bcc/tools: Introduce bpf_probe_read_user to the tools.

This is essential for architecture which do have overlapping address space.
- bpf_probe_read_kernel() shall be used for reading data from kernel space
to the bpf vm.
- bpf_probe_read_user() shall be used for reading data from user space
  to the bpf vm.

Signed-off-by: Sumanth Korikkar <[email protected]>

Author: sumanthkorikkar

examples/cpp/RecordMySQLQuery.cc

@@ -34,7 +34,7 @@ int probe_mysql_query(struct pt_regs *ctx, void* thd, char* query, size_t len) {
     key.ts = bpf_ktime_get_ns();
     key.pid = bpf_get_current_pid_tgid();
 
-    bpf_probe_read_str(&key.query, sizeof(key.query), query);
+    bpf_probe_read_user_str(&key.query, sizeof(key.query), query);
 
     int one = 1;
     queries.update(&key, &one);

examples/lua/bashreadline.c

@@ -15,7 +15,8 @@ int printret(struct pt_regs *ctx)
           return 0;
         pid = bpf_get_current_pid_tgid();
         data.pid = pid;
-        bpf_probe_read(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
+        bpf_probe_read_user(&data.str, sizeof(data.str),
+                            (void *)PT_REGS_RC(ctx));
         events.perf_submit(ctx, &data, sizeof(data));
         return 0;
 };

examples/lua/strlen_count.lua

@@ -26,7 +26,7 @@ int printarg(struct pt_regs *ctx) {
   if (pid != PID)
     return 0;
   char str[128] = {};
-  bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
+  bpf_probe_read_user(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
   bpf_trace_printk("strlen(\"%s\")\n", &str);
   return 0;
 };

examples/lua/usdt_ruby.lua

@@ -22,7 +22,7 @@ int trace_method(struct pt_regs *ctx) {
   bpf_usdt_readarg(2, ctx, &addr);
 
   char fn_name[128] = {};
-  bpf_probe_read(&fn_name, sizeof(fn_name), (void *)addr);
+  bpf_probe_read_user(&fn_name, sizeof(fn_name), (void *)addr);
 
   bpf_trace_printk("%s(...)\n", fn_name);
   return 0;

examples/tracing/mysqld_query.py

@@ -34,7 +34,7 @@
      * see: https://dev.mysql.com/doc/refman/5.7/en/dba-dtrace-ref-query.html
      */
     bpf_usdt_readarg(1, ctx, &addr);
-    bpf_probe_read(&query, sizeof(query), (void *)addr);
+    bpf_probe_read_user(&query, sizeof(query), (void *)addr);
     bpf_trace_printk("%s\\n", query);
     return 0;
 };

examples/tracing/nodejs_http_server.py

@@ -26,7 +26,7 @@
     uint64_t addr;
     char path[128]={0};
     bpf_usdt_readarg(6, ctx, &addr);
-    bpf_probe_read(&path, sizeof(path), (void *)addr);
+    bpf_probe_read_user(&path, sizeof(path), (void *)addr);
     bpf_trace_printk("path:%s\\n", path);
     return 0;
 };

examples/tracing/strlen_count.py

@@ -31,7 +31,7 @@
     struct key_t key = {};
     u64 zero = 0, *val;
 
-    bpf_probe_read(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx));
+    bpf_probe_read_user(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx));
     // could also use `counts.increment(key)`
     val = counts.lookup_or_try_init(&key, &zero);
     if (val) {

examples/tracing/strlen_snoop.py

@@ -34,7 +34,7 @@
         return 0;
 
     char str[80] = {};
-    bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
+    bpf_probe_read_user(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
     bpf_trace_printk("%s\\n", &str);
 
     return 0;

tools/bashreadline.py

@@ -52,7 +52,7 @@
         return 0;
     pid = bpf_get_current_pid_tgid();
     data.pid = pid;
-    bpf_probe_read(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
+    bpf_probe_read_user(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
 
     bpf_get_current_comm(&comm, sizeof(comm));
     if (comm[0] == 'b' && comm[1] == 'a' && comm[2] == 's' && comm[3] == 'h' && comm[4] == 0 ) {

tools/biosnoop.lua

@@ -84,7 +84,8 @@ int trace_req_completion(struct pt_regs *ctx, struct request *req)
     valp = infobyreq.lookup(&req);
     if (valp == 0) {
         data.len = req->__data_len;
-        strcpy(data.name,"?");
+        data.name[0] = '?';
+        data.name[1] = 0;
     } else {
         data.pid = valp->pid;
         data.len = req->__data_len;

tools/biosnoop.py

@@ -108,7 +108,8 @@
     valp = infobyreq.lookup(&req);
     if (valp == 0) {
         data.len = req->__data_len;
-        strcpy(data.name, "?");
+        data.name[0] = '?';
+        data.name[1] = 0;
     } else {
         if (##QUEUE##) {
             data.qdelta = *tsp - valp->ts;

tools/dbslower.py

@@ -127,12 +127,12 @@
     tmp.timestamp = bpf_ktime_get_ns();
 
 #if defined(MYSQL56)
-    bpf_probe_read(&tmp.query, sizeof(tmp.query), (void*) PT_REGS_PARM3(ctx));
+    bpf_probe_read_user(&tmp.query, sizeof(tmp.query), (void*) PT_REGS_PARM3(ctx));
 #elif defined(MYSQL57)
     void* st = (void*) PT_REGS_PARM2(ctx);
     char* query;
-    bpf_probe_read(&query, sizeof(query), st);
-    bpf_probe_read(&tmp.query, sizeof(tmp.query), query);
+    bpf_probe_read_user(&query, sizeof(query), st);
+    bpf_probe_read_user(&tmp.query, sizeof(tmp.query), query);
 #else //USDT
     bpf_usdt_readarg(1, ctx, &tmp.query);
 #endif
@@ -157,7 +157,13 @@
         data.pid = pid >> 32;   // only process id
         data.timestamp = tempp->timestamp;
         data.duration = delta;
+#if defined(MYSQL56) || defined(MYSQL57)
+	// We already copied string to the bpf stack. Hence use bpf_probe_read()
         bpf_probe_read(&data.query, sizeof(data.query), tempp->query);
+#else
+	// USDT - we didnt copy string to the bpf stack before.
+        bpf_probe_read_user(&data.query, sizeof(data.query), tempp->query);
+#endif
         events.perf_submit(ctx, &data, sizeof(data));
 #ifdef THRESHOLD
     }

tools/execsnoop.py

@@ -120,15 +120,15 @@ def parse_uid(user):
 
 static int __submit_arg(struct pt_regs *ctx, void *ptr, struct data_t *data)
 {
-    bpf_probe_read(data->argv, sizeof(data->argv), ptr);
+    bpf_probe_read_user(data->argv, sizeof(data->argv), ptr);
     events.perf_submit(ctx, data, sizeof(struct data_t));
     return 1;
 }
 
 static int submit_arg(struct pt_regs *ctx, void *ptr, struct data_t *data)
 {
     const char *argp = NULL;
-    bpf_probe_read(&argp, sizeof(argp), ptr);
+    bpf_probe_read_user(&argp, sizeof(argp), ptr);
     if (argp) {
         return __submit_arg(ctx, (void *)(argp), data);
     }

tools/funcslower.py

@@ -82,7 +82,11 @@
     u64 id;
     u64 start_ns;
 #ifdef GRAB_ARGS
+#ifndef __s390x__
     u64 args[6];
+#else
+    u64 args[5];
+#endif
 #endif
 };
 
@@ -94,7 +98,11 @@
     u64 retval;
     char comm[TASK_COMM_LEN];
 #ifdef GRAB_ARGS
+#ifndef __s390x__
     u64 args[6];
+#else
+    u64 args[5];
+#endif
 #endif
 #ifdef USER_STACKS
     int user_stack_id;
@@ -130,7 +138,9 @@
     entry.args[2] = PT_REGS_PARM3(ctx);
     entry.args[3] = PT_REGS_PARM4(ctx);
     entry.args[4] = PT_REGS_PARM5(ctx);
+#ifndef __s390x__
     entry.args[5] = PT_REGS_PARM6(ctx);
+#endif
 #endif
 
     entryinfo.update(&tgid_pid, &entry);

tools/gethostlatency.py

@@ -64,7 +64,7 @@
     u32 pid = bpf_get_current_pid_tgid();
 
     if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
-        bpf_probe_read(&val.host, sizeof(val.host),
+        bpf_probe_read_user(&val.host, sizeof(val.host),
                        (void *)PT_REGS_PARM1(ctx));
         val.pid = bpf_get_current_pid_tgid();
         val.ts = bpf_ktime_get_ns();

tools/lib/ucalls.py

@@ -158,9 +158,9 @@
 #endif
     READ_CLASS
     READ_METHOD
-    bpf_probe_read(&data.method.clazz, sizeof(data.method.clazz),
+    bpf_probe_read_user(&data.method.clazz, sizeof(data.method.clazz),
                    (void *)clazz);
-    bpf_probe_read(&data.method.method, sizeof(data.method.method),
+    bpf_probe_read_user(&data.method.method, sizeof(data.method.method),
                    (void *)method);
 #ifndef LATENCY
     valp = counts.lookup_or_try_init(&data.method, &val);
@@ -182,9 +182,9 @@
     data.pid = bpf_get_current_pid_tgid();
     READ_CLASS
     READ_METHOD
-    bpf_probe_read(&data.method.clazz, sizeof(data.method.clazz),
+    bpf_probe_read_user(&data.method.clazz, sizeof(data.method.clazz),
                    (void *)clazz);
-    bpf_probe_read(&data.method.method, sizeof(data.method.method),
+    bpf_probe_read_user(&data.method.method, sizeof(data.method.method),
                    (void *)method);
     entry_timestamp = entry.lookup(&data);
     if (!entry_timestamp) {

tools/lib/uflow.py

@@ -81,8 +81,8 @@
 
     READ_CLASS
     READ_METHOD
-    bpf_probe_read(&data.clazz, sizeof(data.clazz), (void *)clazz);
-    bpf_probe_read(&data.method, sizeof(data.method), (void *)method);
+    bpf_probe_read_user(&data.clazz, sizeof(data.clazz), (void *)clazz);
+    bpf_probe_read_user(&data.method, sizeof(data.method), (void *)method);
 
     FILTER_CLASS
     FILTER_METHOD

tools/lib/ugc.py

@@ -140,8 +140,8 @@ def format(self, data):
     u64 manager = 0, pool = 0;
     bpf_usdt_readarg(1, ctx, &manager);        // ptr to manager name
     bpf_usdt_readarg(3, ctx, &pool);           // ptr to pool name
-    bpf_probe_read(&event.string1, sizeof(event.string1), (void *)manager);
-    bpf_probe_read(&event.string2, sizeof(event.string2), (void *)pool);
+    bpf_probe_read_user(&event.string1, sizeof(event.string1), (void *)manager);
+    bpf_probe_read_user(&event.string2, sizeof(event.string2), (void *)pool);
     """
 
     def formatter(e):

tools/lib/uobjnew.py

@@ -98,7 +98,7 @@
     u64 classptr = 0, size = 0;
     bpf_usdt_readarg(2, ctx, &classptr);
     bpf_usdt_readarg(4, ctx, &size);
-    bpf_probe_read(&key.name, sizeof(key.name), (void *)classptr);
+    bpf_probe_read_user(&key.name, sizeof(key.name), (void *)classptr);
     valp = allocs.lookup_or_try_init(&key, &zero);
     if (valp) {
         valp->total_size += size;
@@ -132,7 +132,7 @@
     struct val_t *valp, zero = {};
     u64 classptr = 0;
     bpf_usdt_readarg(1, ctx, &classptr);
-    bpf_probe_read(&key.name, sizeof(key.name), (void *)classptr);
+    bpf_probe_read_user(&key.name, sizeof(key.name), (void *)classptr);
     valp = allocs.lookup_or_try_init(&key, &zero);
     if (valp) {
         valp->num_allocs += 1;  // We don't know the size, unfortunately

tools/lib/uthreads.py

@@ -80,7 +80,7 @@
     bpf_usdt_readarg(1, ctx, &nameptr);
     bpf_usdt_readarg(3, ctx, &id);
     bpf_usdt_readarg(4, ctx, &native_id);
-    bpf_probe_read(&te.name, sizeof(te.name), (void *)nameptr);
+    bpf_probe_read_user(&te.name, sizeof(te.name), (void *)nameptr);
     te.runtime_id = id;
     te.native_id = native_id;
     __builtin_memcpy(&te.type, type, sizeof(te.type));

tools/mountsnoop.py

@@ -109,22 +109,22 @@
 
     event.type = EVENT_MOUNT_SOURCE;
     __builtin_memset(event.str, 0, sizeof(event.str));
-    bpf_probe_read(event.str, sizeof(event.str), source);
+    bpf_probe_read_user(event.str, sizeof(event.str), source);
     events.perf_submit(ctx, &event, sizeof(event));
 
     event.type = EVENT_MOUNT_TARGET;
     __builtin_memset(event.str, 0, sizeof(event.str));
-    bpf_probe_read(event.str, sizeof(event.str), target);
+    bpf_probe_read_user(event.str, sizeof(event.str), target);
     events.perf_submit(ctx, &event, sizeof(event));
 
     event.type = EVENT_MOUNT_TYPE;
     __builtin_memset(event.str, 0, sizeof(event.str));
-    bpf_probe_read(event.str, sizeof(event.str), type);
+    bpf_probe_read_user(event.str, sizeof(event.str), type);
     events.perf_submit(ctx, &event, sizeof(event));
 
     event.type = EVENT_MOUNT_DATA;
     __builtin_memset(event.str, 0, sizeof(event.str));
-    bpf_probe_read(event.str, sizeof(event.str), data);
+    bpf_probe_read_user(event.str, sizeof(event.str), data);
     events.perf_submit(ctx, &event, sizeof(event));
 
     return 0;
@@ -164,7 +164,7 @@
 
     event.type = EVENT_UMOUNT_TARGET;
     __builtin_memset(event.str, 0, sizeof(event.str));
-    bpf_probe_read(event.str, sizeof(event.str), target);
+    bpf_probe_read_user(event.str, sizeof(event.str), target);
     events.perf_submit(ctx, &event, sizeof(event));
 
     return 0;

tools/mysqld_qslower.py

@@ -81,7 +81,7 @@ def usage():
     if (delta >= """ + str(min_ns) + """) {
         // populate and emit data struct
         struct data_t data = {.pid = pid, .ts = sp->ts, .delta = delta};
-        bpf_probe_read(&data.query, sizeof(data.query), (void *)sp->query);
+        bpf_probe_read_user(&data.query, sizeof(data.query), (void *)sp->query);
         events.perf_submit(ctx, &data, sizeof(data));
     }
 

tools/opensnoop.py

@@ -152,7 +152,7 @@
         return 0;
     }
     bpf_probe_read(&data.comm, sizeof(data.comm), valp->comm);
-    bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
+    bpf_probe_read_user(&data.fname, sizeof(data.fname), (void *)valp->fname);
     data.id = valp->id;
     data.ts = tsp / 1000;
     data.uid = bpf_get_current_uid_gid();
@@ -167,7 +167,7 @@
 """
 
 bpf_text_kfunc= """
-KRETFUNC_PROBE(do_sys_open, int dfd, const char *filename, int flags, int mode, int ret)
+KRETFUNC_PROBE(do_sys_open, int dfd, const char __user *filename, int flags, int mode, int ret)
 {
     u64 id = bpf_get_current_pid_tgid();
     u32 pid = id >> 32; // PID is higher part
@@ -189,7 +189,7 @@
 
     u64 tsp = bpf_ktime_get_ns();
 
-    bpf_probe_read(&data.fname, sizeof(data.fname), (void *)filename);
+    bpf_probe_read_user(&data.fname, sizeof(data.fname), (void *)filename);
     data.id    = id;
     data.ts    = tsp / 1000;
     data.uid   = bpf_get_current_uid_gid();

tools/sslsniff.py

@@ -72,7 +72,7 @@
         bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
 
         if ( buf != 0) {
-                bpf_probe_read(&__data.v0, sizeof(__data.v0), buf);
+                bpf_probe_read_user(&__data.v0, sizeof(__data.v0), buf);
         }
 
         perf_SSL_write.perf_submit(ctx, &__data, sizeof(__data));
@@ -108,7 +108,7 @@
         bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
 
         if (bufp != 0) {
-                bpf_probe_read(&__data.v0, sizeof(__data.v0), (char *)*bufp);
+                bpf_probe_read_user(&__data.v0, sizeof(__data.v0), (char *)*bufp);
         }
 
         bufs.delete(&pid);

tools/statsnoop.py

@@ -84,7 +84,7 @@
     }
 
     struct data_t data = {.pid = pid};
-    bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
+    bpf_probe_read_user(&data.fname, sizeof(data.fname), (void *)valp->fname);
     bpf_get_current_comm(&data.comm, sizeof(data.comm));
     data.ts_ns = bpf_ktime_get_ns();
     data.ret = PT_REGS_RC(ctx);