elastic / ebpf

Elastic's eBPF

EventProbe: use redirected_tty_write BTF info instead of tty_write #128

Closed mmat11 closed 2 years ago

mmat11 commented 2 years ago

Use a different function to obtain signature indexes, as tty_write BTF info is missing on ARM systems. Read more: https://github.com/elastic/ebpf/pull/116#issue-1327583872

Co-Authored-By: Rhys Rustad-Elliott <rhys.rustad-elliott@elastic.co>

rhysre commented 2 years ago

Hmmm, mainline/5.19 is failing for arm64 and x86. You can ignore all failures except mainline (I'm working on those). But mainline was passing before and should keep passing.

I'm seeing the following:

[            ] stdout: Failed to unmarshal the following JSON: "": unexpected end of JSON input

Seems the testrunner is unable to unmarshal something that EventsTrace outputs. Digging into this further right now.

mmat11 commented 2 years ago

> Hmmm, mainline/5.19 is failing for arm64 and x86. You can ignore all failures except mainline (I'm working on those). But mainline was passing before and should keep passing.
>
> I'm seeing the following:
>
> [            ] stdout: Failed to unmarshal the following JSON: "": unexpected end of JSON input
>
> Seems the testrunner is unable to unmarshal something that EventsTrace outputs. Digging into this further right now.

missed that, will have a look later (probably something changed in tests, I am pretty sure it used to work)

edit: disregard my comment, didn't notice it only fails on 5.19

rhysre commented 2 years ago

@mmat11 Figured out why this is failing on mainline/5.19.

Our "5.19" kernel is actually 6.0-rc1 (check the first line logged to the serial console):

Booting from ROM..ESCcESC[?7lESC[2J[    0.000000] Linux version 6.0.0-rc1 (root@lrishi-el) (x86_64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP PREEMPT_DYNAMIC Tue Aug 16 12:02:02 UTC 2022

6.0-rc1 added this commit: https://github.com/torvalds/linux/commit/fcb14cb1bdacec5b4374fe161e83fb8208164a85

ii->iter_type is 6 in the invocation of the tty_write probe on 6.0-rc1 (i.e. ITER_UBUF), so we need to be reading from ii->ubuf instead of ii->iov->iov_base.

TBH though an RC kernel should not be in our testing set, and this problem is unrelated to this PR, so I'd say we can fix that in a new PR.
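The branch described in the comment above, as an added example that is not part of the thread or of the elastic/ebpf code: a userland C model that selects `ubuf` or `iov->iov_base` by `iter_type` and rejects other iterator types. The `mock_` types and `tty_write_src` are hypothetical names, and only the fields named in the thread are mirrored.

```c
/* Userland model, not kernel or project code: only the iov_iter fields
 * named in the thread are mirrored, under assumed mock_ names. */
#include <stddef.h>
#include <stdio.h>

/* Numbering as on the 6.0-rc1 kernel in the thread (ITER_UBUF == 6). */
enum mock_iter_type { MOCK_ITER_IOVEC = 0, MOCK_ITER_UBUF = 6 };
struct mock_iovec { void *iov_base; size_t iov_len; };

struct mock_iov_iter {
    unsigned char iter_type;
    size_t count;                      /* bytes left in the iterator */
    union {
        const struct mock_iovec *iov;  /* valid only for ITER_IOVEC */
        void *ubuf;                    /* valid only for ITER_UBUF */
    };
    unsigned long nr_segs;
};

/* Pick the source buffer by iterator type; reject types we do not handle
 * rather than reading the union through the wrong member. */
int tty_write_src(const struct mock_iov_iter *ii, const void **base, size_t *len)
{
    switch (ii->iter_type) {
    case MOCK_ITER_IOVEC:
        if (ii->nr_segs == 0 || ii->iov == NULL)
            return -1;
        *base = ii->iov[0].iov_base;   /* first segment only */
        *len = ii->iov[0].iov_len;
        return 0;
    case MOCK_ITER_UBUF:
        *base = ii->ubuf;              /* single flat buffer, no iovec array */
        *len = ii->count;
        return 0;
    default:
        return -1;
    }
}

int main(void)
{
    char msg[] = "ls -la\n";           /* constructed sample write */
    struct mock_iov_iter ii = { .iter_type = MOCK_ITER_UBUF, .count = 7, .ubuf = msg };
    const void *base;
    size_t len;
    if (tty_write_src(&ii, &base, &len) == 0)
        printf("%zu bytes: %.*s", len, (int)len, (const char *)base);
    return 0;
}
```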

rhysre commented 2 years ago

Spoke to @lrishi, we've removed the RC kernel and I've pushed a commit to use the new imagepack above.

mmat11 commented 2 years ago

> Our "5.19" kernel is actually 6.0-rc1 (check the first line logged to the serial console):

oh.. thanks for looking into it