Skip to content

Commit

Permalink
fix(events): check if init finished in hidden kernel module
Browse files Browse the repository at this point in the history
On startup, there could be a case where a kernel module is being loaded before
the hidden kernel module initialization function is called and
finished.
  • Loading branch information
OriGlassman authored and randomname21 committed Oct 28, 2024
1 parent a23b9f6 commit c1dd700
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion pkg/events/derive/hidden_kernel_module.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ var (
newModuleOnlyMap *bpf.BPFMap
recentDeletedModulesMap *bpf.BPFMap
wakeupChannel = make(chan ScanRequest)
isInitialized = false
)

const (
Expand All @@ -53,6 +54,11 @@ func HiddenKernelModule() DeriveFunction {

func deriveHiddenKernelModulesArgs() multiDeriveArgsFunction {
return func(event trace.Event) ([][]interface{}, []error) {
if !isInitialized {
logger.Debugw("hidden kernel module derive logic: not initialized yet... skipping")
return nil, nil
}

address, err := parse.ArgVal[uint64](event.Args, "address")
if err != nil {
return nil, []error{err}
Expand Down Expand Up @@ -115,7 +121,12 @@ func InitHiddenKernelModules(modsMap *bpf.BPFMap, newModMap *bpf.BPFMap, deleted
}

eventsFromHistoryScan, err = lru.New[*trace.Event, struct{}](50) // If there are more hidden modules found in history scan, it'll report only the size of the LRU
return err
if err != nil {
return err
}

isInitialized = true
return nil
}

// handleHistoryScanFinished handles the case where the history scan finished
Expand Down

0 comments on commit c1dd700

Please sign in to comment.