Questions tagged [kprobe]
A dynamic instrumentation system that allows one to gather additional information about kernel operation without recompiling or rebooting a kernel.
97 questions
0 votes, 0 answers, 15 views
kretprobe handler hooks show BUG: scheduling while atomic
I tried to use kretprobe to hook the umount syscall with a post handler in my kernel module.
static struct kretprobe umount_kretprobe = {
.entry_handler = umount_kprobe_pre_handler,
.handler ...
2 votes, 1 answer, 63 views
Fail to hook argv of execve with kretprobe
I tried to hook syscall __x64_sys_execve with kretprobe. So in the entry handler, I tried to get its params, and use strncpy_from_user to get the char* filename, (char**)argv. But after I compiled the ...
0 votes, 1 answer, 52 views
confused by sys_stat, sys_statfs syscall works
I'm trying to set a kprobe on stat syscall to capture some information. When checking /proc/kallsyms I have many similar names and it's a bit confusing which is the right one for me to use.
I'm ...
0 votes, 0 answers, 24 views
how to get sys call params in kprobe pre_handler in x86
I tried to use kprobe to hook __x64_sys_mount
struct kprobe mount_kprobe = {
.symbol_name = "__x64_sys_mount",
.pre_handler = mount_kprobe_pre_handler,
.post_handler = ...
0 votes, 0 answers, 37 views
How to detect open file path within Linux module using kprobes properly?
I'm trying to hook open behavior in Linux, so I try to build a module that can log these syscalls.
I use a kprobe to hook openat2 and open, and use printk to show the params, but it turns out that I ...
2 votes, 1 answer, 38 views
kretprobe handlers in kernel 3.x not getting called
I have been learning and experimenting with kernel probes (both kprobes and kretprobes) recently and today I managed to make it work for Ubuntu 22.04 kernel 5.x (which is the kernel I use on my ...
2 votes, 1 answer, 78 views
Cannot read syscall arguments from a kprobe handler
I'm installing a kprobe on sys_kill and I want to monitor PIDs and signal numbers.
While I can install the kprobe and get some data in dmesg, the data looks wrong and I cannot make sense of it.
Below ...
1 vote, 1 answer, 50 views
kernel probes shows wrong returned data
Unfortunately the title might not be the best for describing the problem.
I'm learning Linux kernel programming and I was excited when it came to kprobe and kretprobe, but I started to experience ...
0 votes, 1 answer, 48 views
What is the performance impact added to eBPF via kprobe and uprobe
I'm struggling to find an answer to a question how big of a latency overhead is calling an eBPF program attached to kprobe and, more important, to uprobe (where overhead might take bigger relative ...
0 votes, 1 answer, 34 views
kprobe on getdents64() fails
I'm learning Linux Kernel programming and I'm learning kernel probes. I tried to install kprobe on getdents64() syscall and read its arguments but I always get -1 in the third argument, count. I ...
0 votes, 0 answers, 30 views
How to get attached kprobe kernel function name in bpf(libbpf) handler(kernel function tracing)
Use case: Given an executable, we are trying to trace user space (uprobes) and kernel (kprobes) functions of that process.
./profiler vfs_* => this should trace all vfs calls invoked by that ...
0 votes, 0 answers, 107 views
Can Linux kprobes get disabled temporarily by the kernel?
I am monitoring illegal task namespace changes using kprobes on wake_up_new_task(), do_exit(), begin_new_exec(), unshare() and setns().
For a few systemd services like timedated or upowerd, the ...
0 votes, 0 answers, 70 views
Kprobe handler is not triggered for some kernel symbols
I am registering my probe to the skx_register_mci symbol. Output of this symbol from /proc/kallsyms:
ffffffffc1696a90 t skx_register_mci [skx_edac]
So, this function seems to be local text (code).
...
0 votes, 0 answers, 55 views
maximum number of uprobe/kprobe that can be attached using libbpf
Is there a limit on how many uprobes/kprobes can be attached at the same time? Or is there a kernel config that I can change?
Need limit values, so that I can decide about bpf user space doe ...
0 votes, 1 answer, 238 views
How to correctly read socket->sk from pt_regs* in ebpf program?
I want to get some information from kprobe/inet_accept through ebpf, but got error:
load program: permission denied: 13: (79) r6 = *(u64 *)(r6 +24): R6 invalid mem access 'inv' (22 line(s) omitted)
...