Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ebpf): hidden_kernel_module fix max iterations #3936

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(ebpf): hidden_kernel_module fix max iterations #3936

wants to merge 1 commit into from

Conversation

OriGlassman
Copy link
Collaborator

1. Explain what the PR does

A change was depicted on kernel 6.5 where mod_tree contains duplicate modules and thus MAX_NUM_MODULES is not enough to iterate on the tree, which yielded a warning.
The fix is to use bpf_loop helper, which is available on kernels 5.17 and above, and do more iterations.

"Replace me with make check-pr output"

2. Explain how to test it

./dist/tracee -e=hidden_kernel_module

3. Other comments

AlonZivony
AlonZivony reviewed Mar 27, 2024
View reviewed changes
Copy link
Collaborator

@AlonZivony AlonZivony left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

pkg/ebpf/c/tracee.bpf.c Show resolved Hide resolved
pkg/ebpf/c/tracee.bpf.c Outdated Show resolved Hide resolved
pkg/ebpf/c/tracee.bpf.c
@@ -657,6 +657,7 @@ int tracepoint__sched__sched_process_fork(struct bpf_raw_tracepoint_args *ctx)

// number of iterations - value that the verifier was seen to cope with - the higher, the better
#define MAX_NUM_MODULES 450
#define MAX_NUM_LOOPS_MODULES 100000
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its a bit much, no?
Why not 10k or even less?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It stops when finishes - so I want a value that if it happens, it'll certainly indicate a problem. 10k is also probably ok but doesn't make much different than 100k.

@OriGlassman @randomname21
fix(ebpf): hidden_kernel_module fix max iterations
ae16a9e 
A change was depicted on kernel 6.5 where mod_tree contains duplicate
modules and thus MAX_NUM_MODULES is not enough to iterate on the tree,
which yielded a warning.
The fix is to use bpf_loop helper, which is available on kernels 5.17 and
above, and do more iterations.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlonZivony AlonZivony AlonZivony left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@OriGlassman OriGlassman

Labels
area/ebpf
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@OriGlassman @AlonZivony