Why do I get -38 error, while trying to insmod a kernel module probing do_fork?


I am trying to insmod a jprobe module on a rooted Android phone:

 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/kprobes.h>

 /*
  * Jumper probe for do_fork.
  * Mirror principle enables access to arguments of the probed routine
  * from the probe handler.
  */

 /*
  * Proxy routine having the same arguments as the actual do_fork() routine.
  * The argument list must match the probed kernel's do_fork() prototype
  * exactly (later kernels dropped the regs parameter): the jprobe jumps
  * here with do_fork()'s registers and stack still in place.
  */
 static long jdo_fork(unsigned long clone_flags, unsigned long stack_start,
               struct pt_regs *regs, unsigned long stack_size,
               int __user *parent_tidptr, int __user *child_tidptr)
 {
         printk(KERN_INFO "jprobe: clone_flags = 0x%lx, stack_size = 0x%lx,"
                         " regs = 0x%p\n",
                clone_flags, stack_size, regs);

         /* Always end with a call to jprobe_return(). */
         jprobe_return();
         return 0;
 }

 static struct jprobe my_jprobe = {
         .entry                  = jdo_fork,
         .kp = {
                 .symbol_name    = "do_fork",   /* resolved through kallsyms at register time */
         },
 };

 static int __init jprobe_init(void)
 {
         int ret;

         ret = register_jprobe(&my_jprobe);
         if (ret < 0) {
                 printk(KERN_INFO "register_jprobe failed, returned %d\n", ret);
                 /*
                  * Pass the real error back: returning -1 (-EPERM) makes insmod
                  * report "operation not permitted" and hides the -ENOSYS.
                  */
                 return ret;
         }
         printk(KERN_INFO "Planted jprobe at %p, handler addr %p\n",
                my_jprobe.kp.addr, my_jprobe.entry);
         return 0;
 }

 static void __exit jprobe_exit(void)
 {
         unregister_jprobe(&my_jprobe);
         printk(KERN_INFO "jprobe at %p unregistered\n", my_jprobe.kp.addr);
 }

 module_init(jprobe_init)
 module_exit(jprobe_exit)
 MODULE_LICENSE("GPL");

but it fails:

  root@android:# insmod my_jprobe.ko
  [3223.32]register_jprobe failed, returned -38

I get a -38 error and couldn't understand what it is; the only return value on failure I saw is -22. Is it possible to insmod a jprobe module on an ARM-based chip?

do_fork is in the System.map and is in the object table.

What flags do I need to turn on in the config file to support jprobes?

If you don't have register_jprobe or register_kprobe in your System.map, that means that CONFIG_KPROBES is not enabled in your current kernel config.

You would need to build a kernel for your platform with it enabled and then try your module.


CONFIG_OPTPROBES=y
CONFIG_PREEMPT=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULES=y
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_DEBUG_INFO=y

And one more config flag I needed specific to my platform:

CONFIG_MODULE_FORCE_LOAD=y

http://www.kernel.org/doc/Documentation/kprobes.txt


I was facing the same issue with Linux 4.17.0.

I found that jprobes have been abolished after 4.15: https://lwn.net/Articles/735667/
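An added check, not code from the question or from any of the answers above. Two facts tie the answers together: when CONFIG_KPROBES is not set, linux/kprobes.h still compiles because it provides inline stubs of register_kprobe() and register_jprobe() that return -ENOSYS (38), which is exactly the -38 reported here and why the module built, linked and got far enough to print it; and the config list above does not include CONFIG_KPROBES=y itself. The script below reads a System.map or /proc/kallsyms listing plus a plain-text kernel config and reports, before you insmod anything, whether register_kprobe or register_jprobe exists on the target. The file paths, the --live convenience flag and the sample tables in the comments are assumptions made for this example, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the question or any answer above.
# Checks, before insmod, whether a target kernel can host the probe a module
# registers. Inputs are a kallsyms-style symbol list (System.map or
# /proc/kallsyms) and a plain-text kernel config (.config, or the output of
# "zcat /proc/config.gz"); both paths are assumptions you adjust for the target.

# has_symbol <symbol-list> <symbol>
# System.map and /proc/kallsyms lines look like "ffffffff81042e90 T do_fork".
# Under kptr_restrict the address column may be all zeros; the name survives.
has_symbol() {
    grep -qE "^[0-9a-f]+ [TtWw] $2\$" "$1"
}

# config_set <plain-text-config> <CONFIG_OPTION>
config_set() {
    grep -qxE "$2=[ym]" "$1"
}

# explain_register_errno <negative errno returned by register_*probe()>
# -38 is ENOSYS: with CONFIG_KPROBES unset, linux/kprobes.h provides inline
# stubs of register_kprobe()/register_jprobe() that return -ENOSYS, so the
# module compiles and links but every registration fails this way.
explain_register_errno() {
    case $1 in
        -38) echo "ENOSYS: CONFIG_KPROBES is not set; register_*probe() is the header stub" ;;
        -22) echo "EINVAL: address rejected (symbol not found, not kernel text, or on the kprobe blacklist)" ;;
        *)   echo "errno $1: check the failing test in kernel/kprobes.c" ;;
    esac
}

# probe_support <symbol-list> <config> <kprobe|jprobe|kretprobe>
# Returns 0 if register_<kind> is available, 1 otherwise, printing the cause.
probe_support() {
    syms=$1 cfg=$2 kind=$3
    if ! config_set "$cfg" CONFIG_KPROBES; then
        echo "CONFIG_KPROBES is not set: rebuild the kernel with Kprobes enabled"
        return 1
    fi
    if ! has_symbol "$syms" "register_$kind"; then
        if [ "$kind" = jprobe ]; then
            echo "register_jprobe missing: jprobes were removed in Linux 4.15, use a kprobe pre_handler instead"
        else
            echo "register_$kind missing from the symbol table"
        fi
        return 1
    fi
    echo "register_$kind is present"
    return 0
}

# Stand-alone use on the target (as root): capture the live tables first.
# "--live [kind]" is a convenience flag invented for this example.
if [ "${1:-}" = "--live" ]; then
    zcat /proc/config.gz > /tmp/config 2>/dev/null || cp "/boot/config-$(uname -r)" /tmp/config
    probe_support /proc/kallsyms /tmp/config "${2:-jprobe}"
fi
```

Run it as `sh check_probes.sh --live jprobe` on the phone, or point probe_support at a saved System.map and .config from your kernel tree to get the same verdict offline. A missing register_jprobe on a kernel that does have register_kprobe means the jprobe API is gone (4.15 and later), not that Kprobes are disabled.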


Comments
  • If I'm right to assume that register_jprobe returns standard error codes, -38 means ENOSYS or "Function not implemented".
  • @tangrs, you are right, register_jprobe and register_kprobe aren't in the System.map. How can I add them?