eBPF Trace from Kernel to Userspace

eBPFTrace from Kernel to Userspace

Gary LinSUSE LabsSoftware Engineer

Technology Sharing Day

2016

Tracer

tick_nohz_idle_enterset_cpu_sd_state_idleup_write__tick_nohz_idle_enterktime_getuprobe_mmapread_hpetvma_set_page_protvma_wants_writenotify

rcu_needs_cpufputget_next_timer_interrupt_raw_spin_lockhrtimer_get_next_event_raw_spin_lock_irqsave_raw_spin_unlock_irqrestoresyscall_trace_leave _raw_write_unlock_irqrestore__audit_syscall_exitpath_putdputmntput

up_write

rax: 0x0000000000000000rbx: 0xffff88012b5a5a28rcx: 0xffff8800987c18e0rdx: 0x0000000000000000rsi: 0xffff88012b439f20rdi: 0xffff88012b464628rbp: 0xffff8800959e3d98

kprobe

Kernel

Userspace

uprobe

/sys/kernel/debug/tracing/kprobe_events

/sys/kernel/debug/tracing/uprobe_events

Berkeley Packet Filter

BPF

No RedBPF Program

The BSD Packet Filter:A New Architecture for User-level

Packet CaptureDecember 19, 1992

SCO lawsuit, August 2003

Stable

BPF ASM

ldh [12]jne #0x800, dropldb [23]jneq #1, drop# get a random uint32 numberld randmod #4jneq #1, dropret #-1drop: ret #0

BPF Bytecode

struct sock_filter code[] = { { 0x28, 0, 0, 0x0000000c }, { 0x15, 0, 8, 0x000086dd }, { 0x30, 0, 0, 0x00000014 }, { 0x15, 2, 0, 0x00000084 }, { 0x15, 1, 0, 0x00000006 }, { 0x15, 0, 17, 0x00000011 }, { 0x28, 0, 0, 0x00000036 }, { 0x15, 14, 0, 0x00000016 }, { 0x28, 0, 0, 0x00000038 }, { 0x15, 12, 13, 0x00000016 }, ...};

Virtual Machinekind of

BPF JIT

BPFBytecode

NativeMachine

CodeBPF JIT

$ find arch/ -name bpf_jit*arch/sparc/net/bpf_jit_comp.carch/sparc/net/bpf_jit_asm.Sarch/sparc/net/bpf_jit.harch/arm/net/bpf_jit_32.carch/arm/net/bpf_jit_32.harch/arm64/net/bpf_jit_comp.carch/arm64/net/bpf_jit.harch/powerpc/net/bpf_jit_comp.carch/powerpc/net/bpf_jit_asm.Sarch/powerpc/net/bpf_jit.harch/s390/net/bpf_jit_comp.carch/s390/net/bpf_jit.Sarch/s390/net/bpf_jit.harch/mips/net/bpf_jit.carch/mips/net/bpf_jit_asm.Sarch/mips/net/bpf_jit.harch/x86/net/bpf_jit_comp.carch/x86/net/bpf_jit.S

Stable and Efficient

Extended BPF

eBPF

userspacekernel

eBPFProgramBPF_PROG_LOAD

At most4096instructions

Extended RegisterseBPF VerifiereBPF MapProbe Event

Classic BPF: 32 bitExtended BPF: 64 bit

Classic BPF: A, X (2)Extended BPF: R0 – R9 (10)

R10 (read-only)

For x86_64 JIT

R0 → raxR1 → rdiR2 → rsiR3 → rdxR4 → rcxR5 → r8R6 → rbxR7 → r13R8 → r14R9 → r15R10 → rbp

BPF Calling Convention

● R0

Return value from in-kernel function, and exit value for eBPF program

● R1 – R5

Arguments from eBPF program to in-kernel function

● R6 – R9

Callee saved registers that in-kernel function will preserve

● R10

Read-only frame pointer to access stack

Two-Step Verification

Step 1

Directed Acyclic GraphCheck

Loops

Unreachable Instructions

Step 2

Simulate the Execution

Read a never-written register

Do arithmetic of two valid pointer

Load/store registers of invalid types

Read stack before writing data into stack

eBPF

userspacekernel

UserProgram

Map BPF_MAP_*

eBPF Map Types

● BPF_MAP_TYPE_HASH● BPF_MAP_TYPE_ARRAY● BPF_MAP_TYPE_PROG_ARRAY● BPF_MAP_TYPE_PERF_EVENT_ARRAY

eBPF Map Syscalls

● BPF_MAP_CREATE● BPF_MAP_LOOKUP_ELEM● BPF_MAP_UPDATE_ELEM● BPF_MAP_DELETE_ELEM● BPF_MAP_GET_NEXT_KEY

New ioctl request

PERF_EVENT_IOC_SET_BPF

Kprobe

BPF_PROG_LOAD

User Program

eBPF

userspace

kernel

KernelProgram

kprobe

Eventfd

fd


fd

Attach

Registration

perf_tp_event_init() kernel/events/core.cperf_trace_init() kernel/trace/trace_event_perf.cperf_trace_event_init() kernel/trace/trace_event_perf.cperf_trace_event_reg() kernel/trace/trace_event_perf.c

ret = tp_event->class->reg(tp_event, TRACE_REG_PERF_REGISTER, NULL);

kprobe_register() kernel/trace/trace_kprobe.cenable_trace_kprobe() kernel/trace/trace_kprobe.cenable_kprobe() kernel/kprobes.c

Attach

perf_ioctl() kernel/events/core.c_perf_ioctl() kernel/events/core.c

case PERF_EVENT_IOC_SET_BPF: return perf_event_set_bpf_prog(event, arg);

perf_event_set_bpf_prog() kernel/events/core.c

prog = bpf_prog_get(prog_fd); event->tp_event->prog = prog;

Dispatch Event

kprobe_dispatcher() kernel/trace/trace_kprobe.ckprobe_perf_func() kernel/trace/trace_kprobe.c

if (prog && !trace_call_bpf(prog, regs)) Return;

trace_call_bpf() kernel/trace/bpf_trace.cBPF_PROG_RUN() include/linux/filter.h__bpf_prog_run() kernel/bpf/core.c

kfree_skb(struct sk_buff *skb){ if (unlikely(!skb)) return; ….}

kprobe

eBPF

BPF bytecode Read Map

BPF bytecode Map

BPF_PROG_LOAD BPF_MAP_*

userspace

kernel

bpf_tracer.c

Uprobe

BPF_PROG_LOAD

User Program

eBPF

userspace

kernel

KernelProgram

uprobe

Eventfd

fd


fd

Attach

__libc_malloc(size_t *bytes){ arena_lookup(ar_ptr);

arena_lock(ar_ptr, bytes); ….}

uprobe

eBPF

BPF bytecode

BPF bytecode

userspace

kernel

bpf_tracer.c

glibc

How to use eBPF?

Linux Kernel >= 4.1

Kernel Config

● CONFIG_BPF=y● CONFIG_BPF_SYSCALL=y● CONFIG_BPF_JIT=y● CONFIG_HAVE_BPF_JIT=y● CONFIG_BPF_EVENTS=y

BPF ASM

BPF ASMRestricted C

LLVM >= 3.7

clang:llc:

--emit-llvm--march=bpf

C codeLLVM

IR BitcodeBPF Bytecodeclang llc

User Program

eBPF

userspace

kernel

eBPF MAP

KernelProgram

As simpleas possible

Whatever you want

BPF Compiler Collection

obs://Base:System/bcc

C & Python Library

Built-in BPF compiler

Hello World

from bcc import BPF

bpf_prog="""void kprobe__sys_clone(void *ctx) { bpf_trace_printk(“Hello, World\\n”);}"""

BPF(text=bpf_prog).trace_print()

Access Map

In bitehist.c:

BPF_HISTOGRAM(dist);dist.increment(bpf_log2l(req->__data_len / 1024));

In bitehist.py:

b = BPF(src_file = "bitehist.c")b["dist"].print_log2_hist("kbytes")

Access Map (Cont’)

# ./bitehist.pyTracing... Hit Ctrl-C to end.^C kbytes : count distribution 0 -> 1 : 8 |****** | 2 -> 3 : 0 | | 4 -> 7 : 51 |****************************************| 8 -> 15 : 8 |****** | 16 -> 31 : 1 | | 32 -> 63 : 3 |** | 64 -> 127 : 2 |* |

memleak.py

if not kernel_trace: print("Attaching to malloc and free in pid %d," "Ctrl+C to quit." % pid) bpf_program.attach_uprobe(name="c", sym="malloc", fn_name="alloc_enter", pid=pid) bpf_program.attach_uretprobe(name="c", sym="malloc", fn_name="alloc_exit", pid=pid) bpf_program.attach_uprobe(name="c", sym="free", fn_name="free_enter", pid=pid)else: print("Attaching to kmalloc and kfree, Ctrl+C to quit.") bpf_program.attach_kprobe(event="__kmalloc", fn_name="alloc_enter") bpf_program.attach_kretprobe(event="__kmalloc", fn_name="alloc_exit") bpf_program.attach_kprobe(event="kfree", fn_name="free_enter")

memleak.py (alloc_enter)

BPF_HASH(sizes, u64);BPF_HASH(allocs, u64, struct alloc_info_t);

int alloc_enter(struct pt_regs *ctx, size_t size) { ... u64 pid = bpf_get_current_pid_tgid(); u64 size64 = size; sizes.update(&pid, &size64); ...}

memleak.py (alloc_exit)


int alloc_exit(struct pt_regs *ctx) { u64 address = ctx->ax; u64 pid = bpf_get_current_pid_tgid(); u64* size64 = sizes.lookup(&pid); struct alloc_info_t info = {0};

if (size64 == 0) return 0; // missed alloc entry

info.size = *size64; sizes.delete(&pid);

info.timestamp_ns = bpf_ktime_get_ns(); info.num_frames = grab_stack(ctx, &info) - 2; allocs.update(&address, &info); ...}

memleak.py (free)


int free_enter(struct pt_regs *ctx, void *address){ u64 addr = (u64)address; struct alloc_info_t *info = allocs.lookup(&addr); if (info == 0) return 0;

allocs.delete(&addr); ...}

Question?

ThankYou

References

● Documentation/networking/filter.txt

● http://www.brendangregg.com/blog/2015-05-15/ebpf-one-small-step.html

● https://suchakra.wordpress.com/2015/05/18/bpf-internals-i/

● https://suchakra.wordpress.com/2015/08/12/bpf-internals-ii/

● https://lkml.org/lkml/2013/9/30/627

● https://lwn.net/Articles/612878/

● https://lwn.net/Articles/650953/

● https://github.com/iovisor/bcc

http://www.brendangregg.com/blog/2015-05-15/ebpf-one-small-step.html

http://www.brendangregg.com/blog/2015-05-15/ebpf-one-small-step.html

https://suchakra.wordpress.com/2015/05/18/bpf-internals-i/

https://suchakra.wordpress.com/2015/08/12/bpf-internals-ii/

https://lkml.org/lkml/2013/9/30/627

https://lwn.net/Articles/612878/

https://lwn.net/Articles/650953/

https://github.com/iovisor/bcc

eBPF Trace from Kernel to Userspace

Software

Transcript of eBPF Trace from Kernel to Userspace