 to the list of fedora versions
      
      Looking at the repo location, Fedora 28 appears to be supported as well.  Fixing the documentation to include this.
      
      * Update INSTALL.md
      2ac5e02a
    • python3 fixes and testing support (#1916) · a296e1e3
      Brenden Blanco authored
      * python3: check ksymname calls with _assert_is_bytes
      
      Fixes a bytes/string concatenation error when get/fix_syscall_fnname is
      called from a python3 system.
      
      * python3: use env python invocation in tools
      
      In order to facilitate testing, but not necessarily as an example of
      good practice, I am changing the invocation of the test tools to use
      `/usr/bin/env python`, so that we can control which python (2 vs 3)
      gets invoked for the test. On the buildbots, I plan to add an optional
      `ln -s /usr/bin/python3 /usr/local/bin/python` on systems that have
      python3-bcc package built. This way, we get more test coverage. Having a
      cmake mechanism to enable both python2 and python3 testing could be a
      further enhancement.
      
      * tools/memleak: add an explicit stdout.flush to print loop
      
      The stdout flush behavior seems to have changed in python3, breaking one
      of the tests. I think it makes sense to flush stdout at the end of each
      timed interval loop anyway, so adding that to the tool itself.
      
      * tests: add b'' strings and fix dangling handles
      
      Add b'' strings in a few places in the test tools, and fix one dangling
      process handle in the memleak test tool runner.
      a296e1e3
  3. 08 Aug, 2018 1 commit
    • Miscellaneous fixes (#1914) · b84714a4
      jeromemarchand authored
      * Fix multiple memory access errors
      
      Fixes a buffer overflow in get_pid_exe(), a use-after-free error in
      bcc_usdt_get_probe_argctype() and a possible NULL pointer dereference
      in find_debug_via_debuglink().
      
      * Fix multiple resource leaks
      
      Leaked file descriptors in bpf_attach_uprobe() and verify_checksum().
      Memory leaks in Parser::func_add() and bcc_procutils_language().
      
      * fixup! Fix multiple resource leaks
      b84714a4
  4. 07 Aug, 2018 2 commits
  5. 04 Aug, 2018 1 commit
  6. 03 Aug, 2018 1 commit
    • fix python3 issue for ttysnoop.py (#1912) · e6a166bc
      yonghong-song authored
      Fix issue #1910
      
      Otherwise, we will have a type mismatch like below:
        [root@aborniakFC tools]# ./ttysnoop 1
        Traceback (most recent call last):
        File "./ttysnoop", line 102, in <module>
        b = BPF(text=bpf_text)
        File "/usr/lib/python3.6/site-packages/bcc/__init__.py", line 337, in __init__
        self._trace_autoload()
        File "/usr/lib/python3.6/site-packages/bcc/__init__.py", line 1030, in _trace_autoload
        event=self.fix_syscall_fnname(func_name[8:]),
        File "/usr/lib/python3.6/site-packages/bcc/__init__.py", line 569, in fix_syscall_fnname
        if name.startswith(prefix):
        TypeError: startswith first arg must be bytes or a tuple of bytes, not str
        [root@aborniakFC tools]#
      Signed-off-by: Yonghong Song <yhs@fb.com>
      e6a166bc
  7. 02 Aug, 2018 1 commit
  8. 01 Aug, 2018 1 commit
  9. 30 Jul, 2018 1 commit
  10. 27 Jul, 2018 2 commits
    • [trace.py]: allow to use STRCMP helper with binary values (#1900) · 3953c708
      Nikita V. Shirokov authored
      * [trace.py]: allow to use STRCMP helper with binary values
      
      Summary:
      sometimes in probe you want to compare char* w/ some predefined value
      which is not a string. e.g. setsockopt syscall has signature like this:
      sys_setsockopt(int fd, int level, int optname, char* optval, int optlen)
      and if you want to catch where/who is setting up specific value you are
      forced to compare optval against some predefined array. it's not
      possible today w/ trace.py and in this diff i'm adding such ability
      
      Test Plan:
      as example: we want to catch setsockopt when someone is setting up
      IP_TOS equal to 108
      trace.py 'sys_setsockopt(int fd, int level, int optname, char* optval,
      int optlen)(level==0 && optname == 1 && STRCMP("{0x6C,0x00, 0x00,
      0x00}", optval))' -U -M 1 --bin_cmp -v
      
      without this new modifier:
      static inline bool streq_0(char const *ignored, uintptr_t str) {
              char needle[] = "{0x6C,0x00, 0x00, 0x00}";
              char haystack[sizeof(needle)];
              bpf_probe_read(&haystack, sizeof(haystack), (void *)str);
              for (int i = 0; i < sizeof(needle) - 1; ++i) {
                      if (needle[i] != haystack[i]) {
                              return false;
                      }
              }
              return true;
      }
      
      // see needle is quoted above
      
      with:
      
      static inline bool streq_0(char const *ignored, uintptr_t str) {
              char needle[] = {0x6C,0x00, 0x00, 0x00};
              char haystack[sizeof(needle)];
              bpf_probe_read(&haystack, sizeof(haystack), (void *)str);
              for (int i = 0; i < sizeof(needle) - 1; ++i) {
                      if (needle[i] != haystack[i]) {
                              return false;
                      }
              }
              return true;
      }
      
      ...
      PID     TID     COMM            FUNC             -
      1855611 1863183 worker          sys_setsockopt   found
      
      * adding example of --bin_cmp flag usage
      3953c708
    • Allow arbitrary hashtable increments. Fixes #1742 (#1897) · 230c9c00
      Javier Honduvilla Coto authored
      * Allow arbitrary hashtable increments. Fixes #1742
      
      Right now incrementing some datastructure's values like maps or histograms can
      be done with some boilerplate[1] or with `increment` which increments a value
      by 1.
      
      This patch allows a second optional parameter to use as the increment.
      
      - [1]:
      ```
      u64 zero = 0, *val;
      val = map.lookup_or_init(&key, &zero);
      (*val) += inc;
      ```
      
      Notes:
      - Some lines in the documentation were changed because of trailing spaces
      deletion
      - The test is quite simple right now
      - Will update the tools to use `increment` in another PR
      
      * CR changes
      230c9c00
  11. 24 Jul, 2018 1 commit
    • clang: loader: Allow user to override kernel version (#1895) · bfecc243
      Joel authored
      BCC currently requires exactly matching headers. Sometimes this is quite
      inconvenient especially if the kernel version is only very slightly
      different such as updates in a stable kernel. This patch gives the user
      the flexibility to override the LINUX_VERSION_CODE provided in the
      linux kernel headers, so that the eBPF program may load. We also print a
      message when this is done, so that the user is warned about the override
      happening and that results may be unpredictable.
      
      Also updated the docs.
      Signed-off-by: Joel Fernandes <joel@joelfernandes.org>
      bfecc243
  12. 23 Jul, 2018 4 commits
    • table: remove NotImplementedError on LpmTrie __delitem__ calls (#1892) · 492a2bf3
      Eyal Birger authored
      BPF_MAP_TYPE_LPM_TRIE supports element deletion since kernel commit
      e454cf595853 ("bpf: Implement map_delete_elem for BPF_MAP_TYPE_LPM_TRIE")
      which is available in 4.15 kernels onwards.
      Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
      492a2bf3
    • Prepare debian changelog for v0.6.1 tag · 13a877ae
      Brenden Blanco authored
      13a877ae
    • Fedora 28 support (#1820) · e8001c39
      Brenden Blanco authored
      * tools: use printb for more python3 compat
      
      Switch to printb in killsnoop and wakeuptime
      
      * tests: use subprocess sleep to trigger test
      
      In some python implementations, time.sleep uses select instead of
      nanosleep and hence won't trigger the bpf kprobe.
      
      * tools: remove explicit python3 shebang
      
      Use an ambiguous python invocation in the shebang line. Instead, rely on
      packaging stage to mangle the line to specify a python version.
      
      * cmake: add ENABLE_LLVM_SHARED option
      
      This adds an option to specify that only the dynamic libraries should be
      used to link bcc. This is most likely to be used in systems that don't
      build/provide the llvm-static and clang-static package options
      (fedora-based).
      
      * rpm: enable llvm_shared and python3 build options
      
      Enable rpm packaging with two new features:
       - shared-only packaging (no static linking)
       - python3
      To enable these build features (off by default), run:
       RPM_WITH_OPTS="--with llvm_shared --with python3" ./scripts/build-rpm.sh
      
      * rpm: protect python3-bcc package declaration
      
      Don't define python3-bcc if --with python3 isn't explicitly specified.
      
      * specs: only build python3 if requested
      
      * man: compress man pages
      
      * specs: enable python3 by default in fc28+/rh8+
      
      - Enable llvm_shared and python3 --with options by default in new fedora
      - Fix string quoting
      - Update spec changelog
      e8001c39
    • add usdt calls to libbcc (#1890) · 5148fcec
      Brendan Gregg authored
      add usdt calls to libbcc static library
      5148fcec
  13. 19 Jul, 2018 3 commits
    • examples/http_filter: Add pointer offset accounting for variable ip header len (#1868) · 3d9b687d
      ChaosData authored
      This fix adds additional accounting logic to the http_filter examples ("simple"
      and "complete") that makes sure to shift the pointer for the IP body/payload to
      the correct offset before accessing TCP header fields. This is done by taking
      into account the IP header length field. Previously, the IP header length field
      was used, but it was done later in processing, after TCP header values were
      extracted using the size of the BCC `proto.h` `struct ip_t` as a static offset.
      
      Prior to this, it was possible to evade HTTP detection by injecting IP options
      data into the IP header that would spoof parts of the TCP header and shift the
      real one down, as done in the scapy snippet below:
      
      ```Python
      IP(
        dst=target[0],
        options=struct.pack(">BBHHHB",130,11,8080,0,0,0),
      )/TCP(
        ...
      )
      ```
      3d9b687d
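The offset accounting described in the commit message above, as an added C example (written for this page, not code from the bcc repository): it reads the TCP destination port once at a fixed 20-byte IP header size and once after honouring the IHL field. The function names and the sample frame are hypothetical; the frame is constructed here, with NOP bytes as the IP options.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HLEN    14
#define IP_MIN_HLEN 20   /* IPv4 header without options */

/* Pre-fix behaviour: TCP header assumed at a fixed 20 bytes past the IP start. */
int dport_static(const uint8_t *pkt, size_t len) {
    size_t tcp = ETH_HLEN + IP_MIN_HLEN;
    if (len < tcp + 4) return -1;
    return (pkt[tcp + 2] << 8) | pkt[tcp + 3];
}

/* Post-fix behaviour: honour IHL (low nibble of byte 0, in 32-bit words). */
int dport_ihl(const uint8_t *pkt, size_t len) {
    if (len < ETH_HLEN + IP_MIN_HLEN) return -1;   /* truncated IP header */
    if ((pkt[ETH_HLEN] >> 4) != 4) return -1;      /* not IPv4 */
    size_t ihl = (size_t)(pkt[ETH_HLEN] & 0x0f) * 4;
    if (ihl < IP_MIN_HLEN) return -1;              /* malformed IHL */
    size_t tcp = ETH_HLEN + ihl;
    if (len < tcp + 4) return -1;                  /* truncated TCP header */
    return (pkt[tcp + 2] << 8) | pkt[tcp + 3];
}

/* Constructed sample frame; ihl_words must be <= 15, buf >= 94 bytes.
 * Any option bytes are filled with NOP (0x01). Returns the frame length. */
size_t build_frame(uint8_t *buf, unsigned ihl_words, uint16_t sport, uint16_t dport) {
    size_t tcp = ETH_HLEN + (size_t)ihl_words * 4, i;
    for (i = 0; i < tcp + 20; i++) buf[i] = 0;
    buf[12] = 0x08;                                /* EtherType 0x0800 */
    buf[ETH_HLEN] = (uint8_t)(0x40 | ihl_words);   /* version 4 + IHL */
    buf[ETH_HLEN + 9] = 6;                         /* protocol: TCP */
    for (i = ETH_HLEN + IP_MIN_HLEN; i < tcp; i++) buf[i] = 0x01;
    buf[tcp] = (uint8_t)(sport >> 8);     buf[tcp + 1] = (uint8_t)sport;
    buf[tcp + 2] = (uint8_t)(dport >> 8); buf[tcp + 3] = (uint8_t)dport;
    return tcp + 20;
}

int main(void) {
    uint8_t f[128];
    size_t n = build_frame(f, 7, 40000, 80);       /* 8 bytes of options */
    printf("static=%d ihl=%d\n", dport_static(f, n), dport_ihl(f, n));
    return 0;
}
```

With options present, the fixed-offset read lands inside the option bytes, so a filter keyed on that value inspects data the sender controls instead of the real TCP header.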
    • ucalls: use replace error handler (#1888) · 4e4c9e01
      jeromemarchand authored
      Prevents the following error when tracing a java program that contains
      non-ascii method name:
      
      Traceback (most recent call last):
        File "/usr/share/bcc/tools/lib/ucalls", line 305, in <module>
          data = get_data()   # [(function, (num calls, latency in ns))]
        File "/usr/share/bcc/tools/lib/ucalls", line 266, in get_data
          bpf["counts"].items()))
        File "/usr/share/bcc/tools/lib/ucalls", line 264, in <lambda>
          kv[0].method.decode(),
      UnicodeDecodeError: 'ascii' codec can't decode byte 0xc4 in position 11: ordinal not in range(128)
      Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
      4e4c9e01
    • [profile.py]: adding support to collect profile only from specified CPU (#1891) · e36f9e16
      Nikita V. Shirokov authored
      * [profile.py]: adding support to collect profile only from specified CPU
      
      Summary:
      sometimes it is useful to collect stack only from single cpu
      for example you have single core saturated while others don't and you
      want to know what's going on there. in this diff i'm adding this ability
      (network related code could be example of when single core is saturated
      as usually you have 1 to 1 mapping between rx queue and cpu)
      
      example of generated code w/ CPU specified:
      
      ./tools/profile.py -C 14 2 --ebpf
      Sampling at 49 Hertz of all threads by user + kernel stack for 2 secs.
      
      struct key_t {
          u32 pid;
          u64 kernel_ip;
          u64 kernel_ret_ip;
          int user_stack_id;
          int kernel_stack_id;
          char name[TASK_COMM_LEN];
      };
      BPF_HASH(counts, struct key_t);
      BPF_STACK_TRACE(stack_traces, 16384);
      
      // This code gets a bit complex. Probably not suitable for casual hacking.
      
      int do_perf_event(struct bpf_perf_event_data *ctx) {
      
          if (bpf_get_smp_processor_id() != 14)
              return 0;
      
          u32 pid = bpf_get_current_pid_tgid() >> 32;
      ...
      
      and w/o
      
      ./tools/profile.py  2 --ebpf
      Sampling at 49 Hertz of all threads by user + kernel stack for 2 secs.
      
      struct key_t {
          u32 pid;
          u64 kernel_ip;
          u64 kernel_ret_ip;
          int user_stack_id;
          int kernel_stack_id;
          char name[TASK_COMM_LEN];
      };
      BPF_HASH(counts, struct key_t);
      BPF_STACK_TRACE(stack_traces, 16384);
      
      // This code gets a bit complex. Probably not suitable for casual hacking.
      
      int do_perf_event(struct bpf_perf_event_data *ctx) {
      
          u32 pid = bpf_get_current_pid_tgid() >> 32;
          if (!(1))
              return 0;
      ...
      
      * addressing comments
      
      * adding change in man
      e36f9e16
  14. 16 Jul, 2018 2 commits
  15. 14 Jul, 2018 1 commit
  16. 13 Jul, 2018 2 commits
  17. 12 Jul, 2018 3 commits
  18. 11 Jul, 2018 1 commit
  19. 10 Jul, 2018 6 commits
  20. 09 Jul, 2018 1 commit
  21. 08 Jul, 2018 1 commit