ARM64: eBPF crashes when Tracee starts with flags pprof and pyroscope

[rscampos]

Description

If both flags are used to start Tracee, eBPF will crash:

sudo ./dist/tracee --pprof --pyroscope

eBPF Crash Snippet:

1697: (07) r1 += -136
; return BPF_CORE_READ(dentry, d_parent);
1698: (b7) r2 = 8
1699: (85) call bpf_probe_read_kernel#113
last_idx 1699 first_idx 1692
regs=4 stack=0 before 1698: (b7) r2 = 8
; if (dentry == mnt_root || dentry == d_parent) {
1700: (79) r3 = *(u64 *)(r10 -88)
processed 1960 insns (limit 1000000) max_states_per_insn 1 total_states 135 peak_states 135 mark_read 107
-- END PROG LOAD LOG --
{"level":"warn","ts":1737988051.9114196,"msg":"libbpf: prog 'sys_enter_submit': failed to load: -11"}
{"level":"warn","ts":1737988051.9122999,"msg":"libbpf: failed to load object ''"}
{"level":"fatal","ts":1737988051.9231942,"msg":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: failed to load BPF object: resource temporarily unavailable"}

Note: If Tracee is started with --pprof or --pyroscope separately, no crash occurs. The crash only happens when both flags are used together.

Output of tracee version:

Tracee version: main-a6ea82edf

Output of uname -a:

Linux ip-172-31-41-137 5.15.0-67-generic #74-Ubuntu SMP Wed Feb 22 14:14:39 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

Additional details

Works in kernel 6.8 and 6.12 (arm64)

[ShohamBit]

hey @rscampos this issue only happens on the aarch64 architecture system, do you know how I can recreate this on my local machine?

[geyslan]

@ShohamBit you can try changing Vagrantfile to use an image like https://portal.cloud.hashicorp.com/vagrant/discover/perk/ubuntu-20.04-arm64. You need to set it to use qemu as provider instead of vbox.

[rscampos]

Thanks @geyslan ... I think this should be the fast way to setup a env.