Serious eBPF driver regression starting with 0.16.x libs #1890
Comments
|
Initially posted eBPF compiler issues for the VM test suite, however it was caused by commit 209243e I can now run the test suite against the past releases for comparison and post here later. |
|
Ran the VM test suites against past 2 release branches. I observed few consistent verifier issues we might be able to address for the following tail calls:
release/0.16.x Driver (clang -> bpf, gcc -> kmod) kernel compatibility matrix [compiled]
Driver (clang -> bpf, gcc -> kmod) kernel compatibility matrix [compiled + success]
libscap: bpf_load_program() event=raw_tracepoint/filler/sys_recvfrom_x: Operation not permitted (1) release/0.17.x clang-12 nothing ran anymore, manually added the red crosses below Driver (clang -> bpf, gcc -> kmod) kernel compatibility matrix [compiled]
Driver (clang -> bpf, gcc -> kmod) kernel compatibility matrix [compiled + success]
libscap: bpf_load_program() event=raw_tracepoint/filler/sys_readv_preadv_x: Operation not permitted (1) [STATUS] FAILED /libs/test/vm/build/driver/clang-12/5.14.15-1.el7.elrepo.x86_64 libscap: bpf_load_program() event=raw_tracepoint/filler/sys_readv_preadv_x: Operation not permitted (1) [STATUS] FAILED /libs/test/vm/build/driver/clang-12/5.19.17-051917-generic libscap: bpf_load_program() event=raw_tracepoint/filler/sys_readv_preadv_x: Operation not permitted (1) |
|
Re the scap errors I observed, I have to look more into it next week when I will more consistently go through test conditions. I had never encountered these type of scap errors related to the driver loading before. |
|
@leogr yes I was on branch release/0.17.x, see #1890 (comment) |
|
@FedeDP here is the output for your PR. I just ran it for clang, primary issues seem fixed now, especially for clang-12. I know you are still working on the 4.14 kernels improvements. [Note that the output matrix auto-adjusts and for the 6.x kernels I need to add new / better builder containers as they just don't compile right now, so ignore that -> only focus on blue dot turning green or not] Driver (clang -> bpf, gcc -> kmod) kernel compatibility matrix [compiled]
Driver (clang -> bpf, gcc -> kmod) kernel compatibility matrix [compiled + success]
|
|
@FedeDP I tried updating the builder containers to check on the 6.5.0-060500 ubuntu test kernels, but I still get legitimate compile erros, not the fault of the builder container. Edit: Exact same issues when compiling the eBPF probe for 6.5.8-1.el7.elrepo.x86_64 ... Btw my IDE also highlights issues with that line ( |
|
Updated the test/vm setup #1897, right now on master, also given #1890 (comment) updates oddly changed a bit the matrix wrt what compiled, and the issue outlined here #1890 (comment) is now even more prevalent across multiple clang versions etc. |
We have a bpf configure module for this: https://github.com/falcosecurity/libs/tree/master/driver/bpf/configure/RSS_STAT_ARRAY |
|
I saw in test/vm/scripts/compile_drivers.sh that you are indeed configuring libs sources with cmake; that should work fine then!
EDIT: i was wrong, it works fine from |
When I last forked off usptream (libs 0.15.x) the eBPF driver (legacy and modern_ebpf) continued to work wonderfully as they did did for almost 1.5 years.
However, now there seem to be serious issues and regressions for older kernels, but I have also observed issues with modern_ebpf depending on the compiler version used.
I tried clang 12, 14, 16, 18 with some updated builder containers. While the eBPF probes compiled I have either observed eBPF verifier issues (one time for sys_poll, another time for sys_preadv). I also observed scap errors during initialization or map type not allowed errors ... in summary, it does not appear to be very clear what the issue is, especially because there were a lot of changes.
The text was updated successfully, but these errors were encountered: