1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun // Copyright (c) 2019 Facebook
3*4882a593Smuzhiyun #include <linux/sched.h>
4*4882a593Smuzhiyun #include <linux/ptrace.h>
5*4882a593Smuzhiyun #include <stdint.h>
6*4882a593Smuzhiyun #include <stddef.h>
7*4882a593Smuzhiyun #include <stdbool.h>
8*4882a593Smuzhiyun #include <linux/bpf.h>
9*4882a593Smuzhiyun #include <bpf/bpf_helpers.h>
10*4882a593Smuzhiyun
11*4882a593Smuzhiyun #define FUNCTION_NAME_LEN 64
12*4882a593Smuzhiyun #define FILE_NAME_LEN 128
13*4882a593Smuzhiyun #define TASK_COMM_LEN 16
14*4882a593Smuzhiyun
15*4882a593Smuzhiyun typedef struct {
16*4882a593Smuzhiyun int PyThreadState_frame;
17*4882a593Smuzhiyun int PyThreadState_thread;
18*4882a593Smuzhiyun int PyFrameObject_back;
19*4882a593Smuzhiyun int PyFrameObject_code;
20*4882a593Smuzhiyun int PyFrameObject_lineno;
21*4882a593Smuzhiyun int PyCodeObject_filename;
22*4882a593Smuzhiyun int PyCodeObject_name;
23*4882a593Smuzhiyun int String_data;
24*4882a593Smuzhiyun int String_size;
25*4882a593Smuzhiyun } OffsetConfig;
26*4882a593Smuzhiyun
27*4882a593Smuzhiyun typedef struct {
28*4882a593Smuzhiyun uintptr_t current_state_addr;
29*4882a593Smuzhiyun uintptr_t tls_key_addr;
30*4882a593Smuzhiyun OffsetConfig offsets;
31*4882a593Smuzhiyun bool use_tls;
32*4882a593Smuzhiyun } PidData;
33*4882a593Smuzhiyun
34*4882a593Smuzhiyun typedef struct {
35*4882a593Smuzhiyun uint32_t success;
36*4882a593Smuzhiyun } Stats;
37*4882a593Smuzhiyun
38*4882a593Smuzhiyun typedef struct {
39*4882a593Smuzhiyun char name[FUNCTION_NAME_LEN];
40*4882a593Smuzhiyun char file[FILE_NAME_LEN];
41*4882a593Smuzhiyun } Symbol;
42*4882a593Smuzhiyun
43*4882a593Smuzhiyun typedef struct {
44*4882a593Smuzhiyun uint32_t pid;
45*4882a593Smuzhiyun uint32_t tid;
46*4882a593Smuzhiyun char comm[TASK_COMM_LEN];
47*4882a593Smuzhiyun int32_t kernel_stack_id;
48*4882a593Smuzhiyun int32_t user_stack_id;
49*4882a593Smuzhiyun bool thread_current;
50*4882a593Smuzhiyun bool pthread_match;
51*4882a593Smuzhiyun bool stack_complete;
52*4882a593Smuzhiyun int16_t stack_len;
53*4882a593Smuzhiyun int32_t stack[STACK_MAX_LEN];
54*4882a593Smuzhiyun
55*4882a593Smuzhiyun int has_meta;
56*4882a593Smuzhiyun int metadata;
57*4882a593Smuzhiyun char dummy_safeguard;
58*4882a593Smuzhiyun } Event;
59*4882a593Smuzhiyun
60*4882a593Smuzhiyun
61*4882a593Smuzhiyun typedef int pid_t;
62*4882a593Smuzhiyun
63*4882a593Smuzhiyun typedef struct {
64*4882a593Smuzhiyun void* f_back; // PyFrameObject.f_back, previous frame
65*4882a593Smuzhiyun void* f_code; // PyFrameObject.f_code, pointer to PyCodeObject
66*4882a593Smuzhiyun void* co_filename; // PyCodeObject.co_filename
67*4882a593Smuzhiyun void* co_name; // PyCodeObject.co_name
68*4882a593Smuzhiyun } FrameData;
69*4882a593Smuzhiyun
70*4882a593Smuzhiyun #ifdef SUBPROGS
71*4882a593Smuzhiyun __noinline
72*4882a593Smuzhiyun #else
73*4882a593Smuzhiyun __always_inline
74*4882a593Smuzhiyun #endif
get_thread_state(void * tls_base,PidData * pidData)75*4882a593Smuzhiyun static void *get_thread_state(void *tls_base, PidData *pidData)
76*4882a593Smuzhiyun {
77*4882a593Smuzhiyun void* thread_state;
78*4882a593Smuzhiyun int key;
79*4882a593Smuzhiyun
80*4882a593Smuzhiyun bpf_probe_read_user(&key, sizeof(key), (void*)(long)pidData->tls_key_addr);
81*4882a593Smuzhiyun bpf_probe_read_user(&thread_state, sizeof(thread_state),
82*4882a593Smuzhiyun tls_base + 0x310 + key * 0x10 + 0x08);
83*4882a593Smuzhiyun return thread_state;
84*4882a593Smuzhiyun }
85*4882a593Smuzhiyun
get_frame_data(void * frame_ptr,PidData * pidData,FrameData * frame,Symbol * symbol)86*4882a593Smuzhiyun static __always_inline bool get_frame_data(void *frame_ptr, PidData *pidData,
87*4882a593Smuzhiyun FrameData *frame, Symbol *symbol)
88*4882a593Smuzhiyun {
89*4882a593Smuzhiyun // read data from PyFrameObject
90*4882a593Smuzhiyun bpf_probe_read_user(&frame->f_back,
91*4882a593Smuzhiyun sizeof(frame->f_back),
92*4882a593Smuzhiyun frame_ptr + pidData->offsets.PyFrameObject_back);
93*4882a593Smuzhiyun bpf_probe_read_user(&frame->f_code,
94*4882a593Smuzhiyun sizeof(frame->f_code),
95*4882a593Smuzhiyun frame_ptr + pidData->offsets.PyFrameObject_code);
96*4882a593Smuzhiyun
97*4882a593Smuzhiyun // read data from PyCodeObject
98*4882a593Smuzhiyun if (!frame->f_code)
99*4882a593Smuzhiyun return false;
100*4882a593Smuzhiyun bpf_probe_read_user(&frame->co_filename,
101*4882a593Smuzhiyun sizeof(frame->co_filename),
102*4882a593Smuzhiyun frame->f_code + pidData->offsets.PyCodeObject_filename);
103*4882a593Smuzhiyun bpf_probe_read_user(&frame->co_name,
104*4882a593Smuzhiyun sizeof(frame->co_name),
105*4882a593Smuzhiyun frame->f_code + pidData->offsets.PyCodeObject_name);
106*4882a593Smuzhiyun // read actual names into symbol
107*4882a593Smuzhiyun if (frame->co_filename)
108*4882a593Smuzhiyun bpf_probe_read_user_str(&symbol->file,
109*4882a593Smuzhiyun sizeof(symbol->file),
110*4882a593Smuzhiyun frame->co_filename +
111*4882a593Smuzhiyun pidData->offsets.String_data);
112*4882a593Smuzhiyun if (frame->co_name)
113*4882a593Smuzhiyun bpf_probe_read_user_str(&symbol->name,
114*4882a593Smuzhiyun sizeof(symbol->name),
115*4882a593Smuzhiyun frame->co_name +
116*4882a593Smuzhiyun pidData->offsets.String_data);
117*4882a593Smuzhiyun return true;
118*4882a593Smuzhiyun }
119*4882a593Smuzhiyun
120*4882a593Smuzhiyun struct {
121*4882a593Smuzhiyun __uint(type, BPF_MAP_TYPE_HASH);
122*4882a593Smuzhiyun __uint(max_entries, 1);
123*4882a593Smuzhiyun __type(key, int);
124*4882a593Smuzhiyun __type(value, PidData);
125*4882a593Smuzhiyun } pidmap SEC(".maps");
126*4882a593Smuzhiyun
127*4882a593Smuzhiyun struct {
128*4882a593Smuzhiyun __uint(type, BPF_MAP_TYPE_HASH);
129*4882a593Smuzhiyun __uint(max_entries, 1);
130*4882a593Smuzhiyun __type(key, int);
131*4882a593Smuzhiyun __type(value, Event);
132*4882a593Smuzhiyun } eventmap SEC(".maps");
133*4882a593Smuzhiyun
134*4882a593Smuzhiyun struct {
135*4882a593Smuzhiyun __uint(type, BPF_MAP_TYPE_HASH);
136*4882a593Smuzhiyun __uint(max_entries, 1);
137*4882a593Smuzhiyun __type(key, Symbol);
138*4882a593Smuzhiyun __type(value, int);
139*4882a593Smuzhiyun } symbolmap SEC(".maps");
140*4882a593Smuzhiyun
141*4882a593Smuzhiyun struct {
142*4882a593Smuzhiyun __uint(type, BPF_MAP_TYPE_ARRAY);
143*4882a593Smuzhiyun __uint(max_entries, 1);
144*4882a593Smuzhiyun __type(key, int);
145*4882a593Smuzhiyun __type(value, Stats);
146*4882a593Smuzhiyun } statsmap SEC(".maps");
147*4882a593Smuzhiyun
148*4882a593Smuzhiyun struct {
149*4882a593Smuzhiyun __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
150*4882a593Smuzhiyun __uint(max_entries, 32);
151*4882a593Smuzhiyun __uint(key_size, sizeof(int));
152*4882a593Smuzhiyun __uint(value_size, sizeof(int));
153*4882a593Smuzhiyun } perfmap SEC(".maps");
154*4882a593Smuzhiyun
155*4882a593Smuzhiyun struct {
156*4882a593Smuzhiyun __uint(type, BPF_MAP_TYPE_STACK_TRACE);
157*4882a593Smuzhiyun __uint(max_entries, 1000);
158*4882a593Smuzhiyun __uint(key_size, sizeof(int));
159*4882a593Smuzhiyun __uint(value_size, sizeof(long long) * 127);
160*4882a593Smuzhiyun } stackmap SEC(".maps");
161*4882a593Smuzhiyun
162*4882a593Smuzhiyun #ifdef GLOBAL_FUNC
163*4882a593Smuzhiyun __noinline
164*4882a593Smuzhiyun #elif defined(SUBPROGS)
165*4882a593Smuzhiyun static __noinline
166*4882a593Smuzhiyun #else
167*4882a593Smuzhiyun static __always_inline
168*4882a593Smuzhiyun #endif
__on_event(struct bpf_raw_tracepoint_args * ctx)169*4882a593Smuzhiyun int __on_event(struct bpf_raw_tracepoint_args *ctx)
170*4882a593Smuzhiyun {
171*4882a593Smuzhiyun uint64_t pid_tgid = bpf_get_current_pid_tgid();
172*4882a593Smuzhiyun pid_t pid = (pid_t)(pid_tgid >> 32);
173*4882a593Smuzhiyun PidData* pidData = bpf_map_lookup_elem(&pidmap, &pid);
174*4882a593Smuzhiyun if (!pidData)
175*4882a593Smuzhiyun return 0;
176*4882a593Smuzhiyun
177*4882a593Smuzhiyun int zero = 0;
178*4882a593Smuzhiyun Event* event = bpf_map_lookup_elem(&eventmap, &zero);
179*4882a593Smuzhiyun if (!event)
180*4882a593Smuzhiyun return 0;
181*4882a593Smuzhiyun
182*4882a593Smuzhiyun event->pid = pid;
183*4882a593Smuzhiyun
184*4882a593Smuzhiyun event->tid = (pid_t)pid_tgid;
185*4882a593Smuzhiyun bpf_get_current_comm(&event->comm, sizeof(event->comm));
186*4882a593Smuzhiyun
187*4882a593Smuzhiyun event->user_stack_id = bpf_get_stackid(ctx, &stackmap, BPF_F_USER_STACK);
188*4882a593Smuzhiyun event->kernel_stack_id = bpf_get_stackid(ctx, &stackmap, 0);
189*4882a593Smuzhiyun
190*4882a593Smuzhiyun void* thread_state_current = (void*)0;
191*4882a593Smuzhiyun bpf_probe_read_user(&thread_state_current,
192*4882a593Smuzhiyun sizeof(thread_state_current),
193*4882a593Smuzhiyun (void*)(long)pidData->current_state_addr);
194*4882a593Smuzhiyun
195*4882a593Smuzhiyun struct task_struct* task = (struct task_struct*)bpf_get_current_task();
196*4882a593Smuzhiyun void* tls_base = (void*)task;
197*4882a593Smuzhiyun
198*4882a593Smuzhiyun void* thread_state = pidData->use_tls ? get_thread_state(tls_base, pidData)
199*4882a593Smuzhiyun : thread_state_current;
200*4882a593Smuzhiyun event->thread_current = thread_state == thread_state_current;
201*4882a593Smuzhiyun
202*4882a593Smuzhiyun if (pidData->use_tls) {
203*4882a593Smuzhiyun uint64_t pthread_created;
204*4882a593Smuzhiyun uint64_t pthread_self;
205*4882a593Smuzhiyun bpf_probe_read_user(&pthread_self, sizeof(pthread_self),
206*4882a593Smuzhiyun tls_base + 0x10);
207*4882a593Smuzhiyun
208*4882a593Smuzhiyun bpf_probe_read_user(&pthread_created,
209*4882a593Smuzhiyun sizeof(pthread_created),
210*4882a593Smuzhiyun thread_state +
211*4882a593Smuzhiyun pidData->offsets.PyThreadState_thread);
212*4882a593Smuzhiyun event->pthread_match = pthread_created == pthread_self;
213*4882a593Smuzhiyun } else {
214*4882a593Smuzhiyun event->pthread_match = 1;
215*4882a593Smuzhiyun }
216*4882a593Smuzhiyun
217*4882a593Smuzhiyun if (event->pthread_match || !pidData->use_tls) {
218*4882a593Smuzhiyun void* frame_ptr;
219*4882a593Smuzhiyun FrameData frame;
220*4882a593Smuzhiyun Symbol sym = {};
221*4882a593Smuzhiyun int cur_cpu = bpf_get_smp_processor_id();
222*4882a593Smuzhiyun
223*4882a593Smuzhiyun bpf_probe_read_user(&frame_ptr,
224*4882a593Smuzhiyun sizeof(frame_ptr),
225*4882a593Smuzhiyun thread_state +
226*4882a593Smuzhiyun pidData->offsets.PyThreadState_frame);
227*4882a593Smuzhiyun
228*4882a593Smuzhiyun int32_t* symbol_counter = bpf_map_lookup_elem(&symbolmap, &sym);
229*4882a593Smuzhiyun if (symbol_counter == NULL)
230*4882a593Smuzhiyun return 0;
231*4882a593Smuzhiyun #ifdef NO_UNROLL
232*4882a593Smuzhiyun #pragma clang loop unroll(disable)
233*4882a593Smuzhiyun #else
234*4882a593Smuzhiyun #pragma clang loop unroll(full)
235*4882a593Smuzhiyun #endif
236*4882a593Smuzhiyun /* Unwind python stack */
237*4882a593Smuzhiyun for (int i = 0; i < STACK_MAX_LEN; ++i) {
238*4882a593Smuzhiyun if (frame_ptr && get_frame_data(frame_ptr, pidData, &frame, &sym)) {
239*4882a593Smuzhiyun int32_t new_symbol_id = *symbol_counter * 64 + cur_cpu;
240*4882a593Smuzhiyun int32_t *symbol_id = bpf_map_lookup_elem(&symbolmap, &sym);
241*4882a593Smuzhiyun if (!symbol_id) {
242*4882a593Smuzhiyun bpf_map_update_elem(&symbolmap, &sym, &zero, 0);
243*4882a593Smuzhiyun symbol_id = bpf_map_lookup_elem(&symbolmap, &sym);
244*4882a593Smuzhiyun if (!symbol_id)
245*4882a593Smuzhiyun return 0;
246*4882a593Smuzhiyun }
247*4882a593Smuzhiyun if (*symbol_id == new_symbol_id)
248*4882a593Smuzhiyun (*symbol_counter)++;
249*4882a593Smuzhiyun event->stack[i] = *symbol_id;
250*4882a593Smuzhiyun event->stack_len = i + 1;
251*4882a593Smuzhiyun frame_ptr = frame.f_back;
252*4882a593Smuzhiyun }
253*4882a593Smuzhiyun }
254*4882a593Smuzhiyun event->stack_complete = frame_ptr == NULL;
255*4882a593Smuzhiyun } else {
256*4882a593Smuzhiyun event->stack_complete = 1;
257*4882a593Smuzhiyun }
258*4882a593Smuzhiyun
259*4882a593Smuzhiyun Stats* stats = bpf_map_lookup_elem(&statsmap, &zero);
260*4882a593Smuzhiyun if (stats)
261*4882a593Smuzhiyun stats->success++;
262*4882a593Smuzhiyun
263*4882a593Smuzhiyun event->has_meta = 0;
264*4882a593Smuzhiyun bpf_perf_event_output(ctx, &perfmap, 0, event, offsetof(Event, metadata));
265*4882a593Smuzhiyun return 0;
266*4882a593Smuzhiyun }
267*4882a593Smuzhiyun
268*4882a593Smuzhiyun SEC("raw_tracepoint/kfree_skb")
on_event(struct bpf_raw_tracepoint_args * ctx)269*4882a593Smuzhiyun int on_event(struct bpf_raw_tracepoint_args* ctx)
270*4882a593Smuzhiyun {
271*4882a593Smuzhiyun int i, ret = 0;
272*4882a593Smuzhiyun ret |= __on_event(ctx);
273*4882a593Smuzhiyun ret |= __on_event(ctx);
274*4882a593Smuzhiyun ret |= __on_event(ctx);
275*4882a593Smuzhiyun ret |= __on_event(ctx);
276*4882a593Smuzhiyun ret |= __on_event(ctx);
277*4882a593Smuzhiyun return ret;
278*4882a593Smuzhiyun }
279*4882a593Smuzhiyun
280*4882a593Smuzhiyun char _license[] SEC("license") = "GPL";
281