OracleLinux9 - UEK7 - Fail to use kprobe with ftrace.

Levi Yun Member Posts: 5 Green Ribbon
edited Nov 10, 2022 8:19AM in Oracle Linux

Hi. While I was testing the OracleLinux9 - UEK7 kernel (5.15.0-0.30.20.1.el9uek / 5.15.0-0.30.20el9uek) on x86_64,

I met a strange case -- whenever I use kprobe with KPROBE_FTRACE, it is going to panic.

So I took a look at it, and I confirmed something strange at the end of the ftrace trampoline.

   0xffffffffc08ed0c3:  call   0xffffffff8188d820 <kprobe_ftrace_handler>
   0xffffffffc08ed0c8:  mov    0x90(%rsp),%rax
   0xffffffffc08ed0d0:  mov    %rax,0xa8(%rsp)
   0xffffffffc08ed0d8:  mov    0x80(%rsp),%rax
   0xffffffffc08ed0e0:  mov    %rax,0xb0(%rsp)
   0xffffffffc08ed0e8:  mov    (%rsp),%r15
   0xffffffffc08ed0ec:  mov    0x8(%rsp),%r14
   0xffffffffc08ed0f1:  mov    0x10(%rsp),%r13
   0xffffffffc08ed0f6:  mov    0x18(%rsp),%r12
   0xffffffffc08ed0fb:  mov    0x38(%rsp),%r10
   0xffffffffc08ed100:  mov    0x28(%rsp),%rbx
   0xffffffffc08ed105:  mov    0x78(%rsp),%rax
   0xffffffffc08ed10a:  mov    %rax,0xa0(%rsp)
   0xffffffffc08ed112:  mov    0x78(%rsp),%rax
   0xffffffffc08ed117:  test   %rax,%rax
   0xffffffffc08ed11a:  xchg   %ax,%ax
   0xffffffffc08ed11c:  mov    0x20(%rsp),%rbp
   0xffffffffc08ed121:  mov    0x40(%rsp),%r9
   0xffffffffc08ed126:  mov    0x48(%rsp),%r8
   0xffffffffc08ed12b:  mov    0x70(%rsp),%rdi
   0xffffffffc08ed130:  mov    0x68(%rsp),%rsi
   0xffffffffc08ed135:  mov    0x60(%rsp),%rdx
   0xffffffffc08ed13a:  mov    0x58(%rsp),%rcx
   0xffffffffc08ed13f:  mov    0x50(%rsp),%rax
   0xffffffffc08ed144:  add    $0xa8,%rsp
   0xffffffffc08ed14b:  popf   
   0xffffffffc08ed14c:  jmp    0xffffffffc18670fc 

Note the last instruction. It should be the address of __x86_return_thunk,

but that address is:

crash> p __x86_return_thunk
__x86_return_thunk = $6 = 
 {<text variable, no debug info>} 0xffffffff828023c0 <__x86_return_thunk>

Unfortunately, the generated trampoline's last jmp destination is different from __x86_return_thunk, and I always get a panic with a page translation fault.


Do those versions of the kernel have some issues related to what I experienced?

Thanks.
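One way to check whether this mismatch is consistent with a PC-relative `jmp` whose displacement was carried to a new address without being recomputed (a hypothesis tested here, not something the post establishes). This is an added example, not part of the original post; it uses only the addresses quoted above, and the function names are made up for illustration.

```python
import re

MASK64 = (1 << 64) - 1
JMP32_SIZE = 5  # opcode e9 + 4-byte signed displacement

# Constructed sample: the last two listing lines and the symbol value quoted in the post.
LISTING = """\
   0xffffffffc08ed14b:  popf
   0xffffffffc08ed14c:  jmp    0xffffffffc18670fc
"""
RETURN_THUNK = 0xffffffff828023c0

LINE_RE = re.compile(r"^\s*(0x[0-9a-f]+):\s+(\S+)\s*(.*?)\s*$")

def last_jmp(listing):
    """Return (insn_addr, target) of the final direct jmp in a crash/gdb listing."""
    found = None
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "jmp":
            t = re.match(r"0x[0-9a-f]+", m.group(3))
            if t:  # skip indirect forms such as jmp *%rax
                found = (int(m.group(1), 16), int(t.group(0), 16))
    if found is None:
        raise ValueError("no direct jmp found")
    return found

def rel32(insn_addr, target):
    """Signed displacement a jmp rel32 at insn_addr needs to reach target."""
    d = (target - (insn_addr + JMP32_SIZE)) & MASK64
    if d >= 1 << 63:
        d -= 1 << 64
    if not -(1 << 31) <= d < (1 << 31):
        raise ValueError("target out of rel32 range")
    return d

def implied_source(insn_addr, observed, expected):
    """Address at which the same jmp bytes would have reached `expected`."""
    disp = rel32(insn_addr, observed)
    return (expected - disp - JMP32_SIZE) & MASK64

def analyze(listing, expected):
    addr, observed = last_jmp(listing)
    return {"jmp_at": addr, "observed": observed,
            "disp_observed": rel32(addr, observed),
            "disp_expected": rel32(addr, expected),
            "implied_source": implied_source(addr, observed, expected)}
```

If `implied_source` resolves (for example with crash's `sym` command) to the tail of the kernel's own trampoline template, the hypothesis fits; if it lands somewhere unrelated, it can be ruled out.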

Answers