Change format of syscall event trace output to ftrace

Question

I enabled ftrace event tracing for sys_enter_openat syscall. The respective output format given at events/syscalls/sys_enter_openat/format is

print fmt: "dfd: 0x%08lx, filename: 0x%08lx, flags: 0x%08lx, mode: 0x%08lx", ((unsigned long)(REC->dfd)), ((unsigned long)(REC->filename)), ((unsigned long)(REC->flags)), ((unsigned long)(REC->mode))

As expected a sample output line to ftrace is something like

msm_irqbalance-1338  [000] ...1 211710.033931: sys_openat(dfd: ffffff9c, filename: 5af693f224, flags: 2, mode: 0)

Is there a way to change output format such that filename: 5af693f224 can be shown as filename: <string> instead of address? I guess this would have been possible using systemtap or krpobe but my setup does not allow its use as of now.

Answer 1

You can define kprobe events with your own format:

cd /sys/kernel/debug/tracing
echo 'p:open do_sys_open file=+0(%si):string' > kprobe_events
echo 1 > events/kprobes/open/enable
cat trace_pipe

which outputs:

cat-123 [001] .... 123.123: open: (do_sys_open+0x0/0x80) file="/etc/fstab"
cat-123 [001] .... 123.124: open: (do_sys_open+0x0/0x80) file="/dev/zero"

For details, see: https://events19.linuxfoundation.org/wp-content/uploads/2017/12/oss-eu-2018-fun-with-dynamic-trace-events_steven-rostedt.pdf