관리-도구

편집 파일: sysc_llseek.stp

# llseek _____________________________________________________
# long sys_llseek(unsigned int fd,
#            unsigned long offset_high,
#            unsigned long offset_low,
#            loff_t __user * result,
#            unsigned int whence)

@define _SYSCALL_LLSEEK_NAME
%(
	name = "llseek"
%)

@define _SYSCALL_LLSEEK_ARGSTR
%(
	argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", fd, offset_high,
	                 offset_low, result_uaddr, whence_str)
%)

@define _SYSCALL_LLSEEK_REGARGS
%(
	fd = int_arg(1)
	offset_high = ulong_arg(2)
	offset_low = ulong_arg(3)
	result_uaddr = pointer_arg(4)
	whence = uint_arg(5)
	whence_str = _seek_whence_str(whence)
%)

probe syscall.llseek = dw_syscall.llseek !, nd_syscall.llseek ? {}
probe syscall.llseek.return = dw_syscall.llseek.return !, nd_syscall.llseek.return ? {}

# dw_llseek _____________________________________________________

probe dw_syscall.llseek = kernel.function("sys_llseek").call ?
{
	@_SYSCALL_LLSEEK_NAME
	fd = __int32($fd)
	offset_high = $offset_high
	offset_low = $offset_low
	result_uaddr = $result
	whence = @choose_defined($whence, $origin)
	whence_str = _seek_whence_str(@choose_defined($whence, $origin))
	@_SYSCALL_LLSEEK_ARGSTR
}
probe dw_syscall.llseek.return = kernel.function("sys_llseek").return ?
{
	@_SYSCALL_LLSEEK_NAME
	@SYSC_RETVALSTR($return)
}

# nd_llseek _____________________________________________________

probe nd_syscall.llseek = nd1_syscall.llseek!, nd2_syscall.llseek!, tp_syscall.llseek
  { }

probe nd1_syscall.llseek = kprobe.function("sys_llseek") ?
{
	@_SYSCALL_LLSEEK_NAME
	asmlinkage()
	@_SYSCALL_LLSEEK_REGARGS
	@_SYSCALL_LLSEEK_ARGSTR
}

/* kernel 4.17+ */
probe nd2_syscall.llseek = kprobe.function(@arch_syscall_prefix "sys_llseek") ?
{
	__set_syscall_pt_regs(pointer_arg(1))
	@_SYSCALL_LLSEEK_NAME
	@_SYSCALL_LLSEEK_REGARGS
	@_SYSCALL_LLSEEK_ARGSTR
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.llseek = kernel.trace("sys_enter")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR__llseek"), @const("__NR_compat__llseek"))
	@_SYSCALL_LLSEEK_NAME
	@_SYSCALL_LLSEEK_REGARGS
	@_SYSCALL_LLSEEK_ARGSTR
}

probe nd_syscall.llseek.return = nd1_syscall.llseek.return!, nd2_syscall.llseek.return!, tp_syscall.llseek.return
  { }
  
probe nd1_syscall.llseek.return = kprobe.function("sys_llseek").return ?
{
	@_SYSCALL_LLSEEK_NAME
	@SYSC_RETVALSTR(returnval())
}

/* kernel 4.17+ */
probe nd2_syscall.llseek.return = kprobe.function(@arch_syscall_prefix "sys_llseek").return ?
{
	@_SYSCALL_LLSEEK_NAME
	@SYSC_RETVALSTR(returnval())
}
 
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.llseek.return = kernel.trace("sys_exit")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR__llseek"), @const("__NR_compat__llseek"))
	@_SYSCALL_LLSEEK_NAME
	@SYSC_RETVALSTR($ret)
}