Server : Apache System : Linux server2.corals.io 4.18.0-348.2.1.el8_5.x86_64 #1 SMP Mon Nov 15 09:17:08 EST 2021 x86_64 User : corals ( 1002) PHP Version : 7.4.33 Disable Function : exec,passthru,shell_exec,system Directory : /opt/rh/gcc-toolset-11/root/usr/share/systemtap/tapset/linux/ |
# llseek _____________________________________________________
# long sys_llseek(unsigned int fd,
# unsigned long offset_high,
# unsigned long offset_low,
# loff_t __user * result,
# unsigned int whence)
@define _SYSCALL_LLSEEK_NAME
%(
name = "llseek"
%)
@define _SYSCALL_LLSEEK_ARGSTR
%(
argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", fd, offset_high,
offset_low, result_uaddr, whence_str)
%)
@define _SYSCALL_LLSEEK_REGARGS
%(
fd = int_arg(1)
offset_high = ulong_arg(2)
offset_low = ulong_arg(3)
result_uaddr = pointer_arg(4)
whence = uint_arg(5)
whence_str = _seek_whence_str(whence)
%)
@define _SYSCALL_LLSEEK_REGARGS_STORE
%(
if (@probewrite(fd))
set_int_arg(1, fd)
if (@probewrite(offset_high))
set_ulong_arg(2, offset_high)
if (@probewrite(offset_low))
set_ulong_arg(3, offset_low)
if (@probewrite(result_uaddr))
set_pointer_arg(4, result_uaddr)
if (@probewrite(whence))
set_uint_arg(5, whence)
%)
probe syscall.llseek = dw_syscall.llseek !, nd_syscall.llseek ? {}
probe syscall.llseek.return = dw_syscall.llseek.return !, nd_syscall.llseek.return ? {}
# dw_llseek _____________________________________________________
probe dw_syscall.llseek = kernel.function("sys_llseek").call ?
{
@_SYSCALL_LLSEEK_NAME
fd = __int32($fd)
offset_high = $offset_high
offset_low = $offset_low
result_uaddr = $result
whence = @choose_defined($whence, $origin)
whence_str = _seek_whence_str(@choose_defined($whence, $origin))
@_SYSCALL_LLSEEK_ARGSTR
}
probe dw_syscall.llseek.return = kernel.function("sys_llseek").return ?
{
@_SYSCALL_LLSEEK_NAME
@SYSC_RETVALSTR($return)
}
# nd_llseek _____________________________________________________
probe nd_syscall.llseek = nd1_syscall.llseek!, nd2_syscall.llseek!, tp_syscall.llseek
{ }
probe nd1_syscall.llseek = kprobe.function("sys_llseek") ?
{
@_SYSCALL_LLSEEK_NAME
asmlinkage()
@_SYSCALL_LLSEEK_REGARGS
@_SYSCALL_LLSEEK_ARGSTR
}
/* kernel 4.17+ */
probe nd2_syscall.llseek = kprobe.function(@arch_syscall_prefix "sys_llseek") ?
{
__set_syscall_pt_regs(pointer_arg(1))
@_SYSCALL_LLSEEK_NAME
@_SYSCALL_LLSEEK_REGARGS
@_SYSCALL_LLSEEK_ARGSTR
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_LLSEEK_REGARGS_STORE %)
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.llseek = kernel.trace("sys_enter")
{
__set_syscall_pt_regs($regs)
@__syscall_compat_gate(@const("__NR__llseek"), @const("__NR_compat__llseek"))
@_SYSCALL_LLSEEK_NAME
@_SYSCALL_LLSEEK_REGARGS
@_SYSCALL_LLSEEK_ARGSTR
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_LLSEEK_REGARGS_STORE %)
}
probe nd_syscall.llseek.return = nd1_syscall.llseek.return!, nd2_syscall.llseek.return!, tp_syscall.llseek.return
{ }
probe nd1_syscall.llseek.return = kprobe.function("sys_llseek").return ?
{
@_SYSCALL_LLSEEK_NAME
@SYSC_RETVALSTR(returnval())
}
/* kernel 4.17+ */
probe nd2_syscall.llseek.return = kprobe.function(@arch_syscall_prefix "sys_llseek").return ?
{
@_SYSCALL_LLSEEK_NAME
@SYSC_RETVALSTR(returnval())
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.llseek.return = kernel.trace("sys_exit")
{
__set_syscall_pt_regs($regs)
@__syscall_compat_gate(@const("__NR__llseek"), @const("__NR_compat__llseek"))
@_SYSCALL_LLSEEK_NAME
@SYSC_RETVALSTR($ret)
}