Invalid filename/mode in openat tracepoint data


Hello everyone,

I'll start with some backstory first: I wrote my own BPF library to trace functions/syscalls and yesterday I noticed that I am sometimes receiving broken openat() tracepoint data. This happens randomly, often when processes are created in a short burst (like opening a new terminal instance with zsh + oh-my-zsh installed).

I initially thought it was my fault, and proceeded to debug the generated IR code and double check my tracepoint data definition (which, for reference, can be found here: I ended up giving up, not finding the reason this was failing.

Today, I have tried to replicate the same functionality using BCC so I could compare the output with my library and I ended up inside the same weird behavior:

Full script here:

bpf_trace_printk("sys_enter_openat mode:%ld "
"filename:%s (%ld)\\n",

2608.223222000 b'git' 8998 b'sys_enter_openat mode:0 filename: (93849603522670)

I was able to replicate this problem on Ubuntu 20.20 (5.4.0), Arch Linux (5.7.9) and Ubuntu 19.10 (5.3.0).

Has anyone ever encountered this problem, or has a few pointers as to why it is happening?
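
To measure how often the symptom above occurs and which processes it affects, the captured output can be triaged offline. The following is an added example, not part of the original post or of BCC: it assumes each line is printed as timestamp, comm, pid and message in the shape of the output line shown above, and apart from the first sample line (copied from the post) the sample lines are constructed.

```python
import re
from collections import Counter

# Line shape assumed from the single output line in the post:
#   <ts> b'<comm>' <pid> b'sys_enter_openat mode:<n> filename:<str> (<ptr>)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) b'(?P<comm>[^']*)' (?P<pid>\d+) "
    r"b'sys_enter_openat mode:(?P<mode>-?\d+) "
    r"filename:(?P<filename>.*) \((?P<ptr>-?\d+)\)(?:\\n)?'?\s*$"
)

def parse_line(line):
    """Return a dict for one trace line, or None if it is not an openat record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for key in ("pid", "mode", "ptr"):
        rec[key] = int(rec[key])
    return rec

def is_suspect(rec):
    # The symptom from the post: a non-NULL filename pointer, but an empty string.
    return rec["filename"] == "" and rec["ptr"] != 0

def triage(lines):
    """Count parsed records and group the suspect ones by process name."""
    parsed = [r for r in map(parse_line, lines) if r is not None]
    suspects = [r for r in parsed if is_suspect(r)]
    by_comm = Counter(r["comm"] for r in suspects)
    return {"total": len(parsed), "suspects": suspects, "by_comm": dict(by_comm)}

SAMPLE = [
    # From the post (closing quote missing there as well):
    "2608.223222000 b'git' 8998 b'sys_enter_openat mode:0 filename: (93849603522670)",
    # Constructed lines:
    "2608.223301000 b'git' 8998 b'sys_enter_openat mode:0 filename:/etc/gitconfig (140722431219712)'",
    "2608.224010000 b'zsh' 9001 b'sys_enter_openat mode:438 filename: (94120011223344)'",
    "2608.224500000 b'zsh' 9001 b'sys_enter_openat mode:0 filename:/tmp/a (1).txt (140722431219999)'",
    "2608.225000000 b'cat' 9002 b'some other trace line'",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(f"{len(report['suspects'])} of {report['total']} records have an empty filename")
    for comm, count in sorted(report["by_comm"].items()):
        print(f"  {comm}: {count}")
```
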



