tcpv4tracer: get the kernel TGID instead of the PID

bfp_get_current_pid_tgid() returns a u64 containing "current->tgid << 32 | current->pid". We were storing the return value in a u32, which means we got "current->pid". In kernel terms, the PID is actually what userspace calls a thread ID. What we actually want is what the userspace calls PID, and that's the kernel's TGID. Store the return value of bfp_get_current_pid_tgid() in a u64 and store it right-shifted 32 bits so we get the actual PID (TGID).
iovisor · Oct 18, 2016 · a0d1de7 · a0d1de7
1 parent 8b6ced9
commit a0d1de7
Showing 1 changed file with 11 additions and 10 deletions.
diff --git a/examples/tracing/tcpv4tracer.py b/examples/tracing/tcpv4tracer.py
@@ -47,12 +47,12 @@
 };
 
 BPF_PERF_OUTPUT(tcp_event);
-BPF_HASH(connectsock, u32, struct sock *);
-BPF_HASH(closesock, u32, struct sock *);
+BPF_HASH(connectsock, u64, struct sock *);
+BPF_HASH(closesock, u64, struct sock *);
 
 int kprobe__tcp_v4_connect(struct pt_regs *ctx, struct sock *sk)
 {
-	u32 pid = bpf_get_current_pid_tgid();
+	u64 pid = bpf_get_current_pid_tgid();
 
 	##FILTER_PID##
 
@@ -65,7 +65,7 @@
 int kretprobe__tcp_v4_connect(struct pt_regs *ctx)
 {
 	int ret = PT_REGS_RC(ctx);
-	u32 pid = bpf_get_current_pid_tgid();
+	u64 pid = bpf_get_current_pid_tgid();
 
 	struct sock **skpp;
 	skpp = connectsock.lookup(&pid);
@@ -104,7 +104,7 @@
 	// output
 	struct tcp_event_t evt = {
 		.type = TCP_EVENT_TYPE_CONNECT,
-		.pid = pid,
+		.pid = pid >> 32,
 		.saddr = saddr,
 		.daddr = daddr,
 		.sport = ntohs(sport),
@@ -126,7 +126,7 @@
 
 int kprobe__tcp_close(struct pt_regs *ctx, struct sock *sk)
 {
-	u32 pid = bpf_get_current_pid_tgid();
+	u64 pid = bpf_get_current_pid_tgid();
 
 	##FILTER_PID##
 
@@ -138,7 +138,7 @@
 
 int kretprobe__tcp_close(struct pt_regs *ctx)
 {
-	u32 pid = bpf_get_current_pid_tgid();
+	u64 pid = bpf_get_current_pid_tgid();
 
 	struct sock **skpp;
 	skpp = closesock.lookup(&pid);
@@ -169,7 +169,7 @@
 	// output
 	struct tcp_event_t evt = {
 		.type = TCP_EVENT_TYPE_CLOSE,
-		.pid = pid,
+		.pid = pid >> 32,
 		.saddr = saddr,
 		.daddr = daddr,
 		.sport = ntohs(sport),
@@ -192,7 +192,7 @@
 int kretprobe__inet_csk_accept(struct pt_regs *ctx)
 {
 	struct sock *newsk = (struct sock *)PT_REGS_RC(ctx);
-	u32 pid = bpf_get_current_pid_tgid();
+	u64 pid = bpf_get_current_pid_tgid();
 
 	##FILTER_PID##
 
@@ -226,7 +226,8 @@
 	##FILTER_NETNS##
 
 	if (family == AF_INET) {
-		struct tcp_event_t evt = {.type = TCP_EVENT_TYPE_ACCEPT, .pid = pid, .netns = net_ns_inum};
+		struct tcp_event_t evt = {.type = TCP_EVENT_TYPE_ACCEPT, .netns = net_ns_inum};
+		evt.pid = pid >> 32;
 		bpf_probe_read(&evt.saddr, sizeof(u32),
 			&newsk->__sk_common.skc_rcv_saddr);
 		bpf_probe_read(&evt.daddr, sizeof(u32),