I am trying to see the kernel stack with the following bpftrace command:
root@ubuntu:~$ bpftrace -e 'k:vfs_read{@[kstack] = count()}'
Attaching 1 probe...
^C
@[
0xffffffffa78d2dc1
0xffffffffa78d306a
0xffffffffa7604fd7
0xffffffffa82000a4
]: 5
What should I do to see kernel function names instead of the addresses?
Take a look at /proc/kallsyms. If the first column is all zeros, it probably means that there are some restrictions placed on exposing kernel addresses. Here's a sample output:
The restrictions can be dropped by setting /proc/sys/kernel/kptr_restrict to 0 (consider 1 as well to keep some of the protections on):
At least in my case, this was enough to get the addresses to resolve to function names in the output of kstack():
Additional documentation:
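The check described in the answer above, as an added example that is not part of the original post: a small script that tests whether a kallsyms listing is masked and looks up the nearest preceding symbol for an address. The function names, file layout and all sample addresses are constructed for illustration; on a real system the two inputs would be /proc/sys/kernel/kptr_restrict and /proc/kallsyms.

```shell
#!/bin/sh
# Added example. Sample data below is constructed, not taken from a real kernel.

# kallsyms_masked FILE: succeeds when every address in column 1 is all zeros,
# which is what a restricted reader sees in /proc/kallsyms.
kallsyms_masked() {
    awk '$1 !~ /^0+$/ { seen = 1; exit }
         END { exit ((NR > 0 && !seen) ? 0 : 1) }' "$1"
}

# resolve_addr FILE ADDR: print the symbol with the highest address <= ADDR.
# Fixed-width lowercase hex sorts correctly as strings, so no 64-bit math.
resolve_addr() {
    want=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr 'A-F' 'a-f')
    awk -v want="$want" '
        length($1) == length(want) && ($1 "") <= (want "") && ($1 "") > best {
            best = $1 ""; name = $3
        }
        END { if (name == "") exit 1; print name }' "$1"
}

# diagnose KPTR_FILE KALLSYMS_FILE: one-line verdict for the current reader.
diagnose() {
    level=$(cat "$1")
    if kallsyms_masked "$2"; then
        echo "kptr_restrict=$level: addresses masked, stacks stay numeric"
    else
        echo "kptr_restrict=$level: addresses visible, stacks can resolve"
    fi
}

demo() {
    dir=$(mktemp -d)
    echo 1 > "$dir/kptr"
    printf '%s\n' '0000000000000000 T vfs_read' \
                  '0000000000000000 T ksys_read' > "$dir/masked"
    printf '%s\n' 'ffffffff81300000 T vfs_read' \
                  'ffffffff81300400 T ksys_read' > "$dir/open"
    diagnose "$dir/kptr" "$dir/masked"
    diagnose "$dir/kptr" "$dir/open"
    resolve_addr "$dir/open" 0xffffffff81300011   # constructed address
    rm -rf "$dir"
}
demo
```

The demo uses the same kptr_restrict value of 1 for both listings because, at that setting, what a reader sees depends on its privileges (CAP_SYSLOG), so the file contents are the reliable thing to check.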