From 36899612d2a83e9c3e798138a9def489456bf413 Mon Sep 17 00:00:00 2001 From: Vitaly Pryakhin Date: Fri, 16 Jan 2026 22:51:05 +0200 Subject: [PATCH 1/3] fix Makefile: build vmlinux before generate --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 715cf93..8793ff6 100644 --- a/Makefile +++ b/Makefile @@ -13,7 +13,7 @@ LDFLAGS := -X github.com/loresuso/psc/cmd.Version=$(VERSION) \ all: build -generate: +generate: vmlinux go run github.com/cilium/ebpf/cmd/bpf2go -go-package main -cc clang -no-strip -target bpfel -cflags "-O2 -g -Wall -I$(LIBBPF_INCLUDE)" tasks bpf/tasks.c go run github.com/cilium/ebpf/cmd/bpf2go -go-package main -cc clang -no-strip -target bpfel -cflags "-O2 -g -Wall -I$(LIBBPF_INCLUDE)" files bpf/files.c From 9954c6551e5bdb942c836785f856b9818480697d Mon Sep 17 00:00:00 2001 From: Vitaly Pryakhin Date: Fri, 16 Jan 2026 23:22:35 +0200 Subject: [PATCH 2/3] fix build on ubuntu 22.04 --- bpf/tasks.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/bpf/tasks.c b/bpf/tasks.c index 2aedd71..ee761e0 100644 --- a/bpf/tasks.c +++ b/bpf/tasks.c @@ -3,6 +3,7 @@ #include "vmlinux.h" #include "constants.h" #include +#include char LICENSE[] SEC("license") = "GPL"; 
@@ -58,9 +59,18 @@ static __always_inline void fill_task_descriptor(struct task_descriptor *td, str td->stime = task->stime; // Capabilities from credentials - td->cap_effective = task->cred->cap_effective.val; - td->cap_permitted = task->cred->cap_permitted.val; - td->cap_inheritable = task->cred->cap_inheritable.val; + // kernel_cap_struct has cap[2] (two __u32 values), combine into __u64 + struct kernel_cap_struct cap_eff = {}; + struct kernel_cap_struct cap_perm = {}; + struct kernel_cap_struct cap_inh = {}; + + bpf_probe_read_kernel(&cap_eff, sizeof(cap_eff), &task->cred->cap_effective); + bpf_probe_read_kernel(&cap_perm, sizeof(cap_perm), &task->cred->cap_permitted); + bpf_probe_read_kernel(&cap_inh, sizeof(cap_inh), &task->cred->cap_inheritable); + + td->cap_effective = ((__u64)cap_eff.cap[1] << 32) | cap_eff.cap[0]; + td->cap_permitted = ((__u64)cap_perm.cap[1] << 32) | cap_perm.cap[0]; + td->cap_inheritable = ((__u64)cap_inh.cap[1] << 32) | cap_inh.cap[0]; // Get memory info from mm_struct mm = task->mm; 
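Review bot: The added lines name `struct kernel_cap_struct` and its `cap[2]` words, a layout found only in vmlinux.h generated from older kernels, while the removed `.val` lines matched the newer single 64-bit layout. Presumably because vmlinux.h is generated on the build host, the build now works on Ubuntu 22.04 but would fail on hosts with the newer headers; the rss_stat hunk that follows swaps one layout for the other in the same way. For the capability sets, a layout-neutral read avoids naming either type: `bpf_probe_read_kernel(&td->cap_effective, sizeof(td->cap_effective), &task->cred->cap_effective);`. This yields the same value on the little-endian target the Makefile selects (`-target bpfel`), assuming the `td` fields are `__u64`. The return values of the three reads are also ignored, so a failed read is reported as an empty capability set, which a reader cannot tell apart from a process that holds none. fill_task_descriptor starts and ends outside this hunk.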
@@ -71,9 +81,15 @@ static __always_inline void fill_task_descriptor(struct task_descriptor *td, str // RSS: sum of file, anon, and shmem pages (approximation using base count) // Note: This is the base count only, actual RSS may be slightly different // due to per-CPU deltas in percpu_counter - rss_file = mm->rss_stat[MM_FILEPAGES].count; - rss_anon = mm->rss_stat[MM_ANONPAGES].count; - rss_shmem = mm->rss_stat[MM_SHMEMPAGES].count; + // rss_stat is a struct with count[4] array (atomic_long_t = atomic64_t) + // atomic64_t has a .counter field containing the actual value + atomic64_t count_file, count_anon, count_shmem; + bpf_probe_read_kernel(&count_file, sizeof(count_file), &mm->rss_stat.count[MM_FILEPAGES]); + rss_file = BPF_CORE_READ(&count_file, counter); + bpf_probe_read_kernel(&count_anon, sizeof(count_anon), &mm->rss_stat.count[MM_ANONPAGES]); + rss_anon = BPF_CORE_READ(&count_anon, counter); + bpf_probe_read_kernel(&count_shmem, sizeof(count_shmem), &mm->rss_stat.count[MM_SHMEMPAGES]); + rss_shmem = BPF_CORE_READ(&count_shmem, counter); // Ensure non-negative (percpu counters can temporarily go negative) if (rss_file < 0) rss_file = 0; From 8ef322d14f80a621a03cd5aacf5e290f1aa761ca Mon Sep 17 00:00:00 2001 From: Vitaly Pryakhin Date: Fri, 16 Jan 2026 23:26:58 +0200 Subject: [PATCH 3/3] fix the error "BPF program is too large" --- bpf/tasks.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bpf/tasks.c b/bpf/tasks.c index ee761e0..33d8b5a 100644 --- a/bpf/tasks.c +++ b/bpf/tasks.c @@ -139,6 +139,10 @@ int ps_task(struct bpf_iter__task *ctx) } // Iterate stack traces +// NOTE: Commented out because BPF_SEQ_PRINTF with %pB format specifier causes +// the BPF verifier to generate too many instructions (program too large error). +// This function is not currently used in the codebase. +/* SEC("iter/task") int dump_task_stack(struct bpf_iter__task *ctx) { @@ -164,3 +168,4 @@ int dump_task_stack(struct bpf_iter__task *ctx) return 0; } +*/
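Review bot: `BPF_CORE_READ(&count_file, counter)` is applied to a local stack copy that `bpf_probe_read_kernel` has just filled, so each counter costs a second probe read where a plain member access would do: `rss_file = count_file.counter;`, and likewise for `count_anon` and `count_shmem`. That drops three helper calls from an `__always_inline` function that is expanded into every caller. The three `bpf_probe_read_kernel` return values are unchecked and the `atomic64_t` locals are not initialised; the helper is expected to zero-fill the destination on failure, so a short comment such as `// a failed read yields 0, same as an empty counter` would make that reliance explicit. The enclosing function starts and ends outside the hunk.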
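Review bot: Wrapping `dump_task_stack` in `/* ... */` (opened in the `@@ -139,6 +139,10 @@` hunk, closed in the `@@ -164,3 +168,4 @@` hunk) leaves dead code in the file and is fragile. Any block comment inside the body, whose lines between the two hunks are not shown, would end the outer comment early. If the program is unused, as the new note says, deleting it keeps it recoverable from history; if it should stay available, `#if 0` / `#endif` or a named build macro is a safer wrapper. The note's wording could also be tightened: the verifier rejects the program as too large, it does not generate instructions.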