Cannot compile sysdig/libscap bpf driver in 6.11.2-zen kernel #2110

Open
unknowndevQwQ opened this issue Oct 13, 2024 · 2 comments
Labels
kind/bug Something isn't working
@unknowndevQwQ

Describe the bug

When trying to use sysdig --bpf ... I was unable to download the prebuilt bpf probe, and compiling the bpf probe resulted in the error.

How to reproduce it

run sysdig --bpf ...

Expected behaviour

Capturing events with sysdig.

Screenshots

* Running scap-driver-loader for: driver version=0.17.2, arch=x86_64, kernel release=6.11.2-zen1-1-zen, kernel version=1
* Running scap-driver-loader with: driver=bpf, compile=yes, download=yes
* Filename 'scap_arch_6.11.2-zen1-1-zen_1.o' is composed of:
 - driver name: scap
 - target identifier: arch
 - kernel release: 6.11.2-zen1-1-zen
 - kernel version: 1
* Trying to download a prebuilt eBPF probe from https://download.sysdig.com/scap-drivers/0.17.2/x86_64/scap_arch_6.11.2-zen1-1-zen_1.o
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt scap eBPF probe
* Trying to compile the eBPF probe (scap_arch_6.11.2-zen1-1-zen_1.o)
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:12:
In file included from ./arch/x86/include/asm/current.h:10:
In file included from ./include/linux/cache.h:6:
In file included from ./arch/x86/include/asm/cache.h:5:
In file included from ./include/linux/linkage.h:8:
In file included from ./arch/x86/include/asm/linkage.h:6:
./arch/x86/include/asm/ibt.h:77:8: warning: 'nocf_check' attribute ignored; use -fcf-protection to enable the attribute [-Wignored-attributes]
   77 | extern __noendbr u64 ibt_save(bool disable);
      |        ^
./arch/x86/include/asm/ibt.h:32:34: note: expanded from macro '__noendbr'
   32 | #define __noendbr       __attribute__((nocf_check))
      |                                        ^
./arch/x86/include/asm/ibt.h:78:8: warning: 'nocf_check' attribute ignored; use -fcf-protection to enable the attribute [-Wignored-attributes]
   78 | extern __noendbr void ibt_restore(u64 save);
      |        ^
./arch/x86/include/asm/ibt.h:32:34: note: expanded from macro '__noendbr'
   32 | #define __noendbr       __attribute__((nocf_check))
      |                                        ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:12:
./arch/x86/include/asm/current.h:47:10: warning: multiple identical address spaces specified for type [-Wduplicate-decl-specifier]
   47 |                 return this_cpu_read_const(const_pcpu_hot.current_task);
      |                        ^
./arch/x86/include/asm/percpu.h:577:36: note: expanded from macro 'this_cpu_read_const'
  577 | #define this_cpu_read_const(pcp)                        __raw_cpu_read_const(pcp)
      |                                                         ^
./arch/x86/include/asm/percpu.h:163:35: note: expanded from macro '__raw_cpu_read_const'
  163 | #define __raw_cpu_read_const(pcp)       __raw_cpu_read(, , pcp)
      |                                         ^
./arch/x86/include/asm/percpu.h:155:30: note: expanded from macro '__raw_cpu_read'
  155 |         *(qual __my_cpu_type(pcp) *)__my_cpu_ptr(&(pcp));               \
      |                                     ^
note: (skipping 1 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
./arch/x86/include/asm/percpu.h:94:40: note: expanded from macro '__my_cpu_type'
   94 | #define __my_cpu_type(var)      typeof(var) __percpu_seg_override
      |                                             ^
./arch/x86/include/asm/percpu.h:45:32: note: expanded from macro '__percpu_seg_override'
   45 | # define __percpu_seg_override  __seg_gs
      |                                 ^
<built-in>:358:33: note: expanded from macro '__seg_gs'
  358 | #define __seg_gs __attribute__((address_space(256)))
      |                                 ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:12:
./arch/x86/include/asm/current.h:47:10: warning: multiple identical address spaces specified for type [-Wduplicate-decl-specifier]
./arch/x86/include/asm/percpu.h:577:36: note: expanded from macro 'this_cpu_read_const'
  577 | #define this_cpu_read_const(pcp)                        __raw_cpu_read_const(pcp)
      |                                                         ^
./arch/x86/include/asm/percpu.h:163:35: note: expanded from macro '__raw_cpu_read_const'
  163 | #define __raw_cpu_read_const(pcp)       __raw_cpu_read(, , pcp)
      |                                         ^
./arch/x86/include/asm/percpu.h:155:9: note: expanded from macro '__raw_cpu_read'
  155 |         *(qual __my_cpu_type(pcp) *)__my_cpu_ptr(&(pcp));               \
      |                ^
./arch/x86/include/asm/percpu.h:94:40: note: expanded from macro '__my_cpu_type'
   94 | #define __my_cpu_type(var)      typeof(var) __percpu_seg_override
      |                                             ^
./arch/x86/include/asm/percpu.h:45:32: note: expanded from macro '__percpu_seg_override'
   45 | # define __percpu_seg_override  __seg_gs
      |                                 ^
<built-in>:358:33: note: expanded from macro '__seg_gs'
  358 | #define __seg_gs __attribute__((address_space(256)))
      |                                 ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:13:
./arch/x86/include/asm/processor.h:543:10: warning: multiple identical address spaces specified for type [-Wduplicate-decl-specifier]
  543 |                 return this_cpu_read_const(const_pcpu_hot.top_of_stack);
      |                        ^
./arch/x86/include/asm/percpu.h:577:36: note: expanded from macro 'this_cpu_read_const'
  577 | #define this_cpu_read_const(pcp)                        __raw_cpu_read_const(pcp)
      |                                                         ^
./arch/x86/include/asm/percpu.h:163:35: note: expanded from macro '__raw_cpu_read_const'
  163 | #define __raw_cpu_read_const(pcp)       __raw_cpu_read(, , pcp)
      |                                         ^
./arch/x86/include/asm/percpu.h:155:30: note: expanded from macro '__raw_cpu_read'
  155 |         *(qual __my_cpu_type(pcp) *)__my_cpu_ptr(&(pcp));               \
      |                                     ^
note: (skipping 1 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
./arch/x86/include/asm/percpu.h:94:40: note: expanded from macro '__my_cpu_type'
   94 | #define __my_cpu_type(var)      typeof(var) __percpu_seg_override
      |                                             ^
./arch/x86/include/asm/percpu.h:45:32: note: expanded from macro '__percpu_seg_override'
   45 | # define __percpu_seg_override  __seg_gs
      |                                 ^
<built-in>:358:33: note: expanded from macro '__seg_gs'
  358 | #define __seg_gs __attribute__((address_space(256)))
      |                                 ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:13:
./arch/x86/include/asm/processor.h:543:10: warning: multiple identical address spaces specified for type [-Wduplicate-decl-specifier]
./arch/x86/include/asm/percpu.h:577:36: note: expanded from macro 'this_cpu_read_const'
  577 | #define this_cpu_read_const(pcp)                        __raw_cpu_read_const(pcp)
      |                                                         ^
./arch/x86/include/asm/percpu.h:163:35: note: expanded from macro '__raw_cpu_read_const'
  163 | #define __raw_cpu_read_const(pcp)       __raw_cpu_read(, , pcp)
      |                                         ^
./arch/x86/include/asm/percpu.h:155:9: note: expanded from macro '__raw_cpu_read'
  155 |         *(qual __my_cpu_type(pcp) *)__my_cpu_ptr(&(pcp));               \
      |                ^
./arch/x86/include/asm/percpu.h:94:40: note: expanded from macro '__my_cpu_type'
   94 | #define __my_cpu_type(var)      typeof(var) __percpu_seg_override
      |                                             ^
./arch/x86/include/asm/percpu.h:45:32: note: expanded from macro '__percpu_seg_override'
   45 | # define __percpu_seg_override  __seg_gs
      |                                 ^
<built-in>:358:33: note: expanded from macro '__seg_gs'
  358 | #define __seg_gs __attribute__((address_space(256)))
      |                                 ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:27:
/usr/src/scap-0.17.2/bpf/fillers.h:766:9: warning: cast to 'void *' from smaller integer type 'compat_uptr_t' (aka 'unsigned int') [-Wint-to-void-pointer-cast]
  766 |                                                                 (void*)compat_iov[j].iov_base))
      |                                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/src/scap-0.17.2/bpf/fillers.h:2525:48: warning: passing 'volatile long *' to parameter of type 'long *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
 2525 |                 res = bpf_accumulate_argv_or_env(data, argv, &args_len);
      |                                                              ^~~~~~~~~
/usr/src/scap-0.17.2/bpf/fillers.h:2063:19: note: passing argument to parameter 'args_len' here
 2063 |                                                       long *args_len)
      |                                                             ^
/usr/src/scap-0.17.2/bpf/fillers.h:3032:22: error: no member named '__i_ctime' in 'struct inode'
 3032 |         time = _READ(inode->__i_ctime);
      |                      ~~~~~  ^
/usr/src/scap-0.17.2/bpf/plumbing_helpers.h:21:28: note: expanded from macro '_READ'
   21 | #define _READ(P) ({ typeof(P) _val;                                     \
      |                            ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:27:
/usr/src/scap-0.17.2/bpf/fillers.h:3032:22: error: no member named '__i_ctime' in 'struct inode'
 3032 |         time = _READ(inode->__i_ctime);
      |                      ~~~~~  ^
/usr/src/scap-0.17.2/bpf/plumbing_helpers.h:22:51: note: expanded from macro '_READ'
   22 |                     bpf_probe_read_kernel(&_val, sizeof(_val), &P);     \
      |                                                                 ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:27:
/usr/src/scap-0.17.2/bpf/fillers.h:3041:22: error: no member named '__i_mtime' in 'struct inode'
 3041 |         time = _READ(inode->__i_mtime);
      |                      ~~~~~  ^
/usr/src/scap-0.17.2/bpf/plumbing_helpers.h:21:28: note: expanded from macro '_READ'
   21 | #define _READ(P) ({ typeof(P) _val;                                     \
      |                            ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:27:
/usr/src/scap-0.17.2/bpf/fillers.h:3041:22: error: no member named '__i_mtime' in 'struct inode'
 3041 |         time = _READ(inode->__i_mtime);
      |                      ~~~~~  ^
/usr/src/scap-0.17.2/bpf/plumbing_helpers.h:22:51: note: expanded from macro '_READ'
   22 |                     bpf_probe_read_kernel(&_val, sizeof(_val), &P);     \
      |                                                                 ^
8 warnings and 4 errors generated.
make[3]: *** [/usr/src/scap-0.17.2/bpf/Makefile:74: /usr/src/scap-0.17.2/bpf/probe.o] Error 1
make[2]: *** [/usr/lib/modules/6.11.2-zen1-1-zen/build/Makefile:1924: /usr/src/scap-0.17.2/bpf] Error 2
make[1]: *** [Makefile:224: __sub-make] Error 2
make: *** [Makefile:23: all] Error 2
mv: cannot stat '/usr/src/scap-0.17.2/bpf/probe.o': No such file or directory
Unable to load the scap eBPF probe
Unable to load the BPF probe
BPF probe is compiled for 6.10.10-zen1-1-zen, but running version is 6.11.2-zen1-1-zen

Environment

  • Falco version: not installed falco, from sysdig: sysdig version 0.38.1
  • System info: not installed falco, none
  • Cloud provider or hardware configuration: VirtualBox 7.1.0
  • OS: Arch
  • Kernel: Linux arch 6.11.2-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Fri, 04 Oct 2024 21:51:07 +0000 x86_64 GNU/Linux
  • Installation method: pacman

Additional context

In Arch, the patch from #1884 fixes the problem that kmod cannot be compiled in 6.10+ kernel, but does not solve the problem that bpf cannot be used.
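
An added example, not part of the original issue or of the project's code: a small Python triage for a build log like the one above. It collapses repeated clang diagnostics (each error above is reported twice, once per use of the argument inside the `_READ` macro), extracts `no member named ... in 'struct ...'` errors, which show that the driver source and the installed kernel headers disagree on a struct definition, and reads the compiled-for/running kernel mismatch line. The function name `triage` and the abridged sample log are constructed for illustration.

```python
import re

# Constructed, abridged sample in the shape of the build log quoted in the issue.
SAMPLE_LOG = """\
./arch/x86/include/asm/ibt.h:77:8: warning: 'nocf_check' attribute ignored [-Wignored-attributes]
/usr/src/scap-0.17.2/bpf/fillers.h:3032:22: error: no member named '__i_ctime' in 'struct inode'
/usr/src/scap-0.17.2/bpf/plumbing_helpers.h:21:28: note: expanded from macro '_READ'
/usr/src/scap-0.17.2/bpf/fillers.h:3032:22: error: no member named '__i_ctime' in 'struct inode'
/usr/src/scap-0.17.2/bpf/fillers.h:3041:22: error: no member named '__i_mtime' in 'struct inode'
/usr/src/scap-0.17.2/bpf/fillers.h:3041:22: error: no member named '__i_mtime' in 'struct inode'
8 warnings and 4 errors generated.
BPF probe is compiled for 6.10.10-zen1-1-zen, but running version is 6.11.2-zen1-1-zen
"""

# clang diagnostic: <file>:<line>:<col>: <severity>: <message>
DIAG = re.compile(r"^(?P<file>[^\s:]+):(?P<line>\d+):\d+: (?P<sev>warning|error): (?P<msg>.*)$")
# A struct field the driver expects but the kernel headers do not define.
MISSING = re.compile(r"no member named '(?P<member>[^']+)' in '(?P<type>[^']+)'")
# Loader message when a stale probe object was built for another kernel.
MISMATCH = re.compile(r"^BPF probe is compiled for (?P<built>[^\s,]+), "
                      r"but running version is (?P<running>\S+)$")

def triage(log_text):
    """Return unique errors/warnings, struct-member drift and kernel mismatch."""
    seen, errors, warnings, drift, mismatch = set(), [], [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        d = DIAG.match(line)
        if d:
            key = (d["sev"], d["file"], int(d["line"]), d["msg"])
            if key in seen:          # same diagnostic repeated per macro expansion
                continue
            seen.add(key)
            (errors if d["sev"] == "error" else warnings).append(key[1:])
            miss = MISSING.search(d["msg"])
            if d["sev"] == "error" and miss:
                drift.append((miss["type"], miss["member"], d["file"], int(d["line"])))
            continue
        v = MISMATCH.match(line)
        if v:
            mismatch = (v["built"], v["running"])
    return {"errors": errors, "warnings": warnings, "drift": drift, "mismatch": mismatch}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for type_name, member, path, lineno in report["drift"]:
        print(f"{path}:{lineno}: driver expects {type_name}.{member}, headers lack it")
    if report["mismatch"]:
        print("stale probe: built for %s, running %s" % report["mismatch"])
```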

@unknowndevQwQ unknowndevQwQ added the kind/bug Something isn't working label Oct 13, 2024
@FedeDP
Contributor

FedeDP commented Oct 18, 2024

Hi! Thanks for opening this issue!
Driver 7.3.0+driver fixed build against linux 6.11 on x86_64; unfortunately, a small typo prevented the same fix from being applied to arm64 too (and that will be fixed by the next driver release).
That's not your case because you are on x86_64 though. You need to use version 0.39.0, which includes the latest driver release: https://github.com/draios/sysdig/releases/tag/0.39.0

@FedeDP
Contributor

FedeDP commented Oct 18, 2024

/milestone 0.19.0

@poiana poiana added this to the 0.19.0 milestone Oct 18, 2024