Where Do the Bytes Go?

Summary

Or perhaps more precisely, how do they get there? What happens when you call write?trapThe write function in libc sets things up and makes the system call, which probably enters somewhere in locore.s like Xsyscall_meltdown, but eventually we end up in syscall in arch/amd64/amd64/trap.c. Or we might be in svc_handler in arch/arm64/arm64/syscall.c. But at this point, the code should look pretty similar. The tortured mechanics of the syscall ABI are more tedious than interesting. uvmexp.syscalls++; code = frame->tf_rax; args = (register_t *)&frame->tf_rdi; if (code <= 0 || code >= SYS_MAXSYSCALL) goto bad; callp = sysent + code; rval[0] = 0; rval[1] = 0; error = mi_syscall(p, code, callp, args, rval);We check the syscall code to make sure it’s within bounds, do some minor accounting, and finally dive into the machine independent syscall handler, mi_syscall from sys/syscall_mi.h. There’s a full page of code just checking for debug flags and trace points and stack validity and also pledge and pins. The bytes aren’t really going anywhere while this is happening.mi_syscall prologstatic inline int mi_syscall(struct proc *p, register_t code, const struct sysent *callp, register_t *argp, register_t retval[2]) { uint64_t tval; int lock = !(callp->sy_flags & SY_NOLOCK); int error, pledged; /* refresh the thread's cache of the process's creds */ refreshcreds(p); #ifdef SYSCALL_DEBUG KERNEL_LOCK(); scdebug_call(p, code, argp); KERNEL_UNLOCK(); #endif TRACEPOINT(raw_syscalls, sys_enter, code, NULL); #if NDT > 0 DT_ENTER(syscall, code, callp->sy_argsize, argp); #endif #ifdef KTRACE if (KTRPOINT(p, KTR_SYSCALL)) { /* convert to mask, then include with code */ ktrsyscall(p, code, callp->sy_argsize, argp); } #endif /* SP must be within MAP_STACK space */ if (!uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p), "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n", uvm_map_inentry_sp, p->p_vmspace->vm_map.sserial)) return (EPERM); if ((error = pin_check(p, code))) return (error); pledged =...