lkrg-org / lkrg

Linux Kernel Runtime Guard
https://lkrg.org

Linux 4.9 aarch64 crash on non-exported function #300

Open sireg opened 5 months ago

sireg commented 5 months ago

I am running the code on a version 4.9 kernel, the arch is aarch64, and when the probe registration is on a non-exported symbol, the system crashes directly. I just tested three functions: capable and scm_send registered successfully, and pcfi_lookup_fast failed to register.

CONFIG_GENERIC_IRQ_PROBE=y
CONFIG_KPROBES=y
# CONFIG_UPROBES is not set
CONFIG_KRETPROBES=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KRETPROBES=y
# CONFIG_NET_TCPPROBE is not set
CONFIG_GENERIC_CPU_AUTOPROBE=y
# CONFIG_MTD_JEDECPROBE is not set
CONFIG_CLKSRC_PROBE=y
CONFIG_KPROBE_EVENT=y
# CONFIG_UPROBE_EVENT is not set
CONFIG_PROBE_EVENTS=y
# CONFIG_KPROBES_SANITY_TEST is not set
solardiz commented 5 months ago

@sireg Thank you for reporting this. Can you please provide more detail - how do you know pcfi_lookup_fast regist failed, what the crash looks like, what CPU are you on, what compiler/version you build the kernel and LKRG with?

sireg commented 5 months ago

My English is not very sharp, I hope you can understand what I mean. The kernel version I used is 4.9.38 from the linaro community, with a commit ID of b8f0ea4f, and the lkrg version is 0.9.5, with a commit ID of 7db7483. The CPU is Cortex-A53, and the compiler is gcc-linaro-7.5.0-2019.12-x86_64_aarch64-linux-gnu, cross-compiled on x86. I commented out all the elements of the "p_functions_hooks_array" array in the file "src/modules/exploit_detection/p_exploit_detection.c", and the module can be loaded; I then removed the comments from the back to the front. When the comments on "scm_send" and "capable" are removed, the module can still be loaded. When the comment on "pcfi_lookup_fast" is removed, the system crashes directly without any output and reboots. I then tried "pcfi___queue_work" and "pcfi_schedule", respectively, and they show the same behaviour.

solardiz commented 5 months ago

Thanks. This is weird. I'd suspect one of the known issues of LKRG incompatibility with the kernel's CFI, but both your kernel and your CPU are too old for that. So I don't know why it crashes, as opposed to e.g. failing symbol lookup and refusing to load.

Are you able to capture and share with us the kernel crash messages? As to the system rebooting, do you maybe have the kernel.panic sysctl set? If so, try resetting it to 0 before loading LKRG - then you might have a better chance to capture the kernel messages. Also related, for LKRG itself please use insmod output/lkrg.ko kint_enforce=1 as our README says in the "Testing" section.

Were you using LKRG on a similar system before? Did it work for you until some change? Why do you use an older version of LKRG? (I don't see any newer change in LKRG that would have addressed this issue you're having, so that's fine, but it is maybe a hint that you've been using LKRG before.)