Missed counts

bpf/lib/bpf_event.h

@@ -16,4 +16,39 @@ struct {
 	__type(value, struct event);
 } tcpmon_map SEC(".maps");
 
+struct {
+	__uint(type, BPF_MAP_TYPE_PERCPU_HASH);
+	__uint(max_entries, 255);
+	__type(key, __u32);
+	__type(value, __u64);
+} lost_event SEC(".maps");
+
+static inline __attribute__((always_inline)) void
+inc_lost_event(void *ctx, __u8 op)
+{
+	__u64 *lost, val = 0;
+	__u32 idx = op;
+
+	lost = map_lookup_elem(&lost_event, &idx);
+	if (!lost) {
+		map_update_elem(&lost_event, &idx, &val, BPF_ANY);
+		lost = map_lookup_elem(&lost_event, &idx);
+	}
+
+	if (lost)
+		(*lost)++;
+}
+
+#define ENOSPC 28
+
+static inline __attribute__((always_inline)) void
+send_event(void *ctx, void *data, size_t total, __u8 op)
+{
+	long err;
+
+	err = perf_event_output(ctx, &tcpmon_map, BPF_F_CURRENT_CPU, data, total);
+	if (err == -ENOSPC)
+		inc_lost_event(ctx, op);
+}
+
 #endif // __BPF_EVENT_H

bpf/process/bpf_execve_event.c

@@ -278,6 +278,6 @@ execve_send(struct sched_execve_args *ctx)
 		sizeof(struct msg_execve_key) + sizeof(__u64) +
 		sizeof(struct msg_capabilities) + sizeof(struct msg_ns) +
 		sizeof(struct msg_execve_key) + p->size);
-	perf_event_output(ctx, &tcpmon_map, BPF_F_CURRENT_CPU, event, size);
+	send_event(ctx, event, size, MSG_OP_EXECVE);
 	return 0;
 }

bpf/process/bpf_exit.h

@@ -61,8 +61,7 @@ static inline __attribute__((always_inline)) void event_exit_send(void *ctx, __u
 		probe_read(&exit->info.code, sizeof(exit->info.code),
 			   _(&task->exit_code));
 
-		perf_event_output(ctx, &tcpmon_map, BPF_F_CURRENT_CPU, exit,
-				  size);
+		send_event(ctx, exit, size, MSG_OP_EXIT);
 	}
 	execve_map_delete(tgid);
 }

bpf/process/bpf_fork.c

@@ -88,8 +88,7 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
 		/* Last: set any encountered error when setting cgroup info */
 		msg.flags |= error_flags;
 
-		perf_event_output(ctx, &tcpmon_map, BPF_F_CURRENT_CPU, &msg,
-				  size);
+		send_event(ctx, &msg, size, MSG_OP_CLONE);
 	}
 	return 0;
 }

bpf/process/bpf_loader.c

@@ -134,6 +134,6 @@ loader_kprobe(struct pt_regs *ctx)
 	msg->common.op = MSG_OP_LOADER;
 	msg->common.flags = 0;
 
-	perf_event_output(ctx, &tcpmon_map, BPF_F_CURRENT_CPU, msg, total);
+	send_event(ctx, msg, total, MSG_OP_LOADER);
 	return 0;
 }

bpf/process/data_event.h

@@ -32,8 +32,7 @@ __do_bytes(void *ctx, struct msg_data *msg, unsigned long uptr, size_t bytes)
 		return err;
 
 	msg->common.size = offsetof(struct msg_data, arg) + bytes;
-	perf_event_output(ctx, &tcpmon_map, BPF_F_CURRENT_CPU, msg,
-			  msg->common.size);
+	send_event(ctx, msg, msg->common.size, MSG_OP_DATA);
 	return bytes;
 b:
 	return -1;
@@ -106,7 +105,7 @@ __do_str(void *ctx, struct msg_data *msg, unsigned long arg, bool *done)
 		     :
 		     : [size] "+r"(size)
 		     :);
-	perf_event_output(ctx, &tcpmon_map, BPF_F_CURRENT_CPU, msg, size);
+	send_event(ctx, msg, size, MSG_OP_DATA);
 	return err;
 }
 

bpf/process/types/basic.h

@@ -1969,7 +1969,7 @@ generic_output(void *ctx, struct bpf_map_def *heap)
 		     :
 		     : [total] "+r"(total)
 		     :);
-	perf_event_output(ctx, &tcpmon_map, BPF_F_CURRENT_CPU, e, total);
+	send_event(ctx, e, total, e->common.op);
 	return 1;
 }