bcc/tools: Introduce bpf_probe_read_user to the tools.

This is essential for architecture which do have overlapping address space. - bpf_probe_read_kernel() shall be used for reading data from kernel space to the bpf vm. - bpf_probe_read_user() shall be used for reading data from user space to the bpf vm. Signed-off-by: Sumanth Korikkar <[email protected]>
yingtaojuzi · Apr 23, 2020 · 023154c · 023154c
1 parent ac157b4
commit 023154c
Show file tree

Hide file tree

Showing 25 changed files with 59 additions and 40 deletions.
diff --git a/examples/cpp/RecordMySQLQuery.cc b/examples/cpp/RecordMySQLQuery.cc
@@ -34,7 +34,7 @@ int probe_mysql_query(struct pt_regs *ctx, void* thd, char* query, size_t len) {
  key.ts = bpf_ktime_get_ns();
  key.pid = bpf_get_current_pid_tgid();
 
- bpf_probe_read_str(&key.query, sizeof(key.query), query);
+ bpf_probe_read_user_str(&key.query, sizeof(key.query), query);
 
  int one = 1;
  queries.update(&key, &one);

diff --git a/examples/lua/bashreadline.c b/examples/lua/bashreadline.c
@@ -15,7 +15,8 @@ int printret(struct pt_regs *ctx)
  return 0;
  pid = bpf_get_current_pid_tgid();
  data.pid = pid;
- bpf_probe_read(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
+ bpf_probe_read_user(&data.str, sizeof(data.str),
+ (void *)PT_REGS_RC(ctx));
  events.perf_submit(ctx, &data, sizeof(data));
  return 0;
 };
diff --git a/examples/lua/strlen_count.lua b/examples/lua/strlen_count.lua
@@ -26,7 +26,7 @@ int printarg(struct pt_regs *ctx) {
  if (pid != PID)
  return 0;
  char str[128] = {};
- bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
+ bpf_probe_read_user(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
  bpf_trace_printk("strlen(\"%s\")\n", &str);
  return 0;
 };

diff --git a/examples/lua/usdt_ruby.lua b/examples/lua/usdt_ruby.lua
@@ -22,7 +22,7 @@ int trace_method(struct pt_regs *ctx) {
  bpf_usdt_readarg(2, ctx, &addr);
 
  char fn_name[128] = {};
- bpf_probe_read(&fn_name, sizeof(fn_name), (void *)addr);
+ bpf_probe_read_user(&fn_name, sizeof(fn_name), (void *)addr);
 
  bpf_trace_printk("%s(...)\n", fn_name);
  return 0;

diff --git a/examples/tracing/mysqld_query.py b/examples/tracing/mysqld_query.py
@@ -34,7 +34,7 @@
  * see: https://dev.mysql.com/doc/refman/5.7/en/dba-dtrace-ref-query.html
  */
  bpf_usdt_readarg(1, ctx, &addr);
- bpf_probe_read(&query, sizeof(query), (void *)addr);
+ bpf_probe_read_user(&query, sizeof(query), (void *)addr);
  bpf_trace_printk("%s\\n", query);
  return 0;
 };

diff --git a/examples/tracing/nodejs_http_server.py b/examples/tracing/nodejs_http_server.py
@@ -26,7 +26,7 @@
  uint64_t addr;
  char path[128]={0};
  bpf_usdt_readarg(6, ctx, &addr);
- bpf_probe_read(&path, sizeof(path), (void *)addr);
+ bpf_probe_read_user(&path, sizeof(path), (void *)addr);
  bpf_trace_printk("path:%s\\n", path);
  return 0;
 };

diff --git a/examples/tracing/strlen_count.py b/examples/tracing/strlen_count.py
@@ -31,7 +31,7 @@
  struct key_t key = {};
  u64 zero = 0, *val;
 
- bpf_probe_read(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx));
+ bpf_probe_read_user(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx));
  // could also use `counts.increment(key)`
  val = counts.lookup_or_try_init(&key, &zero);
  if (val) {

diff --git a/examples/tracing/strlen_snoop.py b/examples/tracing/strlen_snoop.py
@@ -34,7 +34,7 @@
  return 0;
 
  char str[80] = {};
- bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
+ bpf_probe_read_user(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
  bpf_trace_printk("%s\\n", &str);
 
  return 0;

diff --git a/tools/bashreadline.py b/tools/bashreadline.py
@@ -52,7 +52,7 @@
  return 0;
  pid = bpf_get_current_pid_tgid();
  data.pid = pid;
- bpf_probe_read(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
+ bpf_probe_read_user(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
 
  bpf_get_current_comm(&comm, sizeof(comm));
  if (comm[0] == 'b' && comm[1] == 'a' && comm[2] == 's' && comm[3] == 'h' && comm[4] == 0 ) {

diff --git a/tools/biosnoop.lua b/tools/biosnoop.lua
@@ -84,7 +84,8 @@ int trace_req_completion(struct pt_regs *ctx, struct request *req)
  valp = infobyreq.lookup(&req);
  if (valp == 0) {
  data.len = req->__data_len;
- strcpy(data.name,"?");
+ data.name[0] = '?';
+ data.name[1] = 0;
  } else {
  data.pid = valp->pid;
  data.len = req->__data_len;

diff --git a/tools/biosnoop.py b/tools/biosnoop.py
@@ -108,7 +108,8 @@
  valp = infobyreq.lookup(&req);
  if (valp == 0) {
  data.len = req->__data_len;
- strcpy(data.name, "?");
+ data.name[0] = '?';
+ data.name[1] = 0;
  } else {
  if (##QUEUE##) {
  data.qdelta = *tsp - valp->ts;

diff --git a/tools/dbslower.py b/tools/dbslower.py
@@ -127,12 +127,12 @@
  tmp.timestamp = bpf_ktime_get_ns();
 
 #if defined(MYSQL56)
- bpf_probe_read(&tmp.query, sizeof(tmp.query), (void*) PT_REGS_PARM3(ctx));
+ bpf_probe_read_user(&tmp.query, sizeof(tmp.query), (void*) PT_REGS_PARM3(ctx));
 #elif defined(MYSQL57)
  void* st = (void*) PT_REGS_PARM2(ctx);
  char* query;
- bpf_probe_read(&query, sizeof(query), st);
- bpf_probe_read(&tmp.query, sizeof(tmp.query), query);
+ bpf_probe_read_user(&query, sizeof(query), st);
+ bpf_probe_read_user(&tmp.query, sizeof(tmp.query), query);
 #else //USDT
  bpf_usdt_readarg(1, ctx, &tmp.query);
 #endif
@@ -157,7 +157,13 @@
  data.pid = pid >> 32; // only process id
  data.timestamp = tempp->timestamp;
  data.duration = delta;
+#if defined(MYSQL56) || defined(MYSQL57)
+ // We already copied string to the bpf stack. Hence use bpf_probe_read()
  bpf_probe_read(&data.query, sizeof(data.query), tempp->query);
+#else
+ // USDT - we didnt copy string to the bpf stack before.
+ bpf_probe_read_user(&data.query, sizeof(data.query), tempp->query);
+#endif
  events.perf_submit(ctx, &data, sizeof(data));
 #ifdef THRESHOLD
  }

diff --git a/tools/execsnoop.py b/tools/execsnoop.py
@@ -120,15 +120,15 @@ def parse_uid(user):
 
 static int __submit_arg(struct pt_regs *ctx, void *ptr, struct data_t *data)
 {
- bpf_probe_read(data->argv, sizeof(data->argv), ptr);
+ bpf_probe_read_user(data->argv, sizeof(data->argv), ptr);
  events.perf_submit(ctx, data, sizeof(struct data_t));
  return 1;
 }
 
 static int submit_arg(struct pt_regs *ctx, void *ptr, struct data_t *data)
 {
  const char *argp = NULL;
- bpf_probe_read(&argp, sizeof(argp), ptr);
+ bpf_probe_read_user(&argp, sizeof(argp), ptr);
  if (argp) {
  return __submit_arg(ctx, (void *)(argp), data);
  }

diff --git a/tools/funcslower.py b/tools/funcslower.py
@@ -82,7 +82,11 @@
  u64 id;
  u64 start_ns;
 #ifdef GRAB_ARGS
+#ifndef __s390x__
  u64 args[6];
+#else
+ u64 args[5];
+#endif
 #endif
 };
 
@@ -94,7 +98,11 @@
  u64 retval;
  char comm[TASK_COMM_LEN];
 #ifdef GRAB_ARGS
+#ifndef __s390x__
  u64 args[6];
+#else
+ u64 args[5];
+#endif
 #endif
 #ifdef USER_STACKS
  int user_stack_id;
@@ -130,7 +138,9 @@
  entry.args[2] = PT_REGS_PARM3(ctx);
  entry.args[3] = PT_REGS_PARM4(ctx);
  entry.args[4] = PT_REGS_PARM5(ctx);
+#ifndef __s390x__
  entry.args[5] = PT_REGS_PARM6(ctx);
+#endif
 #endif
 
  entryinfo.update(&tgid_pid, &entry);

diff --git a/tools/gethostlatency.py b/tools/gethostlatency.py
@@ -64,7 +64,7 @@
  u32 pid = bpf_get_current_pid_tgid();
 
  if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
- bpf_probe_read(&val.host, sizeof(val.host),
+ bpf_probe_read_user(&val.host, sizeof(val.host),
  (void *)PT_REGS_PARM1(ctx));
  val.pid = bpf_get_current_pid_tgid();
  val.ts = bpf_ktime_get_ns();

diff --git a/tools/lib/ucalls.py b/tools/lib/ucalls.py
@@ -158,9 +158,9 @@
 #endif
  READ_CLASS
  READ_METHOD
- bpf_probe_read(&data.method.clazz, sizeof(data.method.clazz),
+ bpf_probe_read_user(&data.method.clazz, sizeof(data.method.clazz),
  (void *)clazz);
- bpf_probe_read(&data.method.method, sizeof(data.method.method),
+ bpf_probe_read_user(&data.method.method, sizeof(data.method.method),
  (void *)method);
 #ifndef LATENCY
  valp = counts.lookup_or_try_init(&data.method, &val);
@@ -182,9 +182,9 @@
  data.pid = bpf_get_current_pid_tgid();
  READ_CLASS
  READ_METHOD
- bpf_probe_read(&data.method.clazz, sizeof(data.method.clazz),
+ bpf_probe_read_user(&data.method.clazz, sizeof(data.method.clazz),
  (void *)clazz);
- bpf_probe_read(&data.method.method, sizeof(data.method.method),
+ bpf_probe_read_user(&data.method.method, sizeof(data.method.method),
  (void *)method);
  entry_timestamp = entry.lookup(&data);
  if (!entry_timestamp) {

diff --git a/tools/lib/uflow.py b/tools/lib/uflow.py
@@ -81,8 +81,8 @@
 
  READ_CLASS
  READ_METHOD
- bpf_probe_read(&data.clazz, sizeof(data.clazz), (void *)clazz);
- bpf_probe_read(&data.method, sizeof(data.method), (void *)method);
+ bpf_probe_read_user(&data.clazz, sizeof(data.clazz), (void *)clazz);
+ bpf_probe_read_user(&data.method, sizeof(data.method), (void *)method);
 
  FILTER_CLASS
  FILTER_METHOD

diff --git a/tools/lib/ugc.py b/tools/lib/ugc.py
@@ -140,8 +140,8 @@ def format(self, data):
  u64 manager = 0, pool = 0;
  bpf_usdt_readarg(1, ctx, &manager); // ptr to manager name
  bpf_usdt_readarg(3, ctx, &pool); // ptr to pool name
- bpf_probe_read(&event.string1, sizeof(event.string1), (void *)manager);
- bpf_probe_read(&event.string2, sizeof(event.string2), (void *)pool);
+ bpf_probe_read_user(&event.string1, sizeof(event.string1), (void *)manager);
+ bpf_probe_read_user(&event.string2, sizeof(event.string2), (void *)pool);
  """
 
  def formatter(e):

diff --git a/tools/lib/uobjnew.py b/tools/lib/uobjnew.py
@@ -98,7 +98,7 @@
  u64 classptr = 0, size = 0;
  bpf_usdt_readarg(2, ctx, &classptr);
  bpf_usdt_readarg(4, ctx, &size);
- bpf_probe_read(&key.name, sizeof(key.name), (void *)classptr);
+ bpf_probe_read_user(&key.name, sizeof(key.name), (void *)classptr);
  valp = allocs.lookup_or_try_init(&key, &zero);
  if (valp) {
  valp->total_size += size;
@@ -132,7 +132,7 @@
  struct val_t *valp, zero = {};
  u64 classptr = 0;
  bpf_usdt_readarg(1, ctx, &classptr);
- bpf_probe_read(&key.name, sizeof(key.name), (void *)classptr);
+ bpf_probe_read_user(&key.name, sizeof(key.name), (void *)classptr);
  valp = allocs.lookup_or_try_init(&key, &zero);
  if (valp) {
  valp->num_allocs += 1; // We don't know the size, unfortunately

diff --git a/tools/lib/uthreads.py b/tools/lib/uthreads.py
@@ -80,7 +80,7 @@
  bpf_usdt_readarg(1, ctx, &nameptr);
  bpf_usdt_readarg(3, ctx, &id);
  bpf_usdt_readarg(4, ctx, &native_id);
- bpf_probe_read(&te.name, sizeof(te.name), (void *)nameptr);
+ bpf_probe_read_user(&te.name, sizeof(te.name), (void *)nameptr);
  te.runtime_id = id;
  te.native_id = native_id;
  __builtin_memcpy(&te.type, type, sizeof(te.type));

diff --git a/tools/mountsnoop.py b/tools/mountsnoop.py
@@ -109,22 +109,22 @@
 
  event.type = EVENT_MOUNT_SOURCE;
  __builtin_memset(event.str, 0, sizeof(event.str));
- bpf_probe_read(event.str, sizeof(event.str), source);
+ bpf_probe_read_user(event.str, sizeof(event.str), source);
  events.perf_submit(ctx, &event, sizeof(event));
 
  event.type = EVENT_MOUNT_TARGET;
  __builtin_memset(event.str, 0, sizeof(event.str));
- bpf_probe_read(event.str, sizeof(event.str), target);
+ bpf_probe_read_user(event.str, sizeof(event.str), target);
  events.perf_submit(ctx, &event, sizeof(event));
 
  event.type = EVENT_MOUNT_TYPE;
  __builtin_memset(event.str, 0, sizeof(event.str));
- bpf_probe_read(event.str, sizeof(event.str), type);
+ bpf_probe_read_user(event.str, sizeof(event.str), type);
  events.perf_submit(ctx, &event, sizeof(event));
 
  event.type = EVENT_MOUNT_DATA;
  __builtin_memset(event.str, 0, sizeof(event.str));
- bpf_probe_read(event.str, sizeof(event.str), data);
+ bpf_probe_read_user(event.str, sizeof(event.str), data);
  events.perf_submit(ctx, &event, sizeof(event));
 
  return 0;
@@ -164,7 +164,7 @@
 
  event.type = EVENT_UMOUNT_TARGET;
  __builtin_memset(event.str, 0, sizeof(event.str));
- bpf_probe_read(event.str, sizeof(event.str), target);
+ bpf_probe_read_user(event.str, sizeof(event.str), target);
  events.perf_submit(ctx, &event, sizeof(event));
 
  return 0;

diff --git a/tools/mysqld_qslower.py b/tools/mysqld_qslower.py
@@ -81,7 +81,7 @@ def usage():
  if (delta >= """ + str(min_ns) + """) {
  // populate and emit data struct
  struct data_t data = {.pid = pid, .ts = sp->ts, .delta = delta};
- bpf_probe_read(&data.query, sizeof(data.query), (void *)sp->query);
+ bpf_probe_read_user(&data.query, sizeof(data.query), (void *)sp->query);
  events.perf_submit(ctx, &data, sizeof(data));
  }
 

diff --git a/tools/opensnoop.py b/tools/opensnoop.py
@@ -152,7 +152,7 @@
  return 0;
  }
  bpf_probe_read(&data.comm, sizeof(data.comm), valp->comm);
- bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
+ bpf_probe_read_user(&data.fname, sizeof(data.fname), (void *)valp->fname);
  data.id = valp->id;
  data.ts = tsp / 1000;
  data.uid = bpf_get_current_uid_gid();
@@ -167,7 +167,7 @@
 """
 
 bpf_text_kfunc= """
-KRETFUNC_PROBE(do_sys_open, int dfd, const char *filename, int flags, int mode, int ret)
+KRETFUNC_PROBE(do_sys_open, int dfd, const char __user *filename, int flags, int mode, int ret)
 {
  u64 id = bpf_get_current_pid_tgid();
  u32 pid = id >> 32; // PID is higher part
@@ -189,7 +189,7 @@
 
  u64 tsp = bpf_ktime_get_ns();
 
- bpf_probe_read(&data.fname, sizeof(data.fname), (void *)filename);
+ bpf_probe_read_user(&data.fname, sizeof(data.fname), (void *)filename);
  data.id = id;
  data.ts = tsp / 1000;
  data.uid = bpf_get_current_uid_gid();

diff --git a/tools/sslsniff.py b/tools/sslsniff.py
@@ -72,7 +72,7 @@
  bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
 
  if ( buf != 0) {
- bpf_probe_read(&__data.v0, sizeof(__data.v0), buf);
+ bpf_probe_read_user(&__data.v0, sizeof(__data.v0), buf);
  }
 
  perf_SSL_write.perf_submit(ctx, &__data, sizeof(__data));
@@ -108,7 +108,7 @@
  bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
 
  if (bufp != 0) {
- bpf_probe_read(&__data.v0, sizeof(__data.v0), (char *)*bufp);
+ bpf_probe_read_user(&__data.v0, sizeof(__data.v0), (char *)*bufp);
  }
 
  bufs.delete(&pid);

diff --git a/tools/statsnoop.py b/tools/statsnoop.py
@@ -84,7 +84,7 @@
  }
 
  struct data_t data = {.pid = pid};
- bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
+ bpf_probe_read_user(&data.fname, sizeof(data.fname), (void *)valp->fname);
  bpf_get_current_comm(&data.comm, sizeof(data.comm));
  data.ts_ns = bpf_ktime_get_ns();
  data.ret = PT_REGS_RC(ctx);