1 # x86_64-specific system calls
3 # arch_prctl _________________________________________________
4 # long sys_arch_prctl(int code, unsigned long addr)
8 probe nd_syscall.arch_prctl = kprobe.function("sys_arch_prctl")
13 // argstr = sprintf("%d, %p", $code, $addr)
14 // NB: no asmlinkage()
16 code_str = _stp_arch_prctl_func_str(code)
18 argstr = sprintf("%s, %u", code_str, addr)
20 probe nd_syscall.arch_prctl.return = kprobe.function("sys_arch_prctl").return
26 # get_thread_area ____________________________________________
29 * sys_get_thread_area(struct user_desc __user *u_info)
30 * asmlinkage long sys32_get_thread_area(struct user_desc __user *u_info)
32 probe nd_syscall.get_thread_area = kprobe.function("sys_get_thread_area") ?,
33 kprobe.function("sys32_get_thread_area") ?
35 name = "get_thread_area"
37 u_info_uaddr = pointer_arg(1)
38 argstr = sprintf("%s", _struct_user_desc_u(u_info_uaddr))
40 probe nd_syscall.get_thread_area.return =
41 kprobe.function("sys_get_thread_area").return ?,
42 kprobe.function("sys32_get_thread_area").return ?
44 name = "get_thread_area"
48 # iopl _______________________________________________________
49 # long sys_iopl(unsigned int level, struct pt_regs *regs);
50 # NOTE. This function is only in i386 and x86_64 and its args vary
51 # between those two archs.
53 probe nd_syscall.iopl = kprobe.function("sys_iopl")
56 // level = (@defined($level) ? $level : $new_iopl)
59 argstr = sprint(level)
61 probe nd_syscall.iopl.return = kprobe.function("sys_iopl").return
67 # set_thread_area ____________________________________________
70 * sys_set_thread_area(struct user_desc __user *u_info)
71 * asmlinkage long sys32_set_thread_area(struct user_desc __user *u_info)
73 probe nd_syscall.set_thread_area = kprobe.function("sys_set_thread_area") ?,
74 kprobe.function("sys32_set_thread_area") ?
76 name = "set_thread_area"
78 u_info_uaddr = pointer_arg(1)
79 argstr = sprintf("%s", _struct_user_desc_u(u_info_uaddr))
81 probe nd_syscall.set_thread_area.return =
82 kprobe.function("sys_set_thread_area").return ?,
83 kprobe.function("sys32_set_thread_area").return ?
85 name = "set_thread_area"
89 %( CONFIG_GENERIC_SIGALTSTACK == "n" || kernel_v < "3.8" %?
90 # sigaltstack ________________________________________________
91 # long sys_sigaltstack(const stack_t __user *uss, stack_t __user *uoss,
92 # struct pt_regs *regs)
94 # NOTE: args vary between archs.
96 probe nd_syscall.sigaltstack = kprobe.function("sys_sigaltstack"),
97 kprobe.function("sys32_sigaltstack").call ?
101 uss_uaddr = pointer_arg(1)
102 uoss_uaddr = pointer_arg(2)
103 %(systemtap_v < "2.3" %?
104 regs_uaddr = pointer_arg(3)
105 regs = pointer_arg(3)
107 argstr = sprintf("%s, %p",
108 (@__compat_task ? _stp_compat_sigaltstack_u(uss_uaddr)
109 : _stp_sigaltstack_u(uss_uaddr)), uoss_uaddr)
111 probe nd_syscall.sigaltstack.return = kprobe.function("sys_sigaltstack").return,
112 kprobe.function("sys32_sigaltstack").return ?
115 retstr = returnstr(1)
119 # sysctl _____________________________________________________
121 # long sys32_sysctl(struct sysctl_ia32 __user *args32)
123 probe nd_syscall.sysctl32 = kprobe.function("sys32_sysctl") ?
126 // argstr = sprintf("%p", $args32)
128 argstr = sprintf("%p", pointer_arg(1))
130 probe nd_syscall.sysctl32.return = kprobe.function("sys32_sysctl").return ?
133 retstr = returnstr(1)
136 # In kernels < 2.6.33, mmap()/mmap2() was handled by arch-specific
137 # code. In kernels >= 2.6.33, the arch-specific code just calls
138 # generic sys_mmap_pgoff().
139 %( kernel_v < "2.6.33" %?
141 # long sys_mmap(unsigned long addr, unsigned long len,
142 # unsigned long prot, unsigned long flags,
143 # unsigned long fd, unsigned long off)
144 probe nd_syscall.mmap = kprobe.function("sys_mmap") ?
152 # Although the kernel gets an unsigned long fd, on the
153 # user-side it is a signed int. Fix this.
155 offset = ulong_arg(6)
156 argstr = sprintf("%p, %u, %s, %s, %d, %d", start, len,
157 _mprotect_prot_str(prot), _mmap_flags(flags), fd, offset)
159 probe nd_syscall.mmap.return = kprobe.function("sys_mmap").return ?
162 retstr = returnstr(2)
166 # sys32_mmap(struct mmap_arg_struct __user *arg)
168 probe nd_syscall.mmap32 = kprobe.function("sys32_mmap")
172 __args = &@cast(pointer_arg(1), "unsigned int", "kernel<linux/types.h>")
173 start = user_uint32(&(__args)[0])
174 len = user_uint32(&(__args)[1])
175 prot = user_uint32(&(__args)[2])
176 flags = user_uint32(&(__args)[3])
177 fd = user_int(&(__args)[4])
178 offset = user_uint32(&(__args)[5])
179 argstr = sprintf("%p, %u, %s, %s, %d, %d", start, len,
180 _mprotect_prot_str(prot), _mmap_flags(flags),
183 probe nd_syscall.mmap32.return = kprobe.function("sys32_mmap").return
186 retstr = returnstr(2)
189 # sys32_mmap2(unsigned long addr, unsigned long len,
190 # unsigned long prot, unsigned long flags,
191 # unsigned long fd, unsigned long pgoff)
193 probe nd_syscall.mmap2 = __nd_syscall.mmap2 ?, __nd_syscall.mmap_pgoff ?
195 @__syscall_compat_gate(%{ __NR_mmap2 %}, %{ __NR_ia32_mmap2 %})
198 length = ulong_arg(2)
200 prot_str = _mprotect_prot_str(prot)
202 flags_str = _mmap_flags(flags)
204 argstr = sprintf("%p, %u, %s, %s, %d, %d", start, length,
205 prot_str, flags_str, fd, pgoffset)
207 probe __nd_syscall.mmap2 = kprobe.function("sys32_mmap2")
210 pgoffset = ulong_arg(6)
212 probe __nd_syscall.mmap_pgoff = kprobe.function("sys_mmap_pgoff")
215 # $pgoff is the number of pages. Convert this back into a
217 pgoffset = ulong_arg(6) * %{ /* pure */ PAGE_SIZE %}
219 probe nd_syscall.mmap2.return = kprobe.function("sys32_mmap2").return ?,
220 kprobe.function("sys_mmap_pgoff").return ?
222 @__syscall_compat_gate(%{ __NR_mmap2 %}, %{ __NR_ia32_mmap2 %})
224 retstr = returnstr(2)
228 # vm86_warning _____________________________________________________
230 # long sys32_vm86_warning(void)
232 probe nd_syscall.vm86_warning = kprobe.function("sys32_vm86_warning") ?
234 name = "vm86_warning"
237 probe nd_syscall.vm86_warning.return =
238 kprobe.function("sys32_vm86_warning").return ?
240 name = "wm86_warning"
241 retstr = returnstr(1)
244 # pipe _______________________________________________________
246 # long sys32_pipe(int __user *fd)
248 probe nd_syscall.pipe32 = kprobe.function("sys32_pipe")?
251 // argstr = sprintf("%p", $fd)
253 argstr = sprintf("%p", pointer_arg(1))
255 probe nd_syscall.pipe32.return = kprobe.function("sys32_pipe").return?
258 retstr = returnstr(1)
261 # ftruncate _______________________________________________________
263 # asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low,
264 # unsigned long offset_high)
266 probe nd_syscall.compat_ftruncate64 = kprobe.function("sys32_ftruncate64") ?
271 length = ((uint_arg(3) << 32) | uint_arg(2))
272 argstr = sprintf("%d, %d", fd, length)
274 probe nd_syscall.compat_ftruncate64.return =
275 kprobe.function("sys32_ftruncate64").return ?
278 retstr = returnstr(1)
281 # truncate _______________________________________________________
283 # asmlinkage long sys32_truncate64(const char __user *filename,
284 # unsigned long offset_low,
285 # unsigned long offset_high)
287 probe nd_syscall.compat_truncate64 = kprobe.function("sys32_truncate64") ?
291 path_uaddr = pointer_arg(1)
292 path = user_string_quoted(path_uaddr)
293 length = ((uint_arg(3) << 32) | uint_arg(2))
294 argstr = sprintf("%s, %d", user_string_quoted(path_uaddr), length)
296 probe nd_syscall.compat_truncate64.return =
297 kprobe.function("sys32_truncate64").return ?
300 retstr = returnstr(1)
303 # fadvise64 _______________________________________________________
305 # asmlinkage long sys32_fadvise64(int fd, unsigned offset_lo,
306 # unsigned offset_hi,
307 # size_t len, int advice)
309 probe nd_syscall.compat_fadvise64 = kprobe.function("sys32_fadvise64") ?
314 offset = ((uint_arg(3) << 32) | uint_arg(2))
317 argstr = sprintf("%d, %d, %d, %s", fd, offset, len,
318 _fadvice_advice_str(advice))
320 probe nd_syscall.compat_fadvise64.return =
321 kprobe.function("sys32_fadvise64").return ?
324 retstr = returnstr(1)
327 # fadvise64_64 __________________________________________________
329 # long sys32_fadvise64_64(int fd, __u32 offset_low, __u32 offset_high,
330 # __u32 len_low, __u32 len_high, int advice)
331 probe nd_syscall.compat_fadvise64_64 = kprobe.function("sys32_fadvise64_64") ?
335 offset = ((uint_arg(3) << 32) | uint_arg(2))
336 len = ((uint_arg(5) << 32) | uint_arg(4))
338 argstr = sprintf("%d, %d, %d, %s", fd, offset, len,
339 _fadvice_advice_str(advice))
341 probe nd_syscall.compat_fadvise64_64.return =
342 kprobe.function("sys32_fadvise64_64").return ?
345 retstr = returnstr(1)
348 # readahead __________________________________________________
351 # ssize_t sys32_readahead(int fd, unsigned off_lo, unsigned off_hi, size_t count)
353 probe nd_syscall.compat_readahead = kprobe.function("sys32_readahead") ?
358 offset = ((uint_arg(3) << 32) | uint_arg(2))
360 argstr = sprintf("%d, %d, %u", fd, offset, count)
362 probe nd_syscall.compat_readahead.return =
363 kprobe.function("sys32_readahead").return ?
366 retstr = returnstr(1)
369 # fallocate __________________________________________________
371 # asmlinkage long sys32_fallocate(int fd, int mode, unsigned offset_lo,
372 # unsigned offset_hi, unsigned len_lo,
374 probe nd_syscall.compat_fallocate = kprobe.function("sys32_fallocate") ?
380 offset = ((uint_arg(4) << 32) | uint_arg(3))
381 len = ((uint_arg(6) << 32) | uint_arg(5))
382 argstr = sprintf("%d, %s, %#x, %u", fd, _stp_fallocate_mode_str(mode),
385 probe nd_syscall.compat_fallocate.return =
386 kprobe.function("sys32_fallocate").return ?
389 retstr = returnstr(1)
392 %( kernel_v < "3.7" %?
393 # execve _____________________________________________________
395 # In kernels < 3.7, sys_execve() was in arch-specific code (and had
396 # varying arguments). It was just a wrapper around generic
397 # do_execve(), but the wrapper could error out before calling
398 # do_execve(). So, we'll have to handle it in arch-specific tapset
399 # code to catch all calls.
401 # long sys_execve(char __user *name, char __user * __user *argv,
402 # char __user * __user *envp, struct pt_regs regs)
403 probe nd_syscall.execve = kprobe.function("sys_execve")
406 filename = user_string_quoted(pointer_arg(1))
407 args = __get_argv(pointer_arg(2), 0)
408 env_str = __count_envp(pointer_arg(3))
409 argstr = sprintf("%s, %s, %s", filename, args, env_str)
411 probe nd_syscall.execve.return = kprobe.function("sys_execve").return
414 retstr = returnstr(1)
417 # execve _____________________________________________________
419 # asmlinkage long sys32_execve(char __user *name, compat_uptr_t __user *argv,
420 # compat_uptr_t __user *envp, struct pt_regs *regs)
421 probe nd_syscall.compat_execve = kprobe.function("sys32_execve") ?
425 filename = user_string_quoted(pointer_arg(1))
426 args = __get_compat_argv(pointer_arg(2), 0)
427 env_str = __count_compat_envp(pointer_arg(3))
428 argstr = sprintf("%s, %s, %s", filename, args, env_str)
430 probe nd_syscall.compat_execve.return = kprobe.function("sys32_execve").return ?
433 retstr = returnstr(1)
437 # lookup_dcookie _____________________________________________
438 # COMPAT_SYSCALL_DEFINE4(lookup_dcookie, u32, w0, u32, w1, char __user *,
439 # buf, compat_size_t, len)
440 # long sys32_lookup_dcookie(u32 addr_low, u32 addr_high, char __user *buf,
443 probe nd_syscall.compat_lookup_dcookie =
444 kprobe.function("compat_sys_lookup_dcookie") ?,
445 kprobe.function("sys32_lookup_dcookie") ?
447 name = "lookup_dcookie"
449 cookie = ((uint_arg(2) << 32) | uint_arg(1))
450 buffer_uaddr = pointer_arg(3)
452 argstr = sprintf("%#lx, %p, %#x", cookie, buffer_uaddr, len)
454 probe nd_syscall.compat_lookup_dcookie.return =
455 kprobe.function("compat_sys_lookup_dcookie").return ?,
456 kprobe.function("sys32_lookup_dcookie").return ?
458 name = "lookup_dcookie"
459 retstr = returnstr(1)