Failed to load BPF program trace_connect_v4_return: Permission denied

[thnam91]

I'm trying to trace tcp connection using tools/tcptracer.py. But following error messages appears. I found some similar problem, #382 #1007 #829 ..., but I don't know how to fix it.

uname -r : 4.4.0-75-generic

root@iovisor-node:~/bcc/tools# ./tcptracer.py
bpf: Permission denied
0: (79) r7 = *(u64 *)(r1 +80)
1: (85) call 14
2: (7b) *(u64 *)(r10 -24) = r0
3: (18) r1 = 0x7a61e780
5: (bf) r2 = r10
6: (07) r2 += -24
7: (85) call 1
8: (bf) r6 = r0
9: (15) if r6 == 0x0 goto pc+88
R0=map_value_or_null(ks=8,vs=8) R6=map_value(ks=8,vs=8) R7=inv R10=fp
10: (18) r1 = 0x7a61e780
12: (bf) r2 = r10
13: (07) r2 += -24
14: (85) call 3
15: (67) r7 <<= 32
16: (77) r7 >>= 32
17: (55) if r7 != 0x0 goto pc+80
R0=inv R6=map_value(ks=8,vs=8) R7=imm0 R10=fp
18: (79) r6 = *(u64 *)(r6 +0)
19: (b7) r1 = 0
20: (63) *(u32 *)(r10 -32) = r1
21: (7b) *(u64 *)(r10 -40) = r1
22: (63) *(u32 *)(r10 -4) = r1
23: (63) *(u32 *)(r10 -8) = r1
24: (63) *(u32 *)(r10 -12) = r1
25: (6b) *(u16 *)(r10 -14) = r1
26: (6b) *(u16 *)(r10 -16) = r1
27: (bf) r3 = r6
28: (07) r3 += 4
29: (bf) r1 = r10
30: (07) r1 += -4
31: (b7) r2 = 4
32: (85) call 4
33: (bf) r1 = r10
34: (07) r1 += -8
35: (b7) r2 = 4
36: (bf) r3 = r6
37: (85) call 4
38: (bf) r3 = r6
39: (07) r3 += 720
40: (bf) r1 = r10
41: (07) r1 += -14
42: (b7) r2 = 2
43: (85) call 4
44: (bf) r3 = r6
45: (07) r3 += 12
46: (bf) r1 = r10
47: (07) r1 += -16
48: (b7) r2 = 2
49: (85) call 4
50: (07) r6 += 48
51: (bf) r1 = r10
52: (07) r1 += -64
53: (b7) r2 = 8
54: (bf) r3 = r6
55: (85) call 4
invalid indirect read from stack off -64+0 size 8

Traceback (most recent call last):
File "./tcptracer.py", line 530, in
b.attach_kretprobe(event="tcp_v4_connect", fn_name="trace_connect_v4_return")
File "/usr/lib/python2.7/dist-packages/bcc/init.py", line 551, in attach_kretprobe
fn = self.load_func(fn_name, BPF.KPROBE)
File "/usr/lib/python2.7/dist-packages/bcc/init.py", line 345, in load_func
(func_name, errstr))
Exception: Failed to load BPF program trace_connect_v4_return: Permission denied

[yonghong-song]

I tried latest net-next and did not find the issue. It is possible that 4.4.0 has some verifier limitation which is fixed later on. I did not check the kernel code, but you can try to use bpf_probe_read for 2 4-byte read instead of one 8-byte read. Better if you could try a later kernel.

[shehzadkhawar]

I just checked with 4.8.0-58-generic and it is working. I had the same problem with your version of the kernel. Now it is working with newer one.

[mukuntharajaa]

I am running LFS based on 4.4.104. Some of the tools works fine from tools/old. Some doesnt work. For example,

./biosnoop
bpf: Failed to load program: Permission denied
0: (79) r1 = *(u64 *)(r1 +112)
1: (7b) *(u64 *)(r10 -8) = r1
2: (18) r1 = 0xffff880feb004700
4: (bf) r2 = r10
5: (07) r2 += -8
6: (85) call 1
7: (bf) r7 = r0
8: (15) if r0 == 0x0 goto pc+118
R0=map_value(ks=8,vs=8) R7=map_value_or_null(ks=8,vs=8) R10=fp
9: (85) call 5
10: (bf) r6 = r0
11: (79) r9 = *(u64 *)(r7 +0)
R7 invalid mem access 'map_value_or_null'

HINT: The 'map_value_or_null' error can happen if you dereference a pointer value from a map lookup without first checking if that pointer is NULL.

Traceback (most recent call last):
File "./biosnoop", line 102, in
fn_name="trace_req_completion")
File "/usr/lib/python2.7/site-packages/bcc/init.py", line 519, in attach_kprobe
fn = self.load_func(fn_name, BPF.KPROBE)
File "/usr/lib/python2.7/site-packages/bcc/init.py", line 349, in load_func
(func_name, errstr))
Exception: Failed to load BPF program trace_req_completion: Permission denied

Is it because of older kernel or am I missing something ?

[yonghong-song]

On Wed, Feb 7, 2018 at 11:01 PM, mukuntharajaa ***@***.***> wrote: I am running LFS based on 4.4.104. Some of the tools works fine from tools/old. Some doesnt work. For example, ./biosnoop bpf: Failed to load program: Permission denied 0: (79) r1 = *(u64 *)(r1 +112) 1: (7b) *(u64 *)(r10 -8) = r1 2: (18) r1 = 0xffff880feb004700 4: (bf) r2 = r10 5: (07) r2 += -8 6: (85) call 1 7: (bf) r7 = r0 8: (15) if r0 == 0x0 goto pc+118 R0=map_value(ks=8,vs=8) R7=map_value_or_null(ks=8,vs=8) R10=fp 9: (85) call 5 10: (bf) r6 = r0 11: (79) r9 = *(u64 *)(r7 +0) R7 invalid mem access 'map_value_or_null' HINT: The 'map_value_or_null' error can happen if you dereference a pointer value from a map lookup without first checking if that pointer is NULL.

This mostly an old kernel issue. The newer kernel is able to handle the above case, i.e., right before insn #9, R7 will be map_value instead of map_value_or_null.

…

Traceback (most recent call last): File "./biosnoop", line 102, in fn_name="trace_req_completion") File "/usr/lib/python2.7/site-packages/bcc/init.py", line 519, in attach_kprobe fn = self.load_func(fn_name, BPF.KPROBE) File "/usr/lib/python2.7/site-packages/bcc/init.py", line 349, in load_func (func_name, errstr)) Exception: Failed to load BPF program trace_req_completion: Permission denied Is it because of older kernel or am I missing something ? — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.