Missing child clone call on arm64

[albe19029]

Good day, this bug is related to the linux kernel, but the problem was found when sysdig is running with bpf driver. So maybe you will help me to understand how to resolve it faster, as there is no reaction from kernel team.
This bug was created for kernel team: https://bugzilla.kernel.org/show_bug.cgi?id=218298

Have found next issue on my arm64 machine.

If I run next bpf tracepoint code with bpftrace on x64 machine:

bpftrace -e 'tracepoint:syscalls:sys_exit_clone { printf("clone %d %d\n", pid, args->ret);}'

and run any program, for example 'ls -la'
I will get 2 logs (tracepoint calls):

clone 2266 2267
clone 2267 0

One for parent process, second for child process.

But if I run this code on arm64 machine (checked on AWS and M2 Mac processors) I get only parent syscall.

I have also checked kprobes by running this code on x64 machine:

bpftrace -e 'kretprobe:__x64_sys_clone { printf("clone %d %d\n", pid, retval);}'

And in this case I also get only parent syscall.

So as I understand this child tracepoint call - is some special case.

So the question is what behaviour is correct for tracepoints - to get both calls (parent and child) or only parent. For our application logic we need both.

Have checked this issue on kernel 6.7 - rc6.

[albe19029]

have found next comment in your code:
///////////////////////////////
// CAPTURE_SCHED_PROC_FORK
///////////////////////////////

/* In some architectures we are not able to catch the `clone exit child

• eventfrom thesys_exit` tracepoint. This is because there is no
• default behavior among different architectures... you can find more
• info here:
• https://www.spinics.net/lists/linux-trace/msg01001.html
• Anyway, to not lose this event, we need to instrument a new kernel tracepoint:
• • sched_process_fork: allows us to catch every new process that is spawned.
• In this way we can detect when a child is spawned and we can send to userspace
• a PPME_SYSCALL_CLONE_X event as we do with the sys_exit tracepoint.
• Please note: in BPF we need to use raw_tracepoint programs to access
• the raw tracepoint arguments! This is essential for sched_process_fork
• tracepoint since the only way we have to access the child task struct
• is through its raw arguments. All the architectures that need this
• patch can use our BPF probe only with kernel versions greater or equal
• than 4.17, since BPF_PROG_TYPE_RAW_TRACEPOINT programs have been
• introduced in this kernel release:
• torvalds/linux@c4f6699
• If you run old kernels, you can use the kernel module which requires
• kernel versions greater or equal than 2.6, since this tracepoint has
• been introduced in the following kernel release:
• torvalds/linux@0a16b60