elastic · nicholasberlin · Sep 24, 2025 · Sep 22, 2025
@@ -195,24 +195,20 @@ int BPF_PROG(sched_process_exec,
 // The problem is taskstats_exit__enter happens before file descriptors are
 // closed in exit_files(), so instead of emiting the event here, record that we
 // saw group_dead and delay emiting the event until sched_process_exit().
-static int taskstats_exit__enter(const struct task_struct *task, int group_dead)
-{
-    struct ebpf_events_state state = {};
-
-    if (!group_dead || is_kernel_thread(task))
-        return 0;
-
-    ebpf_events_state__set(EBPF_EVENTS_STATE_GROUP_DEAD, &state);
-
-    return 0;
-}
-
-SEC("tp_btf/sched_process_exit")
-int BPF_PROG(sched_process_exit, const struct task_struct *task)
+//
+// UPDATE: taskstats_exit can be compiled out of the kernel based on
+// configuration. So, instead we use disassociate_ctty (guarded by CONFIG_TTY),
+// which is hopefully less common of being compiled out. disassociate_ctty is
+// called from do_exit() only when group_dead is true, and in that case,
+// the parameter, on_exit, is set to true, and we can use current to populate
+// event data. Finally, sched_process_exit() is not called after exit_files,
+// but disassociate_ctty is.
+static int disassociate_ctty__enter(int on_exit)
 {
+    const struct task_struct *task = (struct task_struct *)bpf_get_current_task();
     struct ebpf_process_exit_event *event;
 
-    if (ebpf_events_state__get(EBPF_EVENTS_STATE_GROUP_DEAD) == NULL)
+    if (!on_exit || is_kernel_thread(task))
         return 0;
 
     event = get_event_buffer();
@@ -247,16 +243,16 @@ int BPF_PROG(sched_process_exit, const struct task_struct *task)
     return 0;
 }
 
-SEC("fentry/taskstats_exit")
-int BPF_PROG(fentry__taskstats_exit, const struct task_struct *task, int group_dead)
+SEC("fentry/disassociate_ctty")
+int BPF_PROG(fentry__disassociate_ctty, int on_exit)
 {
-    return taskstats_exit__enter(task, group_dead);
+    return disassociate_ctty__enter(on_exit);
 }
 
-SEC("kprobe/taskstats_exit")
-int BPF_KPROBE(kprobe__taskstats_exit, const struct task_struct *task, int group_dead)
+SEC("kprobe/disassociate_ctty")
+int BPF_KPROBE(kprobe__disassociate_ctty, int on_exit)
 {
-    return taskstats_exit__enter(task, group_dead);
+    return disassociate_ctty__enter(on_exit);
 }
 
 // tracepoint/syscalls/sys_[enter/exit]_[name] tracepoints are not available

@@ -21,7 +21,6 @@ enum ebpf_events_state_op {
     EBPF_EVENTS_STATE_WRITE          = 7,
     EBPF_EVENTS_STATE_WRITEV         = 8,
     EBPF_EVENTS_STATE_CHOWN          = 9,
-    EBPF_EVENTS_STATE_GROUP_DEAD     = 10,
 };
 
 struct ebpf_events_key {
@@ -92,7 +91,6 @@ struct ebpf_events_state {
         struct ebpf_events_write_state write;
         struct ebpf_events_writev_state writev;
         struct ebpf_events_chown_state chown;
-        /* struct ebpf_events_group_dead group_dead; nada */
     };
 };
 

@@ -381,7 +381,7 @@ static int probe_set_autoload(struct btf *btf, struct EventProbe_bpf *obj, uint6
         err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__do_filp_open, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kprobe__vfs_rename, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__vfs_rename, false);
-        err = err ?: bpf_program__set_autoload(obj->progs.kprobe__taskstats_exit, false);
+        err = err ?: bpf_program__set_autoload(obj->progs.kprobe__disassociate_ctty, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kprobe__commit_creds, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__inet_csk_accept, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kprobe__tcp_v4_connect, false);
@@ -403,7 +403,7 @@ static int probe_set_autoload(struct btf *btf, struct EventProbe_bpf *obj, uint6
         err = err ?: bpf_program__set_autoload(obj->progs.fexit__do_filp_open, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fentry__vfs_rename, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fexit__vfs_rename, false);
-        err = err ?: bpf_program__set_autoload(obj->progs.fentry__taskstats_exit, false);
+        err = err ?: bpf_program__set_autoload(obj->progs.fentry__disassociate_ctty, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fentry__commit_creds, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fexit__inet_csk_accept, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fexit__tcp_v4_connect, false);
@@ -473,7 +473,7 @@ static bool system_has_bpf_tramp(void)
         {.code = BPF_EXIT | BPF_JMP, .dst_reg = 0, .src_reg = 0, .off = 0, .imm = 0}};
     int insns_cnt = 2;
 
-    btf_id = btf__find_by_name(btf, "taskstats_exit");
+    btf_id = btf__find_by_name(btf, "disassociate_ctty");
     LIBBPF_OPTS(bpf_prog_load_opts, opts, .log_buf = NULL, .log_level = 0,
                 .expected_attach_type = BPF_TRACE_FENTRY, .attach_btf_id = btf_id);
     prog_fd = bpf_prog_load(BPF_PROG_TYPE_TRACING, NULL, "GPL", insns, insns_cnt, &opts);