Fix BPF tracepoint attachment failure on kernel 6.12+ (EACCES)#3
Open
ardnew wants to merge 2 commits into
Conversation
Kernel 6.12+ changed the sched_process_fork tracepoint's parent_comm and child_comm fields from fixed char[16] arrays to __data_loc char[] (4 bytes each) due to configurable TASK_COMM_LEN. The old struct layout caused the BPF program to declare context accesses up to byte 48, but the tracepoint data area is only 24 bytes. The kernel rejects this in __perf_event_set_bpf_prog() where max_ctx_offset > trace_event_get_offsets() returns EACCES.

Replace the manual tp_fork_ctx struct with CO-RE reads (BPF_CORE_READ) against trace_event_raw_sched_process_fork from vmlinux.h. The CO-RE loader relocates the parent_pid and child_pid field offsets at load time based on the running kernel's BTF, so the same compiled program works on both pre-6.12 and 6.12+ kernels.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR fixes a BPF tracepoint attachment failure on Linux kernels ≥ 6.12 by avoiding hard-coded sched_process_fork tracepoint context layouts and instead relying on CO-RE field offset relocation at load time.
Changes:
- Remove the manual tp_fork_ctx struct that no longer matches kernel 6.12+ tracepoint layouts.
- Update the sched/sched_process_fork tracepoint program to read parent_pid/child_pid via BPF_CORE_READ from trace_event_raw_sched_process_fork.
Contributor
Hey thanks for this! Will give this a test and get back to you.
Problem
The sensor fails to start on kernels ≥ 6.12 with:
Root cause
Kernel 6.12 made TASK_COMM_LEN configurable, which changed the sched_process_fork tracepoint format. The parent_comm and child_comm fields went from fixed char[16] arrays to __data_loc char[] descriptors (4 bytes each), shrinking the tracepoint data area from 48 to 24 bytes.
Our tp_fork_ctx struct still used char[16] for both fields, so the BPF verifier recorded max_ctx_offset = 48. At attachment time, the kernel checks prog->aux->max_ctx_offset > trace_event_get_offsets() and returns EACCES when the program would read out of bounds.
Fix
Replace the manual tp_fork_ctx struct with CO-RE reads (BPF_CORE_READ) against trace_event_raw_sched_process_fork from vmlinux.h. The CO-RE loader relocates the parent_pid and child_pid field offsets at load time based on the running kernel's BTF, so the same compiled BPF object works on both pre-6.12 and 6.12+ kernels. No vmlinux.h update is required.
Testing
TestSensorDetections/*)
go vet clean
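As an added example (not code from this PR or its repository), the stand-alone C program below reproduces the attach-time check the description refers to. It parses constructed excerpts of the sched_process_fork tracepoint "format" file (the text under /sys/kernel/tracing/events/sched/sched_process_fork/format) for both kernel generations, computes the data-area size the way trace_event_get_offsets() reports it, and compares it against the max_ctx_offset of the old hard-coded struct versus a program that only reads parent_pid and child_pid at whatever offsets the running kernel exposes. The format file stands in for the BTF that a real CO-RE loader consults; struct tp_fork_ctx_old, the FMT_* strings and all helper names are assumptions built from the layouts the description gives, not the project's code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 16

/* Constructed excerpts of the tracepoint "format" file: the common_* header followed by the
 * event fields, laid out as the PR description states for each kernel generation. */
static const char FMT_PRE_612[] =
    "name: sched_process_fork\n"
    "format:\n"
    "\tfield:unsigned short common_type;\toffset:0;\tsize:2;\tsigned:0;\n"
    "\tfield:unsigned char common_flags;\toffset:2;\tsize:1;\tsigned:0;\n"
    "\tfield:unsigned char common_preempt_count;\toffset:3;\tsize:1;\tsigned:0;\n"
    "\tfield:int common_pid;\toffset:4;\tsize:4;\tsigned:1;\n"
    "\n"
    "\tfield:char parent_comm[16];\toffset:8;\tsize:16;\tsigned:0;\n"
    "\tfield:pid_t parent_pid;\toffset:24;\tsize:4;\tsigned:1;\n"
    "\tfield:char child_comm[16];\toffset:28;\tsize:16;\tsigned:0;\n"
    "\tfield:pid_t child_pid;\toffset:44;\tsize:4;\tsigned:1;\n";

static const char FMT_612[] =
    "name: sched_process_fork\n"
    "format:\n"
    "\tfield:unsigned short common_type;\toffset:0;\tsize:2;\tsigned:0;\n"
    "\tfield:unsigned char common_flags;\toffset:2;\tsize:1;\tsigned:0;\n"
    "\tfield:unsigned char common_preempt_count;\toffset:3;\tsize:1;\tsigned:0;\n"
    "\tfield:int common_pid;\toffset:4;\tsize:4;\tsigned:1;\n"
    "\n"
    "\tfield:__data_loc char[] parent_comm;\toffset:8;\tsize:4;\tsigned:0;\n"
    "\tfield:pid_t parent_pid;\toffset:12;\tsize:4;\tsigned:1;\n"
    "\tfield:__data_loc char[] child_comm;\toffset:16;\tsize:4;\tsigned:0;\n"
    "\tfield:pid_t child_pid;\toffset:20;\tsize:4;\tsigned:1;\n";

/* Hypothetical reconstruction of the hard-coded context struct the PR removes. */
struct tp_fork_ctx_old {
    unsigned short common_type;
    unsigned char common_flags;
    unsigned char common_preempt_count;
    int common_pid;
    char parent_comm[16];
    int parent_pid;
    char child_comm[16];
    int child_pid;
};
/* The verifier records the end of the widest context access: child_pid at 44 plus 4 bytes. */
#define OLD_MAX_CTX_OFFSET ((int)(offsetof(struct tp_fork_ctx_old, child_pid) + sizeof(int)))

struct tp_field { char name[32]; int offset; int size; };

/* Parse the "field:<type> <name>; offset:N; size:M; ..." lines; returns the field count. */
static int parse_format(const char *text, struct tp_field *out, int max)
{
    int n = 0;
    for (const char *line = text; *line && n < max; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *p = line;
        while (p < line + len && (*p == ' ' || *p == '\t')) p++;
        const char *semi = strncmp(p, "field:", 6) == 0 ? memchr(p, ';', len - (p - line)) : NULL;
        const char *off = strstr(p, "offset:"), *sz = strstr(p, "size:");
        if (semi && off && sz && off < line + len && sz < line + len) {
            const char *tok = semi;                       /* name: last token before ';' */
            while (tok > p + 6 && tok[-1] != ' ') tok--;
            size_t nl = (size_t)(semi - tok);
            const char *br = memchr(tok, '[', nl);        /* drop a "[16]" array suffix */
            if (br) nl = (size_t)(br - tok);
            if (nl >= sizeof out[n].name) nl = sizeof out[n].name - 1;
            memcpy(out[n].name, tok, nl);
            out[n].name[nl] = '\0';
            out[n].offset = atoi(off + 7);
            out[n].size = atoi(sz + 5);
            n++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n;
}

/* Equivalent of trace_event_get_offsets(): end of the last field, i.e. the data-area size. */
static int data_area_size(const struct tp_field *f, int n)
{
    int end = 0;
    for (int i = 0; i < n; i++)
        if (f[i].offset + f[i].size > end) end = f[i].offset + f[i].size;
    return end;
}

/* Offset of a named field in this kernel's layout (what a CO-RE relocation resolves), or -1. */
static int field_offset(const char *format_text, const char *name)
{
    struct tp_field f[MAX_FIELDS];
    int n = parse_format(format_text, f, MAX_FIELDS);
    for (int i = 0; i < n; i++)
        if (strcmp(f[i].name, name) == 0) return f[i].offset;
    return -1;
}

/* Widest access a program needs when it reads only parent_pid and child_pid at relocated offsets. */
static int core_max_ctx_offset(const char *format_text)
{
    int a = field_offset(format_text, "parent_pid"), b = field_offset(format_text, "child_pid");
    if (a < 0 || b < 0) return -1;
    return (a > b ? a : b) + (int)sizeof(int);
}

/* Mirror of the attach-time check in __perf_event_set_bpf_prog(): 0 on success, -EACCES if the
 * program would read past the tracepoint data area, -EINVAL if the format text is unusable. */
static int check_attach(int max_ctx_offset, const char *format_text)
{
    struct tp_field f[MAX_FIELDS];
    int n = parse_format(format_text, f, MAX_FIELDS);
    if (n == 0 || max_ctx_offset < 0) return -EINVAL;
    return max_ctx_offset > data_area_size(f, n) ? -EACCES : 0;
}

int main(void)
{
    const char *fmts[2] = { FMT_PRE_612, FMT_612 }, *labels[2] = { "pre-6.12", "6.12+" };
    for (int i = 0; i < 2; i++) {
        int core = core_max_ctx_offset(fmts[i]);
        printf("%s: parent_pid@%d child_pid@%d\n", labels[i],
               field_offset(fmts[i], "parent_pid"), field_offset(fmts[i], "child_pid"));
        printf("  hard-coded struct (max_ctx_offset %d): %s\n", OLD_MAX_CTX_OFFSET,
               check_attach(OLD_MAX_CTX_OFFSET, fmts[i]) == -EACCES ? "EACCES" : "attaches");
        printf("  CO-RE reads (max_ctx_offset %d): %s\n", core,
               check_attach(core, fmts[i]) == 0 ? "attaches" : "refused");
    }
    return 0;
}
```

Running it shows the failure the PR fixes in one place: the hard-coded struct yields max_ctx_offset 48, which is exactly the pre-6.12 data-area size (so it attaches there) but double the 24-byte area on 6.12+ (so the kernel returns EACCES), while a program that reads only the two pid fields at the offsets the running kernel exposes fits on both. The same parser can be pointed at a live format file to confirm a kernel's layout before deciding whether a given BPF object will attach.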