Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tracee won't run in newer kernels (>= v6.4) due to bad CO-RE relocation. #3339

Closed
ihexon opened this issue Jul 26, 2023 · 3 comments · Fixed by #3360
Closed

Tracee won't run in newer kernels (>= v6.4) due to bad CO-RE relocation. #3339

ihexon opened this issue Jul 26, 2023 · 3 comments · Fixed by #3360
Labels
kind/bug
Milestone
v0.18.0

Comments

@ihexon
Copy link

ihexon commented Jul 26, 2023
edited
Loading

Description

$ sudo ./tracee  --events execve,open
{"level":"warn","ts":1690340858.0025456,"msg":"libbpf: prog 'lkm_seeker_proc_tail': BPF program load failed: Invalid argument"}
libbpf: prog 'lkm_seeker_proc_tail': -- BEGIN PROG LOAD LOG --
reg type unsupported for arg#0 function lkm_seeker_proc_tail#481
0: R1=ctx(off=0,imm=0) R10=fp0
; int lkm_seeker_proc_tail(struct pt_regs *ctx)
0: (18) r2 = 0x1                      ; R2_w=1
2: (7b) *(u64 *)(r10 -112) = r1       ; R1=ctx(off=0,imm=0) R10=fp0 fp-112_w=ctx
; if (!bpf_core_enum_value_exists(enum bpf_func_id, BPF_FUNC_sk_storage_get)) {
3: (55) if r2 != 0x0 goto pc+92       ; R2_w=1
;
96: (b7) r1 = 0                       ; R1_w=0
; u32 zero = 0;
97: (63) *(u32 *)(r10 -72) = r1       ; R1_w=0 R10=fp0 fp-72=????0000
98: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
;
99: (07) r2 += -72                    ; R2_w=fp-72
; p->event = bpf_map_lookup_elem(&event_data_map, &zero);
100: (18) r1 = 0xffff00000d3be200     ; R1_w=map_ptr(off=0,ks=4,vs=32152,imm=0)
102: (85) call bpf_map_lookup_elem#1          ; R0=map_value_or_null(id=1,off=0,ks=4,vs=32152,imm=0)
103: (bf) r6 = r0                     ; R0=map_value_or_null(id=1,off=0,ks=4,vs=32152,imm=0) R6_w=map_value_or_null(id=1,off=0,ks=4,vs=32152,imm=0)
; if (unlikely(p->event == NULL))
104: (15) if r6 == 0x0 goto pc+7      ; R6_w=map_value(off=0,ks=4,vs=32152,imm=0)
105: (bf) r2 = r10                    ; R2_w=fp0 R10=fp0
;
106: (07) r2 += -72                   ; R2_w=fp-72
; p->config = bpf_map_lookup_elem(&config_map, &zero);
107: (18) r1 = 0xffff0000058cf800     ; R1_w=map_ptr(off=0,ks=4,vs=256,imm=0)
109: (85) call bpf_map_lookup_elem#1          ; R0_w=map_value_or_null(id=2,off=0,ks=4,vs=256,imm=0)
110: (7b) *(u64 *)(r10 -120) = r0     ; R0_w=map_value_or_null(id=2,off=0,ks=4,vs=256,imm=0) R10=fp0 fp-120_w=map_value_or_null
; if (unlikely(p->config == NULL))
111: (55) if r0 != 0x0 goto pc+1 113: R0_w=map_value(off=0,ks=4,vs=256,imm=0) R6_w=map_value(off=0,ks=4,vs=32152,imm=0) R10=fp0 fp-72=????mmmm fp-112=ctx fp-120_w=map_value
; p->task_info = bpf_map_lookup_elem(&task_info_map, &p->event->context.task.host_tid);
113: (bf) r2 = r6                     ; R2_w=map_value(off=0,ks=4,vs=32152,imm=0) R6_w=map_value(off=0,ks=4,vs=32152,imm=0)
114: (07) r2 += 40                    ; R2_w=map_value(off=40,ks=4,vs=32152,imm=0)
; p->task_info = bpf_map_lookup_elem(&task_info_map, &p->event->context.task.host_tid);
115: (18) r1 = 0xffff00000d468000     ; R1_w=map_ptr(off=0,ks=4,vs=184,imm=0)
117: (85) call bpf_map_lookup_elem#1          ; R0=map_value_or_null(id=4,off=0,ks=4,vs=184,imm=0)
118: (18) r8 = 0xffffffff             ; R8_w=4294967295
; if (!init_tailcall_program_data(&p, ctx))
120: (15) if r0 == 0x0 goto pc+14114          ; R0=map_value(off=0,ks=4,vs=184,imm=0)
121: (7b) *(u64 *)(r10 -136) = r6     ; R6=map_value(off=0,ks=4,vs=32152,imm=0) R10=fp0 fp-136_w=map_value
122: (18) r1 = 0x73656c75646f6d       ; R1_w=32481138822115181
; char modules_sym[8] = "modules";
124: (7b) *(u64 *)(r10 -88) = r1      ; R1_w=32481138822115181 R10=fp0 fp-88_w=32481138822115181
125: (b7) r1 = 0                      ; R1_w=0
; char new_ksym_name[MAX_KSYM_NAME_SIZE] = {};
126: (7b) *(u64 *)(r10 -16) = r1      ; R1_w=0 R10=fp0 fp-16_w=00000000
127: (7b) *(u64 *)(r10 -24) = r1      ; R1_w=0 R10=fp0 fp-24_w=00000000
128: (7b) *(u64 *)(r10 -32) = r1      ; R1_w=0 R10=fp0 fp-32_w=00000000
129: (7b) *(u64 *)(r10 -40) = r1      ; R1_w=0 R10=fp0 fp-40_w=00000000
130: (7b) *(u64 *)(r10 -48) = r1      ; R1_w=0 R10=fp0 fp-48_w=00000000
131: (7b) *(u64 *)(r10 -56) = r1      ; R1_w=0 R10=fp0 fp-56_w=00000000
132: (7b) *(u64 *)(r10 -64) = r1      ; R1_w=0 R10=fp0 fp-64_w=00000000
133: (7b) *(u64 *)(r10 -72) = r1      ; R1_w=0 R10=fp0 fp-72_w=00000000
134: (bf) r6 = r10                    ; R6_w=fp0 R10=fp0
;
135: (07) r6 += -72                   ; R6_w=fp-72
136: (bf) r3 = r10                    ; R3_w=fp0 R10=fp0
137: (07) r3 += -88                   ; R3_w=fp-88
; bpf_probe_read_str(new_ksym_name, MAX_KSYM_NAME_SIZE, symbol_name);
138: (bf) r1 = r6                     ; R1_w=fp-72 R6_w=fp-72
139: (b7) r2 = 64                     ; R2_w=64
140: (85) call bpf_probe_read_str#45          ; R0=scalar(smin=-4095,smax=64) fp-16=mmmmmmmm fp-24=mmmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm fp-56=mmmmmmmm fp-64=mmmmmmmm fp-72=mmmmmmmm
; void **sym = bpf_map_lookup_elem(&ksymbols_map, (void *) &new_ksym_name);
141: (18) r1 = 0xffff000005ff3c00     ; R1_w=map_ptr(off=0,ks=64,vs=8,imm=0)
143: (bf) r2 = r6                     ; R2_w=fp-72 R6=fp-72
144: (85) call bpf_map_lookup_elem#1          ; R0_w=map_value_or_null(id=5,off=0,ks=64,vs=8,imm=0)
145: (b7) r6 = 0                      ; R6_w=0
; if (sym == NULL)
146: (15) if r0 == 0x0 goto pc+1      ; R0_w=map_value(off=0,ks=64,vs=8,imm=0)
; return *sym;
147: (79) r6 = *(u64 *)(r0 +0)        ; R0_w=map_value(off=0,ks=64,vs=8,imm=0) R6_w=scalar()
148: (18) r1 = 0x80000001             ; R1_w=2147483649
; u32 flags = PROC_MODULES | HIDDEN_MODULE;
150: (63) *(u32 *)(r10 -92) = r1      ; R1_w=2147483649 R10=fp0 fp-96=mmmm????
151: (b7) r1 = 0                      ; R1_w=0
152: (bf) r3 = r6                     ; R3_w=scalar(id=6) R6_w=scalar(id=6)
153: (0f) r3 += r1                    ; R1_w=0 R3_w=scalar()
154: (bf) r1 = r10                    ; R1_w=fp0 R10=fp0
;
155: (07) r1 += -72                   ; R1_w=fp-72
; pos = list_first_entry_ebpf(head, typeof(*pos), list);
156: (b7) r2 = 8                      ; R2_w=8
157: (85) call bpf_probe_read_kernel#113      ; R0=scalar() fp-72=mmmmmmmm
158: (b7) r1 = 8                      ; R1_w=8
; pos = list_first_entry_ebpf(head, typeof(*pos), list);
159: (79) r9 = *(u64 *)(r10 -72)      ; R9_w=scalar() R10=fp0
160: (b7) r7 = 8                      ; R7_w=8
; pos = list_first_entry_ebpf(head, typeof(*pos), list);
161: (1f) r9 -= r1                    ; R1_w=8 R9_w=scalar()
162: (b7) r1 = 600                    ; R1_w=600
163: (7b) *(u64 *)(r10 -176) = r1     ; R1_w=600 R10=fp0 fp-176_w=600
164: (79) r2 = *(u64 *)(r10 -136)     ; R2_w=map_value(off=0,ks=4,vs=32152,imm=0) R10=fp0
165: (bf) r1 = r2                     ; R1_w=map_value(off=0,ks=4,vs=32152,imm=0) R2_w=map_value(off=0,ks=4,vs=32152,imm=0)
166: (07) r1 += 120                   ; R1_w=map_value(off=120,ks=4,vs=32152,imm=0)
167: (7b) *(u64 *)(r10 -168) = r1     ; R1_w=map_value(off=120,ks=4,vs=32152,imm=0) R10=fp0 fp-168_w=map_value
168: (79) r1 = *(u64 *)(r10 -120)     ; R1_w=map_value(off=0,ks=4,vs=256,imm=0) R10=fp0
169: (07) r1 += 4                     ; R1_w=map_value(off=4,ks=4,vs=256,imm=0)
170: (7b) *(u64 *)(r10 -120) = r1     ; R1_w=map_value(off=4,ks=4,vs=256,imm=0) R10=fp0 fp-120_w=map_value
171: (bf) r1 = r2                     ; R1_w=map_value(off=0,ks=4,vs=32152,imm=0) R2_w=map_value(off=0,ks=4,vs=32152,imm=0)
172: (07) r1 += 112                   ; R1_w=map_value(off=112,ks=4,vs=32152,imm=0)
173: (7b) *(u64 *)(r10 -152) = r1     ; R1_w=map_value(off=112,ks=4,vs=32152,imm=0) R10=fp0 fp-152_w=map_value
174: (bf) r1 = r2                     ; R1_w=map_value(off=0,ks=4,vs=32152,imm=0) R2_w=map_value(off=0,ks=4,vs=32152,imm=0)
175: (07) r1 += 96                    ; R1_w=map_value(off=96,ks=4,vs=32152,imm=0)
176: (7b) *(u64 *)(r10 -160) = r1     ; R1_w=map_value(off=96,ks=4,vs=32152,imm=0) R10=fp0 fp-160_w=map_value
177: (bf) r1 = r2                     ; R1_w=map_value(off=0,ks=4,vs=32152,imm=0) R2_w=map_value(off=0,ks=4,vs=32152,imm=0)
178: (07) r1 += 128                   ; R1_w=map_value(off=128,ks=4,vs=32152,imm=0)
179: (7b) *(u64 *)(r10 -128) = r1     ; R1_w=map_value(off=128,ks=4,vs=32152,imm=0) R10=fp0 fp-128_w=map_value
180: (07) r2 += 32132                 ; R2_w=map_value(off=32132,ks=4,vs=32152,imm=0)
181: (7b) *(u64 *)(r10 -104) = r2     ; R2_w=map_value(off=32132,ks=4,vs=32152,imm=0) R10=fp0 fp-104_w=map_value
182: (7b) *(u64 *)(r10 -144) = r6     ; R6=scalar(id=6) R10=fp0 fp-144_w=mmmmmmmm
183: (bf) r3 = r9                     ; R3_w=scalar(id=7) R9_w=scalar(id=7)
184: (b7) r1 = 8                      ; R1_w=8
185: (0f) r3 += r1                    ; R1_w=8 R3_w=scalar()
186: (bf) r1 = r10                    ; R1_w=fp0 R10=fp0
;
187: (07) r1 += -72                   ; R1_w=fp-72
; n = list_next_entry_ebpf(n, list);
188: (b7) r2 = 8                      ; R2_w=8
189: (85) call bpf_probe_read_kernel#113      ; R0_w=scalar() fp-72=mmmmmmmm
190: (bf) r1 = r9                     ; R1_w=scalar(id=7) R9_w=scalar(id=7)
191: (0f) r1 += r7                    ; R1_w=scalar() R7_w=8
; if (&pos->list == head) {
192: (1d) if r1 == r6 goto pc+14035   ; R1_w=scalar() R6=scalar(id=6)
193: (79) r8 = *(u64 *)(r10 -72)      ; R8_w=scalar() R10=fp0
194: (bf) r3 = r9                     ; R3_w=scalar(id=7) R9_w=scalar(id=7)
195: <invalid CO-RE relocation>
failed to resolve CO-RE relocation <byte_off> [472] struct module.core_layout.base (0:5:0 @ offset 120)
processed 99 insns (limit 1000000) max_states_per_insn 0 total_states 5 peak_states 5 mark_read 3
-- END PROG LOAD LOG --
{"level":"warn","ts":1690340858.0097213,"msg":"libbpf: prog 'lkm_seeker_proc_tail': failed to load: -22"}
{"level":"warn","ts":1690340858.011841,"msg":"libbpf: failed to load object ''"}
{"level":"fatal","ts":1690340858.016407,"msg":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: failed to load BPF object: invalid argument"}

Output of tracee version:

I build tracee from source code, for now the commit:

commit 68e96098d7b4dfc0bb3c811f8a4500d1dbeb87f8 (grafted, HEAD -> main, origin/main, origin/HEAD)

Output of uname -a:

Linux ufi002 6.4.0-rc4+ #2 SMP PREEMPT Sun Jun  4 19:21:13 HKT 2023 aarch64 aarch64 aarch64 GNU/Linux

Additional information

I also try the release version 0.16.2, still the same problem.
@rafaeldtinoco
Copy link
Contributor

rafaeldtinoco commented Jul 26, 2023
edited
Loading

Thanks @ihexon, I'll add tests for latest kernels soon so we can pick these things. Question:

6.3 seems to be working in our tests (which is EOL so the next supported kernel version would be v6.4.6 (from the stable tree). Have you tested that version ? The v6.4.x from the stable tree ? Looks like you're testing a RC version.

@rafaeldtinoco
Copy link
Contributor

That is likely caused by changes in the kernel types:

image

meaning that we will have to add a flavor of that type for recent kernels @OriGlassman FYI.

@rafaeldtinoco rafaeldtinoco changed the title Can not run tracee in kernel 6.4.0-rc4+ aarch64 Tracee won't run in newer kernels (> v6.3) due to bad CO-RE relocation. Jul 26, 2023
@rafaeldtinoco rafaeldtinoco added this to the v0.18.0 milestone Jul 26, 2023
@06kellyjac
Copy link
Contributor

replicated on 6.4.3 kernel

{"L":"WARN","T":"2023-08-01T22:01:20.964+0100","M":"libbpf: prog 'lkm_seeker_proc_tail': BPF program load failed: Invalid argument"}
libbpf: prog 'lkm_seeker_proc_tail': -- BEGIN PROG LOAD LOG --
0: R1=ctx(off=0,imm=0) R10=fp0
; int lkm_seeker_proc_tail(struct pt_regs *ctx)
0: (18) r2 = 0x1                      ; R2_w=1
2: (7b) *(u64 *)(r10 -112) = r1       ; R1=ctx(off=0,imm=0) R10=fp0 fp-112_w=ctx
; if (!bpf_core_enum_value_exists(enum bpf_func_id, BPF_FUNC_sk_storage_get)) {
3: (55) if r2 != 0x0 goto pc+92       ; R2_w=1
; 
96: (b7) r1 = 0                       ; R1_w=0
; u32 zero = 0;
97: (63) *(u32 *)(r10 -72) = r1       ; R1_w=0 R10=fp0 fp-72=????0000
98: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
; 
99: (07) r2 += -72                    ; R2_w=fp-72
; p->event = bpf_map_lookup_elem(&event_data_map, &zero);
100: (18) r1 = 0xffff97106dc66800     ; R1_w=map_ptr(off=0,ks=4,vs=32152,imm=0)
102: (85) call bpf_map_lookup_elem#1          ; R0=map_value_or_null(id=1,off=0,ks=4,vs=32152,imm=0)
103: (bf) r6 = r0                     ; R0=map_value_or_null(id=1,off=0,ks=4,vs=32152,imm=0) R6_w=map_value_or_null(id=1,off=0,ks=4,vs=32152,imm=0)
; if (unlikely(p->event == NULL))
104: (15) if r6 == 0x0 goto pc+7      ; R6_w=map_value(off=0,ks=4,vs=32152,imm=0)
105: (bf) r2 = r10                    ; R2_w=fp0 R10=fp0
; 
106: (07) r2 += -72                   ; R2_w=fp-72
; p->config = bpf_map_lookup_elem(&config_map, &zero);
107: (18) r1 = 0xffff97114c524c00     ; R1_w=map_ptr(off=0,ks=4,vs=256,imm=0)
109: (85) call bpf_map_lookup_elem#1          ; R0_w=map_value_or_null(id=2,off=0,ks=4,vs=256,imm=0)
110: (7b) *(u64 *)(r10 -120) = r0     ; R0_w=map_value_or_null(id=2,off=0,ks=4,vs=256,imm=0) R10=fp0 fp-120_w=map_value_or_null
; if (unlikely(p->config == NULL))
111: (55) if r0 != 0x0 goto pc+1 113: R0_w=map_value(off=0,ks=4,vs=256,imm=0) R6_w=map_value(off=0,ks=4,vs=32152,imm=0) R10=fp0 fp-72=????mmmm fp-112=ctx fp-120_w=map_value
; p->task_info = bpf_map_lookup_elem(&task_info_map, &p->event->context.task.host_tid);
113: (bf) r2 = r6                     ; R2_w=map_value(off=0,ks=4,vs=32152,imm=0) R6_w=map_value(off=0,ks=4,vs=32152,imm=0)
114: (07) r2 += 40                    ; R2_w=map_value(off=40,ks=4,vs=32152,imm=0)
; p->task_info = bpf_map_lookup_elem(&task_info_map, &p->event->context.task.host_tid);
115: (18) r1 = 0xffff97114c522800     ; R1_w=map_ptr(off=0,ks=4,vs=184,imm=0)
117: (85) call bpf_map_lookup_elem#1          ; R0=map_value_or_null(id=4,off=0,ks=4,vs=184,imm=0)
118: (18) r8 = 0xffffffff             ; R8_w=4294967295
; if (!init_tailcall_program_data(&p, ctx))
120: (15) if r0 == 0x0 goto pc+14114          ; R0=map_value(off=0,ks=4,vs=184,imm=0)
121: (7b) *(u64 *)(r10 -136) = r6     ; R6=map_value(off=0,ks=4,vs=32152,imm=0) R10=fp0 fp-136_w=map_value
122: (18) r1 = 0x73656c75646f6d       ; R1_w=32481138822115181
; char modules_sym[8] = "modules";
124: (7b) *(u64 *)(r10 -88) = r1      ; R1_w=32481138822115181 R10=fp0 fp-88_w=32481138822115181
125: (b7) r1 = 0                      ; R1_w=0
; char new_ksym_name[MAX_KSYM_NAME_SIZE] = {};
126: (7b) *(u64 *)(r10 -16) = r1      ; R1_w=0 R10=fp0 fp-16_w=00000000
127: (7b) *(u64 *)(r10 -24) = r1      ; R1_w=0 R10=fp0 fp-24_w=00000000
128: (7b) *(u64 *)(r10 -32) = r1      ; R1_w=0 R10=fp0 fp-32_w=00000000
129: (7b) *(u64 *)(r10 -40) = r1      ; R1_w=0 R10=fp0 fp-40_w=00000000
130: (7b) *(u64 *)(r10 -48) = r1      ; R1_w=0 R10=fp0 fp-48_w=00000000
131: (7b) *(u64 *)(r10 -56) = r1      ; R1_w=0 R10=fp0 fp-56_w=00000000
132: (7b) *(u64 *)(r10 -64) = r1      ; R1_w=0 R10=fp0 fp-64_w=00000000
133: (7b) *(u64 *)(r10 -72) = r1      ; R1_w=0 R10=fp0 fp-72_w=00000000
134: (bf) r6 = r10                    ; R6_w=fp0 R10=fp0
; 
135: (07) r6 += -72                   ; R6_w=fp-72
136: (bf) r3 = r10                    ; R3_w=fp0 R10=fp0
137: (07) r3 += -88                   ; R3_w=fp-88
; bpf_probe_read_str(new_ksym_name, MAX_KSYM_NAME_SIZE, symbol_name);
138: (bf) r1 = r6                     ; R1_w=fp-72 R6_w=fp-72
139: (b7) r2 = 64                     ; R2_w=64
140: (85) call bpf_probe_read_str#45          ; R0=scalar(smin=-4095,smax=64) fp-16=mmmmmmmm fp-24=mmmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm fp-56=mmmmmmmm fp-64=mmmmmmmm fp-72=mmmmmmmm
; void **sym = bpf_map_lookup_elem(&ksymbols_map, (void *) &new_ksym_name);
141: (18) r1 = 0xffff97104ff09c00     ; R1_w=map_ptr(off=0,ks=64,vs=8,imm=0)
143: (bf) r2 = r6                     ; R2_w=fp-72 R6=fp-72
144: (85) call bpf_map_lookup_elem#1          ; R0_w=map_value_or_null(id=5,off=0,ks=64,vs=8,imm=0)
145: (b7) r6 = 0                      ; R6_w=0
; if (sym == NULL)
146: (15) if r0 == 0x0 goto pc+1      ; R0_w=map_value(off=0,ks=64,vs=8,imm=0)
; return *sym;
147: (79) r6 = *(u64 *)(r0 +0)        ; R0_w=map_value(off=0,ks=64,vs=8,imm=0) R6_w=scalar()
148: (18) r1 = 0x80000001             ; R1_w=2147483649
; u32 flags = PROC_MODULES | HIDDEN_MODULE;
150: (63) *(u32 *)(r10 -92) = r1      ; R1_w=2147483649 R10=fp0 fp-96=mmmm????
151: (b7) r1 = 0                      ; R1_w=0
152: (bf) r3 = r6                     ; R3_w=scalar(id=6) R6_w=scalar(id=6)
153: (0f) r3 += r1                    ; R1_w=0 R3_w=scalar()
154: (bf) r1 = r10                    ; R1_w=fp0 R10=fp0
; 
155: (07) r1 += -72                   ; R1_w=fp-72
; pos = list_first_entry_ebpf(head, typeof(*pos), list);
156: (b7) r2 = 8                      ; R2_w=8
157: (85) call bpf_probe_read_kernel#113      ; R0=scalar() fp-72=mmmmmmmm
158: (b7) r1 = 8                      ; R1_w=8
; pos = list_first_entry_ebpf(head, typeof(*pos), list);
159: (79) r9 = *(u64 *)(r10 -72)      ; R9_w=scalar() R10=fp0
160: (b7) r7 = 8                      ; R7_w=8
; pos = list_first_entry_ebpf(head, typeof(*pos), list);
161: (1f) r9 -= r1                    ; R1_w=8 R9_w=scalar()
162: (b7) r1 = 600                    ; R1_w=600
163: (7b) *(u64 *)(r10 -176) = r1     ; R1_w=600 R10=fp0 fp-176_w=600
164: (79) r2 = *(u64 *)(r10 -136)     ; R2_w=map_value(off=0,ks=4,vs=32152,imm=0) R10=fp0
165: (bf) r1 = r2                     ; R1_w=map_value(off=0,ks=4,vs=32152,imm=0) R2_w=map_value(off=0,ks=4,vs=32152,imm=0)
166: (07) r1 += 120                   ; R1_w=map_value(off=120,ks=4,vs=32152,imm=0)
167: (7b) *(u64 *)(r10 -168) = r1     ; R1_w=map_value(off=120,ks=4,vs=32152,imm=0) R10=fp0 fp-168_w=map_value
168: (79) r1 = *(u64 *)(r10 -120)     ; R1_w=map_value(off=0,ks=4,vs=256,imm=0) R10=fp0
169: (07) r1 += 4                     ; R1_w=map_value(off=4,ks=4,vs=256,imm=0)
170: (7b) *(u64 *)(r10 -120) = r1     ; R1_w=map_value(off=4,ks=4,vs=256,imm=0) R10=fp0 fp-120_w=map_value
171: (bf) r1 = r2                     ; R1_w=map_value(off=0,ks=4,vs=32152,imm=0) R2_w=map_value(off=0,ks=4,vs=32152,imm=0)
172: (07) r1 += 112                   ; R1_w=map_value(off=112,ks=4,vs=32152,imm=0)
173: (7b) *(u64 *)(r10 -152) = r1     ; R1_w=map_value(off=112,ks=4,vs=32152,imm=0) R10=fp0 fp-152_w=map_value
174: (bf) r1 = r2                     ; R1_w=map_value(off=0,ks=4,vs=32152,imm=0) R2_w=map_value(off=0,ks=4,vs=32152,imm=0)
175: (07) r1 += 96                    ; R1_w=map_value(off=96,ks=4,vs=32152,imm=0)
176: (7b) *(u64 *)(r10 -160) = r1     ; R1_w=map_value(off=96,ks=4,vs=32152,imm=0) R10=fp0 fp-160_w=map_value
177: (bf) r1 = r2                     ; R1_w=map_value(off=0,ks=4,vs=32152,imm=0) R2_w=map_value(off=0,ks=4,vs=32152,imm=0)
178: (07) r1 += 128                   ; R1_w=map_value(off=128,ks=4,vs=32152,imm=0)
179: (7b) *(u64 *)(r10 -128) = r1     ; R1_w=map_value(off=128,ks=4,vs=32152,imm=0) R10=fp0 fp-128_w=map_value
180: (07) r2 += 32132                 ; R2_w=map_value(off=32132,ks=4,vs=32152,imm=0)
181: (7b) *(u64 *)(r10 -104) = r2     ; R2_w=map_value(off=32132,ks=4,vs=32152,imm=0) R10=fp0 fp-104_w=map_value
182: (7b) *(u64 *)(r10 -144) = r6     ; R6=scalar(id=6) R10=fp0 fp-144_w=mmmmmmmm
183: (bf) r3 = r9                     ; R3_w=scalar(id=7) R9_w=scalar(id=7)
184: (b7) r1 = 8                      ; R1_w=8
185: (0f) r3 += r1                    ; R1_w=8 R3_w=scalar()
186: (bf) r1 = r10                    ; R1_w=fp0 R10=fp0
; 
187: (07) r1 += -72                   ; R1_w=fp-72
; n = list_next_entry_ebpf(n, list);
188: (b7) r2 = 8                      ; R2_w=8
189: (85) call bpf_probe_read_kernel#113      ; R0_w=scalar() fp-72=mmmmmmmm
190: (bf) r1 = r9                     ; R1_w=scalar(id=7) R9_w=scalar(id=7)
191: (0f) r1 += r7                    ; R1_w=scalar() R7_w=8
; if (&pos->list == head) {
192: (1d) if r1 == r6 goto pc+14035   ; R1_w=scalar() R6=scalar(id=6)
193: (79) r8 = *(u64 *)(r10 -72)      ; R8_w=scalar() R10=fp0
194: (bf) r3 = r9                     ; R3_w=scalar(id=7) R9_w=scalar(id=7)
195: <invalid CO-RE relocation>
failed to resolve CO-RE relocation <byte_off> [465] struct module.core_layout.base (0:5:0 @ offset 120)
processed 99 insns (limit 1000000) max_states_per_insn 0 total_states 5 peak_states 5 mark_read 3
-- END PROG LOAD LOG --
{"L":"WARN","T":"2023-08-01T22:01:20.964+0100","M":"libbpf: prog 'lkm_seeker_proc_tail': failed to load: -22"}
{"L":"WARN","T":"2023-08-01T22:01:20.964+0100","M":"libbpf: failed to load object ''"}
{"L":"DEBUG","T":"2023-08-01T22:01:20.964+0100","M":"Capabilities change","origin":"capabilities:pkg/capabilities/capabilities.go:366","calls":"(*Capabilities).apply() < (*Capabilities).EBPF() < (*Tracee).Init() < Runner.Run() < glob..func4() < (*Command).execute() < (*Command).ExecuteC() < (*Command).Execute() < Execute() < main()"}
{"L":"FATAL","T":"2023-08-01T22:01:20.965+0100","M":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: failed to load BPF object: invalid argument"}

λ ls /sys/kernel/btf/vmlinux
 /sys/kernel/btf/vmlinux

@yanivagman yanivagman changed the title Tracee won't run in newer kernels (> v6.3) due to bad CO-RE relocation. Tracee won't run in newer kernels (>= v6.4) due to bad CO-RE relocation. Aug 2, 2023
@OriGlassman OriGlassman mentioned this issue Aug 3, 2023
Merged
@yanivagman yanivagman mentioned this issue Sep 17, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug
Projects
None yet
Milestone
v0.18.0
Development

Successfully merging a pull request may close this issue.

events: adjust hidden kernel module event to v6.4 OriGlassman/tracee
3 participants
@rafaeldtinoco @06kellyjac @ihexon