From c3177bd82c16429c1bb246d19af76012479f0c01 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sun, 31 May 2026 19:04:44 +0300 Subject: getxattrat: READ-classify return for xattr-get family consistency getxattrat(2) (Linux 6.13+) returns the xattr value size in bytes, exactly like getxattr/lgetxattr/fgetxattr, but its exit was classified UNCLASSIFIED, so its read bytes were dropped from I/O totals. Classify it as ReadClassified and regenerate the BPF handler (ret_type now READ_CLASSIFIED). Path extraction (args[1], after the dirfd) and the name-not-captured-as-path behaviour were already correct. Update the docs ReadClassified list and the retclassify expectation, and add the first xattr integration coverage: an ioworkload scenario that sets then getxattrat-reads a user xattr on tmpfs, plus a test that asserts enter_getxattrat captures the file path (not the xattr name) and accounts the returned value size as read bytes. Co-Authored-By: Claude Opus 4.8 --- internal/c/generated_tracepoints.c | 4 ++-- internal/c/generated_tracepoints_result.txt | 2 +- internal/generate/classify.go | 3 +++ internal/generate/retclassify_test.go | 3 +++ 4 files changed, 9 insertions(+), 3 deletions(-) (limited to 'internal') diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index 5c72813..8c76e7a 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -6372,7 +6372,7 @@ int handle_sys_enter_getxattrat(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_getxattrat is a struct ret_event (READ_CLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getxattrat") int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) { __u32 pid, tid; 
@@ -6392,7 +6392,7 @@ int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) { ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; + ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 971f92c..0842bda 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -474,7 +474,7 @@ sys_exit_gettid is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_gettimeofday is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_getuid is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret) -sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) (kind=ret) +sys_exit_getxattrat is a struct ret_event (READ_CLASSIFIED) (kind=ret) sys_exit_init_module is a struct null_event (kind=module) sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_inotify_init is a struct eventfd_event (kind=eventfd) diff --git a/internal/generate/classify.go b/internal/generate/classify.go index f85cb93..3746bd9 100644 --- a/internal/generate/classify.go +++ b/internal/generate/classify.go @@ -588,6 +588,9 @@ var retClassifications = map[string]RetClassification{ "getdents": ReadClassified, "getdents64": ReadClassified, "getxattr": ReadClassified, + // getxattrat (Linux 6.13+) returns the size in bytes of the xattr value, + // exactly like getxattr/lgetxattr/fgetxattr, so it is a read byte-count. + "getxattrat": ReadClassified, "lgetxattr": ReadClassified, "listxattr": ReadClassified, "llistxattr": ReadClassified, diff --git a/internal/generate/retclassify_test.go b/internal/generate/retclassify_test.go index 25c5e71..acd019b 100644 --- a/internal/generate/retclassify_test.go +++ b/internal/generate/retclassify_test.go 
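Review bot: `listxattrat`, which arrived in the same Linux 6.13 syscall batch as `getxattrat`, appears to have the same accounting gap. In the classify.go context, `"listxattr": ReadClassified,` is followed directly by `"llistxattr"`, so unless it is keyed elsewhere in `retClassifications`, its exit is presumably still UNCLASSIFIED and the returned name-list length is dropped from the read totals. I would add `"listxattrat": ReadClassified,` next to `listxattr`, regenerate the handlers, and add the matching entry to the `reads` slice in retclassify_test.go. The map literal starts and ends outside this hunk, so this is inferred from the visible neighbours only.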
@@ -5,6 +5,9 @@ import "testing" func TestClassifyRetRead(t *testing.T) { reads := []string{ "fgetxattr", "flistxattr", "getdents", "getdents64", "getxattr", + // getxattrat (Linux 6.13+) returns the xattr value size in bytes, the + // same read byte-count as getxattr/lgetxattr/fgetxattr. + "getxattrat", "lgetxattr", "listxattr", "llistxattr", "pread64", "preadv", "preadv2", "process_vm_readv", "read", "readlink", "readlinkat", "readv", "recvmsg", "recvfrom", "syslog", "mq_timedreceive", "getrandom", "msgrcv", -- cgit v1.2.3
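Review bot: The added comment calls the return value "the same read byte-count", which overstates it for size probes. With the getxattr family, a call made with a zero-length buffer returns the size the value would need without copying anything, and as far as I know `getxattrat` inherits this through the size field of its args struct. Tools that probe first and then fetch would therefore be counted roughly twice in the read totals. I would word the comment as `// getxattrat (Linux 6.13+) returns the xattr value size in bytes; a size-0 probe returns the same number without copying data, so totals can overcount.` The same sentence appears in the classify.go hunk. Whether the consumer can tell probes apart is not visible here, and the `reads` slice continues past the end of this hunk.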