Kprobe was created but didn't return any trace data
by pjhades from LinuxQuestions.org on (#5DN6H)
I'm learning kprobes on CentOS 7 (Linux 4.16.6):
Code:root@host # uname -r
4.16.6-1.el7.elrepo.x86_64Following the document, I added a kprobe to trace sys_clone calls:
Code:root@host # grep sys_clone /proc/kallsyms
ffffffff81084c70 T sys_clone
root@host # echo 'p:testprobe sys_clone' >/sys/kernel/tracing/kprobe_events
root@host # cat /sys/kernel/tracing/kprobe_events
p:kprobes/testprobe sys_clone
root@host # cat /sys/kernel/tracing/events/kprobes/testprobe/id
1874Now after enabling it and then triggering it by running whatever commands in another terminal, trace_pipe did not contain any data:
Code:root@host # echo 1 > /sys/kernel/tracing/events/kprobes/testprobe/enable
root@host # cat /sys/kernel/tracing/tracing_on
1
root@host # cat /sys/kernel/tracing/events/kprobes/testprobe/enable
1
root@host # cat /sys/kernel/tracing/events/kprobes/enable
1
root@host # cat /sys/kernel/tracing/trace_pipe
^C <-- it blocks hereThe kernel configuration looked fine:
Code:root@host # grep KPROBE /boot/config-4.16.6-1.el7.elrepo.x86_64
CONFIG_KPROBES=y
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
CONFIG_KPROBE_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not setI noticed that the installed kprobe above had a different address in /sys/kernel/debug/kprobes/list:
Code:# cat /sys/kernel/debug/kprobes/list
00000000da58e98c k SyS_clone+0x0 [DISABLED][FTRACE]Here the address 00000000da58e98c differs from ffffffff81084c70 shown by /proc/kallsyms
My questions:
1) What could be the possible cause of kprobes not working?
2) Why do /sys/kernel/debug/kprobes/list and /proc/kallsyms report different addresses?
Code:root@host # uname -r
4.16.6-1.el7.elrepo.x86_64Following the document, I added a kprobe to trace sys_clone calls:
Code:root@host # grep sys_clone /proc/kallsyms
ffffffff81084c70 T sys_clone
root@host # echo 'p:testprobe sys_clone' >/sys/kernel/tracing/kprobe_events
root@host # cat /sys/kernel/tracing/kprobe_events
p:kprobes/testprobe sys_clone
root@host # cat /sys/kernel/tracing/events/kprobes/testprobe/id
1874Now after enabling it and then triggering it by running whatever commands in another terminal, trace_pipe did not contain any data:
Code:root@host # echo 1 > /sys/kernel/tracing/events/kprobes/testprobe/enable
root@host # cat /sys/kernel/tracing/tracing_on
1
root@host # cat /sys/kernel/tracing/events/kprobes/testprobe/enable
1
root@host # cat /sys/kernel/tracing/events/kprobes/enable
1
root@host # cat /sys/kernel/tracing/trace_pipe
^C <-- it blocks hereThe kernel configuration looked fine:
Code:root@host # grep KPROBE /boot/config-4.16.6-1.el7.elrepo.x86_64
CONFIG_KPROBES=y
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
CONFIG_KPROBE_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not setI noticed that the installed kprobe above had a different address in /sys/kernel/debug/kprobes/list:
Code:# cat /sys/kernel/debug/kprobes/list
00000000da58e98c k SyS_clone+0x0 [DISABLED][FTRACE]Here the address 00000000da58e98c differs from ffffffff81084c70 shown by /proc/kallsyms
My questions:
1) What could be the possible cause of kprobes not working?
2) Why do /sys/kernel/debug/kprobes/list and /proc/kallsyms report different addresses?