falco: eBPF module fails to load on Fedora 32

Describe the bug

falco fails to start when configured to use the BPF module with a verifier exception.

How to reproduce it

# FALCO_BPF_PROBE="" falco -v
...
jump out of range from insn 8 to 584
processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
jump out of range from insn 8 to 584
processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
Thu Jun  4 17:09:56 2020: Runtime error: bpf_load_program() err=22 event=filler/sys_single message=jump out of range from insn 8 to 584
processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
. Exiting.

Expected behaviour

Successful start of falco with eBPF functionality.

Environment

  • Falco version:
Falco version: 0.23.0
Driver version: 96bd9bc560f67742738eb7255aeb4d03046b8045
  • System info:
{
  "machine": "x86_64",
  "nodename": "falco.example.com",
  "release": "5.6.15-300.fc32.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Fri May 29 14:23:59 UTC 2020"
}
  • Cloud provider or hardware configuration: KVM VM
  • OS:
NAME=Fedora
VERSION="32 (Cloud Edition)"
ID=fedora
VERSION_ID=32
VERSION_CODENAME=""
PLATFORM_ID="platform:f32"
PRETTY_NAME="Fedora 32 (Cloud Edition)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:32"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f32/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=32
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=32
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Cloud Edition"
VARIANT_ID=cloud
  • Kernel: Linux falco.example.com 5.6.15-300.fc32.x86_64 #1 SMP Fri May 29 14:23:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • Installation method: RPM

Additional context

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 20 (12 by maintainers)

Most upvoted comments

Good job 😍

Thanks for taking the time to report back that it worked on 5.9 with clang 9. I didn’t try yet on 5.9 but I’ll report back some matrix of what works vs what does not when I find some time to follow on this.

Do you mind sending over the output of:

llvm-objdump -S /root/.falco/falco-bpf.o

Since the code for the eBPF probe still lives in the sysdig repo, I put together some collections there: https://github.com/draios/sysdig/issues/1658 - It’d be very useful to have the output of what you got too!