ttysnoop fails on newer kernel

jeromemarchand commented 8 months ago

ttysnoop fails on recent kernel.

bcc v0.29.1 kernel 6.8.0-rc0 libbpf 1.2.0

# uname -r
6.8.0-0.rc0.20240112git70d201a40823.5.fc40.x86_64
# /usr/share/bcc/tools/ttysnoop /dev/tty0
bpf: Failed to load program: Permission denied
Arg#0 type PTR in kfunc__vmlinux__tty_write() is not supported yet.
0: R1=ctx() R10=fp0
; KFUNC_PROBE(tty_write, struct kiocb *iocb, struct iov_iter *from)
0: (79) r2 = *(u64 *)(r1 +0)
func 'tty_write' arg0 has btf_id 797 type STRUCT 'kiocb'
1: R1=ctx() R2_w=ptr_kiocb()
; if (iocb->ki_filp->f_inode->i_ino != 13)
1: (79) r2 = *(u64 *)(r2 +0)          ; R2_w=ptr_file()
; if (iocb->ki_filp->f_inode->i_ino != 13)
2: (79) r2 = *(u64 *)(r2 +168)        ; R2_w=ptr_inode()
; if (iocb->ki_filp->f_inode->i_ino != 13)
3: (79) r2 = *(u64 *)(r2 +64)         ; R2_w=scalar()
; if (iocb->ki_filp->f_inode->i_ino != 13)
4: (55) if r2 != 0xd goto pc+395      ; R2_w=13
; KFUNC_PROBE(tty_write, struct kiocb *iocb, struct iov_iter *from)
5: (79) r1 = *(u64 *)(r1 +8)
func 'tty_write' arg1 has btf_id 303 type STRUCT 'iov_iter'
6: R1_w=ptr_iov_iter()
; if (from->iter_type != ITER_UBUF && from->iter_type != ITER_IOVEC)
6: (71) r2 = *(u8 *)(r1 +0)           ; R1_w=ptr_iov_iter() R2_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))
; if (from->iter_type != ITER_UBUF && from->iter_type != ITER_IOVEC)
7: (25) if r2 > 0x1 goto pc+392       ; R2_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1,var_off=(0x0; 0x1))
; if (from->data_source != WRITE)
8: (71) r3 = *(u8 *)(r1 +3)           ; R1=ptr_iov_iter() R3=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))
; if (from->data_source != WRITE)
9: (15) if r3 == 0x0 goto pc+390      ; R3=scalar(smin=umin=smin32=umin32=1,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))
; switch (from->iter_type) {
10: (15) if r2 == 0x0 goto pc+8       ; R2=1
11: (b7) r7 = 0                       ; R7_w=0
12: (b7) r3 = 0                       ; R3_w=0
13: (7b) *(u64 *)(r10 -16) = r3       ; R3_w=0 R10=fp0 fp-16_w=0
14: (55) if r2 != 0x1 goto pc+10      ; R2=1
; kvec  = from->kvec;
15: (79) r1 = *(u64 *)(r1 +16)        ; R1_w=scalar()
; count = kvec->iov_len;
16: (bf) r2 = r1                      ; R1_w=scalar(id=1) R2_w=scalar(id=1)
17: (07) r2 += 8                      ; R2_w=scalar()
18: (05) goto pc+3
; 
22: (79) r2 = *(u64 *)(r2 +0)
R2 invalid mem access 'scalar'
processed 20 insns (limit 1000000) max_states_per_insn 0 total_states 2 peak_states 2 mark_read 1

Traceback (most recent call last):
  File "/usr/share/bcc/tools/ttysnoop", line 236, in <module>
    b = BPF(text=bpf_text)
        ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/bcc/__init__.py", line 487, in __init__
    self._trace_autoload()
  File "/usr/lib/python3.12/site-packages/bcc/__init__.py", line 1483, in _trace_autoload
    self.attach_kfunc(fn_name=func_name)
  File "/usr/lib/python3.12/site-packages/bcc/__init__.py", line 1145, in attach_kfunc
    fn = self.load_func(fn_name, BPF.TRACING)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/bcc/__init__.py", line 526, in load_func
    raise Exception("Failed to load BPF program %s: %s" %
Exception: Failed to load BPF program b'kfunc__vmlinux__tty_write': Permission denied

It seems related to the kernel commit 94e1c70a3452 ("bpf: support 'arg:xxx' btf_decl_tag-based hints for global subprog args") which added the failing check and error message in btf_prepare_func_args().

jeromemarchand commented 8 months ago

It fails on x86_64, but not on s390x. I haven't tested other arches.

yonghong-song commented 8 months ago

@jeromemarchand https://github.com/iovisor/bcc/pull/4888 should fix the issue. Could you verify whether the issue is fixed in your environment or not?

jeromemarchand commented 8 months ago

Yes, it fixes the issue.

iovisor / bcc

ttysnoop fails on newer kernel #4884