diff options
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/filter.c | 8 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints.c | 29 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 1 |
3 files changed, 6 insertions, 32 deletions
diff --git a/internal/c/filter.c b/internal/c/filter.c index 48907d8..5440bcc 100644 --- a/internal/c/filter.c +++ b/internal/c/filter.c @@ -79,9 +79,11 @@ static __always_inline int ior_on_syscall_enter(__u32 tid, __u32 enter_trace_id) } // ior_on_noreturn_syscall_enter is the enter hook for noreturn syscalls -// (exit, exit_group). Unlike ior_on_syscall_enter it deliberately does NOT -// write a per-tid entry into syscall_enter_state_map. A noreturn syscall never -// returns to userspace, so its sys_exit tracepoint never fires and the matching +// (exit, exit_group, rt_sigreturn). Unlike ior_on_syscall_enter it deliberately +// does NOT write a per-tid entry into syscall_enter_state_map. A noreturn +// syscall never returns to the syscall site (exit/exit_group terminate; +// rt_sigreturn restores the pre-signal context), so its sys_exit tracepoint +// never fires and the matching // exit handler is suppressed by the generator (see internal/generate/codegen.go // isNoreturnSyscall). With no exit handler, nothing would ever look up or // bpf_map_delete_elem that enter-state entry, so recording it would only leave diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index a8437df..5c72813 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -732,7 +732,6 @@ #define SYS_ENTER_IOPL 93 #define SYS_EXIT_IOPL 92 #define SYS_ENTER_RT_SIGRETURN 57 -#define SYS_EXIT_RT_SIGRETURN 56 /// sys_enter_socket is a struct socket_event (kind=socket) SEC("tracepoint/syscalls/sys_enter_socket") @@ -19659,7 +19658,7 @@ int handle_sys_enter_rt_sigreturn(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; - if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGRETURN)) + if (!ior_on_noreturn_syscall_enter(SYS_ENTER_RT_SIGRETURN)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); @@ -19676,29 +19675,3 @@ int handle_sys_enter_rt_sigreturn(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_rt_sigreturn is a struct ret_event (UNCLASSIFIED) (kind=ret) -SEC("tracepoint/syscalls/sys_exit_rt_sigreturn") -int handle_sys_exit_rt_sigreturn(struct syscall_trace_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - if (!ior_on_syscall_exit(tid, SYS_ENTER_RT_SIGRETURN, ctx->ret)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RT_SIGRETURN; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 3587939..971f92c 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -622,7 +622,6 @@ sys_exit_rt_sigaction is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_rt_sigpending is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_rt_sigprocmask is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_rt_sigqueueinfo is a struct ret_event (UNCLASSIFIED) (kind=ret) -sys_exit_rt_sigreturn is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_rt_sigsuspend is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_rt_sigtimedwait is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_rt_tgsigqueueinfo is a struct ret_event (UNCLASSIFIED) (kind=ret) |