3 files changed, 18 insertions, 10 deletions

diff --git a/internal/generate/bpfhandler.go b/internal/generate/bpfhandler.go
index 2c0d648..3d76ac4 100644
--- a/internal/generate/bpfhandler.go
+++ b/internal/generate/bpfhandler.go
@@ -9,9 +9,17 @@ func generateBPFHandler(tp GeneratedTracepoint) string {
 	f := tp.Format
 	isEnter := strings.Split(f.Name, "_")[1] == "enter"
 
-	ctxStruct := "trace_event_raw_sys_exit"
+	// Use the kernel's actual tracepoint context structs (syscall_trace_enter/exit)
+	// rather than the BTF-emitted trace_event_raw_sys_enter/exit aliases. On RHEL 9
+	// kernels (5.14 with the rt-merge backport that added preempt_lazy_count to
+	// trace_entry) the two diverge: trace_event_raw_sys_* grows by 8 bytes and
+	// the args/ret offsets shift, but the real context handed to the BPF program
+	// is still syscall_trace_*. Reading via the wider alias trips the verifier's
+	// max_ctx_offset check and the attach fails with EACCES. The two structs are
+	// identical on non-RHEL kernels, so this is a no-op everywhere else.
+	ctxStruct := "syscall_trace_exit"
 	if isEnter {
-		ctxStruct = "trace_event_raw_sys_enter"
+		ctxStruct = "syscall_trace_enter"
 	}
 
 	eventStruct := eventStructName(tp.Classification.Kind)
diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index caad340..7a7d469 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -16,7 +16,7 @@ func TestGenerateFdHandler(t *testing.T) {
 	output := generateFromPair(t, FormatRead, FormatExitRead)
 
 	requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_read")`)
-	requireContains(t, output, "struct trace_event_raw_sys_enter *ctx")
+	requireContains(t, output, "struct syscall_trace_enter *ctx")
 	requireContains(t, output, "struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);")
 	requireContains(t, output, "ev->event_type = ENTER_FD_EVENT;")
 	requireContains(t, output, "ev->trace_id = SYS_ENTER_READ;")
@@ -70,7 +70,7 @@ func TestGenerateRetHandlerRead(t *testing.T) {
 	output := generateFromPair(t, FormatRead, FormatExitRead)
 
 	requireContains(t, output, `SEC("tracepoint/syscalls/sys_exit_read")`)
-	requireContains(t, output, "struct trace_event_raw_sys_exit *ctx")
+	requireContains(t, output, "struct syscall_trace_exit *ctx")
 	requireContains(t, output, "struct ret_event *ev")
 	requireContains(t, output, "ev->event_type = EXIT_RET_EVENT;")
 	requireContains(t, output, "ev->trace_id = SYS_EXIT_READ;")
@@ -226,7 +226,7 @@ func TestGenerateDefinesSortedByIDDesc(t *testing.T) {
 func TestGenerateHandlerStructure(t *testing.T) {
 	output := generateFromPair(t, FormatClose, FormatExitClose)
 
-	requireContains(t, output, "int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) {")
+	requireContains(t, output, "int handle_sys_enter_close(struct syscall_trace_enter *ctx) {")
 	requireContains(t, output, "__u32 pid, tid;")
 	requireContains(t, output, "if (filter(&pid, &tid))")
 	requireContains(t, output, "ev->pid = pid;")
diff --git a/internal/generate/tracepointsgo_test.go b/internal/generate/tracepointsgo_test.go
index cd24942..978633b 100644
--- a/internal/generate/tracepointsgo_test.go
+++ b/internal/generate/tracepointsgo_test.go
@@ -16,25 +16,25 @@ const sampleGeneratedC = `// Code generated - don't change manually!
 
 /// sys_enter_read is a struct fd_event
 SEC("tracepoint/syscalls/sys_enter_read")
-int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) {
+int handle_sys_enter_read(struct syscall_trace_enter *ctx) {
     return 0;
 }
 
 /// sys_exit_read is a struct ret_event (READ_CLASSIFIED)
 SEC("tracepoint/syscalls/sys_exit_read")
-int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) {
+int handle_sys_exit_read(struct syscall_trace_exit *ctx) {
     return 0;
 }
 
 /// sys_enter_close is a struct fd_event
 SEC("tracepoint/syscalls/sys_enter_close")
-int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) {
+int handle_sys_enter_close(struct syscall_trace_enter *ctx) {
     return 0;
 }
 
 /// sys_exit_close is a struct ret_event (UNCLASSIFIED)
 SEC("tracepoint/syscalls/sys_exit_close")
-int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) {
+int handle_sys_exit_close(struct syscall_trace_exit *ctx) {
     return 0;
 }
 `
@@ -93,7 +93,7 @@ func TestExtractTracepointsPackageHeader(t *testing.T) {
 
 func TestExtractTracepointsMalformedSEC(t *testing.T) {
 	input := `SEC("tracepoint/not_matching_pattern")
-int handle_something(struct trace_event_raw_sys_enter *ctx) {
+int handle_something(struct syscall_trace_enter *ctx) {
     return 0;
 }
 SEC("some/garbage")