refactoring eBPF: reduce stack-usage by writing directly into allocated buffer instead of onto stack

rust/backend/ebpf/README.md

@@ -14,7 +14,7 @@ The maps `<hook-name>_PIDS` are HashMaps that store the pid as key and as value
 
 |               | type       | functions to hook                                                            | map<entry-type>                             |  
 |---------------|------------|------------------------------------------------------------------------------|---------------------------------------------|  
-| vfs_write     | KProbe     | `vfs_write`, `vfs_write_ret`                                                 | `VFS_WRITE_CALLS<VfsWriteCall>`             |  
+| vfs_write     | KProbe     | `vfs_write`, `vfs_write_ret`                                                 | `VFS_WRITE_EVENTS<VfsWriteCall>`             |  
 | sendmsg       | Tracepoint | `sys_enter_sendmsg`, `sys_exit_sendmsg`                                      | `SYS_SENDMSG_CALLS<SysSendmsgCall>`         |
 | JNIReferences | UProbe     | `trace_add_local`, `trace_del_local`, `trace_add_global`, `trace_del_global` | `JNI_REF_CALLS<JNIRefCall>`, `JNI_REF_PIDS` |
 | ...           | ...        | ...                                                                          | ...                                         |

rust/backend/ebpf/src/jni_references.rs

@@ -27,13 +27,6 @@ fn handle_trace(ctx: ProbeContext, method: JNIMethodName) -> u32 {
         return 0;
     }
 
-    let call = JNICall {
-        pid,
-        tid,
-        begin_time_stamp: time_stamp,
-        method_name: method,
-    };
-
     let mut entry = match JNI_REF_CALLS.reserve::<JNICall>(0) {
         Some(entry) => entry,
         None => {
@@ -42,7 +35,16 @@ fn handle_trace(ctx: ProbeContext, method: JNIMethodName) -> u32 {
         }
     };
 
-    entry.write(call);
+    let entry_mut = entry.as_mut_ptr();
+
+    unsafe {
+        (&raw mut (*entry_mut).pid).write(pid);
+        (&raw mut (*entry_mut).pid).write(pid);
+        (&raw mut (*entry_mut).tid).write(tid);
+        (&raw mut (*entry_mut).begin_time_stamp).write(time_stamp);
+        (&raw mut (*entry_mut).method_name).write(method);
+    }
+
     entry.submit(0);
 
     0

rust/backend/ebpf/src/sys_sendmsg.rs

@@ -2,6 +2,7 @@
 //
 // SPDX-License-Identifier: MIT
 
+
 use aya_ebpf::{macros::{tracepoint, map}, maps::{HashMap, RingBuf}, programs::{TracePointContext}, EbpfContext, helpers::gen::bpf_ktime_get_ns};
 use aya_log_ebpf::error;
 use backend_common::{generate_id, SysSendmsgCall};
@@ -59,9 +60,8 @@ pub fn sys_exit_sendmsg(ctx: TracePointContext) -> u32 {
         Some(duration) => duration,
     };
 
-
-    let tgid = ctx.tgid();
-    let call_id = generate_id(pid, tgid);
+    let tid = ctx.tgid();
+    let call_id = generate_id(pid, tid);
     let data = match unsafe { SYS_SENDMSG_TIMESTAMPS.get(&call_id) } {
         None => {return 1}
         Some(entry) => {entry}
@@ -74,19 +74,25 @@ pub fn sys_exit_sendmsg(ctx: TracePointContext) -> u32 {
         return 0;
     }
 
-    let result_data = SysSendmsgCall::new(pid, tgid, data.begin_time_stamp, data.fd, duration_nano_sec);
-
     let mut entry = match SYS_SENDMSG_EVENTS.reserve::<SysSendmsgCall>(0) {
         Some(entry) => entry,
         None => {
-            error!(&ctx, "could not reserve space in SYS_SENDMSG_MAP");
+            error!(&ctx, "could not reserve space in map: SYS_SENDMSG_CALLS");
             return 1;
         }
     };
 
-    entry.write(result_data);
-    entry.submit(0);
+    let entry_mut = entry.as_mut_ptr();
 
+    unsafe {
+        (&raw mut (*entry_mut).pid).write(pid);
+        (&raw mut (*entry_mut).tid).write(tid);
+        (&raw mut (*entry_mut).begin_time_stamp).write(data.begin_time_stamp);
+        (&raw mut (*entry_mut).fd).write(data.fd);
+        (&raw mut (*entry_mut).duration_nano_sec).write(duration_nano_sec);
+    }
+
+    entry.submit(0);
 
     0
 }

rust/backend/ebpf/src/vfs_write.rs

@@ -2,6 +2,7 @@
 //
 // SPDX-License-Identifier: MIT
 
+
 use aya_ebpf::{
     macros::{kprobe, map, kretprobe},
     maps::{HashMap, RingBuf},
@@ -75,8 +76,8 @@ pub fn vfs_write_ret(ctx: RetProbeContext) -> Result<(), u32> {
         Some(duration) => duration,
     };
 
-    let tgid = ctx.tgid();
-    let call_id = generate_id(pid, tgid);
+    let tid = ctx.tgid();
+    let call_id = generate_id(pid, tid);
     let data = match unsafe { VFS_WRITE_TIMESTAMPS.get(&call_id) } {
         None => {return Err(0)}
         Some(entry) => {entry}
@@ -88,17 +89,24 @@ pub fn vfs_write_ret(ctx: RetProbeContext) -> Result<(), u32> {
         return Ok(());
     }
 
-    let data = VfsWriteCall::new(pid, tgid, data.begin_time_stamp, data.fp, data.bytes_written);
-
     let mut entry = match VFS_WRITE_EVENTS.reserve::<VfsWriteCall>(0) {
         Some(entry) => entry,
         None => {
-            error!(&ctx, "could not reserve space in VFS_WRITE_MAP");
+            error!(&ctx, "could not reserve space in map: VFS_WRITE_EVENTS");
             return Err(0)
         },
     };
 
-    entry.write(data);
+    let entry_mut = entry.as_mut_ptr();
+
+    unsafe {
+        (&raw mut (*entry_mut).pid).write(pid);
+        (&raw mut (*entry_mut).tid).write(tid);
+        (&raw mut (*entry_mut).begin_time_stamp).write(data.begin_time_stamp);
+        (&raw mut (*entry_mut).fp).write(data.fp);
+        (&raw mut (*entry_mut).bytes_written).write(data.bytes_written);
+    }
+
     entry.submit(0);