214 lines
8.8 KiB
ReStructuredText
214 lines
8.8 KiB
ReStructuredText
|
.. SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
|
||
|
|
||
|
==============
|
||
|
BPF drgn tools
|
||
|
==============
|
||
|
|
||
|
drgn scripts is a convenient and easy to use mechanism to retrieve arbitrary
|
||
|
kernel data structures. drgn is not relying on kernel UAPI to read the data.
|
||
|
Instead it's reading directly from ``/proc/kcore`` or vmcore and pretty prints
|
||
|
the data based on DWARF debug information from vmlinux.
|
||
|
|
||
|
This document describes BPF related drgn tools.
|
||
|
|
||
|
See `drgn/tools`_ for all tools available at the moment and `drgn/doc`_ for
|
||
|
more details on drgn itself.
|
||
|
|
||
|
bpf_inspect.py
|
||
|
--------------
|
||
|
|
||
|
Description
|
||
|
===========
|
||
|
|
||
|
`bpf_inspect.py`_ is a tool intended to inspect BPF programs and maps. It can
|
||
|
iterate over all programs and maps in the system and print basic information
|
||
|
about these objects, including id, type and name.
|
||
|
|
||
|
The main use-case `bpf_inspect.py`_ covers is to show BPF programs of types
|
||
|
``BPF_PROG_TYPE_EXT`` and ``BPF_PROG_TYPE_TRACING`` attached to other BPF
|
||
|
programs via ``freplace``/``fentry``/``fexit`` mechanisms, since there is no
|
||
|
user-space API to get this information.
|
||
|
|
||
|
Getting started
|
||
|
===============
|
||
|
|
||
|
List BPF programs (full names are obtained from BTF)::
|
||
|
|
||
|
% sudo bpf_inspect.py prog
|
||
|
27: BPF_PROG_TYPE_TRACEPOINT tracepoint__tcp__tcp_send_reset
|
||
|
4632: BPF_PROG_TYPE_CGROUP_SOCK_ADDR tw_ipt_bind
|
||
|
49464: BPF_PROG_TYPE_RAW_TRACEPOINT raw_tracepoint__sched_process_exit
|
||
|
|
||
|
List BPF maps::
|
||
|
|
||
|
% sudo bpf_inspect.py map
|
||
|
2577: BPF_MAP_TYPE_HASH tw_ipt_vips
|
||
|
4050: BPF_MAP_TYPE_STACK_TRACE stack_traces
|
||
|
4069: BPF_MAP_TYPE_PERCPU_ARRAY ned_dctcp_cntr
|
||
|
|
||
|
Find BPF programs attached to BPF program ``test_pkt_access``::
|
||
|
|
||
|
% sudo bpf_inspect.py p | grep test_pkt_access
|
||
|
650: BPF_PROG_TYPE_SCHED_CLS test_pkt_access
|
||
|
654: BPF_PROG_TYPE_TRACING test_main linked:[650->25: BPF_TRAMP_FEXIT test_pkt_access->test_pkt_access()]
|
||
|
655: BPF_PROG_TYPE_TRACING test_subprog1 linked:[650->29: BPF_TRAMP_FEXIT test_pkt_access->test_pkt_access_subprog1()]
|
||
|
656: BPF_PROG_TYPE_TRACING test_subprog2 linked:[650->31: BPF_TRAMP_FEXIT test_pkt_access->test_pkt_access_subprog2()]
|
||
|
657: BPF_PROG_TYPE_TRACING test_subprog3 linked:[650->21: BPF_TRAMP_FEXIT test_pkt_access->test_pkt_access_subprog3()]
|
||
|
658: BPF_PROG_TYPE_EXT new_get_skb_len linked:[650->16: BPF_TRAMP_REPLACE test_pkt_access->get_skb_len()]
|
||
|
659: BPF_PROG_TYPE_EXT new_get_skb_ifindex linked:[650->23: BPF_TRAMP_REPLACE test_pkt_access->get_skb_ifindex()]
|
||
|
660: BPF_PROG_TYPE_EXT new_get_constant linked:[650->19: BPF_TRAMP_REPLACE test_pkt_access->get_constant()]
|
||
|
|
||
|
It can be seen that there is a program ``test_pkt_access``, id 650 and there
|
||
|
are multiple other tracing and ext programs attached to functions in
|
||
|
``test_pkt_access``.
|
||
|
|
||
|
For example the line::
|
||
|
|
||
|
658: BPF_PROG_TYPE_EXT new_get_skb_len linked:[650->16: BPF_TRAMP_REPLACE test_pkt_access->get_skb_len()]
|
||
|
|
||
|
, means that BPF program id 658, type ``BPF_PROG_TYPE_EXT``, name
|
||
|
``new_get_skb_len`` replaces (``BPF_TRAMP_REPLACE``) function ``get_skb_len()``
|
||
|
that has BTF id 16 in BPF program id 650, name ``test_pkt_access``.
|
||
|
|
||
|
Getting help:
|
||
|
|
||
|
.. code-block:: none
|
||
|
|
||
|
% sudo bpf_inspect.py
|
||
|
usage: bpf_inspect.py [-h] {prog,p,map,m} ...
|
||
|
|
||
|
drgn script to list BPF programs or maps and their properties
|
||
|
unavailable via kernel API.
|
||
|
|
||
|
See https://github.com/osandov/drgn/ for more details on drgn.
|
||
|
|
||
|
optional arguments:
|
||
|
-h, --help show this help message and exit
|
||
|
|
||
|
subcommands:
|
||
|
{prog,p,map,m}
|
||
|
prog (p) list BPF programs
|
||
|
map (m) list BPF maps
|
||
|
|
||
|
Customization
|
||
|
=============
|
||
|
|
||
|
The script is intended to be customized by developers to print relevant
|
||
|
information about BPF programs, maps and other objects.
|
||
|
|
||
|
For example, to print ``struct bpf_prog_aux`` for BPF program id 53077:
|
||
|
|
||
|
.. code-block:: none
|
||
|
|
||
|
% git diff
|
||
|
diff --git a/tools/bpf_inspect.py b/tools/bpf_inspect.py
|
||
|
index 650e228..aea2357 100755
|
||
|
--- a/tools/bpf_inspect.py
|
||
|
+++ b/tools/bpf_inspect.py
|
||
|
@@ -112,7 +112,9 @@ def list_bpf_progs(args):
|
||
|
if linked:
|
||
|
linked = f" linked:[{linked}]"
|
||
|
|
||
|
- print(f"{id_:>6}: {type_:32} {name:32} {linked}")
|
||
|
+ if id_ == 53077:
|
||
|
+ print(f"{id_:>6}: {type_:32} {name:32}")
|
||
|
+ print(f"{bpf_prog.aux}")
|
||
|
|
||
|
|
||
|
def list_bpf_maps(args):
|
||
|
|
||
|
It produces the output::
|
||
|
|
||
|
% sudo bpf_inspect.py p
|
||
|
53077: BPF_PROG_TYPE_XDP tw_xdp_policer
|
||
|
*(struct bpf_prog_aux *)0xffff8893fad4b400 = {
|
||
|
.refcnt = (atomic64_t){
|
||
|
.counter = (long)58,
|
||
|
},
|
||
|
.used_map_cnt = (u32)1,
|
||
|
.max_ctx_offset = (u32)8,
|
||
|
.max_pkt_offset = (u32)15,
|
||
|
.max_tp_access = (u32)0,
|
||
|
.stack_depth = (u32)8,
|
||
|
.id = (u32)53077,
|
||
|
.func_cnt = (u32)0,
|
||
|
.func_idx = (u32)0,
|
||
|
.attach_btf_id = (u32)0,
|
||
|
.linked_prog = (struct bpf_prog *)0x0,
|
||
|
.verifier_zext = (bool)0,
|
||
|
.offload_requested = (bool)0,
|
||
|
.attach_btf_trace = (bool)0,
|
||
|
.func_proto_unreliable = (bool)0,
|
||
|
.trampoline_prog_type = (enum bpf_tramp_prog_type)BPF_TRAMP_FENTRY,
|
||
|
.trampoline = (struct bpf_trampoline *)0x0,
|
||
|
.tramp_hlist = (struct hlist_node){
|
||
|
.next = (struct hlist_node *)0x0,
|
||
|
.pprev = (struct hlist_node **)0x0,
|
||
|
},
|
||
|
.attach_func_proto = (const struct btf_type *)0x0,
|
||
|
.attach_func_name = (const char *)0x0,
|
||
|
.func = (struct bpf_prog **)0x0,
|
||
|
.jit_data = (void *)0x0,
|
||
|
.poke_tab = (struct bpf_jit_poke_descriptor *)0x0,
|
||
|
.size_poke_tab = (u32)0,
|
||
|
.ksym_tnode = (struct latch_tree_node){
|
||
|
.node = (struct rb_node [2]){
|
||
|
{
|
||
|
.__rb_parent_color = (unsigned long)18446612956263126665,
|
||
|
.rb_right = (struct rb_node *)0x0,
|
||
|
.rb_left = (struct rb_node *)0xffff88a0be3d0088,
|
||
|
},
|
||
|
{
|
||
|
.__rb_parent_color = (unsigned long)18446612956263126689,
|
||
|
.rb_right = (struct rb_node *)0x0,
|
||
|
.rb_left = (struct rb_node *)0xffff88a0be3d00a0,
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
.ksym_lnode = (struct list_head){
|
||
|
.next = (struct list_head *)0xffff88bf481830b8,
|
||
|
.prev = (struct list_head *)0xffff888309f536b8,
|
||
|
},
|
||
|
.ops = (const struct bpf_prog_ops *)xdp_prog_ops+0x0 = 0xffffffff820fa350,
|
||
|
.used_maps = (struct bpf_map **)0xffff889ff795de98,
|
||
|
.prog = (struct bpf_prog *)0xffffc9000cf2d000,
|
||
|
.user = (struct user_struct *)root_user+0x0 = 0xffffffff82444820,
|
||
|
.load_time = (u64)2408348759285319,
|
||
|
.cgroup_storage = (struct bpf_map *[2]){},
|
||
|
.name = (char [16])"tw_xdp_policer",
|
||
|
.security = (void *)0xffff889ff795d548,
|
||
|
.offload = (struct bpf_prog_offload *)0x0,
|
||
|
.btf = (struct btf *)0xffff8890ce6d0580,
|
||
|
.func_info = (struct bpf_func_info *)0xffff889ff795d240,
|
||
|
.func_info_aux = (struct bpf_func_info_aux *)0xffff889ff795de20,
|
||
|
.linfo = (struct bpf_line_info *)0xffff888a707afc00,
|
||
|
.jited_linfo = (void **)0xffff8893fad48600,
|
||
|
.func_info_cnt = (u32)1,
|
||
|
.nr_linfo = (u32)37,
|
||
|
.linfo_idx = (u32)0,
|
||
|
.num_exentries = (u32)0,
|
||
|
.extable = (struct exception_table_entry *)0xffffffffa032d950,
|
||
|
.stats = (struct bpf_prog_stats *)0x603fe3a1f6d0,
|
||
|
.work = (struct work_struct){
|
||
|
.data = (atomic_long_t){
|
||
|
.counter = (long)0,
|
||
|
},
|
||
|
.entry = (struct list_head){
|
||
|
.next = (struct list_head *)0x0,
|
||
|
.prev = (struct list_head *)0x0,
|
||
|
},
|
||
|
.func = (work_func_t)0x0,
|
||
|
},
|
||
|
.rcu = (struct callback_head){
|
||
|
.next = (struct callback_head *)0x0,
|
||
|
.func = (void (*)(struct callback_head *))0x0,
|
||
|
},
|
||
|
}
|
||
|
|
||
|
|
||
|
.. Links
|
||
|
.. _drgn/doc: https://drgn.readthedocs.io/en/latest/
|
||
|
.. _drgn/tools: https://github.com/osandov/drgn/tree/master/tools
|
||
|
.. _bpf_inspect.py:
|
||
|
https://github.com/osandov/drgn/blob/master/tools/bpf_inspect.py
|