
This is a canonical question. I want to understand why a specific system call is failing. Is it possible to display the kernel stack trace of the syscall:

  • when the return is non-zero or is negative (it depends on the syscall to know when it fails; maybe we should base the failure on errno)
  • and when the execution reaches the return instruction?

I tried with trace/trace-bpfcc from bcc-tools (Fedora) / bpfcc-tools (Ubuntu):

```
$ sudo /usr/sbin/trace-bpfcc -K 'r::do_sys_open "%llx", retval'&
$ touch /root  # As normal user
15979   15979   touch           do_sys_open      fffffffffffffffe
        kretprobe_trampoline+0x0 [kernel]
        do_syscall_64+0x5a [kernel]
        entry_SYSCALL_64_after_hwframe+0x44 [kernel]
```

But the stack trace is meaningless.

Alexis Wilke
Mircea Vutcovici
  • I expect it to be possible with one of these tools: BPF, ftrace, systemtap, perf. But I couldn't find anything about it. – Mircea Vutcovici Feb 18 '19 at 17:32
  • I'm not too sure I understand your question. You get a stack trace when you hit an error such as a `SEGV` to know the location of the event. If you have a "permission denied" error, what kind of stack trace do you expect? Maybe you're just looking for a "trace" (i.e. see what gets executed)? Although without the debug version of the kernel you'd just get assembly instructions and that could be a lot of them... or maybe you'd like to see all the functions being called? – Alexis Wilke Apr 04 '21 at 19:43
  • The decision to return an error is in the kernel. I want to see where exactly in the kernel that decision was taken. E.g. when trying to open(2) a file for reading you can get EPERM from a file system permission, extended ACL, SELinux, mount options, or an invalid request for a specific file for special file systems like sysfs and devtmpfs. How do you know in a generic way what happened? – Mircea Vutcovici Apr 04 '21 at 20:10
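
The `retval` column printed by the `"%llx"` format above is the raw 64-bit register value, so an error shows up as a large hex number. As an added example (not part of the original post or of bcc), this Python sketch parses output in the layout quoted in the question, converts the value to a signed errno and collects the stack frames under each event. The function names are hypothetical, and the column layout and a `comm` without spaces are assumptions.

```python
import errno
import re

# Constructed sample: the trace-bpfcc output quoted in the question.
SAMPLE = """\
15979   15979   touch           do_sys_open      fffffffffffffffe
        kretprobe_trampoline+0x0 [kernel]
        do_syscall_64+0x5a [kernel]
        entry_SYSCALL_64_after_hwframe+0x44 [kernel]
"""

MAX_ERRNO = 4095  # the kernel's error range is -1..-4095 (IS_ERR_VALUE)
EVENT_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+([0-9a-fA-F]+)\s*$")
FRAME_RE = re.compile(r"^\s+(\S+?)\+0x([0-9a-fA-F]+)\s+\[(\S+)\]\s*$")

def decode_retval(hex_value):
    """Interpret a %llx-formatted register value as a signed 64-bit result."""
    raw = int(hex_value, 16)
    signed = raw - (1 << 64) if raw >= (1 << 63) else raw
    if -MAX_ERRNO <= signed < 0:
        return signed, errno.errorcode.get(-signed, "E?")
    return signed, None  # not an error: e.g. a file descriptor

def parse_trace(text):
    """Return one dict per event, with decoded errno and its stack frames."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            value, name = decode_retval(m.group(5))
            events.append({"pid": int(m.group(1)), "comm": m.group(3),
                           "func": m.group(4), "retval": value,
                           "errno": name, "stack": []})
            continue
        f = FRAME_RE.match(line)
        if f and events:  # indented frame lines belong to the last event
            events[-1]["stack"].append(f.group(1))
    return events

def failed_events(text):
    """Keep only events whose return value is in the kernel's error range."""
    return [e for e in parse_trace(text) if e["errno"] is not None]

if __name__ == "__main__":
    for e in failed_events(SAMPLE):
        print(e["comm"], e["func"], e["retval"], e["errno"], e["stack"])
```

Piping live `trace-bpfcc -K` output through `failed_events` filters out successful calls, which covers the "only when it fails" half of the question; the stack it records is still the one captured at return time.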
