
I read the below regarding kprobes:

Kprobes allows you to install pre-handlers and post-handlers for any kernel instruction as well as for function-entry and function-return handlers

I am trying to register a kprobe for '_do_sys_open' function.

$ sudo cat /proc/kallsyms | grep 'do_sys_open'
ffffffff96ac0130 T do_sys_open

Wrote some basic code which registers the kprobe:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>

MODULE_LICENSE("GPL");

static struct kprobe kp;
/* name of the kernel symbol to probe, as written in the question */
static char *name = "_do_sys_open";

/* runs before the probed instruction; returning 0 lets execution continue */
static int pre_handler(struct kprobe *p, struct pt_regs *regs)
{
    return 0;
}

/* runs after the probed instruction has been single-stepped */
static void post_handler(struct kprobe *p, struct pt_regs *regs,
             unsigned long flags)
{
}

static int __init hello_init(void)
{
    /* set the handler functions */
    kp.pre_handler = pre_handler;
    kp.post_handler = post_handler;
    kp.symbol_name = name;
    /* a negative return here makes insmod fail with that errno */
    return register_kprobe(&kp);
}

static void __exit hello_exit(void)
{
    unregister_kprobe(&kp);
}

module_init(hello_init);
module_exit(hello_exit);

Loading this module fails with

Unknown symbol in module

Does this mean this function cannot be used with kprobes?

It is also not listed in the blacklist:

# cat /sys/kernel/debug/kprobes/blacklist | grep '_do_sys_open'
  • What's your kernel's version? What's your CPU architecture? – pchaigno Jan 23 '20 at 07:56
  • Linux Kernel version 5.2, CPU Architecture: x86_64 – md.jamal Jan 23 '20 at 09:58
  • I might be missing something, but why do you have an underscore at the beginning of the symbol's name? Don't you want to trace `do_sys_open`? – pchaigno Jan 23 '20 at 11:08
  • Was that the issue or just a typo? – pchaigno Jan 23 '20 at 11:46
  • No, some functions may not be traceable. It depends on compiler optimizations, on specifics of those functions, etc. – 0andriy Jan 23 '20 at 11:53
  • @Tsyvarev "Unknown symbol in module" is printed when the module insertion fails with an `ENOENT` error. That's not necessarily due to dynamic linking errors. It could be due to the module init function returning `-ENOENT` (which is likely if `register_kprobe` is being given a non-existent symbol name!). – Ian Abbott Jan 23 '20 at 18:16
  • @IanAbbott: Yes, it is my fault - didn't think about `register_kprobe` return value. – Tsyvarev Jan 23 '20 at 19:43
  • We can't help without any more details, currently it seems like the issue is just a typo. Anyway, make sure to not `kprobe` functions that are marked as `NOKPROBE_SYMBOL`. – vmemmap Dec 05 '22 at 19:10
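A pre-flight check, added here as an example and not taken from the question or its comments, that does the two lookups the thread discusses (exact symbol name in /proc/kallsyms, absence from the kprobes blacklist) before insmod is attempted; the sample kallsyms and blacklist contents are constructed, and the file paths default to the ones the question already uses:

```shell
#!/bin/sh
# Usage: kprobe_symbol_check SYMBOL [KALLSYMS_FILE] [BLACKLIST_FILE]
# Exit status: 0 = exact text symbol found and not blacklisted
#              1 = no exact match (register_kprobe returns -ENOENT,
#                  which insmod reports as "Unknown symbol in module")
#              2 = symbol is on the kprobes blacklist (register_kprobe returns -EINVAL)
kprobe_symbol_check() {
    sym=$1
    kallsyms=${2:-/proc/kallsyms}
    blacklist=${3:-/sys/kernel/debug/kprobes/blacklist}

    # Compare the whole name field: a substring grep for 'do_sys_open'
    # also matches do_sys_openat2 and hides a typo such as a stray underscore.
    if ! awk -v s="$sym" '$2 ~ /^[TtWw]$/ && $3 == s { found = 1 } END { exit !found }' "$kallsyms"; then
        echo "$sym: not a text symbol in $kallsyms (expect -ENOENT)" >&2
        return 1
    fi
    # Blacklist lines look like "0xSTART-0xEND<TAB>name"; name is field 2.
    if [ -r "$blacklist" ] && awk -v s="$sym" '$2 == s { hit = 1 } END { exit !hit }' "$blacklist"; then
        echo "$sym: listed in $blacklist (expect -EINVAL)" >&2
        return 2
    fi
    echo "$sym: ok"
    return 0
}

# Constructed sample data (only the line format matches real kernel output).
demo_check() {
    dir=$(mktemp -d)
    printf 'ffffffff96ac0130 T do_sys_open\nffffffff96ac0200 T do_sys_openat2\nffffffff96000000 t __die\n' > "$dir/kallsyms"
    printf '0xffffffff96000000-0xffffffff96000040\t__die\n' > "$dir/blacklist"
    for s in do_sys_open _do_sys_open __die; do
        kprobe_symbol_check "$s" "$dir/kallsyms" "$dir/blacklist" || true
    done
    rm -rf "$dir"
}
demo_check
```

Run it against the live files as root with just the symbol argument; if it passes and insmod still fails, dmesg carries the errno that register_kprobe actually returned.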

0 Answers