[CWS] Do not use fentry if tasks_rcu_exit_srcu kernel symbol is fou…

…nd (#33866)
DataDog · Feb 10, 2025 · 8b14106 · 8b14106
1 parent 1192d9f
commit 8b14106
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/pkg/ebpf/kernel_bugs.go b/pkg/ebpf/kernel_bugs.go
@@ -0,0 +1,21 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package ebpf
+
+// HasTasksRCUExitLockSymbol returns true if the tasks_rcu_exit_srcu symbol is found in the kernel symbols.
+// The tasks_rcu_exit_srcu lock might cause a deadlock when removing fentry trampolines.
+// This was fixed by https://github.com/torvalds/linux/commit/1612160b91272f5b1596f499584d6064bf5be794
+func HasTasksRCUExitLockSymbol() (bool, error) {
+	const tasksRCUExitLockSymbol = "tasks_rcu_exit_srcu"
+	missingSymbols, err := VerifyKernelFuncs(tasksRCUExitLockSymbol)
+	if err != nil {
+		return false, err
+	}
+
+	// VerifyKernelFuncs returns the missing symbols
+	_, isMissing := missingSymbols[tasksRCUExitLockSymbol]
+	return !isMissing, nil
+}
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -244,6 +244,19 @@ func (p *EBPFProbe) selectFentryMode() {
 		return
 	}
 
+	hasPotentialFentryDeadlock, err := ddebpf.HasTasksRCUExitLockSymbol()
+	if err != nil {
+		p.useFentry = false
+		seclog.Warnf("fentry enabled but failed to verify kernel symbols, falling back to kprobe mode")
+		return
+	}
+
+	if hasPotentialFentryDeadlock {
+		p.useFentry = false
+		seclog.Warnf("fentry enabled but lock responsible for deadlock was found in kernel symbols, falling back to kprobe mode")
+		return
+	}
+
 	p.useFentry = true
 }