When eBPF pt_regs reads return garbage on the latest Linux kernels, blame Fred

Published on: 2025-07-08 18:37:26

TL;DR: Starting from Linux kernel version 6.9 on x86_64, there's a new config option CONFIG_X86_FRED enabled and it adds 16 bytes to the starting point of a task's kernel stack area, so you'll need to account for this extra padding in your "raw" kernel stack & pt_regs lookup code.

Introduction

I've been using Ubuntu 24.04 as my main eBPF development and testing platform without issues since its release. It is shipped with Linux kernel version 6.8.0, but Canonical recently released an optional newer kernel (HWE) version 6.11 for it too. So, naturally I upgraded to the latest version (linux-image-generic-hwe-24.04 -> 6.11.0) and moved on.

Then, suddenly my 0x.tools xcapture-next (v3) eBPF prototype started returning garbage values for the current system call and argument samples of its monitored OS threads. No problem when booting up with the old 6.8.0 kernel.

The xcapture-next (v3) tool passively samples other threads' activity & state by reading their task_struct kernel memory as a ...
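The effect of the 16-byte padding from the TL;DR can be reproduced in user space. The following is an added example, not code from the article or from 0x.tools: the names regs_sim, regs_offset and read_syscall_nr are hypothetical, the 16 KiB THREAD_SIZE is an assumption, the struct follows the x86_64 pt_regs field order, and the register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define THREAD_SIZE  (16 * 1024) /* assumption: 16 KiB kernel stack */
#define FRED_PADDING 16          /* the 16 bytes described in the text */

/* Saved-register area: 21 eight-byte slots in x86_64 pt_regs order. */
struct regs_sim {
    uint64_t r15, r14, r13, r12, bp, bx, r11, r10, r9, r8;
    uint64_t ax, cx, dx, si, di, orig_ax, ip, cs, flags, sp, ss;
};

/* Offset of the saved registers from the stack base: they end at the
 * top of the stack minus whatever padding the kernel reserves there. */
static size_t regs_offset(size_t top_padding)
{
    return THREAD_SIZE - top_padding - sizeof(struct regs_sim);
}

/* Lay out a constructed stack as a CONFIG_X86_FRED kernel would, then
 * read the syscall number using the padding the reader assumes. */
uint64_t read_syscall_nr(size_t assumed_padding)
{
    struct regs_sim saved = { .orig_ax = 232, .di = 5, .cs = 0x33, .ss = 0x2b };
    struct regs_sim seen;
    uint8_t *stack = calloc(1, THREAD_SIZE);

    if (!stack)
        abort();
    memcpy(stack + regs_offset(FRED_PADDING), &saved, sizeof(saved));
    memcpy(&seen, stack + regs_offset(assumed_padding), sizeof(seen));
    free(stack);
    return seen.orig_ax;
}

int main(void)
{
    /* Correct padding returns the stored syscall number. */
    printf("padding 16: orig_ax = %llu\n",
           (unsigned long long)read_syscall_nr(FRED_PADDING));
    /* Pre-6.9 assumption reads two slots too high: the cs slot. */
    printf("padding  0: orig_ax = %llu\n",
           (unsigned long long)read_syscall_nr(0));
    return 0;
}
```

A reader that still assumes zero padding lands two 8-byte slots too high, so every field it samples is actually a different register's value.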