crash utility help page:  bpf


NAME
  bpf - extended Berkeley Packet Filter (eBPF)

SYNOPSIS
  bpf [[-p ID | -P] [-tTj]] [[-m ID] | -M] [-s] [-xd]

DESCRIPTION
 
  This command provides information on currently-loaded eBPF programs and maps.
  With no arguments, basic information about each loaded eBPF program and map
  is displayed.  For each eBPF program, its ID number, the addresses of its 
  bpf_prog and bpf_prog_aux data structures, its type, tag, and the IDs of the
  eBPF maps that it uses are displayed.  For each eBPF map, its ID number, the
  address of its bpf_map data structure, its type, and the hexadecimal value of
  its map_flags are displayed.
 
    -p ID  displays the basic information specific to the program ID, plus the
           size in bytes of its translated bytecode, the size in bytes of its
           jited code, the number of bytes locked into memory, the time that
           the program was loaded, whether it is GPL compatible, and its UID.
    -P     same as -p, but displays the basic and extra data for all programs.
    -m ID  displays the basic information specific to the map ID, plus the
           size in bytes of its key and value, the maximum number of key-value
           pairs that can be stored within the map, the number of bytes locked
           into memory, its name string, and its UID.
    -M     same as -m, but displays the basic and extra data for all maps.
    -t     translate the bytecode of the specified program ID.
    -T     same as -t, but also dump the bytecode of each instruction.
    -j     disassemble the jited code of the specified program ID.
    -s     with -p or -P, dump the bpf_prog and bpf_prog_aux data structures.
           with -m or -M, dump the bpf_map structure.
    -x     with -s, override default output format with hexadecimal format.
    -d     with -s, override default output format with decimal format.
 
EXAMPLES
  Display all loaded eBPF programs and maps:

  crash> bpf
   ID     BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG        USED_MAPS
   13 ffffbc00c06d1000 ffff9ff260f0c400  CGROUP_SKB   7be49e3934a125ba   13,14
   14 ffffbc00c0761000 ffff9ff260f0f600  CGROUP_SKB   2a142ef67aaad174   13,14
   15 ffffbc00c001d000 ffff9ff2618f9e00  CGROUP_SKB   7be49e3934a125ba   15,16
   16 ffffbc00c06c9000 ffff9ff2618f9400  CGROUP_SKB   2a142ef67aaad174   15,16
   19 ffffbc00c0d39000 ffff9ff2610fa000  CGROUP_SKB   7be49e3934a125ba   19,20
   20 ffffbc00c0d41000 ffff9ff2610f8e00  CGROUP_SKB   2a142ef67aaad174   19,20
   30 ffffbc00c065f000 ffff9ff1b64de200    KPROBE     69fed6de18629d7a    32
   31 ffffbc00c065b000 ffff9ff1b64df200    KPROBE     69fed6de18629d7a    37
   32 ffffbc00c0733000 ffff9ff1b64dc600    KPROBE     69fed6de18629d7a    38
   33 ffffbc00c0735000 ffff9ff1b64dca00    KPROBE     69fed6de18629d7a    39
   34 ffffbc00c0737000 ffff9ff1b64dfc00    KPROBE     4abbddae72a6ee17 33,36,34
   36 ffffbc00c0839000 ffff9ff1b64dd000    KPROBE     da4fc6a3f41761a2    32
   41 ffffbc00c07ec000 ffff9ff207b70400  TRACEPOINT   e2094f9f46284bf6   55,54
   44 ffffbc00c07ee000 ffff9ff1b64dc800  PERF_EVENT   19578a12836c4115    62
   46 ffffbc00c07f0000 ffff9ff207b70400 SOCKET_FILTER 1fcfc04afd689133    64
  
   ID     BPF_MAP       BPF_MAP_TYPE   MAP_FLAGS
   13 ffff9ff260f0ec00    LPM_TRIE      00000001
   14 ffff9ff260f0de00    LPM_TRIE      00000001
   15 ffff9ff2618fbe00    LPM_TRIE      00000001
   16 ffff9ff2618fb800    LPM_TRIE      00000001
   19 ffff9ff2610faa00    LPM_TRIE      00000001
   20 ffff9ff2610fb800    LPM_TRIE      00000001
   32 ffff9ff260d74000      HASH        00000000
   33 ffff9ff260d76400    LRU_HASH      00000000
   34 ffff9ff260d70000    LRU_HASH      00000002
   35 ffff9ff260d73800    LRU_HASH      00000004
   36 ffff9ff1b4f44000  ARRAY_OF_MAPS   00000000
   37 ffff9ff260d77c00   PERCPU_HASH    00000000
   38 ffff9ff260d70800      HASH        00000001
   39 ffff9ff260d76c00   PERCPU_HASH    00000001
   54 ffff9ff260dd2c00      HASH        00000000
   55 ffff9ff260dd1400      HASH        00000000
   62 ffff9ff1ae784000      HASH        00000000
   64 ffff9ff1aea15000      ARRAY       00000000
 
  Display additional data about program ID 20:

  crash> bpf -p 20
   ID     BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG        USED_MAPS
   20 ffffbc00c0d41000 ffff9ff2610f8e00  CGROUP_SKB   2a142ef67aaad174   19,20
      XLATED: 296  JITED: 229  MEMLOCK: 4096
      LOAD_TIME: Fri Apr 20 19:39:21 2018
      GPL_COMPATIBLE: yes  UID: 0
 
  Display additional data about map ID 34:

  crash> bpf -m 34
   ID     BPF_MAP       BPF_MAP_TYPE   MAP_FLAGS
   34  ffff9ff260d70000    LRU_HASH      00000000
       KEY_SIZE: 4  VALUE_SIZE: 8  MAX_ENTRIES: 10000  MEMLOCK: 1953792
       NAME: "lru_hash_map"  UID: 0

  Disassemble the jited program of program ID 20:

  crash> bpf -p 20 -j
  ID     BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG        USED_MAPS
  20 ffffbc00c0d41000 ffff9ff2610f8e00  CGROUP_SKB   2a142ef67aaad174   19,20
     XLATED: 296  JITED: 229  MEMLOCK: 4096
     LOAD_TIME: Fri Apr 20 19:39:21 2018
     GPL_COMPATIBLE: yes  UID: 0
 
   0xffffffffc06887a2:  push   %rbp 
   0xffffffffc06887a3:  mov    %rsp,%rbp 
   0xffffffffc06887a6:  sub    $0x40,%rsp 
   0xffffffffc06887ad:  sub    $0x28,%rbp 
   0xffffffffc06887b1:  mov    %rbx,0x0(%rbp) 
   0xffffffffc06887b5:  mov    %r13,0x8(%rbp) 
   0xffffffffc06887b9:  mov    %r14,0x10(%rbp) 
   0xffffffffc06887bd:  mov    %r15,0x18(%rbp) 
   0xffffffffc06887c1:  xor    %eax,%eax 
   0xffffffffc06887c3:  mov    %rax,0x20(%rbp) 
   0xffffffffc06887c7:  mov    %rdi,%rbx 
   0xffffffffc06887ca:  movzwq 0xc0(%rbx),%r13 
   0xffffffffc06887d2:  xor    %r14d,%r14d 
   0xffffffffc06887d5:  cmp    $0x8,%r13 
   0xffffffffc06887d9:  jne    0xffffffffc068881b 
   0xffffffffc06887db:  mov    %rbx,%rdi 
   0xffffffffc06887de:  mov    $0xc,%esi 
   0xffffffffc06887e3:  mov    %rbp,%rdx 
   0xffffffffc06887e6:  add    $0xfffffffffffffffc,%rdx 
   0xffffffffc06887ea:  mov    $0x4,%ecx 
   0xffffffffc06887ef:  callq  0xffffffffb0865340 <bpf_skb_load_bytes>
   0xffffffffc06887f4:  movabs $0xffff9ff2610faa00,%rdi 
   0xffffffffc06887fe:  mov    %rbp,%rsi 
   0xffffffffc0688801:  add    $0xfffffffffffffff8,%rsi 
   0xffffffffc0688805:  movl   $0x20,0x0(%rsi) 
   0xffffffffc068880c:  callq  0xffffffffb01fcba0 <bpf_map_lookup_elem>
   0xffffffffc0688811:  cmp    $0x0,%rax 
   0xffffffffc0688815:  je     0xffffffffc068881b 
   0xffffffffc0688817:  or     $0x2,%r14d 
   0xffffffffc068881b:  cmp    $0xdd86,%r13 
   0xffffffffc0688822:  jne    0xffffffffc0688864 
   0xffffffffc0688824:  mov    %rbx,%rdi 
   0xffffffffc0688827:  mov    $0x8,%esi 
   0xffffffffc068882c:  mov    %rbp,%rdx 
   0xffffffffc068882f:  add    $0xfffffffffffffff0,%rdx 
   0xffffffffc0688833:  mov    $0x10,%ecx 
   0xffffffffc0688838:  callq  0xffffffffb0865340 <bpf_skb_load_bytes>
   0xffffffffc068883d:  movabs $0xffff9ff2610fb800,%rdi 
   0xffffffffc0688847:  mov    %rbp,%rsi 
   0xffffffffc068884a:  add    $0xffffffffffffffec,%rsi 
   0xffffffffc068884e:  movl   $0x80,0x0(%rsi) 
   0xffffffffc0688855:  callq  0xffffffffb01fcba0 <bpf_map_lookup_elem>
   0xffffffffc068885a:  cmp    $0x0,%rax 
   0xffffffffc068885e:  je     0xffffffffc0688864 
   0xffffffffc0688860:  or     $0x2,%r14d 
   0xffffffffc0688864:  mov    $0x1,%eax 
   0xffffffffc0688869:  cmp    $0x2,%r14 
   0xffffffffc068886d:  jne    0xffffffffc0688871 
   0xffffffffc068886f:  xor    %eax,%eax 
   0xffffffffc0688871:  mov    0x0(%rbp),%rbx 
   0xffffffffc0688875:  mov    0x8(%rbp),%r13 
   0xffffffffc0688879:  mov    0x10(%rbp),%r14 
   0xffffffffc068887d:  mov    0x18(%rbp),%r15 
   0xffffffffc0688881:  add    $0x28,%rbp 
   0xffffffffc0688885:  leaveq  
   0xffffffffc0688886:  retq 
 
  Translate each bytecode instruction of program ID 13:

  crash> bpf -p 13 -t
   ID      BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG       USED_MAPS
   13 ffffbc00c06d1000 ffff9ff260f0c400  CGROUP_SKB   7be49e3934a125ba   13,14
      XLATED: 296  JITED: 229  MEMLOCK: 4096
      LOAD_TIME: Fri Apr 20 19:39:11 2018
      GPL_COMPATIBLE: yes  UID: 0
 
    0: (bf) r6 = r1
    1: (69) r7 = *(u16 *)(r6 +192)
    2: (b4) (u32) r8 = (u32) 0
    3: (55) if r7 != 0x8 goto pc+14
    4: (bf) r1 = r6
    5: (b4) (u32) r2 = (u32) 16
    6: (bf) r3 = r10
    7: (07) r3 += -4
    8: (b4) (u32) r4 = (u32) 4
    9: (85) call bpf_skb_load_bytes#6793152
   10: (18) r1 = map[id:13]
   12: (bf) r2 = r10
   13: (07) r2 += -8
   14: (62) *(u32 *)(r2 +0) = 32
   15: (85) call bpf_map_lookup_elem#73760
   16: (15) if r0 == 0x0 goto pc+1
   17: (44) (u32) r8 |= (u32) 2
   18: (55) if r7 != 0xdd86 goto pc+14
   19: (bf) r1 = r6
   20: (b4) (u32) r2 = (u32) 24
   21: (bf) r3 = r10
   22: (07) r3 += -16
   23: (b4) (u32) r4 = (u32) 16
   24: (85) call bpf_skb_load_bytes#6793152
   25: (18) r1 = map[id:14]
   27: (bf) r2 = r10
   28: (07) r2 += -20
   29: (62) *(u32 *)(r2 +0) = 128
   30: (85) call bpf_map_lookup_elem#73760
   31: (15) if r0 == 0x0 goto pc+1
   32: (44) (u32) r8 |= (u32) 2
   33: (b7) r0 = 1
   34: (55) if r8 != 0x2 goto pc+1
   35: (b7) r0 = 0
   36: (95) exit
 
  Translate, and then dump each bytecode instruction of program ID 13:

  crash> bpf -p 13 -T
   ID      BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG       USED_MAPS
   13 ffffbc00c06d1000 ffff9ff260f0c400  CGROUP_SKB   7be49e3934a125ba   13,14
      XLATED: 296  JITED: 229  MEMLOCK: 4096
      LOAD_TIME: Fri Apr 20 19:39:11 2018
      GPL_COMPATIBLE: yes  UID: 0
 
    0: (bf) r6 = r1
        bf 16 00 00 00 00 00 00
    1: (69) r7 = *(u16 *)(r6 +192)
        69 67 c0 00 00 00 00 00
    2: (b4) (u32) r8 = (u32) 0
        b4 08 00 00 00 00 00 00
    3: (55) if r7 != 0x8 goto pc+14
        55 07 0e 00 08 00 00 00
    4: (bf) r1 = r6
        bf 61 00 00 00 00 00 00
    5: (b4) (u32) r2 = (u32) 16
        b4 02 00 00 10 00 00 00
    6: (bf) r3 = r10
        bf a3 00 00 00 00 00 00
    7: (07) r3 += -4
        07 03 00 00 fc ff ff ff
    8: (b4) (u32) r4 = (u32) 4
        b4 04 00 00 04 00 00 00
    9: (85) call bpf_skb_load_bytes#6793152
        85 00 00 00 c0 a7 67 00
   10: (18) r1 = map[id:13]
        18 01 00 00 00 7a 96 61 00 00 00 00 b2 9d ff ff
   12: (bf) r2 = r10
        bf a2 00 00 00 00 00 00
   13: (07) r2 += -8
        07 02 00 00 f8 ff ff ff
   14: (62) *(u32 *)(r2 +0) = 32
        62 02 00 00 20 00 00 00
   15: (85) call bpf_map_lookup_elem#73760
        85 00 00 00 20 20 01 00
   16: (15) if r0 == 0x0 goto pc+1
        15 00 01 00 00 00 00 00
   17: (44) (u32) r8 |= (u32) 2
        44 08 00 00 02 00 00 00
   18: (55) if r7 != 0xdd86 goto pc+14
        55 07 0e 00 86 dd 00 00
   19: (bf) r1 = r6
        bf 61 00 00 00 00 00 00
   20: (b4) (u32) r2 = (u32) 24
        b4 02 00 00 18 00 00 00
   21: (bf) r3 = r10
        bf a3 00 00 00 00 00 00
   22: (07) r3 += -16
        07 03 00 00 f0 ff ff ff
   23: (b4) (u32) r4 = (u32) 16
        b4 04 00 00 10 00 00 00
   24: (85) call bpf_skb_load_bytes#6793152
        85 00 00 00 c0 a7 67 00
   25: (18) r1 = map[id:14]
        18 01 00 00 00 68 96 61 00 00 00 00 b2 9d ff ff
   27: (bf) r2 = r10
        bf a2 00 00 00 00 00 00
   28: (07) r2 += -20
        07 02 00 00 ec ff ff ff
   29: (62) *(u32 *)(r2 +0) = 128
        62 02 00 00 80 00 00 00
   30: (85) call bpf_map_lookup_elem#73760
        85 00 00 00 20 20 01 00
   31: (15) if r0 == 0x0 goto pc+1
        15 00 01 00 00 00 00 00
   32: (44) (u32) r8 |= (u32) 2
        44 08 00 00 02 00 00 00
   33: (b7) r0 = 1
        b7 00 00 00 01 00 00 00
   34: (55) if r8 != 0x2 goto pc+1
        55 08 01 00 02 00 00 00
   35: (b7) r0 = 0
        b7 00 00 00 00 00 00 00
   36: (95) exit
        95 00 00 00 00 00 00 00
 
  Display the bpf_map data structure for map ID 13:

  crash> bpf -m 13 -s
   ID      BPF_MAP       BPF_MAP_TYPE   MAP_FLAGS
   13  ffff9ff260f0ec00    LPM_TRIE      00000001
       KEY_SIZE: 8  VALUE_SIZE: 8  MAX_ENTRIES: 1  MEMLOCK: 4096
       NAME: (unused)  UID: 0
 
  struct bpf_map {
    ops = 0xffffffffb0e36720, 
    inner_map_meta = 0x0, 
    security = 0xffff9ff26873a158, 
    map_type = BPF_MAP_TYPE_LPM_TRIE, 
    key_size = 8, 
    value_size = 8, 
    max_entries = 1, 
    map_flags = 1, 
    pages = 1, 
    id = 13, 
    numa_node = -1, 
    unpriv_array = false, 
    user = 0xffffffffb14578a0, 
    refcnt = {
      counter = 3
    }, 
    usercnt = {
      counter = 1
    }, 
    work = {
      data = {
        counter = 0
      }, 
      entry = {
        next = 0x0, 
        prev = 0x0
      }, 
      func = 0x0, 
      lockdep_map = {
        key = 0x0, 
        class_cache = {0x0, 0x0}, 
        name = 0x0, 
        cpu = 0, 
        ip = 0
      }
    }, 
    name = "
  }
 
  Display the bpf_prog and bpf_prog_aux structures for program ID 13:

  crash> bpf -p 13 -s
   ID      BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG       USED_MAPS
   13  ffffbc00c06d1000 ffff9ff260f0c400  CGROUP_SKB   7be49e3934a125ba   13,14
       XLATED: 296  JITED: 229  MEMLOCK: 4096
       LOAD_TIME: Fri Apr 20 19:39:10 2018
       GPL_COMPATIBLE: yes  UID: 0
 
   struct bpf_prog {
     pages = 1, 
     jited = 1, 
     jit_requested = 1, 
     locked = 1, 
     gpl_compatible = 1, 
     cb_access = 0, 
     dst_needed = 0, 
     blinded = 0, 
     is_func = 0, 
     kprobe_override = 0, 
     type = BPF_PROG_TYPE_CGROUP_SKB, 
     len = 37, 
     jited_len = 229, 
     tag = "{\344\236\071\064\241%\272", 
     aux = ffff9ff260f0c400,
     orig_prog = 0x0, 
     bpf_func = 0xffffffffc0218a59, 
     {
       insns = 0xffffb0cf406d1030, 
       insnsi = 0xffffb0cf406d1030
     }
   }
   
   struct bpf_prog_aux {
     refcnt = {
       counter = 2
     }, 
     used_map_cnt = 2, 
     max_ctx_offset = 20, 
     stack_depth = 20, 
     id = 13, 
     func_cnt = 0, 
     offload_requested = false, 
     func = 0x0, 
     jit_data = 0x0, 
     ksym_tnode = {
       node = {{
           __rb_parent_color = 18446635988194065457, 
           rb_right = 0x0, 
           rb_left = 0x0
         }, {
           __rb_parent_color = 18446635988194065481, 
           rb_right = 0x0, 
           rb_left = 0x0
         }}
     }, 
     ksym_lnode = {
       next = 0xffff9db261966460, 
       prev = 0xffffffffb85d1150
     }, 
     ops = 0xffffffffb7f09060, 
     used_maps = 0xffff9db261e03600, 
     prog = 0xffffb0cf406d1000, 
     user = 0xffffffffb84578a0, 
     load_time = 23962237943, 
     name = "
     security = 0xffff9db266f9cf50, 
     offload = 0x0, 
     {
       work = {
         data = {
           counter = 0
         }, 
         entry = {
           next = 0x0, 
           prev = 0x0
         }, 
         func = 0x0, 
         lockdep_map = {
           key = 0x0, 
           class_cache = {0x0, 0x0}, 
           name = 0x0, 
           cpu = 0, 
           ip = 0
         }
       }, 
       rcu = {
         next = 0x0, 
         func = 0x0
       }
     }
   }
 
  Display the extra data about all programs:

  crash> bpf -P
   ID     BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG        USED_MAPS
   13 ffffbc00c06d1000 ffff9ff260f0c400  CGROUP_SKB   7be49e3934a125ba   13,14
      XLATED: 296  JITED: 229  MEMLOCK: 4096
      LOAD_TIME: Fri Apr 20 19:39:10 2018
      GPL_COMPATIBLE: yes  UID: 0
  
   ID     BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG        USED_MAPS
   14 ffffbc00c0761000 ffff9ff260f0f600  CGROUP_SKB   2a142ef67aaad174   13,14
      XLATED: 296  JITED: 229  MEMLOCK: 4096
      LOAD_TIME: Fri Apr 20 19:39:10 2018
      GPL_COMPATIBLE: yes  UID: 0
  
   ID     BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG        USED_MAPS
   15 ffffbc00c001d000 ffff9ff2618f9e00  CGROUP_SKB   7be49e3934a125ba   15,16
      XLATED: 296  JITED: 229  MEMLOCK: 4096
      LOAD_TIME: Fri Apr 20 19:39:11 2018
      GPL_COMPATIBLE: yes  UID: 0
 
  ...
 
   ID     BPF_PROG       BPF_PROG_AUX   BPF_PROG_TYPE       TAG        USED_MAPS
   75 ffffbc00c0ed1000 ffff9ff2429c6400    KPROBE     da4fc6a3f41761a2    107
      XLATED: 5168  JITED: 2828  MEMLOCK: 8192
      LOAD_TIME: Fri Apr 27 14:54:40 2018
      GPL_COMPATIBLE: yes  UID: 0
 
  Display the extra data for all maps:

  crash> bpf -M
   ID      BPF_MAP       BPF_MAP_TYPE   MAP_FLAGS
   13  ffff9ff260f0ec00    LPM_TRIE      00000001 
       KEY_SIZE: 8  VALUE_SIZE: 8  MAX_ENTRIES: 1  MEMLOCK: 4096
       NAME: (unused)  UID: 0
 
   ID      BPF_MAP       BPF_MAP_TYPE   MAP_FLAGS
   14  ffff9ff260f0de00    LPM_TRIE      00000001 
       KEY_SIZE: 20  VALUE_SIZE: 8  MAX_ENTRIES: 1  MEMLOCK: 4096
       NAME: (unused)  UID: 0
 
  ...
 
   ID      BPF_MAP       BPF_MAP_TYPE   MAP_FLAGS
  108  ffff9ff1aeab9400    LRU_HASH      00000000 
       KEY_SIZE: 4  VALUE_SIZE: 8  MAX_ENTRIES: 1000  MEMLOCK: 147456
       NAME: "lru_hash_lookup"  UID: 0
 
  To display all possible information that this command offers about
  all programs and maps, enter:

  crash> bpf -PM -jTs