bpf: unify resolve null dereference detection

The previous commit gave us some additional instruction budget that
allows us support null dereference detection on 4.19.

Signed-off-by: Andy Strohman <[email protected]>

Author: andrewstrohman

bpf/process/generic_calls.h

@@ -221,13 +221,9 @@ FUNC_INLINE bool is_read_arg_1(long type)
 
 FUNC_INLINE long write_arg_status(struct msg_generic_kprobe *e, unsigned long offset, __u32 status)
 {
-#ifdef __LARGE_BPF_PROG
 	char *args = args_off(e, offset);
 	*(__u32 *)args = status;
 	return (offset + sizeof(__u32)) & 16383;
-#else
-	return offset;
-#endif
 }
 
 FUNC_INLINE long
@@ -340,11 +336,7 @@ __read_arg_1(void *ctx, int type, long orig_off, unsigned long arg, int argm, ch
 		size = 0;
 		break;
 	}
-#ifdef __LARGE_BPF_PROG
 	return size + sizeof(__u32);
-#else
-	return size;
-#endif
 }
 
 FUNC_INLINE long
@@ -422,11 +414,7 @@ __read_arg_2(void *ctx, int type, long orig_off, unsigned long arg, int argm, ch
 		size = 0;
 		break;
 	}
-#ifdef __LARGE_BPF_PROG
 	return size + sizeof(__u32);
-#else
-	return size;
-#endif
 }
 
 /**
@@ -445,12 +433,8 @@ __read_arg_2(void *ctx, int type, long orig_off, unsigned long arg, int argm, ch
 FUNC_INLINE long
 read_arg(void *ctx, int index, int type, long orig_off, unsigned long arg, int argm, int process)
 {
-#ifdef __LARGE_BPF_PROG
 	// min size of type plus the size of the header which indicates arg read status
 	size_t min_size = type_to_min_size(type, argm) + sizeof(__u32);
-#else
-	size_t min_size = type_to_min_size(type, argm);
-#endif
 
 	struct msg_generic_kprobe *e;
 	char *args;
@@ -467,26 +451,18 @@ read_arg(void *ctx, int index, int type, long orig_off, unsigned long arg, int a
 
 	orig_off &= 16383;
 
-#ifdef __LARGE_BPF_PROG
 	index &= MAX_SELECTORS_MASK;
 	orig_off = write_arg_status(e, orig_off, e->arg_error_status[index]);
 	/* Cache args offset for filter use later */
 	e->argsoff[index] = orig_off;
 	if (e->arg_error_status[index])
 		return sizeof(__u32);
-#else
-	/* Cache args offset for filter use later */
-	e->argsoff[index & MAX_SELECTORS_MASK] = orig_off;
-#endif
+
 	args = args_off(e, orig_off);
 
 	path_arg = get_path(type, arg, &path_buf);
 	if (path_arg)
-#ifdef __LARGE_BPF_PROG
 		return copy_path(args, path_arg) + sizeof(__u32);
-#else
-		return copy_path(args, path_arg);
-#endif
 	/*
 	 * Separate argument processing based on the process const
 	 * for 4.19 kernels..
@@ -629,9 +605,7 @@ FUNC_INLINE long generic_read_arg(void *ctx, int index, long off, struct bpf_map
 #endif
 #endif
 
-#ifdef __LARGE_BPF_PROG
 	e->arg_error_status[index] = 0;
-#endif
 
 #if defined(GENERIC_TRACEPOINT) || defined(GENERIC_USDT)
 	a = (&e->a0)[index];
@@ -1351,15 +1325,11 @@ FUNC_INLINE int generic_retprobe(void *ctx, struct bpf_map_def *calls, unsigned
 
 	switch (do_copy) {
 	case char_buf:
-#ifdef __LARGE_BPF_PROG
 		size = write_arg_status(e, size, 0);
-#endif
 		size += __copy_char_buf(ctx, size, info.ptr, ret, false, e);
 		break;
 	case char_iovec:
-#ifdef __LARGE_BPF_PROG
 		size = write_arg_status(e, size, 0);
-#endif
 		size += __copy_char_iovec(size, info.ptr, info.cnt, ret, e);
 		break;
 	default:

bpf/process/generic_path.h

@@ -198,24 +198,16 @@ FUNC_INLINE long generic_path_offload(void *ctx, long ty, unsigned long arg,
 	if (!buffer)
 		return 0;
 
-#ifdef __LARGE_BPF_PROG
 	index &= MAX_SELECTORS_MASK;
 
 	orig_off = write_arg_status(e, orig_off, e->arg_error_status[index]);
 
 	e->argsoff[index] = orig_off;
 	if (e->arg_error_status[index])
 		return sizeof(__u32);
-#else
-	e->argsoff[index & MAX_SELECTORS_MASK] = orig_off;
-#endif
 	args = args_off(e, orig_off);
 	buf = get_buf(buffer, gp->off);
-#ifdef __LARGE_BPF_PROG
 	return store_path(args, buf, gp->path, MAX_BUF_LEN - gp->off - 1, 0) + sizeof(__u32);
-#else
-	return store_path(args, buf, gp->path, MAX_BUF_LEN - gp->off - 1, 0);
-#endif
 }
 
 FUNC_INLINE bool should_offload_path(long type)

bpf/process/types/basic.h

@@ -2105,10 +2105,9 @@ selector_arg_offset(void *ctx, struct bpf_map_def *tailcalls,
 		if (index > 5)
 			return 0;
 
-#ifdef __LARGE_BPF_PROG
 		if (e->arg_error_status[index])
 			return 0;
-#endif
+
 		args = get_arg(e, index);
 		if (!filter_arg(e, filter, args, process))
 			return 0;
@@ -2329,17 +2328,9 @@ rate_limit(__u64 ratelimit_interval, __u64 ratelimit_scope, struct msg_generic_k
 		if (i < MAX_POSSIBLE_ARGS - 1 && arg_idx(i + 1) != -1)
 			arg_size = e->argsoff[i + 1] - e->argsoff[i];
 		else
-#ifdef __LARGE_BPF_PROG
 			arg_size = e->common.size - e->argsoff[i] + sizeof(__u32);
-#else
-			arg_size = e->common.size - e->argsoff[i];
-#endif
 		if (arg_size > 0) {
-#ifdef __LARGE_BPF_PROG
 			key_index = (e->argsoff[i] - sizeof(__u32)) & 16383;
-#else
-			key_index = e->argsoff[i] & 16383;
-#endif
 			if (arg_size > KEY_BYTES_PER_ARG)
 				arg_size = KEY_BYTES_PER_ARG;
 			asm volatile("%[arg_size] &= 0x3f;\n" // ensure this mask is greater than KEY_BYTES_PER_ARG

pkg/sensors/tracing/args_linux.go

@@ -13,7 +13,6 @@ import (
 	"github.com/cilium/tetragon/pkg/api/dataapi"
 	processapi "github.com/cilium/tetragon/pkg/api/processapi"
 	api "github.com/cilium/tetragon/pkg/api/tracingapi"
-	"github.com/cilium/tetragon/pkg/config"
 	gt "github.com/cilium/tetragon/pkg/generictypes"
 	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
 	"github.com/cilium/tetragon/pkg/logger"
@@ -91,24 +90,22 @@ func getArg(r *bytes.Reader, a argPrinter) api.MsgGenericKprobeArg {
 	var err error
 	var status uint32
 
-	if config.EnableLargeProgs() {
-		err = binary.Read(r, binary.LittleEndian, &status)
-		if err != nil {
-			logger.GetLogger().Warn("Status header error", "arg.usertype", gt.GenericUserTypeToString(a.userType), logfields.Error, err)
-			return nil
-		}
+	err = binary.Read(r, binary.LittleEndian, &status)
+	if err != nil {
+		logger.GetLogger().Warn("Status header error", "arg.usertype", gt.GenericUserTypeToString(a.userType), logfields.Error, err)
+		return nil
+	}
 
-		if status != 0 {
-			var arg api.MsgGenericKprobeArgError
-			ptr_name := "pointer"
-			if len(a.BTFPtrNames[status-1]) != 0 {
-				ptr_name = a.BTFPtrNames[status-1]
-			}
-			arg.Message = "failed to dereference " + ptr_name
-			arg.Index = uint64(a.index)
-			arg.Label = a.label
-			return arg
+	if status != 0 {
+		var arg api.MsgGenericKprobeArgError
+		ptr_name := "pointer"
+		if len(a.BTFPtrNames[status-1]) != 0 {
+			ptr_name = a.BTFPtrNames[status-1]
 		}
+		arg.Message = "failed to dereference " + ptr_name
+		arg.Index = uint64(a.index)
+		arg.Label = a.label
+		return arg
 	}
 
 	switch a.ty {

pkg/sensors/tracing/generictracepoint.go

@@ -862,24 +862,22 @@ func handleMsgGenericTracepoint(
 			continue
 		}
 
-		if config.EnableLargeProgs() {
-			err := binary.Read(r, binary.LittleEndian, &status)
+		err := binary.Read(r, binary.LittleEndian, &status)
 
-			if err != nil {
-				logger.GetLogger().Warn(fmt.Sprintf("Arg status size type error sizeof %d", m.Common.Size), logfields.Error, err)
-				break
-			}
+		if err != nil {
+			logger.GetLogger().Warn(fmt.Sprintf("Arg status size type error sizeof %d", m.Common.Size), logfields.Error, err)
+			break
+		}
 
-			if status != 0 {
-				var arg tracingapi.MsgGenericKprobeArgError
-				ptr_name := "pointer"
-				if len(tp.args[idx].btfPtrNames[status-1]) != 0 {
-					ptr_name = tp.args[idx].btfPtrNames[status-1]
-				}
-				arg.Message = "failed to dereference " + ptr_name
-				unix.Args = append(unix.Args, arg)
-				continue
+		if status != 0 {
+			var arg tracingapi.MsgGenericKprobeArgError
+			ptr_name := "pointer"
+			if len(tp.args[idx].btfPtrNames[status-1]) != 0 {
+				ptr_name = tp.args[idx].btfPtrNames[status-1]
 			}
+			arg.Message = "failed to dereference " + ptr_name
+			unix.Args = append(unix.Args, arg)
+			continue
 		}
 
 		switch out.genericTypeId {