# sigsuspend _________________________________________________ # #ifdef CONFIG_OLD_SIGSUSPEND # SYSCALL_DEFINE1(sigsuspend, old_sigset_t, mask) # #endif # #ifdef CONFIG_OLD_SIGSUSPEND3 # SYSCALL_DEFINE3(sigsuspend, int, unused1, int, unused2, old_sigset_t, mask) # #endif # asmlinkage long # sys32_sigsuspend(int history0, int history1, old_sigset_t mask) # long sys_sigsuspend(old_sigset_t mask) @define _SYSCALL_SIGSUSPEND_NAME %( name = "sigsuspend" %) @define _SYSCALL_SIGSUSPEND_ARGSTR %( argstr = sprintf("%s", mask_str) %) @define _SYSCALL_GATE %( %( arch == "s390" && kernel_v >= "3.15" %? # s390 switched from assembly compat wrappers to C-based # wrappers in kernel 3.15. @__syscall_gate_compat_simple %) %) probe syscall.sigsuspend = dw_syscall.sigsuspend !, nd_syscall.sigsuspend ? {} probe syscall.sigsuspend.return = dw_syscall.sigsuspend.return !, nd_syscall.sigsuspend.return ? {} # dw_sigsuspend _____________________________________________________ probe dw_syscall.sigsuspend = __syscall.sigsuspend ?, kernel.function("sys32_sigsuspend").call ?, kernel.function("compat_sys_sigsuspend").call ? { @_SYSCALL_SIGSUSPEND_NAME %( arch == "mips" && CONFIG_TRAD_SIGNALS == "y" %? mask = __ulong($uset) %: mask = __ulong($mask) %) mask_str = _stp_sigmask_str(mask) @_SYSCALL_SIGSUSPEND_ARGSTR } probe __syscall.sigsuspend = kernel.function("sys_sigsuspend").call ? { @_SYSCALL_GATE } probe dw_syscall.sigsuspend.return = __syscall.sigsuspend.return ?, kernel.function("sys32_sigsuspend").return ?, kernel.function("compat_sys_sigsuspend").return ? { @_SYSCALL_SIGSUSPEND_NAME @SYSC_RETVALSTR($return) } probe __syscall.sigsuspend.return = kernel.function("sys_sigsuspend").return ? { @_SYSCALL_GATE } # nd_sigsuspend _____________________________________________________ probe nd_syscall.sigsuspend = nd1_syscall.sigsuspend!, nd2_syscall.sigsuspend!, tp_syscall.sigsuspend { } probe nd1_syscall.sigsuspend = __nd1_syscall.sigsuspend ?, __nd1_syscall.sys32_sigsuspend ? { @_SYSCALL_SIGSUSPEND_NAME mask_str = _stp_sigmask_str(mask) @_SYSCALL_SIGSUSPEND_ARGSTR } probe __nd1_syscall.sigsuspend = __nd1_syscall.sys_sigsuspend ?, kprobe.function("compat_sys_sigsuspend") ? { asmlinkage() %( CONFIG_OLD_SIGSUSPEND == "y" %? mask = ulong_arg(1) %: # CONFIG_OLD_SIGSUSPEND3 has mask as the 3rd argument. mask = ulong_arg(3) %) } probe __nd1_syscall.sys_sigsuspend = kprobe.function("sys_sigsuspend") ? { asmlinkage() @_SYSCALL_GATE } probe __nd1_syscall.sys32_sigsuspend = kprobe.function("sys32_sigsuspend") ? { asmlinkage() mask = ulong_arg(3) } /* kernel 4.17+ */ probe nd2_syscall.sigsuspend = kprobe.function(@arch_syscall_prefix "sys_sigsuspend") ? { __set_syscall_pt_regs(pointer_arg(1)) @_SYSCALL_SIGSUSPEND_NAME mask = ulong_arg(3) mask_str = _stp_sigmask_str(mask) @_SYSCALL_SIGSUSPEND_ARGSTR } /* kernel 3.5+, but undesirable because it affects all syscalls */ probe tp_syscall.sigsuspend = kernel.trace("sys_enter") { __set_syscall_pt_regs($regs) @__syscall_compat_gate(@const("__NR_sigsuspend"), @const("__NR_compat_sigsuspend")) @_SYSCALL_SIGSUSPEND_NAME %( CONFIG_OLD_SIGSUSPEND == "y" %? mask = ulong_arg(1) %: # CONFIG_OLD_SIGSUSPEND3 has mask as the 3rd argument. mask = ulong_arg(3) %) mask_str = _stp_sigmask_str(mask) @_SYSCALL_SIGSUSPEND_ARGSTR } probe nd_syscall.sigsuspend.return = nd1_syscall.sigsuspend.return!, nd2_syscall.sigsuspend.return!, tp_syscall.sigsuspend.return { } probe nd1_syscall.sigsuspend.return = __nd1_syscall.sigsuspend.return ?, kprobe.function("sys32_sigsuspend").return ?, kprobe.function("compat_sys_sigsuspend").return ? { @_SYSCALL_SIGSUSPEND_NAME @SYSC_RETVALSTR(returnval()) } probe __nd1_syscall.sigsuspend.return = kprobe.function("sys_sigsuspend").return ? { @_SYSCALL_GATE } /* kernel 4.17+ */ probe nd2_syscall.sigsuspend.return = kprobe.function(@arch_syscall_prefix "sys_sigsuspend").return ? { @_SYSCALL_SIGSUSPEND_NAME @SYSC_RETVALSTR(returnval()) } /* kernel 3.5+, but undesirable because it affects all syscalls */ probe tp_syscall.sigsuspend.return = kernel.trace("sys_exit") { __set_syscall_pt_regs($regs) @__syscall_compat_gate(@const("__NR_sigsuspend"), @const("__NR_compat_sigsuspend")) @_SYSCALL_SIGSUSPEND_NAME @SYSC_RETVALSTR($ret) }