Skip to content

Commit ae722d7

Browse files
roikolroikol
authored
event fix: bpf_attach map key (#2295)
change bpf_attach_map key to prog_id only, so we won't have context mismatches and loose the event
1 parent 58399f0 commit ae722d7

File tree

1 file changed

+5
-13
lines changed

1 file changed

+5
-13
lines changed

pkg/ebpf/c/tracee.bpf.c

Lines changed: 5 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -959,8 +959,8 @@ BPF_PROG_ARRAY(sys_exit_init_tail, MAX_EVENT_ID); // store prog
959959
BPF_STACK_TRACE(stack_addresses, MAX_STACK_ADDRESSES); // store stack traces
960960
BPF_HASH(module_init_map, u32, kmod_data_t, 256); // holds module information between
961961
BPF_LRU_HASH(fd_arg_path_map, fd_arg_task_t, fd_arg_path_t, 1024); // store fds paths by task
962-
BPF_LRU_HASH(bpf_attach_map, bpf_attach_key_t, bpf_attach_t, 256); // holds bpf prog info
963-
BPF_LRU_HASH(bpf_attach_tmp_map, u32, bpf_attach_t, 256); // temporarily hold bpf_attach_t
962+
BPF_LRU_HASH(bpf_attach_map, u32, bpf_attach_t, 1024); // holds bpf prog info
963+
BPF_LRU_HASH(bpf_attach_tmp_map, u32, bpf_attach_t, 1024); // temporarily hold bpf_attach_t
964964
// clang-format on
965965

966966
// EBPF PERF BUFFERS -------------------------------------------------------------------------------
@@ -4032,11 +4032,7 @@ send_bpf_attach(event_data_t *data, struct file *bpf_prog_file, struct file *per
40324032
bpf_probe_read_str(&prog_name, BPF_OBJ_NAME_LEN, READ_KERN(prog_aux->name));
40334033

40344034
// get usage of helper bpf_probe_write_user
4035-
bpf_attach_key_t key = {0};
4036-
key.host_tid = data->context.task.host_tid;
4037-
key.prog_id = prog_id;
4038-
4039-
bpf_attach_t *val = bpf_map_lookup_elem(&bpf_attach_map, &key);
4035+
bpf_attach_t *val = bpf_map_lookup_elem(&bpf_attach_map, &prog_id);
40404036
if (val == NULL)
40414037
return 0;
40424038

@@ -4052,7 +4048,7 @@ send_bpf_attach(event_data_t *data, struct file *bpf_prog_file, struct file *per
40524048
events_perf_submit(data, BPF_ATTACH, 0);
40534049

40544050
// delete from map
4055-
bpf_map_delete_elem(&bpf_attach_map, &key);
4051+
bpf_map_delete_elem(&bpf_attach_map, &prog_id);
40564052

40574053
return 0;
40584054
}
@@ -5901,11 +5897,7 @@ int BPF_KPROBE(trace_security_bpf_prog)
59015897
if (existing_val != NULL)
59025898
val.write_user = existing_val->write_user;
59035899

5904-
bpf_attach_key_t key = {0};
5905-
key.host_tid = data.context.task.host_tid;
5906-
key.prog_id = prog_id;
5907-
5908-
bpf_map_update_elem(&bpf_attach_map, &key, &val, BPF_ANY);
5900+
bpf_map_update_elem(&bpf_attach_map, &prog_id, &val, BPF_ANY);
59095901

59105902
bpf_map_delete_elem(&bpf_attach_tmp_map, &data.context.task.host_tid);
59115903

0 commit comments

Comments
 (0)