new(driver): update exit events PPME_SYSCALL_WRITE_X and PPME_SYSCALL_PWRITE_X with enter params

driver/SCHEMA_VERSION

@@ -1 +1 @@
-3.5.0
+3.6.0

driver/bpf/fillers.h

@@ -454,10 +454,19 @@ FILLER(sys_write_x, true) {
 	/* If the syscall doesn't fail we use the return value as `size`
 	 * otherwise we need to rely on the syscall parameter provided by the user.
 	 */
-	unsigned long bytes_to_read = retval > 0 ? retval : bpf_syscall_get_argument(data, 2);
+	size_t size = bpf_syscall_get_argument(data, 2);
+	unsigned long bytes_to_read = retval > 0 ? retval : size;
 	unsigned long sent_data_pointer = bpf_syscall_get_argument(data, 1);
-	data->fd = bpf_syscall_get_argument(data, 0);
-	return __bpf_val_to_ring(data, sent_data_pointer, bytes_to_read, PT_BYTEBUF, -1, true, USER);
+	data->fd = (int32_t)bpf_syscall_get_argument(data, 0);
+	res = __bpf_val_to_ring(data, sent_data_pointer, bytes_to_read, PT_BYTEBUF, -1, true, USER);
+	CHECK_RES(res);
+
+	/* Parameter 3: fd (type: PT_FD) */
+	res = bpf_push_s64_to_ring(data, (int64_t)data->fd);
+	CHECK_RES(res);
+
+	/* Parameter 4: size (type: PT_UINT32) */
+	return bpf_push_u32_to_ring(data, (uint32_t)size);
 }
 
 #define POLL_MAXFDS 16
@@ -5078,6 +5087,39 @@ FILLER(sys_pwrite64_e, true) {
 	return bpf_push_u64_to_ring(data, pos);
 }
 
+FILLER(sys_pwrite64_x, true) {
+#ifndef CAPTURE_64BIT_ARGS_SINGLE_REGISTER
+#error Implement this
+#endif
+	/* Parameter 1: res (type: PT_ERRNO) */
+	long retval = bpf_syscall_get_retval(data->ctx);
+	int res = bpf_push_s64_to_ring(data, retval);
+	CHECK_RES(res);
+
+	/* Parameter 2: data (type: PT_BYTEBUF) */
+	/* If the syscall doesn't fail we use the return value as `size`
+	 * otherwise we need to rely on the syscall parameter provided by the user.
+	 */
+	size_t size = bpf_syscall_get_argument(data, 2);
+	unsigned long bytes_to_read = retval > 0 ? retval : size;
+	unsigned long sent_data_pointer = bpf_syscall_get_argument(data, 1);
+	data->fd = (int32_t)bpf_syscall_get_argument(data, 0);
+	res = __bpf_val_to_ring(data, sent_data_pointer, bytes_to_read, PT_BYTEBUF, -1, true, USER);
+	CHECK_RES(res);
+
+	/* Parameter 3: fd (type: PT_FD) */
+	res = bpf_push_s64_to_ring(data, (int64_t)data->fd);
+	CHECK_RES(res);
+
+	/* Parameter 4: size (type: PT_UINT32) */
+	res = bpf_push_u32_to_ring(data, (uint32_t)size);
+	CHECK_RES(res);
+
+	/* Parameter 3: pos (type: PT_UINT64) */
+	uint64_t pos = (uint64_t)bpf_syscall_get_argument(data, 3);
+	return bpf_push_u64_to_ring(data, pos);
+}
+
 FILLER(sys_renameat_x, true) {
 	unsigned long val;
 	long retval;

driver/event_table.c

@@ -98,14 +98,17 @@ const struct ppm_event_info g_event_info[] = {
                                   {"size", PT_UINT32, PF_DEC}}},
         [PPME_SYSCALL_WRITE_E] = {"write",
                                   EC_IO_WRITE | EC_SYSCALL,
-                                  EF_USES_FD | EF_WRITES_TO_FD,
+                                  EF_USES_FD | EF_WRITES_TO_FD | EF_TMP_CONVERTER_MANAGED,
                                   2,
                                   {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}}},
         [PPME_SYSCALL_WRITE_X] = {"write",
                                   EC_IO_WRITE | EC_SYSCALL,
-                                  EF_USES_FD | EF_WRITES_TO_FD,
-                                  2,
-                                  {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
+                                  EF_USES_FD | EF_WRITES_TO_FD | EF_TMP_CONVERTER_MANAGED,
+                                  4,
+                                  {{"res", PT_ERRNO, PF_DEC},
+                                   {"data", PT_BYTEBUF, PF_NA},
+                                   {"fd", PT_FD, PF_DEC},
+                                   {"size", PT_UINT32, PF_DEC}}},
         [PPME_SYSCALL_BRK_1_E] =
                 {"brk", EC_MEMORY | EC_SYSCALL, EF_OLD_VERSION, 1, {{"size", PT_UINT32, PF_DEC}}},
         [PPME_SYSCALL_BRK_1_X] =
@@ -597,16 +600,20 @@ const struct ppm_event_info g_event_info[] = {
                                    {"pos", PT_UINT64, PF_DEC}}},
         [PPME_SYSCALL_PWRITE_E] = {"pwrite",
                                    EC_IO_WRITE | EC_SYSCALL,
-                                   EF_USES_FD | EF_WRITES_TO_FD,
+                                   EF_USES_FD | EF_WRITES_TO_FD | EF_TMP_CONVERTER_MANAGED,
                                    3,
                                    {{"fd", PT_FD, PF_DEC},
                                     {"size", PT_UINT32, PF_DEC},
                                     {"pos", PT_UINT64, PF_DEC}}},
         [PPME_SYSCALL_PWRITE_X] = {"pwrite",
                                    EC_IO_WRITE | EC_SYSCALL,
-                                   EF_USES_FD | EF_WRITES_TO_FD,
-                                   2,
-                                   {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
+                                   EF_USES_FD | EF_WRITES_TO_FD | EF_TMP_CONVERTER_MANAGED,
+                                   5,
+                                   {{"res", PT_ERRNO, PF_DEC},
+                                    {"data", PT_BYTEBUF, PF_NA},
+                                    {"fd", PT_FD, PF_DEC},
+                                    {"size", PT_UINT32, PF_DEC},
+                                    {"pos", PT_UINT64, PF_DEC}}},
         [PPME_SYSCALL_READV_E] = {"readv",
                                   EC_IO_READ | EC_SYSCALL,
                                   EF_USES_FD | EF_READS_FROM_FD,

driver/fillers_table.c

@@ -115,7 +115,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_PREAD_E] = {FILLER_REF(sys_pread64_e)},
         [PPME_SYSCALL_PREAD_X] = {FILLER_REF(sys_pread64_x)},
         [PPME_SYSCALL_PWRITE_E] = {FILLER_REF(sys_pwrite64_e)},
-        [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_write_x)},
+        [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_pwrite64_x)},
         [PPME_SYSCALL_READV_E] = {FILLER_REF(sys_readv_e)},
         [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_preadv_x)},
         [PPME_SYSCALL_WRITEV_E] = {FILLER_REF(sys_writev_e)},

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwrite64.bpf.c

@@ -66,7 +66,8 @@ int BPF_PROG(pwrite64_x, struct pt_regs *regs, long ret) {
 	        .only_port_range = false,
 	        .evt_type = PPME_SYSCALL_PWRITE_X,
 	};
-	int64_t bytes_to_read = ret > 0 ? ret : extract__syscall_argument(regs, 2);
+	size_t size = extract__syscall_argument(regs, 2);
+	int64_t bytes_to_read = ret > 0 ? ret : size;
 	uint16_t snaplen = maps__get_snaplen();
 	apply_dynamic_snaplen(regs, &snaplen, &snaplen_args);
 	if((int64_t)snaplen > bytes_to_read) {
@@ -77,6 +78,17 @@ int BPF_PROG(pwrite64_x, struct pt_regs *regs, long ret) {
 	unsigned long data_pointer = extract__syscall_argument(regs, 1);
 	auxmap__store_bytebuf_param(auxmap, data_pointer, snaplen, USER);
 
+	/* Parameter 3: fd (type: PT_FD) */
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
+	auxmap__store_s64_param(auxmap, (int64_t)fd);
+
+	/* Parameter 4: size (type: PT_UINT32) */
+	auxmap__store_u32_param(auxmap, size);
+
+	/* Parameter 5: pos (type: PT_UINT64) */
+	uint64_t pos = (uint64_t)extract__syscall_argument(regs, 3);
+	auxmap__store_u64_param(auxmap, pos);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/write.bpf.c

@@ -62,7 +62,8 @@ int BPF_PROG(write_x, struct pt_regs *regs, long ret) {
 	        .only_port_range = false,
 	        .evt_type = PPME_SYSCALL_WRITE_X,
 	};
-	int64_t bytes_to_read = ret > 0 ? ret : extract__syscall_argument(regs, 2);
+	size_t size = extract__syscall_argument(regs, 2);
+	int64_t bytes_to_read = ret > 0 ? ret : size;
 	uint16_t snaplen = maps__get_snaplen();
 	apply_dynamic_snaplen(regs, &snaplen, &snaplen_args);
 	if((int64_t)snaplen > bytes_to_read) {
@@ -73,6 +74,13 @@ int BPF_PROG(write_x, struct pt_regs *regs, long ret) {
 	unsigned long data_pointer = extract__syscall_argument(regs, 1);
 	auxmap__store_bytebuf_param(auxmap, data_pointer, snaplen, USER);
 
+	/* Parameter 3: fd (type: PT_FD) */
+	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
+	auxmap__store_s64_param(auxmap, (int64_t)fd);
+
+	/* Parameter 4: size (type: PT_UINT32) */
+	auxmap__store_u32_param(auxmap, size);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/ppm_fillers.c

@@ -460,6 +460,7 @@ int f_sys_write_x(struct event_filler_arguments *args) {
 	int res;
 	int64_t retval;
 	unsigned long bufsize;
+	size_t size = 0;
 
 	/*
 	 * Retrieve the FD. It will be used for dynamic snaplen calculation.
@@ -474,14 +475,21 @@ int f_sys_write_x(struct event_filler_arguments *args) {
 
 	/* Parameter 2: data (type: PT_BYTEBUF) */
 	/* Get the size from userspace paramater */
-	syscall_get_arguments_deprecated(args, 2, 1, &val);
-	bufsize = retval > 0 ? retval : val;
-
+	syscall_get_arguments_deprecated(args, 2, 1, &size);
+	bufsize = retval > 0 ? retval : size;
 	syscall_get_arguments_deprecated(args, 1, 1, &val);
 	args->enforce_snaplen = true;
 	res = val_to_ring(args, val, bufsize, true, 0);
 	CHECK_RES(res);
 
+	/* Parameter 3: fd (type: PT_FD) */
+	res = val_to_ring(args, (int64_t)args->fd, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 4: size (type: PT_UINT32) */
+	res = val_to_ring(args, (uint32_t)size, 0, false, 0);
+	CHECK_RES(res);
+
 	return add_sentinel(args);
 }
 
@@ -4183,6 +4191,68 @@ int f_sys_pwrite64_e(struct event_filler_arguments *args) {
 	return add_sentinel(args);
 }
 
+int f_sys_pwrite64_x(struct event_filler_arguments *args) {
+	unsigned long val;
+	int res;
+	int64_t retval;
+	unsigned long bufsize;
+	size_t size = 0;
+	unsigned long pos64 = 0;
+
+	/*
+	 * Retrieve the FD. It will be used for dynamic snaplen calculation.
+	 */
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	args->fd = (int)val;
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	retval = (int64_t)(long)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: data (type: PT_BYTEBUF) */
+	/* Get the size from userspace paramater */
+	syscall_get_arguments_deprecated(args, 2, 1, &size);
+	bufsize = retval > 0 ? retval : size;
+	syscall_get_arguments_deprecated(args, 1, 1, &val);
+	args->enforce_snaplen = true;
+	res = val_to_ring(args, val, bufsize, true, 0);
+	CHECK_RES(res);
+
+	/* Parameter 3: fd (type: PT_FD) */
+	res = val_to_ring(args, (int64_t)args->fd, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 4: size (type: PT_UINT32) */
+	res = val_to_ring(args, (uint32_t)size, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 5: pos (type: PT_UINT64) */
+#ifndef CAPTURE_64BIT_ARGS_SINGLE_REGISTER
+	{
+		unsigned long pos0 = 0;
+		unsigned long pos1 = 0;
+#if defined CONFIG_X86
+		syscall_get_arguments_deprecated(args, 3, 1, &pos0);
+		syscall_get_arguments_deprecated(args, 4, 1, &pos1);
+#elif defined CONFIG_ARM && CONFIG_AEABI
+		syscall_get_arguments_deprecated(args, 4, 1, &pos0);
+		syscall_get_arguments_deprecated(args, 5, 1, &pos1);
+#else
+#error This architecture/abi not yet supported
+#endif
+		pos64 = merge_64(pos1, pos0);
+	}
+#else
+	syscall_get_arguments_deprecated(args, 3, 1, &pos64);
+#endif /* CAPTURE_64BIT_ARGS_SINGLE_REGISTER*/
+
+	res = val_to_ring(args, pos64, 0, false, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
 int f_sys_preadv_e(struct event_filler_arguments *args) {
 	unsigned long val;
 	int res;

driver/ppm_fillers.h

@@ -196,6 +196,7 @@ or GPL2.txt for full copies of the license.
 	FN(sys_process_vm_writev_x)          \
 	FN(sys_delete_module_x)              \
 	FN(sys_pread64_x)                    \
+	FN(sys_pwrite64_x)                   \
 	FN(terminate_filler)
 
 #define FILLER_ENUM_FN(x) PPM_FILLER_##x,

test/drivers/test_suites/actions_suite/dynamic_snaplen.cpp

@@ -79,7 +79,7 @@ TEST(Actions, dynamic_snaplen_negative_fd) {
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(2);
+	evt_test->assert_num_params_pushed(4);
 }
 
 TEST(Actions, dynamic_snaplen_no_socket) {
@@ -158,7 +158,7 @@ TEST(Actions, dynamic_snaplen_no_socket) {
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(2);
+	evt_test->assert_num_params_pushed(4);
 }
 
 #if defined(__NR_sendto) && defined(__NR_socket) && defined(__NR_shutdown) && \

test/drivers/test_suites/syscall_exit_suite/pwrite64_x.cpp

@@ -48,9 +48,18 @@ TEST(SyscallExit, pwrite64X_no_snaplen) {
 	/* Parameter 2: data (type: PT_BYTEBUF) */
 	evt_test->assert_bytebuf_param(2, buf, DEFAULT_SNAPLEN / 2);
 
+	/* Parameter 3: fd (type: PT_FD) */
+	evt_test->assert_numeric_param(3, (int64_t)fd);
+
+	/* Parameter 4: size (type: PT_UINT32) */
+	evt_test->assert_numeric_param(4, (uint32_t)data_len);
+
+	/* Parameter 5: pos (type: PT_UINT64) */
+	evt_test->assert_numeric_param(5, (uint64_t)off);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(2);
+	evt_test->assert_num_params_pushed(5);
 }
 
 TEST(SyscallExit, pwrite64X_snaplen) {
@@ -90,9 +99,18 @@ TEST(SyscallExit, pwrite64X_snaplen) {
 	/* Parameter 2: data (type: PT_BYTEBUF) */
 	evt_test->assert_bytebuf_param(2, buf, DEFAULT_SNAPLEN);
 
+	/* Parameter 3: fd (type: PT_FD) */
+	evt_test->assert_numeric_param(3, (int64_t)-1);
+
+	/* Parameter 4: size (type: PT_UINT32) */
+	evt_test->assert_numeric_param(4, (uint32_t)data_len);
+
+	/* Parameter 5: pos (type: PT_UINT64) */
+	evt_test->assert_numeric_param(5, (uint64_t)off);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(2);
+	evt_test->assert_num_params_pushed(5);
 }
 
 TEST(SyscallExit, pwrite64X_fail) {
@@ -133,9 +151,18 @@ TEST(SyscallExit, pwrite64X_fail) {
 	/* Parameter 2: data (type: PT_BYTEBUF) */
 	evt_test->assert_empty_param(2);
 
+	/* Parameter 3: fd (type: PT_FD) */
+	evt_test->assert_numeric_param(3, (int64_t)-1);
+
+	/* Parameter 4: size (type: PT_UINT32) */
+	evt_test->assert_numeric_param(4, (uint32_t)data_len);
+
+	/* Parameter 5: pos (type: PT_UINT64) */
+	evt_test->assert_numeric_param(5, (uint64_t)off);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(2);
+	evt_test->assert_num_params_pushed(5);
 }
 
 #endif