Wednesday, February 23, 2022

[SOLVED] kprobe modules cannot work after execute "echo 0 > /proc/sys/kernel/ftrace_enabled "

Issue

Just do some research of ftrace.

TCP echo program is running between two host.

When I shutdown the big switch(echo 0 > /proc/sys/kernel/ftrace_enabled ), my own kprobe module cannot work also. The printk message cannot be seen in the kernel log file. Also, The pkt modify operation failed and the pkt can be received successfully. It really confused me a lot.

My test kprobe module is here:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/skbuff.h>
#include <linux/inet.h>

/* For each probe you need to allocate a kprobe structure */
static struct kprobe kp = {
    .symbol_name    = "ip_rcv",
};

/* kprobe pre_handler: called just before the probed instruction is executed */
static int handler_pre(struct kprobe *p, struct pt_regs *regs)
{

    struct sk_buff * skb = (struct sk_buff *)(regs->di);
    u16 dst_port;
    dst_port = ntohs(*((u16*)(skb->head + skb->transport_header + 2)));
    if(dst_port == 50000){ //50000 is the TCP port
        printk(KERN_INFO "post handler addr 0x%p skb is 0x%d\n",p->addr, regs->di);

        // modify one byte to make TCP checksum wrong and drop the pkt.
        *((u8*)(skb->head + skb->network_header +7))=0xab;
    }
    return 0;
}

/* kprobe post_handler: called after the probed instruction is executed */
static void handler_post(struct kprobe *p, struct pt_regs *regs,
                unsigned long flags)
{
    //printk(KERN_INFO "post handler addr 0x%p skb is 0x%d\n",p->addr, regs->di);
}

/*
 * fault_handler: this is called if an exception is generated for any
 * instruction within the pre- or post-handler, or when Kprobes
 * single-steps the probed instruction.
 */
static int handler_fault(struct kprobe *p, struct pt_regs *regs, int trapnr)
{
    printk(KERN_INFO "fault_handler: p->addr = 0x%p, trap #%dn",
        p->addr, trapnr);
    /* Return 0 because we don't handle the fault. */
    return 0;
}

static int __init kprobe_init(void)
{
    int ret;
    kp.pre_handler = handler_pre;
    kp.post_handler = handler_post;
    kp.fault_handler = handler_fault;

    ret = register_kprobe(&kp);
    if (ret < 0) {
        printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
        return ret;
    }
    printk(KERN_INFO "Planted kprobe at %p\n", kp.addr);
    return 0;
}

static void __exit kprobe_exit(void)
{
    unregister_kprobe(&kp);
    printk(KERN_INFO "kprobe at %p unregistered\n", kp.addr);
}

module_init(kprobe_init)
module_exit(kprobe_exit)
MODULE_LICENSE("GPL");

Solution

Question Closed.

Actually in sys/kernel/debug/kprobes/list we can get the list of registered kprobe. And I get this xxxxxxxxxxx k ip_rcv+0x0 [FTRACE], it means that the this kprobe is ftrace-based. ftrace-based kprobe cannot work if disable the ftrace.



Answered By - Mean Chou
Answer Checked By - Marie Seifert (WPSolving Admin)