Fix missing parent issue in clone events #1708

Merged
merged 3 commits into from
Nov 9, 2023
60 changes: 33 additions & 27 deletions bpf/process/bpf_fork.c
Expand Up @@ -21,13 +21,23 @@ __attribute__((section("kprobe/wake_up_new_task"), used)) int
BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
{
struct execve_map_value *curr, *parent;
struct msg_clone_event msg;
u64 msg_size = sizeof(struct msg_clone_event);
u32 tgid = 0;

if (!task)
return 0;

tgid = BPF_CORE_READ(task, tgid);

/* Do not try to create any msg or calling execve_map_get
* (that will add a new process in the execve_map) if we
* cannot find it's parent in the execve_map.
*/
parent = __event_find_parent(task);
if (!parent)
Contributor

Would be nice to have a counter for this! I'm curious if it will ever happen, when the second patch is also applied.
That being said, since we are not sending an event if we don't find the parent, there is no point in adding an entry to the map. So this patch makes sense to me as is.

Member Author

Yes, I have in mind to add a counter for that (and other cases in exec/exit events) to check if this happens in a follow-up PR.

return 0;

curr = execve_map_get(tgid);
if (!curr)
return 0;
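
Review bot: The `if (!parent) return 0;` exit added before `execve_map_get(tgid)` is silent, so a clone whose parent is missing from the execve_map yields neither an event nor a map entry, and nothing records how often that happens. For a process-visibility sensor that is a blind spot worth measuring: increment a per-CPU counter (or an existing metrics map) just before the return so the drop rate can be read from user space. Two smaller points in the same hunk: in the new comment "it's parent" should be "its parent" and "calling" should be "call", and the `= 0` initializer on `u32 tgid` is never used because `tgid` is assigned from `BPF_CORE_READ(task, tgid)` before its first read.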
Expand All @@ -38,35 +48,31 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
if (curr->key.ktime != 0)
return 0;

/* Setup the execve_map entry. */
curr->flags = EVENT_COMMON_FLAG_CLONE;
parent = __event_find_parent(task);
if (parent) {
curr->key.pid = tgid;
curr->key.ktime = ktime_get_ns();
curr->nspid = get_task_pid_vnr();
curr->binary = parent->binary;
curr->pkey = parent->key;
curr->key.pid = tgid;
curr->key.ktime = ktime_get_ns();
curr->nspid = get_task_pid_vnr();
curr->binary = parent->binary;
curr->pkey = parent->key;

/* Setup the msg_clone_event and sent to the user. */
msg.common.op = MSG_OP_CLONE;
msg.common.size = msg_size;
msg.common.ktime = curr->key.ktime;
msg.parent = curr->pkey;
msg.tgid = curr->key.pid;
/* Per thread tracking rules TID == PID :
* Since we generate one event per thread group, then when this task
* wakes up it will be the only one in the thread group, and it is
* the leader. Ensure to pass TID to user space.
*/
msg.tid = BPF_CORE_READ(task, pid);
msg.ktime = curr->key.ktime;
msg.nspid = curr->nspid;
msg.flags = curr->flags;

u64 size = sizeof(struct msg_clone_event);
struct msg_clone_event msg = {
.common.op = MSG_OP_CLONE,
.common.size = size,
.common.ktime = curr->key.ktime,
.parent = curr->pkey,
.tgid = curr->key.pid,
/**
* Per thread tracking rules TID == PID :
* Since we generate one event per thread group, then when this task
* wakes up it will be the only one in the thread group, and it is
* the leader. Ensure to pass TID to user space.
*/
.tid = BPF_CORE_READ(task, pid),
.ktime = curr->key.ktime,
.nspid = curr->nspid,
.flags = curr->flags,
};
perf_event_output_metric(ctx, MSG_OP_CLONE, &tcpmon_map, BPF_F_CURRENT_CPU, &msg, msg_size);

perf_event_output_metric(ctx, MSG_OP_CLONE, &tcpmon_map, BPF_F_CURRENT_CPU, &msg, size);
}
return 0;
}
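
Review bot: The field-by-field assignments to `msg` (`msg.common.op = ...` through `msg.flags = ...`) stand in for a designated initializer, which zero-filled every member it did not name; `msg` is now declared without an initializer, so any member of `struct msg_clone_event` or of `msg.common` that is not assigned here reaches `perf_event_output_metric(..., &msg, msg_size)` holding whatever was on the stack. If the struct has members beyond the ones set in this hunk, or gains one later, that is stale kernel stack data copied to user space. Either keep a zeroing declaration (`struct msg_clone_event msg = {};`) or clear it with `memset(&msg, 0, msg_size)` before the assignments. The comment "Setup the msg_clone_event and sent to the user" should also read "send it to the user".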