Kretprobes (kprobes that fire on function return) have one parameter called maxactive:
maxactive - The maximum number of instances of the probed function that can be active concurrently. For example, if the function is non-recursive and is called with a spinlock or mutex held, maxactive = 1 should be enough. If the function is non-recursive and can never relinquish the CPU (e.g., via a semaphore or preemption), NR_CPUS should be enough. maxactive is used to determine how many kretprobe_instance objects to allocate for this particular probed function. If maxactive <= 0, it is set to a default value (if CONFIG_PREEMPT maxactive=max(10, 2 * NR_CPUS) else maxactive=NR_CPUS).
Originally this parameter was only available to kprobes set by the kernel. Starting in Linux v4.12+, it is exposed in the kprobe_events file (commit).
The socket dataset is not aware of this parameter, so it's using the default value for it. As a side effect of this value being exposed in kprobe_events, Auditbeat is unable to uninstall its own kretprobes, because it's expecting the entries to start with r: while they are rNN: where NN is the maxactive value.
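To show the three entry forms a kprobe_events reader has to accept, here is an added Go example (not Auditbeat's own code): it parses p:, r: and the v4.12+ rNN: entries, records the maxactive value, and builds the -:GRP/EVT removal lines for a group whichever prefix the kernel printed. The sample file contents, the auditbeat group name, the probe names and the maxactive of 20 are constructed assumptions.

```go
package main
import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample of kprobe_events on a v4.12+ kernel. The "auditbeat" group,
// the probe names and the maxactive of 20 are assumptions, not real Auditbeat output.
const sampleEvents = "p:auditbeat/inet_bind inet_bind\nr:auditbeat/ret_inet_bind inet_bind $retval\nr20:auditbeat/ret_tcp_v4_connect tcp_v4_connect $retval\n"

type KProbe struct {
	Return    bool   // true for a kretprobe ("r"), false for a kprobe ("p")
	MaxActive int    // kretprobe maxactive; 0 when the kernel prints no number
	Name      string // "GROUP/EVENT", the handle used to remove the probe
	Location  string // probed symbol plus fetch arguments
}

// Matches "p:GRP/EVT ...", "r:GRP/EVT ..." and the v4.12+ "rNN:GRP/EVT ..." form, where NN is maxactive.
var probeLine = regexp.MustCompile(`^([pr])(\d*):(\S+)\s+(.*)$`)

// ParseKProbeEvents parses the contents of kprobe_events into one KProbe per line.
func ParseKProbeEvents(contents string) ([]KProbe, error) {
	var probes []KProbe
	for _, line := range strings.Split(contents, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue // empty file or trailing newline
		}
		m := probeLine.FindStringSubmatch(line)
		if m == nil || (m[2] != "" && m[1] != "r") { // only kretprobes carry maxactive
			return nil, fmt.Errorf("unrecognised kprobe_events line: %q", line)
		}
		p := KProbe{Return: m[1] == "r", Name: m[3], Location: m[4]}
		p.MaxActive, _ = strconv.Atoi(m[2]) // "" parses to 0; \d* digits never fail
		probes = append(probes, p)
	}
	return probes, nil
}

// RemoveCommands returns the "-:GRP/EVT" lines that uninstall every probe in the group, whatever prefix ("p:", "r:", "rNN:") the kernel listed it with.
func RemoveCommands(probes []KProbe, group string) []string {
	var cmds []string
	for _, p := range probes {
		if strings.HasPrefix(p.Name, group+"/") {
			cmds = append(cmds, "-:"+p.Name)
		}
	}
	return cmds
}
```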
We should: