You're reading from Linux Kernel Debugging Leverage proven tools and advanced techniques to effectively debug Linux kernels and kernel modules

Product type Paperback

Published in Aug 2022

Publisher Packt

ISBN-13 9781801075039

Length 638 pages

Edition 1st Edition

Tools

Linux

Concepts

System Administration

Author (1):

Kaiwan N. Billimoria

View More author details

Table of Contents (17) Chapters

Preface

1. Part 1: A General Introduction and Approaches to Kernel Debugging

2. Chapter 1: A General Introduction to Debugging Software FREE CHAPTER

3. Chapter 2: Approaches to Kernel Debugging

4. Part 2: Kernel and Driver Debugging Tools and Techniques

5. Chapter 3: Debug via Instrumentation – printk and Friends

6. Chapter 4: Debug via Instrumentation – Kprobes

7. Chapter 5: Debugging Kernel Memory Issues – Part 1

8. Chapter 6: Debugging Kernel Memory Issues – Part 2

9. Chapter 7: Oops! Interpreting the Kernel Bug Diagnostic

10. Chapter 8: Lock Debugging

11. Part 3: Additional Kernel Debugging Tools and Techniques

12. Chapter 9: Tracing the Kernel Flow

13. Chapter 10: Kernel Panic, Lockups, and Hangs

14. Chapter 11: Using Kernel GDB (KGDB)

15. Chapter 12: A Few More Kernel Debugging Approaches

16. Other Books You May Enjoy

Trapping into the execve() API – via perf and eBPF tooling

On Linux (and UNIX), user mode applications – processes – are launched or executed via a family of so-called exec C library (glibc) APIs: execl(), execlp(), execv(), execvp(), execle(), execvpe(), and execve().

A quick couple of things to know about these seven APIs: the first six are merely glibc wrappers that transform their arguments and ultimately invoke the execve() API – it is the actual system call, the one that causes the process context to switch to kernel mode and run the kernel code corresponding to the system call. Also, FYI, execvpe() is a GNU extension (and thus practically only seen on Linux).

The point here is simply this: ultimately, pretty much all processes (and thus apps) are executed via the kernel code of execve()! Within the kernel, execve() becomes the sys_execve() function (in a bit of an indirect fashion, via the SYSCALL_DEFINE3() macro), which invokes the actual worker...