Skip to Main Content

OracleLinux9 - UEK7 -- some version can't use kprobe with KPROBE_FTRACE

Levi YunNov 10 2022 — edited Nov 10 2022

Hi, i'm using the new kernel UEK-9, 5.15.0- and 5.15.0-0.30.20.el9uek.x86_64.
But I met some problem when i try to use kprobe with KPROBE_FTRACE -- it's going to panic.
when I take a look the ftrace trampoline which generated while registering kprobe.
There is one strange at the end of trampoline.

   0xffffffffc08ed0c3:  call   0xffffffff8188d820 <kprobe_ftrace_handler>
   0xffffffffc08ed0c8:  mov    0x90(%rsp),%rax
   0xffffffffc08ed0d0:  mov    %rax,0xa8(%rsp)
   0xffffffffc08ed0d8:  mov    0x80(%rsp),%rax
   0xffffffffc08ed0e0:  mov    %rax,0xb0(%rsp)
   0xffffffffc08ed0e8:  mov    (%rsp),%r15
   0xffffffffc08ed0ec:  mov    0x8(%rsp),%r14
   0xffffffffc08ed0f1:  mov    0x10(%rsp),%r13
   0xffffffffc08ed0f6:  mov    0x18(%rsp),%r12
   0xffffffffc08ed0fb:  mov    0x38(%rsp),%r10
   0xffffffffc08ed100:  mov    0x28(%rsp),%rbx
   0xffffffffc08ed105:  mov    0x78(%rsp),%rax
   0xffffffffc08ed10a:  mov    %rax,0xa0(%rsp)
   0xffffffffc08ed112:  mov    0x78(%rsp),%rax
   0xffffffffc08ed117:  test   %rax,%rax
   0xffffffffc08ed11a:  xchg   %ax,%ax
   0xffffffffc08ed11c:  mov    0x20(%rsp),%rbp
   0xffffffffc08ed121:  mov    0x40(%rsp),%r9
   0xffffffffc08ed126:  mov    0x48(%rsp),%r8
   0xffffffffc08ed12b:  mov    0x70(%rsp),%rdi
   0xffffffffc08ed130:  mov    0x68(%rsp),%rsi
   0xffffffffc08ed135:  mov    0x60(%rsp),%rdx
   0xffffffffc08ed13a:  mov    0x58(%rsp),%rcx
   0xffffffffc08ed13f:  mov    0x50(%rsp),%rax
   0xffffffffc08ed144:  add    $0xa8,%rsp
   0xffffffffc08ed14b:  popf   
   0xffffffffc08ed14c:  jmp    0xffffffffc18670fc 

See the last operation at the end of trampoline, actually it should be jmp to


But when I get the address, it is:

crash> p __x86_return_thunk
__x86_return_thunk = $6 = 
 {<text variable, no debug info>} 0xffffffff828023c0 <__x86_return_thunk>

So, ftrace trampoline is to wrong address at the end, I meet some panic whenever i use kprobe with KPROBE_FTRACE.

Is there similar issued reported?

This post has been answered by Alexandre Chartre-Oracle on Nov 17 2022
Jump to Answer
Post Details
Added on Nov 10 2022