1. 19 Jul, 2018 3 commits
    • examples/http_filter: Add pointer offset accounting for variable ip header len (#1868) · 3d9b687d
      ChaosData authored
      This fix adds additional accounting logic to the http_filter examples ("simple"
      and "complete") that makes sure to shift the pointer for the IP body/payload to
      the correct offset before accessing TCP header fields. This is done by taking
      into account the IP header length field. Previously, the IP header length field
      was used, but it was done later in processing, after TCP header values were
      extracted using the size of the BCC `proto.h` `struct ip_t` as a static offset.
      
      Prior to this, it was possible to evade HTTP detection by injecting IP options
      data into the IP header that would spoof parts of the TCP header and shift the
      real one down, as done in the scapy snippet below:
      
      ```Python
      IP(
        dst=target[0],
        options=struct.pack(">BBHHHB",130,11,8080,0,0,0),
      )/TCP(
        ...
      )
      ```
      3d9b687d
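The offset accounting described in the commit above, as an added C example (not the bcc source and not the commit's code). The function names and the sample frame are constructed for illustration; the option bytes are the ones packed in the commit message's snippet, zero-padded to 12 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN     14
#define IP_MIN_HLEN  20   /* fixed IPv4 header, no options */
#define TCP_MIN_HLEN 20

/* Flawed approach: assume TCP always follows a 20-byte IP header. */
static size_t tcp_offset_static(void) { return ETH_HLEN + IP_MIN_HLEN; }

/* Corrected approach: take the IP header length from the IHL field (low
 * nibble of the first IP byte, in 32-bit words). Returns 0 if malformed. */
static size_t tcp_offset_ihl(const uint8_t *pkt, size_t len) {
    if (len < ETH_HLEN + IP_MIN_HLEN) return 0;
    size_t ip_hlen = (size_t)(pkt[ETH_HLEN] & 0x0F) * 4;
    if (ip_hlen < IP_MIN_HLEN) return 0;                 /* IHL < 5 is invalid */
    if (len < ETH_HLEN + ip_hlen + TCP_MIN_HLEN) return 0;
    return ETH_HLEN + ip_hlen;
}

/* TCP destination port: bytes 2..3 of the TCP header, network byte order. */
static uint16_t tcp_dport_at(const uint8_t *pkt, size_t off) {
    return (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
}

/* Constructed 66-byte frame: Ethernet + IPv4 with IHL=8 (12 option bytes)
 * + TCP header whose real destination port is 80. */
static size_t build_sample(uint8_t *buf) {
    static const uint8_t opts[12] = {130, 11, 0x1F, 0x90, 0, 0, 0, 0, 0, 0, 0, 0};
    memset(buf, 0, 66);
    buf[12] = 0x08; buf[13] = 0x00;        /* EtherType IPv4 */
    buf[14] = 0x48;                        /* version 4, IHL 8 => 32 bytes */
    buf[23] = 6;                           /* protocol TCP */
    memcpy(buf + 34, opts, sizeof opts);   /* options sit where TCP is assumed */
    buf[46] = 0xC0; buf[47] = 0x00;        /* real source port 49152 */
    buf[48] = 0x00; buf[49] = 0x50;        /* real destination port 80 */
    buf[58] = 0x50;                        /* TCP data offset 5 words */
    return 66;
}

int main(void) {
    uint8_t pkt[66];
    size_t len = build_sample(pkt), fixed = tcp_offset_ihl(pkt, len);
    printf("static offset %zu -> dport %u\n", tcp_offset_static(),
           (unsigned)tcp_dport_at(pkt, tcp_offset_static()));
    printf("IHL offset    %zu -> dport %u\n", fixed, (unsigned)tcp_dport_at(pkt, fixed));
    return 0;
}
```

With the static offset the parser reads option bytes as TCP fields; with the IHL-derived offset it reads the real header, and frames with an invalid IHL or a truncated TCP header are rejected.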
    • ucalls: use replace error handler (#1888) · 4e4c9e01
      jeromemarchand authored
      Prevents the following error when tracing a Java program that contains
      a non-ASCII method name:
      
      Traceback (most recent call last):
        File "/usr/share/bcc/tools/lib/ucalls", line 305, in <module>
          data = get_data()   # [(function, (num calls, latency in ns))]
        File "/usr/share/bcc/tools/lib/ucalls", line 266, in get_data
          bpf["counts"].items()))
        File "/usr/share/bcc/tools/lib/ucalls", line 264, in <lambda>
          kv[0].method.decode(),
      UnicodeDecodeError: 'ascii' codec can't decode byte 0xc4 in position 11: ordinal not in range(128)
      Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
      4e4c9e01
    • [profile.py]: adding support to collect profile only from specified CPU (#1891) · e36f9e16
      Nikita V. Shirokov authored
      * [profile.py]: adding support to collect profile only from specified CPU
      
      Summary:
      Sometimes it is useful to collect stacks only from a single CPU,
      for example when you have a single core saturated while others aren't and you
      want to know what's going on there. In this diff I'm adding this ability
      (network-related code could be an example of when a single core is saturated,
      as usually you have a 1-to-1 mapping between RX queue and CPU).
      
      example of generated code w/ CPU specified:
      
      ./tools/profile.py -C 14 2 --ebpf
      Sampling at 49 Hertz of all threads by user + kernel stack for 2 secs.
      
      struct key_t {
          u32 pid;
          u64 kernel_ip;
          u64 kernel_ret_ip;
          int user_stack_id;
          int kernel_stack_id;
          char name[TASK_COMM_LEN];
      };
      BPF_HASH(counts, struct key_t);
      BPF_STACK_TRACE(stack_traces, 16384);
      
      // This code gets a bit complex. Probably not suitable for casual hacking.
      
      int do_perf_event(struct bpf_perf_event_data *ctx) {
      
          if (bpf_get_smp_processor_id() != 14)
              return 0;
      
          u32 pid = bpf_get_current_pid_tgid() >> 32;
      ...
      
      and w/o
      
      ./tools/profile.py  2 --ebpf
      Sampling at 49 Hertz of all threads by user + kernel stack for 2 secs.
      
      struct key_t {
          u32 pid;
          u64 kernel_ip;
          u64 kernel_ret_ip;
          int user_stack_id;
          int kernel_stack_id;
          char name[TASK_COMM_LEN];
      };
      BPF_HASH(counts, struct key_t);
      BPF_STACK_TRACE(stack_traces, 16384);
      
      // This code gets a bit complex. Probably not suitable for casual hacking.
      
      int do_perf_event(struct bpf_perf_event_data *ctx) {
      
          u32 pid = bpf_get_current_pid_tgid() >> 32;
          if (!(1))
              return 0;
      ...
      
      * addressing comments
      
      * adding change in man
      e36f9e16
  2. 16 Jul, 2018 2 commits
  3. 14 Jul, 2018 1 commit
  4. 13 Jul, 2018 2 commits
  5. 12 Jul, 2018 3 commits
  6. 11 Jul, 2018 1 commit
  7. 10 Jul, 2018 6 commits
  8. 09 Jul, 2018 1 commit
  9. 08 Jul, 2018 1 commit
  10. 06 Jul, 2018 1 commit
  11. 02 Jul, 2018 1 commit
  12. 01 Jul, 2018 2 commits
    • Fix license recognition on GitHub.com · a1b1f413
      Paul Chaignon authored
      The second file with the license information, COPYRIGHT.txt, contains
      the same information as LICENSE.txt, except for the license's text.
      However, it prevents Licensee, the tool used by GitHub to detect
      licenses, from working properly as it doesn't know which file to take
      into account.
      a1b1f413
    • tools: remove unnecessary calls to bpf_probe_read · 8d78edd8
      Paul Chaignon authored
      Most of these calls have been rendered useless by a9f96c02 ("Recognize
      context member dereferences despite array accesses (#1828)").
      8d78edd8
  13. 28 Jun, 2018 3 commits
  14. 27 Jun, 2018 3 commits
  15. 26 Jun, 2018 3 commits
    • Fedora-28 install step (#1857) · 293938d8
      Lakshmipathi authored
      Ensure dnf points to the correct package name.
      293938d8
    • Unify and improve C++'s USDT implementation (#1841) · 8265aca7
      Teng Qin authored
      * Add interface to Probe's getargs call
      
      This commit allows the Probe instance to generate arguments for an arbitrary
      probe function
      
      * Refactor C++ USDT implementation
      
      This commit makes the C++ USDT implementation use the common USDT::Context
      and USDT::Probe logic
      
      * Add test case for C++ USDT API
      
      * Improve FollyRequestContextSwitch example
      8265aca7
    • fix a bug in tracepoint struct rewriter (#1856) · c2e2a26b
      yonghong-song authored
      Fix issue #1853.
      
      Commit 7c489469 ("adjust tracepoint field type
      based on size") tried to fix the tracepoint format
      discrepancy between declared type and actual size is 8.
      The type has to be promoted to match the size.
      
      The commit introduced a bug if the field is an array.
      For example, block:block_rq_complete tracepoint has
      field rwbs:
        field:char rwbs[8];	offset:32;	size:8;	signed:1;
      
      The current implementation will incorrectly translate it
      into
        s64 rwbs[8];
      since it considers the type is "char".
      
      This patch fixed this issue by checking the field name
      and if it is an array, rewriting will be skipped.
      Signed-off-by: Yonghong Song <yhs@fb.com>
      c2e2a26b
  16. 25 Jun, 2018 2 commits
  17. 22 Jun, 2018 2 commits
  18. 21 Jun, 2018 3 commits