Re: Invalid filename/mode in openat tracepoint data


Tristan Mayfield
 

Alessandro,

I figured out that it's non-deterministic. So sometimes certain commands (git, awk, rm, uname, etc.) will have an openat with no filename, but other times they will.
I ran these commands experimentally and got results similar to what I have below for all of them:

$ rm something
sys_enter_openat comm: rm pid:3512 filename:/etc/ld.so.cache (140398792747904)
sys_enter_openat comm: rm pid:3512 filename:/lib/x86_64-linux-gnu/libc.so.6 (140398792789520)
sys_enter_openat comm: rm pid:3512 filename:/usr/lib/locale/locale-archive (140398792339408)

sys_enter_openat comm: rm pid:3514 filename:/etc/ld.so.cache (139648615484288)
sys_enter_openat comm: rm pid:3514 filename:/lib/x86_64-linux-gnu/libc.so.6 (139648615525904)
sys_enter_openat comm: rm pid:3514 filename: (139648615075792)

Because it's been so consistent, I believe the missing file is... always? Most of the time? At least a good part of the time "/usr/lib/locale/locale-archive".
I'm not sure why an archive file would behave differently, but it seems to be causing this issue. You can use the below bpftrace script to figure out which commands most often create the no-name situation.

tracepoint:syscalls:sys_enter_open,
tracepoint:syscalls:sys_enter_openat
{
        if( str(args->filename) == "") {
        printf("sys_enter_openat comm: %s pid:%d filename:%s (%ld)\n",comm,pid, str(args->filename), args->filename);
        }
}

Tristan

Join iovisor-dev@lists.iovisor.org to automatically receive all group messages.