Removed the unsupported fentry/vfs_pwritev probe and cleaned up the loader/attach paths so only the standard write hooks remain. Updates: ebpf/diffkeeper.bpf.c drops the pwritev program; pkg/ebpf/bpf_objects_linux.go removes the program binding/close; pkg/ebpf/manager_linux.go now only attaches write/writev and counts successful attaches.

Shane Wall · Shane Wall · commit 11f3708c8ebc · 2025-11-29T07:44:31.000+11:00
diff --git a/ebpf/diffkeeper.bpf.c b/ebpf/diffkeeper.bpf.c
@@ -79,22 +79,6 @@ int BPF_PROG(fentry_vfs_writev, struct kiocb *iocb, struct iovec *iov,
 	return emit_syscall_event(file, total);
 }
 
-SEC("fentry/vfs_pwritev")
-int BPF_PROG(fentry_vfs_pwritev, struct file *file, struct iovec *iov,
-	     unsigned long nr_segs, loff_t *pos)
-{
-	size_t total = 0;
-
-#pragma unroll
-	for (int i = 0; i < 6; i++) {
-		if (i >= nr_segs)
-			break;
-		size_t len = BPF_CORE_READ(&iov[i], iov_len);
-		total += len;
-	}
-	return emit_syscall_event(file, total);
-}
-
 SEC("tracepoint/sched/sched_process_exec")
 int handle_sched_exec(struct trace_event_raw_sched_process_exec *ctx)
 {
diff --git a/pkg/ebpf/bpf_objects_linux.go b/pkg/ebpf/bpf_objects_linux.go
@@ -15,12 +15,11 @@ var diffkeeperObject []byte
 
 // bpfObjects mirrors the maps and programs compiled into diffkeeper.bpf.o.
 type bpfObjects struct {
-	Events           *ebpf.Map     `ebpf:"events"`
-	LifecycleEvents  *ebpf.Map     `ebpf:"lifecycle_events"`
-	FentryVfsWrite   *ebpf.Program `ebpf:"fentry_vfs_write"`
-	FentryVfsWritev  *ebpf.Program `ebpf:"fentry_vfs_writev"`
-	FentryVfsPwritev *ebpf.Program `ebpf:"fentry_vfs_pwritev"`
-	HandleSchedExec  *ebpf.Program `ebpf:"handle_sched_exec"`
+	Events          *ebpf.Map     `ebpf:"events"`
+	LifecycleEvents *ebpf.Map     `ebpf:"lifecycle_events"`
+	FentryVfsWrite  *ebpf.Program `ebpf:"fentry_vfs_write"`
+	FentryVfsWritev *ebpf.Program `ebpf:"fentry_vfs_writev"`
+	HandleSchedExec *ebpf.Program `ebpf:"handle_sched_exec"`
 }
 
 func (o *bpfObjects) Close() error {
@@ -40,9 +39,6 @@ func (o *bpfObjects) Close() error {
 	if o.FentryVfsWritev != nil {
 		o.FentryVfsWritev.Close()
 	}
-	if o.FentryVfsPwritev != nil {
-		o.FentryVfsPwritev.Close()
-	}
 	if o.HandleSchedExec != nil {
 		o.HandleSchedExec.Close()
 	}
diff --git a/pkg/ebpf/manager_linux.go b/pkg/ebpf/manager_linux.go
@@ -144,9 +144,9 @@ func (m *kernelManager) attachSyscallProbes() error {
 	probes := []*ebpf.Program{
 		m.objs.FentryVfsWrite,
 		m.objs.FentryVfsWritev,
-		m.objs.FentryVfsPwritev,
 	}
 
+	attached := 0
 	for _, prog := range probes {
 		if prog == nil {
 			continue
@@ -161,9 +161,10 @@ func (m *kernelManager) attachSyscallProbes() error {
 			continue
 		}
 		m.links = append(m.links, l)
+		attached++
 	}
 
-	if len(m.links) == 0 {
+	if attached == 0 {
 		return fmt.Errorf("failed to attach any write probes")
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -144,9 +144,9 @@ func (m *kernelManager) attachSyscallProbes() error {`
`144`	`144`	`probes := []*ebpf.Program{`
`145`	`145`	`m.objs.FentryVfsWrite,`
`146`	`146`	`m.objs.FentryVfsWritev,`
`147`		`- m.objs.FentryVfsPwritev,`
`148`	`147`	`}`
`149`	`148`
	`149`	`+ attached := 0`
`150`	`150`	`for _, prog := range probes {`
`151`	`151`	`if prog == nil {`
`152`	`152`	`continue`
`@@ -161,9 +161,10 @@ func (m *kernelManager) attachSyscallProbes() error {`
`161`	`161`	`continue`
`162`	`162`	`}`
`163`	`163`	`m.links = append(m.links, l)`
	`164`	`+ attached++`
`164`	`165`	`}`
`165`	`166`
`166`		`- if len(m.links) == 0 {`
	`167`	`+ if attached == 0 {`
`167`	`168`	`return fmt.Errorf("failed to attach any write probes")`
`168`	`169`	`}`
`169`	`170`