pwru
failed to `--output-skb`
# ./pwru --output-skb
2021/11/25 16:47:00 Loading objects: field KprobeSkb1: program kprobe_skb_1: load program: invalid argument: BPF_STX uses reserved fields
processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
The running OS:
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 21.04
Release: 21.04
Codename: hirsute
# uname -a
Linux pagani 5.11.0-31-generic #33-Ubuntu SMP Wed Aug 11 13:19:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
bpf:
# cat /boot/config-$(uname -r) | grep BPF
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_LSM=y
CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
# CONFIG_BPF_PRELOAD is not set
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_LWTUNNEL_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_KPROBE_OVERRIDE=y
CONFIG_TEST_BPF=m
# cat /boot/config-$(uname -r) | grep BTF
CONFIG_VIDEO_SONY_BTF_MPX=m
CONFIG_DEBUG_INFO_BTF=y
CONFIG_PAHOLE_HAS_SPLIT_BTF=y
CONFIG_DEBUG_INFO_BTF_MODULES=y
llvm:
# llc --version
LLVM (http://llvm.org/):
LLVM version 12.0.0
Optimized build.
Default target: x86_64-pc-linux-gnu
Host CPU: skylake
Registered Targets:
bpf - BPF (host endian)
bpfeb - BPF (big endian)
bpfel - BPF (little endian)
how error happens
I run Ubuntu 21.04 as a VirtualBox VM. `go generate`, `go build` and `./pwru --output-skb`, then the error comes.
what I try
check the kprobe_pwru.c:
```c
static __always_inline void
set_skb_btf(struct sk_buff *skb, typeof(print_skb_id) *event_id) {
#ifdef OUTPUT_SKB
    static struct btf_ptr p = {};
    typeof(print_skb_id) id;
    char *str;

    p.type_id = bpf_core_type_id_kernel(struct sk_buff);
    p.ptr = skb;
    id = __sync_fetch_and_add(&print_skb_id, 1) % 256;

    str = bpf_map_lookup_elem(&print_skb_map, (u32 *) &id);
    if (!str)
        return;

    if (bpf_snprintf_btf(str, PRINT_SKB_STR_SIZE, &p, sizeof(p), 0) < 0)
        return;

    *event_id = id;
#endif
}
```
check the kernel bpf verifier.c:
```c
if (BPF_CLASS(insn->code) == BPF_STX &&
    ((BPF_MODE(insn->code) != BPF_MEM &&
      BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {
    verbose(env, "BPF_STX uses reserved fields\n");
    return -EINVAL;
}
```
and learn BPF and XDP Reference Guide:
BPF_ST, BPF_STX: Both classes are for store operations. Similar to BPF_LDX the BPF_STX is the store counterpart and is used to
store the data from a register into memory, which, again, can be stack memory, map value, packet data, etc. BPF_STX also holds
special instructions for performing word and double-word based atomic add operations, which can be used for counters, for
example. The BPF_ST class is similar to BPF_STX by providing instructions for storing data into memory only that the source
operand is an immediate value.
also to check its assembly code:
# clang -I./bpf/headers -O2 -target bpf -c bpf/kprobe_pwru.c -o kprobe_pwru.elf -g -DOUTPUT_SKB
# llvm-objdump -S ./kprobe_pwru.elf > kprobe_pwru.elf.txt
But at the end, I don't know how to fix it.
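The verifier check quoted above can be replayed in user space over raw instruction bytes, such as those dumped from a program section of the object file, to find which instruction it rejects. This is an added example, not code from pwru or the kernel: the `struct insn` layout mirror, the function name `first_reserved_stx` and the two byte arrays are constructed for illustration, and a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* eBPF opcode byte: instruction class in the low 3 bits, mode in the top 3. */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_MODE(code)  ((code) & 0xe0)
#define BPF_STX  0x03
#define BPF_MEM  0x60
#define BPF_XADD 0xc0

struct insn {            /* same 8-byte layout as the kernel's struct bpf_insn */
    uint8_t code;
    uint8_t regs;        /* dst_reg in the low nibble, src_reg in the high */
    int16_t off;
    int32_t imm;
};

/* Index of the first instruction the quoted check rejects, or -1 if none.
 * Assumes a little-endian host reading a bpfel program section. The second
 * slot of a 16-byte ld_imm64 has opcode 0, so it never matches BPF_STX. */
long first_reserved_stx(const uint8_t *text, size_t len)
{
    struct insn in;
    for (size_t i = 0; i + sizeof(in) <= len; i += sizeof(in)) {
        memcpy(&in, text + i, sizeof(in));
        if (BPF_CLASS(in.code) == BPF_STX &&
            ((BPF_MODE(in.code) != BPF_MEM &&
              BPF_MODE(in.code) != BPF_XADD) || in.imm != 0))
            return (long)(i / sizeof(in));
    }
    return -1;
}

/* Constructed samples (not taken from kprobepwru_bpfel.o). */
static const uint8_t accepted[] = {
    0x7b, 0x21, 0, 0, 0, 0, 0, 0,   /* *(u64 *)(r1 + 0) = r2       */
    0xc3, 0x21, 0, 0, 0, 0, 0, 0,   /* lock *(u32 *)(r1 + 0) += r2 */
};
static const uint8_t rejected[] = {
    0x7b, 0x21, 0, 0, 0, 0, 0, 0,   /* plain store, imm == 0       */
    0xc3, 0x21, 0, 0, 1, 0, 0, 0,   /* atomic opcode with imm == 1 */
};
int main(void)
{
    printf("accepted: %ld, rejected: %ld\n",
           first_reserved_stx(accepted, sizeof(accepted)),
           first_reserved_stx(rejected, sizeof(rejected)));
    return 0;
}
```

The returned index can be matched against the instruction numbering in the `llvm-objdump -S` listing for the same section.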
Could you attach the object file `pwru/kprobepwru_bpfel.o` that's generated after running `go generate && go build`?
Could you attach the object file pwru/kprobepwru_bpfel.o
How to attach it?
You can click on the text below at the bottom of any new comment or comment you are editing.
Oh, sorry, I misunderstood the 'attach'. Attach the kprobes in the object file to the kernel.
Here it is. kprobepwru_bpfel.o.txt
(Can't upload the .o file, please remove the suffix .txt to get the .o file)
@Asphaltt Does this still happen with the latest release?
I tried it with the latest release. It does not happen again.
Probably the reason the issue is gone is that I upgraded my Ubuntu VM.
I have upgraded my Ubuntu VM to Ubuntu 22.04.
# lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy
# uname -a
Linux pagani 5.15.0-46-generic #49-Ubuntu SMP Thu Aug 4 18:03:25 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
I tried it with the latest release. It does not happen again.
Thanks for confirming!