Re: ptrace in 2.6.5

From: OGAWA Hirofumi
Date: Mon May 10 2004 - 16:51:35 EST


Fabiano Ramos <ramos_fabiano@xxxxxxxxxxxx> writes:

> > > Is ptrace(), in singlestep mode, required to stop after a int 0x80?
> > > When tracing a sequence like
> > >
> > > mov ...
> > > int 0x80
> > > mov ....
> > >
> > > ptrace would notify the tracer after the two movs, but not after the
> > > int 0x80. I want to know if it is a bug or the expected behaviour.
> >
> > What happens is that after the int 0x80 the CPU is in ring 0 (you
> > don't get an trace event in that mode unless you use a kernel debugger).
> > Then when the kernel returns the last instruction executed before it is an
> > IRET. But the IRET is also executed still in ring 0 and you should not get
> > an event for it (you can not even access its code from user space).
>
> I got it. But I need it to stop after the instruction. I am a newbie,
> so is it trivial to patch the kernel so that it STOPS after the int
> 0x80? Can you give me some light on it?

This is the behavior of CPU, not kernel. "iret" after "int 0x80",
it restores the eip to "mov ...".

int 0x80
does syscall
iret
mov ....
<---- exception here (eip = "next insn")
next insn

So single-step exception happen *after* executed the "mov ...".
Probably you need to use the breakpoint instead of single-step.
--
OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/