Bug 2219196
| Summary: | bpf-biosnoop fails to run | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Carlos Rodriguez-Fernandez <carlosrodrifernandez> |
| Component: | bcc | Assignee: | Jerome Marchand <jmarchan> |
| Status: | ASSIGNED --- | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | CentOS Stream | CC: | bfubel, bstinson, ctrautma, jmarchan, jwboyer, ldoskova, rdossant |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
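Looks like the following commit might fix it: 02daf8d8 libbpf-tools/biosnoop: Fix out-of-bounds accessing of rq. In the load log below, rq is stored to the stack slot fp-8 as a trusted pointer (insn 2), the value reloaded from that slot at insn 84 is tracked only as a scalar, and the verifier therefore rejects the direct `rq->__sector` load at insn 85 with "R1 invalid mem access 'scalar'".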
Description of problem:

bpf-biosnoop fails to run.

```
bpf-biosnoop 1
libbpf: prog 'block_rq_complete': BPF program load failed: Permission denied
libbpf: prog 'block_rq_complete': -- BEGIN PROG LOAD LOG --
reg type unsupported for arg#0 function block_rq_complete#142
0: R1=ctx(off=0,imm=0) R10=fp0
; int BPF_PROG(block_rq_complete, struct request *rq, int error,
0: (bf) r6 = r1 ; R1=ctx(off=0,imm=0) R6_w=ctx(off=0,imm=0)
; int BPF_PROG(block_rq_complete, struct request *rq, int error,
1: (79) r1 = *(u64 *)(r6 +0)
func 'block_rq_complete' arg0 has btf_id 6289 type STRUCT 'request'
2: R1_w=trusted_ptr_request(off=0,imm=0) R6_w=ctx(off=0,imm=0)
2: (7b) *(u64 *)(r10 -8) = r1 ; R1_w=trusted_ptr_request(off=0,imm=0) R10=fp0 fp-8_w=trusted_ptr_
; if (filter_cg && !bpf_current_task_under_cgroup(&cgroup_map, 0))
3: (18) r1 = 0xffffb81ac011c000 ; R1_w=map_value(off=0,ks=4,vs=8,imm=0)
5: (71) r1 = *(u8 *)(r1 +0) ; R1_w=0
; if (filter_cg && !bpf_current_task_under_cgroup(&cgroup_map, 0))
6: (15) if r1 == 0x0 goto pc+5 ; R1_w=0
; u64 ts = bpf_ktime_get_ns();
12: (85) call bpf_ktime_get_ns#5 ; R0=scalar()
13: (bf) r9 = r0 ; R0=scalar(id=1) R9_w=scalar(id=1)
14: (b7) r7 = 0 ; R7_w=0
; struct event event = {};
15: (7b) *(u64 *)(r10 -16) = r7 ; R7_w=0 R10=fp0 fp-16_w=00000000
16: (7b) *(u64 *)(r10 -24) = r7 ; R7_w=0 R10=fp0 fp-24_w=00000000
17: (7b) *(u64 *)(r10 -32) = r7 ; R7_w=0 R10=fp0 fp-32_w=00000000
18: (7b) *(u64 *)(r10 -40) = r7 ; R7_w=0 R10=fp0 fp-40_w=00000000
19: (7b) *(u64 *)(r10 -48) = r7 ; R7_w=0 R10=fp0 fp-48_w=00000000
20: (7b) *(u64 *)(r10 -56) = r7 ; R7_w=0 R10=fp0 fp-56_w=00000000
21: (7b) *(u64 *)(r10 -64) = r7 ; R7_w=0 R10=fp0 fp-64_w=00000000
22: (7b) *(u64 *)(r10 -72) = r7 ; R7_w=0 R10=fp0 fp-72_w=00000000
23: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
; u64 ts = bpf_ktime_get_ns();
24: (07) r2 += -8 ; R2_w=fp-8
; stagep = bpf_map_lookup_elem(&start, &rq);
25: (18) r1 = 0xffff93cadb714000 ; R1_w=map_ptr(off=0,ks=8,vs=24,imm=0)
27: (85) call bpf_map_lookup_elem#1 ; R0_w=map_value_or_null(id=2,off=0,ks=8,vs=24,imm=0)
28: (bf) r8 = r0 ; R0_w=map_value_or_null(id=2,off=0,ks=8,vs=24,imm=0) R8_w=map_value_or_null(id=2,off=0,ks=8,vs=24,imm=0)
; if (!stagep)
29: (15) if r8 == 0x0 goto pc+82 ; R8_w=map_value(off=0,ks=8,vs=24,imm=0)
; delta = (s64)(ts - stagep->issue);
30: (79) r1 = *(u64 *)(r8 +8) ; R1_w=scalar() R8_w=map_value(off=0,ks=8,vs=24,imm=0)
31: (7b) *(u64 *)(r10 -96) = r9 ; R9_w=scalar(id=1) R10=fp0 fp-96_w=mmmmmmmm
; delta = (s64)(ts - stagep->issue);
32: (1f) r9 -= r1 ; R1=scalar() R9=scalar()
; if (delta < 0)
33: (6d) if r7 s> r9 goto pc+68 ; R7=0 R9=scalar(umax=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff))
34: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
;
35: (07) r2 += -8 ; R2_w=fp-8
; piddatap = bpf_map_lookup_elem(&infobyreq, &rq);
36: (18) r1 = 0xffff93cadb715c00 ; R1_w=map_ptr(off=0,ks=8,vs=20,imm=0)
38: (85) call bpf_map_lookup_elem#1 ; R0_w=map_value_or_null(id=3,off=0,ks=8,vs=20,imm=0)
; if (!piddatap) {
39: (55) if r0 != 0x0 goto pc+3 ; R0_w=0
40: (b7) r1 = 63 ; R1_w=63
; event.comm[0] = '?';
41: (73) *(u8 *)(r10 -72) = r1 ; R1_w=63 R10=fp0 fp-72=63
42: (05) goto pc+12
; event.delta = delta;
55: (7b) *(u64 *)(r10 -56) = r9 ; R9=scalar(umax=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff)) R10=fp0 fp-56_w=
; if (targ_queued && BPF_CORE_READ(rq, q, elevator)) {
56: (18) r1 = 0xffffb81ac011c001 ; R1_w=map_value(off=1,ks=4,vs=8,imm=0)
58: (71) r1 = *(u8 *)(r1 +0) ; R1_w=0
59: (79) r7 = *(u64 *)(r10 -96) ; R7_w=scalar() R10=fp0
; if (targ_queued && BPF_CORE_READ(rq, q, elevator)) {
60: (15) if r1 == 0x0 goto pc+22 ; R1_w=0
; event.ts = ts;
83: (7b) *(u64 *)(r10 -40) = r7 ; R7_w=scalar() R10=fp0 fp-40_w=mmmmmmmm
; event.sector = rq->__sector;
84: (79) r1 = *(u64 *)(r10 -8) ; R1_w=scalar() R10=fp0
; event.sector = rq->__sector;
85: (79) r2 = *(u64 *)(r1 +48)
R1 invalid mem access 'scalar'
processed 43 insns (limit 1000000) max_states_per_insn 0 total_states 3 peak_states 3 mark_read 2
-- END PROG LOAD LOG --
libbpf: prog 'block_rq_complete': failed to load: -13
libbpf: failed to load object 'biosnoop_bpf'
libbpf: failed to load BPF skeleton 'biosnoop_bpf': -13
failed to load BPF object: -13
```

Version-Release number of selected component (if applicable):

Name : libbpf-tools
Version : 0.26.0
Release : 3.el9

How reproducible:

Steps to Reproduce:

1. Download CentOS Stream 9 QCOW2 and run it
2. run dnf install libbpf-tools
3. run bpf-biosnoop 1

Actual results:

```
libbpf: prog 'block_rq_complete': BPF program load failed: Permission denied
libbpf: prog 'block_rq_complete': -- BEGIN PROG LOAD LOG --
reg type unsupported for arg#0 function block_rq_complete#142
0: R1=ctx(off=0,imm=0) R10=fp0
; int BPF_PROG(block_rq_complete, struct request *rq, int error,
0: (bf) r6 = r1 ; R1=ctx(off=0,imm=0) R6_w=ctx(off=0,imm=0)
; int BPF_PROG(block_rq_complete, struct request *rq, int error,
1: (79) r1 = *(u64 *)(r6 +0)
func 'block_rq_complete' arg0 has btf_id 6289 type STRUCT 'request'
2: R1_w=trusted_ptr_request(off=0,imm=0) R6_w=ctx(off=0,imm=0)
2: (7b) *(u64 *)(r10 -8) = r1 ; R1_w=trusted_ptr_request(off=0,imm=0) R10=fp0 fp-8_w=trusted_ptr_
; if (filter_cg && !bpf_current_task_under_cgroup(&cgroup_map, 0))
3: (18) r1 = 0xffffb81ac011c000 ; R1_w=map_value(off=0,ks=4,vs=8,imm=0)
5: (71) r1 = *(u8 *)(r1 +0) ; R1_w=0
; if (filter_cg && !bpf_current_task_under_cgroup(&cgroup_map, 0))
6: (15) if r1 == 0x0 goto pc+5 ; R1_w=0
; u64 ts = bpf_ktime_get_ns();
12: (85) call bpf_ktime_get_ns#5 ; R0=scalar()
13: (bf) r9 = r0 ; R0=scalar(id=1) R9_w=scalar(id=1)
14: (b7) r7 = 0 ; R7_w=0
; struct event event = {};
15: (7b) *(u64 *)(r10 -16) = r7 ; R7_w=0 R10=fp0 fp-16_w=00000000
16: (7b) *(u64 *)(r10 -24) = r7 ; R7_w=0 R10=fp0 fp-24_w=00000000
17: (7b) *(u64 *)(r10 -32) = r7 ; R7_w=0 R10=fp0 fp-32_w=00000000
18: (7b) *(u64 *)(r10 -40) = r7 ; R7_w=0 R10=fp0 fp-40_w=00000000
19: (7b) *(u64 *)(r10 -48) = r7 ; R7_w=0 R10=fp0 fp-48_w=00000000
20: (7b) *(u64 *)(r10 -56) = r7 ; R7_w=0 R10=fp0 fp-56_w=00000000
21: (7b) *(u64 *)(r10 -64) = r7 ; R7_w=0 R10=fp0 fp-64_w=00000000
22: (7b) *(u64 *)(r10 -72) = r7 ; R7_w=0 R10=fp0 fp-72_w=00000000
23: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
; u64 ts = bpf_ktime_get_ns();
24: (07) r2 += -8 ; R2_w=fp-8
; stagep = bpf_map_lookup_elem(&start, &rq);
25: (18) r1 = 0xffff93cadb714000 ; R1_w=map_ptr(off=0,ks=8,vs=24,imm=0)
27: (85) call bpf_map_lookup_elem#1 ; R0_w=map_value_or_null(id=2,off=0,ks=8,vs=24,imm=0)
28: (bf) r8 = r0 ; R0_w=map_value_or_null(id=2,off=0,ks=8,vs=24,imm=0) R8_w=map_value_or_null(id=2,off=0,ks=8,vs=24,imm=0)
; if (!stagep)
29: (15) if r8 == 0x0 goto pc+82 ; R8_w=map_value(off=0,ks=8,vs=24,imm=0)
; delta = (s64)(ts - stagep->issue);
30: (79) r1 = *(u64 *)(r8 +8) ; R1_w=scalar() R8_w=map_value(off=0,ks=8,vs=24,imm=0)
31: (7b) *(u64 *)(r10 -96) = r9 ; R9_w=scalar(id=1) R10=fp0 fp-96_w=mmmmmmmm
; delta = (s64)(ts - stagep->issue);
32: (1f) r9 -= r1 ; R1=scalar() R9=scalar()
; if (delta < 0)
33: (6d) if r7 s> r9 goto pc+68 ; R7=0 R9=scalar(umax=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff))
34: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
;
35: (07) r2 += -8 ; R2_w=fp-8
; piddatap = bpf_map_lookup_elem(&infobyreq, &rq);
36: (18) r1 = 0xffff93cadb715c00 ; R1_w=map_ptr(off=0,ks=8,vs=20,imm=0)
38: (85) call bpf_map_lookup_elem#1 ; R0_w=map_value_or_null(id=3,off=0,ks=8,vs=20,imm=0)
; if (!piddatap) {
39: (55) if r0 != 0x0 goto pc+3 ; R0_w=0
40: (b7) r1 = 63 ; R1_w=63
; event.comm[0] = '?';
41: (73) *(u8 *)(r10 -72) = r1 ; R1_w=63 R10=fp0 fp-72=63
42: (05) goto pc+12
; event.delta = delta;
55: (7b) *(u64 *)(r10 -56) = r9 ; R9=scalar(umax=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff)) R10=fp0 fp-56_w=
; if (targ_queued && BPF_CORE_READ(rq, q, elevator)) {
56: (18) r1 = 0xffffb81ac011c001 ; R1_w=map_value(off=1,ks=4,vs=8,imm=0)
58: (71) r1 = *(u8 *)(r1 +0) ; R1_w=0
59: (79) r7 = *(u64 *)(r10 -96) ; R7_w=scalar() R10=fp0
; if (targ_queued && BPF_CORE_READ(rq, q, elevator)) {
60: (15) if r1 == 0x0 goto pc+22 ; R1_w=0
; event.ts = ts;
83: (7b) *(u64 *)(r10 -40) = r7 ; R7_w=scalar() R10=fp0 fp-40_w=mmmmmmmm
; event.sector = rq->__sector;
84: (79) r1 = *(u64 *)(r10 -8) ; R1_w=scalar() R10=fp0
; event.sector = rq->__sector;
85: (79) r2 = *(u64 *)(r1 +48)
R1 invalid mem access 'scalar'
processed 43 insns (limit 1000000) max_states_per_insn 0 total_states 3 peak_states 3 mark_read 2
-- END PROG LOAD LOG --
libbpf: prog 'block_rq_complete': failed to load: -13
libbpf: failed to load object 'biosnoop_bpf'
libbpf: failed to load BPF skeleton 'biosnoop_bpf': -13
failed to load BPF object: -13
```

Expected results:

It doesn't error but works as intended

Additional info: