The beginnings of a no-dwarf version of syscalls.stp. Selected

aliases refer to args by number rather than name.

1 files changed, 2845 insertions, 0 deletions

diff --git a/tapset/nd_syscalls.stp b/tapset/nd_syscalls.stp
new file mode 100644
index 00000000..eb5efda0
--- /dev/null
+++ b/tapset/nd_syscalls.stp
@@ -0,0 +1,2845 @@
+// syscalls tapset part 1 [A-M]
+// Copyright (C) 2005 IBM Corp.
+// Copyright (C) 2005-2007 Red Hat Inc.
+// Copyright (C) 2007 Quentin Barnes.
+//
+// This file is part of systemtap, and is free software.  You can
+// redistribute it and/or modify it under the terms of the GNU General
+// Public License (GPL); either version 2, or (at your option) any
+// later version.
+
+
+/* Each syscall returns the calls parameters. In addition, the following
+* variables are set:
+*
+* name - generally the syscall name minus the "sys_".
+*
+* argstr - a string containing the decoded args in an easy-to-read format.
+*          It doesn't need to contain everything, but should have all the
+*          important args. Set in entry probes only. Values enclosed in
+*          square brackets are user-space pointers. Values in curly
+*          braces are decoded structs.
+*
+* retstr - a string containing the return value in an easy-to-read format.
+*          Set in return probes only. 
+*/
+
+
+# accept _____________________________________________________
+# long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr,
+#                 int __user *upeer_addrlen)
+probe nd_syscall.accept = kernel.function("sys_accept") ? {
+	name = "accept"
+	// sockfd = $fd
+	// addr_uaddr = $upeer_sockaddr
+	// addrlen_uaddr = $upeer_addrlen
+	// argstr = sprintf("%d, %p, %p", $fd, $upeer_sockaddr, $upeer_addrlen)
+	asmlinkage()
+	sockfd = int_arg(1)
+	addr_uaddr = pointer_arg(2)
+	addrlen_uaddr = int_arg(3)
+	argstr = sprintf("%d, %p, %p", sockfd, addr_uaddr, addrlen_uaddr)
+}
+probe nd_syscall.accept.return = kernel.function("sys_accept").return ? {
+	name = "accept"
+	retstr = returnstr(1)
+}
+
+# access _____________________________________________________
+# long sys_access(const char __user * filename, int mode)
+probe nd_syscall.access = kernel.function("sys_access") {
+	name = "access"
+	// pathname = user_string($filename)
+	// mode = $mode
+	// mode_str = _access_mode_str($mode)
+	// argstr = sprintf("%s, %s", user_string_quoted($filename), mode_str)
+	asmlinkage()
+	pathname = user_string(pointer_arg(1))
+	mode = int_arg(2)
+	mode_str = _access_mode_str(mode)
+	argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), mode_str)
+}
+probe nd_syscall.access.return = kernel.function("sys_access").return {
+	name = "access"
+	retstr = returnstr(1)
+}
+
+# acct _______________________________________________________
+# long sys_acct(const char __user *name)
+probe nd_syscall.acct = kernel.function("sys_acct") ? {
+	name = "acct"
+        // filename = user_string($name)
+	// argstr = user_string_quoted($name)
+	asmlinkage()
+	filename = user_string(pointer_arg(1))
+	argstr = user_string_quoted(pointer_arg(1))
+}
+probe nd_syscall.acct.return = kernel.function("sys_acct").return ? {
+	name = "acct"
+	retstr = returnstr(1)
+}
+
+# add_key ____________________________________________________
+# long sys_add_key(const char __user *_type,
+#             const char __user *_description,
+#             const void __user *_payload,
+#             size_t plen,
+#             key_serial_t ringid)
+#
+probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
+	name = "add_key"
+	type_uaddr = $_type
+	description_auddr = $_description
+	payload_uaddr = $_payload
+	plen = $plen
+	ringid = $ringid
+	argstr = sprintf("%s, %s, %s, %d, %d", 
+			user_string_quoted($_type),
+			user_string_quoted($_description),
+			text_strn(user_string($_payload),syscall_string_trunc,1),
+			$plen, $ringid)
+}
+probe nd_syscall.add_key.return = kernel.function("sys_add_key").return ? {
+	name = "add_key"
+	retstr = returnstr(1)
+}
+
+# adjtimex ___________________________________________________
+# long sys_adjtimex(struct timex __user *txc_p)
+probe nd_syscall.adjtimex = kernel.function("sys_adjtimex") {
+	name = "adjtimex"
+	
+	/*
+	* buf_offset       = __uget_timex_m($txc_p,1)
+	* buf_freq         = __uget_timex_m($txc_p,2)
+	* buf_maxerror     = __uget_timex_m($txc_p,3)
+	* buf_esterror     = __uget_timex_m($txc_p,4)
+	* buf_status       = __uget_timex_m($txc_p,5)
+	* buf_constant     = __uget_timex_m($txc_p,6)
+	* buf_precision    = __uget_timex_m($txc_p,7)
+	* buf_tolerance    = __uget_timex_m($txc_p,8)
+	* buf_time_tv_sec  = __uget_timex_m($txc_p,9)
+	* buf_time_tv_usec = __uget_timex_m($txc_p,10)
+	* buf_tick         = __uget_timex_m($txc_p,11)
+	*/
+	argstr = sprintf("%p", $txc_p)
+}
+probe nd_syscall.adjtimex.return = kernel.function("sys_adjtimex").return {
+	name = "adjtimex"
+	retstr = _adjtimex_return_str($return)
+}
+# long compat_sys_adjtimex(struct compat_timex __user *utp)
+probe nd_syscall.compat_adjtimex = kernel.function("compat_sys_adjtimex") ? {
+	name = "compat_adjtimex"
+	argstr = sprintf("%p", $utp)
+}
+probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").return ? {
+	name = "compat_adjtimex"
+	retstr = returnstr(1)
+}
+
+# alarm ______________________________________________________
+# unsigned long sys_alarm (unsigned int seconds)
+# long sys32_alarm(unsigned int seconds)
+#
+probe nd_syscall.alarm =
+		kernel.function("sys_alarm") ?,
+		kernel.function("sys32_alarm") ?
+{
+	name = "alarm"
+	seconds = $seconds
+	argstr = sprint($seconds)
+}
+probe nd_syscall.alarm.return =
+		kernel.function("sys_alarm").return ?,
+		kernel.function("sys32_alarm").return ?
+{
+	name = "alarm"
+	retstr = returnstr(1)
+}
+
+# bdflush ____________________________________________________
+# long sys_bdflush(int func,long data)
+probe nd_syscall.bdflush = kernel.function("sys_bdflush") ? {
+	name = "bdflush"
+	func = $func
+	data = $data
+        if (($func>=2)&&($func%2==0))
+                data_str = sprintf("%p", $data)
+        else
+                data_str = sprintf("%d", $data)
+        argstr = sprintf("%d, %s",func, data_str)
+}
+probe nd_syscall.bdflush.return = kernel.function("sys_bdflush").return ? {
+	name = "bdflush"
+	retstr = returnstr(1)
+}
+
+# bind _______________________________________________________
+# long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
+probe nd_syscall.bind = kernel.function("sys_bind") ? {
+	name = "bind"
+	sockfd = $fd
+	my_addr_uaddr = $umyaddr
+	addrlen = $addrlen
+	argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr,$addrlen),$addrlen)
+}
+probe nd_syscall.bind.return = kernel.function("sys_bind").return ? {
+	name = "bind"
+	retstr = returnstr(1)
+}
+
+# brk ________________________________________________________
+# unsigned long sys_brk(unsigned long brk)
+probe nd_syscall.brk =
+		kernel.function("sys_brk"),
+		kernel.function("ia64_brk") ?
+{
+	name = "brk"
+	brk = $brk
+	argstr = sprintf("%p", brk)
+}
+probe nd_syscall.brk.return =
+		kernel.function("sys_brk").return,
+		kernel.function("ia64_brk").return ?
+{
+	name = "brk"
+	retstr = returnstr(1)
+}
+
+# capget _____________________________________________________
+/*
+ *  NOTE
+ *   this  is  probably not a good function
+ *   to probe. The  structures  are  always
+ *   changing.  It also  seems  like  it is
+ *   not really  used. Cscope  produced  no
+ *   reference  of  this  function  in  the
+ *   kernel  (returned no callers). Perhaps
+ *   cap_get_proc / cap_set_proc are better
+ *   functions to export.
+ */
+# long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
+probe nd_syscall.capget = kernel.function("sys_capget") {
+	name = "capget"
+	header_uaddr = $header
+	data_uaddr = $dataptr
+	argstr = sprintf("%p, %p", $header, $dataptr)
+}
+probe nd_syscall.capget.return = kernel.function("sys_capget").return {
+	name = "capget"
+	retstr = returnstr(1)
+}
+# capset _____________________________________________________
+/*
+ *  NOTE
+ *   this  is  probably not a good function
+ *   to probe. The  structures  are  always
+ *   changing.  It also  seems  like  it is
+ *   not really  used. Cscope  produced  no
+ *   reference  of  this  function  in  the
+ *   kernel  (returned no callers). Perhaps
+ *   cap_get_proc / cap_set_proc are better
+ *   functions to export.
+ */
+# long sys_capset(cap_user_header_t header, const cap_user_data_t data)
+probe nd_syscall.capset = kernel.function("sys_capset") {
+	name = "capset"
+	header_uaddr = $header
+	data_uaddr = $data
+	argstr = sprintf("%p, %p", $header, $data)
+}
+probe nd_syscall.capset.return = kernel.function("sys_capset").return {
+	name = "capset"
+	retstr = returnstr(1)
+}
+
+# chdir ______________________________________________________
+# long sys_chdir(const char __user * filename)
+probe nd_syscall.chdir = kernel.function("sys_chdir") {
+	name = "chdir"
+	path = user_string($filename)
+	argstr = user_string_quoted($filename)
+}
+probe nd_syscall.chdir.return = kernel.function("sys_chdir").return {
+	name = "chdir"
+	retstr = returnstr(1)
+}
+
+# chmod ______________________________________________________
+# long sys_chmod(const char __user * filename, mode_t mode)
+probe nd_syscall.chmod = kernel.function("sys_chmod") {
+	name = "chmod"
+	path = user_string($filename)
+	mode = $mode
+	argstr = sprintf("%s, %#o", user_string_quoted($filename), mode)
+}
+probe nd_syscall.chmod.return = kernel.function("sys_chmod").return {
+	name = "chmod"
+	retstr = returnstr(1)
+}
+
+# chown ______________________________________________________
+# long sys_chown(const char __user * filename, uid_t user, gid_t group)
+probe nd_syscall.chown = kernel.function("sys_chown") {
+	name = "chown"
+	path = user_string($filename)
+	owner = __int32($user)
+	group = __int32($group)
+	argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group) 
+}
+probe nd_syscall.chown.return = kernel.function("sys_chown").return {
+	name = "chown"
+	retstr = returnstr(1)
+}
+# chown16 ___________________________________________________
+# long sys_chown16(const char __user * filename, old_uid_t user, 
+#			old_gid_t group)
+#
+probe nd_syscall.chown16 = kernel.function("sys_chown16") ? {
+	name = "chown16"
+	path = user_string($filename)
+	owner = __short($user)
+	group = __short($group)
+	argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+}
+probe nd_syscall.chown16.return = kernel.function("sys_chown16").return ? {
+	name = "chown16"
+	retstr = returnstr(1)
+}
+
+# chroot _____________________________________________________
+# long sys_chroot(const char __user * filename)
+probe nd_syscall.chroot = kernel.function("sys_chroot") {
+	name = "chroot"
+	path = user_string($filename)
+	argstr = user_string_quoted($filename)
+}
+probe nd_syscall.chroot.return = kernel.function("sys_chroot").return {
+	name = "chroot"
+	retstr = returnstr(1)
+}
+
+# clock_getres _______________________________________________
+# long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp)
+# long compat_clock_getres(clockid_t which_clock, struct compat_timespec __user *tp)
+# 
+probe nd_syscall.clock_getres =
+		kernel.function("sys_clock_getres"),
+		kernel.function("compat_clock_getres") ?
+{
+	name = "clock_getres"
+	clk_id = $which_clock
+	clk_id_str = _get_wc_str($which_clock)
+	res_uaddr = $tp
+	argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
+}
+probe nd_syscall.clock_getres.return =
+		kernel.function("sys_clock_getres").return,
+		kernel.function("compat_clock_getres").return ?
+{
+	name = "clock_getres"
+	retstr = returnstr(1)
+}
+
+# clock_gettime ______________________________________________
+# long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp)
+#
+probe nd_syscall.clock_gettime =
+		kernel.function("sys_clock_gettime")
+{
+	name = "clock_gettime"
+	clk_id = $which_clock
+	clk_id_str = _get_wc_str($which_clock)
+	argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
+}
+probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").return
+{
+	name = "clock_gettime"
+	retstr = returnstr(1)
+}
+
+# clock_nanosleep ____________________________________________
+# long sys_clock_nanosleep(clockid_t which_clock,
+#                     int flags,
+#                     const struct timespec __user *rqtp,
+#                     struct timespec __user *rmtp)
+#
+probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
+	name = "clock_nanosleep"
+	if ($flags == 1)
+		flag_str = "TIMER_ABSTIME"
+	else
+		flag_str = sprintf("0x%x", $flags)
+	argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
+			_struct_timespec_u($rqtp,1), $rmtp)
+}
+probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep").return {
+	name = "clock_nanosleep"
+	retstr = returnstr(1)
+}
+# compat_clock_nanosleep ________________________________________
+#
+# long compat_clock_nanosleep(clockid_t which_clock, int flags,
+#			struct compat_timespec __user *rqtp,
+#			struct compat_timespec __user *rmtp)
+#
+probe nd_syscall.compat_clock_nanosleep =
+		kernel.function("compat_clock_nanosleep") ?,
+		kernel.function("compat_sys_clock_nanosleep") ?
+{
+	name = "compat_clock_nanosleep"
+	if ($flags == 1)
+		flag_str = "TIMER_ABSTIME"
+	else
+		flag_str = sprintf("0x%x", $flags)
+	argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
+			_struct_compat_timespec_u($rqtp,1), $rmtp)
+}
+probe nd_syscall.compat_clock_nanosleep.return =
+		kernel.function("compat_clock_nanosleep").return ?,
+		kernel.function("compat_sys_clock_nanosleep").return ?
+{
+	name = "compat_clock_nanosleep"
+	retstr = returnstr(1)
+}
+
+# clock_settime ______________________________________________
+# long sys_clock_settime(clockid_t which_clock,
+#                   const struct timespec __user *tp)
+#
+probe nd_syscall.clock_settime = kernel.function("sys_clock_settime") {
+	name = "clock_settime"
+	clk_id = $which_clock
+	clk_id_str = _get_wc_str($which_clock)
+	tp_uaddr = $tp
+	argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp,1))
+}
+probe nd_syscall.clock_settime.return = kernel.function("sys_clock_settime").return {
+	name = "clock_settime"
+	retstr = returnstr(1)
+}
+
+# close ______________________________________________________
+# long sys_close(unsigned int fd)
+probe nd_syscall.close = kernel.function("sys_close") {
+	name = "close"
+	// fd = $fd
+	asmlinkage()
+	fd = int_arg(1)
+	argstr = sprint(fd)
+}
+probe nd_syscall.close.return = kernel.function("sys_close").return {
+	name = "close"
+	retstr = returnstr(1)
+}
+# connect ____________________________________________________
+# long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
+probe nd_syscall.connect = kernel.function("sys_connect") ? {
+	name = "connect"
+	sockfd = $fd
+	serv_addr_uaddr = $uservaddr
+	addrlen = $addrlen
+	argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr,$addrlen),$addrlen)
+}
+probe nd_syscall.connect.return =	kernel.function("sys_connect").return ? {
+	name = "connect"
+	retstr = returnstr(1)
+}
+
+# creat
+# long sys_creat(const char __user * pathname, int mode)
+probe nd_syscall.creat = kernel.function("sys_creat") ?
+{
+	name = "creat"
+	mode = $mode
+	pathname = user_string($pathname)
+	argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+}
+probe nd_syscall.creat.return = kernel.function("sys_creat").return ?
+{
+	name = "creat"
+	retstr = returnstr(1)
+}
+
+# delete_module ______________________________________________
+# long sys_delete_module(const char __user *name_user, unsigned int flags)
+probe nd_syscall.delete_module = kernel.function("sys_delete_module") ? {
+	name = "delete_module"
+	name_user = user_string($name_user)
+	flags = $flags
+	argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
+}
+probe nd_syscall.delete_module.return = kernel.function("sys_delete_module").return ? {
+	name = "delete_module"
+	retstr = returnstr(1)
+}
+
+# dup ________________________________________________________
+# long sys_dup(unsigned int fildes)
+probe nd_syscall.dup = kernel.function("sys_dup") {
+	name = "dup"
+	// oldfd = $fildes
+	// argstr = sprint($fildes)
+	asmlinkage()
+	old_fd = int_arg(1)
+	argstr = sprint(old_fd)
+}
+probe nd_syscall.dup.return = kernel.function("sys_dup").return {
+	name = "dup"
+	retstr = returnstr(1)
+}
+
+# dup2 _______________________________________________________
+# long sys_dup2(unsigned int oldfd, unsigned int newfd)
+probe nd_syscall.dup2 = kernel.function("sys_dup2") {
+	name = "dup2"
+	oldfd = $oldfd
+	newfd = $newfd
+	argstr = sprintf("%d, %d", $oldfd, $newfd)
+}
+probe nd_syscall.dup2.return = kernel.function("sys_dup2").return {
+	name = "dup2"
+	retstr = returnstr(1)
+}
+
+# epoll_create _______________________________________________
+# long sys_epoll_create(int size)
+probe nd_syscall.epoll_create = kernel.function("sys_epoll_create") ? {
+	name = "epoll_create"
+	size = $size
+	argstr = sprint($size)
+}
+probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").return ? {
+	name = "epoll_create"
+	retstr = returnstr(1)
+}
+
+# epoll_ctl __________________________________________________
+#
+# long sys_epoll_ctl(int epfd, int op, int fd, struct epoll_event __user *event)
+# long compat_sys_epoll_ctl(int epfd, int op, int fd,
+#			struct compat_epoll_event __user *event)
+#
+probe nd_syscall.epoll_ctl =
+		kernel.function("sys_epoll_ctl") ?,
+		kernel.function("compat_sys_epoll_ctl") ?
+{
+	name = "epoll_ctl"
+	epfd = $epfd
+	op = $op
+	op_str = _opoll_op_str($op)
+	fd = $fd
+	event_uaddr = $event
+	argstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
+}
+probe nd_syscall.epoll_ctl.return =
+		kernel.function("sys_epoll_ctl").return ?,
+		kernel.function("compat_sys_epoll_ctl").return ?
+{
+	name = "epoll_ctl"
+	retstr = returnstr(1)
+}
+
+# epoll_pwait _________________________________________________
+#
+# long sys_epoll_pwait(int epfd, struct epoll_event __user *events,
+#		int maxevents, int timeout, const sigset_t __user *sigmask,
+#		size_t sigsetsize)
+# long compat_sys_epoll_pwait(int epfd,
+#			struct compat_epoll_event __user *events,
+#			int maxevents, int timeout,
+#			const compat_sigset_t __user *sigmask,
+#			compat_size_t sigsetsize)
+#
+probe nd_syscall.epoll_pwait =
+		kernel.function("sys_epoll_pwait") ?,
+		kernel.function("compat_sys_epoll_pwait") ?
+{
+	name = "epoll_pwait"
+	argstr = sprintf("%d, %p, %d, %d, %p, %d",
+		$epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
+}
+probe nd_syscall.epoll_pwait.return =
+		kernel.function("sys_epoll_pwait").return ?,
+		kernel.function("compat_sys_epoll_pwait").return ?
+{
+	name = "epoll_pwait"
+	retstr = returnstr(1)
+}
+
+# epoll_wait _________________________________________________
+#
+# long sys_epoll_wait(int epfd, struct epoll_event __user *events,
+#               int maxevents, int timeout)
+# long compat_sys_epoll_wait(int epfd,
+#		struct compat_epoll_event __user *events,
+#		int maxevents, int timeout)
+#
+probe nd_syscall.epoll_wait =
+		kernel.function("sys_epoll_wait") ?,
+		kernel.function("compat_sys_epoll_wait") ?
+{
+	name = "epoll_wait"
+	epfd = $epfd
+	events_uaddr = $events
+	maxevents = $maxevents
+	timeout = $timeout
+	argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
+}
+probe nd_syscall.epoll_wait.return =
+		kernel.function("sys_epoll_wait").return ?,
+		kernel.function("compat_sys_epoll_wait").return ?
+{
+	name = "epoll_wait"
+	retstr = returnstr(1)
+}
+
+# eventfd _____________________________________________________
+# long sys_eventfd(unsigned int count)
+#
+probe nd_syscall.eventfd = kernel.function("sys_eventfd") ? {
+	name = "eventfd"
+	argstr = sprint($count)
+}
+probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? {
+	name = "eventfd"
+	retstr = returnstr(1)
+}
+
+# execve _____________________________________________________
+# int sys_execve(struct pt_regs regs)
+#   which breaks out the args and immediately calls
+# int do_execve(char * filename,
+#	char __user *__user *argv,
+#	char __user *__user *envp,
+#	struct pt_regs * regs)
+probe nd_syscall.execve = kernel.function("do_execve") {
+	name = "execve"
+	// filename = kernel_string($filename)
+	// args = __get_argv($argv, 0)
+	// argstr = sprintf("%s %s", filename, __get_argv($argv, 1))
+	filename = kernel_string(pointer_arg(1))
+	args = __get_argv(pointer_arg(2), 0)
+	argstr = sprintf("%s %s", filename, __get_argv(pointer_arg(2), 1))
+}
+# v2.6.15-rc2 or earlier has problems with sys_execve return probes
+# another reason to probe on do_execve
+probe nd_syscall.execve.return = kernel.function("do_execve").return {
+	name = "execve"
+	retstr = returnstr(1)
+}
+# int compat_do_execve(char * filename,
+#	compat_uptr_t __user *argv,
+#	compat_uptr_t __user *envp,
+#	struct pt_regs * regs)
+probe nd_syscall.compat_execve = kernel.function("compat_do_execve") ? {
+	name = "compat_execve"
+	filename = kernel_string($filename)
+	args = __get_compat_argv($argv, 0)
+	argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
+}
+probe nd_syscall.compat_execve.return = kernel.function("compat_do_execve").return  ? {
+	name = "compat_execve"
+	retstr = returnstr(1)
+}
+
+# exit _______________________________________________________
+# long sys_exit(int error_code)
+probe nd_syscall.exit = kernel.function("do_exit") {
+	name = "exit"
+	status = $code
+	argstr = sprint($code)
+}
+probe nd_syscall.exit.return = end {}
+
+# exit_group _________________________________________________
+# void sys_exit_group(int error_code)
+#
+probe nd_syscall.exit_group = kernel.function("sys_exit_group") {
+	name = "exit_group"
+	status = $error_code
+	argstr = sprint($error_code)
+}
+
+probe nd_syscall.exit_group.return = end {}
+
+%(arch != "x86_64" %?
+# fadvise64 __________________________________________________
+# long sys_fadvise64(int fd, loff_t offset, size_t len,  int advice)
+#
+probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") ? {
+	name = "fadvise64"
+	fs = $fd
+	offset = $offset
+	len = $len
+	advice = $advice
+	argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+}
+probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? {
+	name = "fadvise64"
+	retstr = returnstr(1)
+}
+
+# fadvise64_64 _______________________________________________
+# long sys_fadvise64_64(int fd, loff_t offset, loff_t len,  int advice)
+#
+probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+	name = "fadvise64_64"
+	fs = $fd
+	offset = $offset
+	len = $len
+	advice = $advice
+	argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+}
+probe nd_syscall.fadvise64_64.return =  kernel.function("sys_fadvise64_64").return {
+	name = "fadvise64_64"
+	retstr = returnstr(1)
+}
+%:
+# FIXME x86_64 has problems resolving parameters
+
+# fadvise64 __________________________________________________
+# long sys_fadvise64(int fd, loff_t offset, size_t len,  int advice)
+#
+probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") {
+	name = "fadvise64"
+	fs = 0
+	offset = 0
+	len = 0
+	advice = 0
+	argstr = ""
+}
+probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
+	name = "fadvise64"
+	retstr = returnstr(1)
+}
+
+# fadvise64_64 _______________________________________________
+# long sys_fadvise64_64(int fd, loff_t offset, loff_t len,  int advice)
+#
+probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+	name = "fadvise64_64"
+	fs = 0
+	offset = 0
+	len = 0
+	advice = 0
+	argstr = ""
+}
+probe nd_syscall.fadvise64_64.return =  kernel.function("sys_fadvise64_64").return {
+	name = "fadvise64_64"
+	retstr = returnstr(1)
+}
+%)
+
+# fchdir _____________________________________________________
+# long sys_fchdir(unsigned int fd)
+probe nd_syscall.fchdir = kernel.function("sys_fchdir") {
+	name = "fchdir"
+	fd = $fd
+	argstr = sprint($fd)
+}
+probe nd_syscall.fchdir.return = kernel.function("sys_fchdir").return {
+	name = "fchdir"
+	retstr = returnstr(1)
+}
+
+# fchmod _____________________________________________________
+# long sys_fchmod(unsigned int fd, mode_t mode)
+probe nd_syscall.fchmod = kernel.function("sys_fchmod") {
+	name = "fchmod"
+	fildes = $fd
+	mode = $mode
+	argstr = sprintf("%d, %#o", $fd, $mode)
+}
+probe nd_syscall.fchmod.return = kernel.function("sys_fchmod").return {
+	name = "fchmod"
+	retstr = returnstr(1)
+}
+
+# fchown _____________________________________________________
+# long sys_fchown(unsigned int fd, uid_t user, gid_t group)
+probe nd_syscall.fchown = kernel.function("sys_fchown") {
+	name = "fchown"
+	fd = $fd
+	owner = __int32($user)
+	group = __int32($group)
+	argstr = sprintf("%d, %d, %d", $fd, owner, group) 
+}
+probe nd_syscall.fchown.return = kernel.function("sys_fchown").return {
+	name = "fchown"
+	retstr = returnstr(1)
+}
+
+# fchown16 ___________________________________________________
+# long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
+probe nd_syscall.fchown16 = kernel.function("sys_fchown16") ? {
+	name = "fchown16"
+	fd = $fd
+	owner = __short($user)
+	group = __short($group)
+	argstr = sprintf("%d, %d, %d", $fd, owner, group)
+}
+probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
+	name = "fchown16"
+	retstr = returnstr(1)
+}
+
+# fcntl ______________________________________________________
+# long sys_fcntl(int fd, unsigned int cmd, unsigned long arg)
+# long sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
+# long compat_sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
+# long compat_sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
+#
+probe nd_syscall.fcntl = 
+		kernel.function("sys_fcntl") ?,
+		kernel.function("sys_fcntl64") ?,
+		kernel.function("compat_sys_fcntl") ?,
+		kernel.function("compat_sys_fcntl64") ?
+{
+	name = "fcntl"
+	fd = $fd
+	cmd = $cmd
+	cmd_str = _fcntl_cmd_str($cmd)
+      	arg = $arg
+	argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
+}
+probe nd_syscall.fcntl.return = 
+		kernel.function("sys_fcntl").return ?,
+		kernel.function("sys_fcntl64").return ?,
+		kernel.function("compat_sys_fcntl").return ?,
+		kernel.function("compat_sys_fcntl64").return ?
+{
+	name = "fcntl"
+	retstr = returnstr(1)
+}
+
+# fdatasync __________________________________________________
+# long sys_fdatasync(unsigned int fd)
+probe nd_syscall.fdatasync = kernel.function("sys_fdatasync") {
+	name = "fdatasync"
+	fd = $fd
+	argstr = sprint(fd)
+}
+probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
+	name = "fdatasync"
+	retstr = returnstr(1)
+}
+
+# fgetxattr __________________________________________________
+# ssize_t sys_fgetxattr(int fd, char __user *name,
+# 		void __user *value, size_t size)
+probe nd_syscall.fgetxattr = kernel.function("sys_fgetxattr") {
+	name = "fgetxattr"
+	filedes = $fd
+#FIXME
+	name2 = user_string($name)
+	value_uaddr = $value
+	size  = $size
+	argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted($name), value_uaddr, size)
+}
+probe nd_syscall.fgetxattr.return = kernel.function("sys_fgetxattr").return {
+	name = "fgetxattr"
+	retstr = returnstr(1)
+}
+# flistxattr _________________________________________________
+# ssize_t sys_flistxattr(int fd, char __user *list, size_t size)
+probe nd_syscall.flistxattr = kernel.function("sys_flistxattr") {
+	name = "flistxattr"
+	filedes = $fd
+	list_uaddr = $list
+	size = $size
+	argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size)
+}
+probe nd_syscall.flistxattr.return = kernel.function("sys_flistxattr").return {
+	name = "flistxattr"
+	retstr = returnstr(1)
+}
+
+# flock ______________________________________________________
+# long sys_flock(unsigned int fd, unsigned int cmd)
+probe nd_syscall.flock = kernel.function("sys_flock") {
+	name = "flock"
+	fd = $fd
+	operation = $cmd
+	argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation))
+}
+probe nd_syscall.flock.return = kernel.function("sys_flock").return {
+	name = "flock"
+	retstr = returnstr(1)
+}
+
+function __is_user_regs:long (regs:long) %{ /* pure */
+	struct pt_regs * regs = (void *)((unsigned long)THIS->regs);
+/* copied from asm/ptrace.h */
+#if defined(__i386__)
+#ifdef STAPCONF_X86_UNIREGS
+	int cs = kread(&regs->cs);
+#else
+	int cs = kread(&regs->xcs);
+#endif
+	THIS->__retvalue = (!!((cs & 3)));
+#elif defined(__x86_64__)
+	unsigned long cs = kread(&regs->cs);
+	THIS->__retvalue = (!!((cs & 3)));
+#elif defined(__ia64__)
+	unsigned long psr = kread(&regs->cr_ipsr);
+	THIS->__retvalue = (((struct ia64_psr *) &psr)->cpl != 0);
+#elif defined(__powerpc64__)
+	unsigned long msr = kread(&regs->msr);
+	THIS->__retvalue = ((msr >> MSR_PR_LG) & 0x1);
+#elif defined(__arm__)
+	long cpsr = kread(&regs->ARM_cpsr);
+	THIS->__retvalue = ((cpsr & 0xf) == 0);
+#elif defined(__s390__) || defined(__s390x__)
+	unsigned long mask = kread(&regs->psw.mask);
+	THIS->__retvalue = ((mask & PSW_MASK_PSTATE) != 0);
+#else
+#error "Unimplemented architecture"
+#endif
+CATCH_DEREF_FAULT();
+%}
+
+# fork _______________________________________________________
+# long do_fork(unsigned long clone_flags,
+#	unsigned long stack_start,
+#	struct pt_regs *regs,
+#	unsigned long stack_size,
+#	int __user *parent_tidptr,
+#	int __user *child_tidptr)
+probe nd_syscall.fork = kernel.function("do_fork") {
+	// clone_flags = $clone_flags
+	// stack_start = $stack_start
+	// regs = $regs
+	// stack_size = $stack_size
+	// parent_tid_uaddr = $parent_tidptr
+	// child_tid_uaddr = $child_tidptr
+	clone_flags = ulong_arg(1)
+	stack_start = ulong_arg(2)
+	regs = pointer_arg(3)
+	stack_size = ulong_arg(4)
+	parent_tid_uaddr = pointer_arg(5)
+	child_tid_uaddr = pointer_arg(6)
+	
+	if (!__is_user_regs(regs)) {
+		name = "fork_kernel_thread"
+		argstr = __fork_flags(clone_flags) 
+	} else if (clone_flags == 17)
+		name = "fork"
+	else if (clone_flags & 0x4000)
+		name = "vfork"
+	else {
+		name = "clone"
+		argstr = __fork_flags(clone_flags)
+	}
+}
+probe nd_syscall.fork.return = kernel.function("do_fork").return {
+	name = "fork"
+	retstr = returnstr(1)
+}
+# fremovexattr _______________________________________________
+# long sys_fremovexattr(int fd, char __user *name)
+probe nd_syscall.fremovexattr = kernel.function("sys_fremovexattr") {
+	name = "fremovexattr"
+	filedes = $fd
+	name_uaddr = $name
+	argstr = sprintf("FIXME PLEASE")
+}
+probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").return {
+	name = "fremovexattr"
+	retstr = returnstr(1)
+}
+
+# fsetxattr __________________________________________________
+/*
+ * asmlinkage long
+ * sys_fsetxattr(int fd,
+ *               char __user *name,
+ *               void __user *value,
+ *               size_t size,
+ *               int flags)
+ */
+probe nd_syscall.fsetxattr = kernel.function("sys_fsetxattr") {
+	name = "fsetxattr"
+	filedes = $fd
+# FIXME
+	name2 = user_string($name)
+	value_uaddr = $value
+	size = $size
+	flags = $flags
+	argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
+}
+probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
+	name = "fsetxattr"
+	retstr = returnstr(1)
+}
+
+# fstat ______________________________________________________
+# long sys_fstat(unsigned int fd, struct __old_kernel_stat __user * statbuf)
+# long sys_fstat64(unsigned long fd, struct stat64 __user * statbuf)
+# long sys32_fstat64(unsigned int fd, struct stat64 __user *statbuf)
+# long sys_newfstat(unsigned int fd, struct stat __user * statbuf)
+# long sys_oabi_fstat64(char __user * filename,
+#			struct oldabi_stat64 __user * statbuf)
+# long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf)
+#
+probe nd_syscall.fstat = 
+		kernel.function("sys_fstat") ?, 
+		kernel.function("sys_fstat64") ?,
+		kernel.function("sys32_fstat64") ?,
+		kernel.function("sys_newfstat") ?,
+		kernel.function("sys_oabi_fstat64") ?,
+		kernel.function("compat_sys_newfstat") ?
+{
+	name = "fstat"
+	filedes = $fd
+	buf_uaddr = $statbuf
+	argstr = sprintf("%d, %p", $fd, $statbuf)
+}
+probe nd_syscall.fstat.return = 
+		kernel.function("sys_fstat").return ?,
+		kernel.function("sys_fstat64").return ?,
+		kernel.function("sys32_fstat64").return ?,
+		kernel.function("sys_newfstat").return ?,
+		kernel.function("sys_oabi_fstat64").return ?,
+		kernel.function("compat_sys_newfstat").return ?
+{
+	name = "fstat"
+	retstr = returnstr(1)
+}
+
+# fstatat ____________________________________________________
+# sys32_fstatat64(unsigned int dfd, char __user *filename, struct stat64_emu31 __user* statbuf, int flag)
+# long sys_newfstatat(int dfd, char __user *filename, struct stat __user *statbuf, int flag)
+# long sys_fstatat64(int dfd, char __user *filename, struct stat64 __user *statbuf, int flag)
+# long compat_sys_newfstatat(unsigned int dfd, char __user *filename, struct compat_stat __user *statbuf, int flag)
+probe nd_syscall.fstatat = 
+		kernel.function("sys_fstatat64") ?, 
+		kernel.function("sys_newfstatat") ?,
+		kernel.function("compat_sys_newfstatat") ?,
+		kernel.function("sys32_fstatat64") ?
+{
+	name = "fstatat"
+	dirfd = $dfd
+	path = user_string($filename)
+	buf_uaddr = $statbuf
+	argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
+}
+probe nd_syscall.fstatat.return = 
+		kernel.function("sys_fstatat64").return ?, 
+		kernel.function("sys_newfstatat").return ?,
+		kernel.function("compat_sys_newfstatat").return ?,
+		kernel.function("sys32_fstatat64").return ?
+{
+	name = "fstatat"
+	retstr = returnstr(1)
+}
+
+# fstatfs ____________________________________________________
+# long sys_fstatfs(unsigned int fd, struct statfs __user * buf)
+# long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf)
+#
+probe nd_syscall.fstatfs = 
+		kernel.function("sys_fstatfs"),
+		kernel.function("compat_sys_fstatfs") ?
+{
+	name = "fstatfs"
+	fd = $fd
+	buf_uaddr = $buf
+	argstr = sprintf("%d, %p", $fd, $buf)
+}
+probe nd_syscall.fstatfs.return = 
+		kernel.function("sys_fstatfs").return,
+		kernel.function("compat_sys_fstatfs").return ?
+{
+	name = "fstatfs"
+	retstr = returnstr(1)
+}
+
+# fstatfs64 __________________________________________________
+# long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf)
+# long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf)
+#
+probe nd_syscall.fstatfs64 = 
+		kernel.function("sys_fstatfs64") ?,
+		kernel.function("compat_sys_fstatfs64") ?
+{
+	name = "fstatfs"
+	fd = $fd
+	sz = $sz
+	buf_uaddr = $buf
+	argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
+}
+probe nd_syscall.fstatfs64.return =
+		kernel.function("sys_fstatfs64").return ?,
+		kernel.function("compat_sys_fstatfs64").return ?
+{
+	name = "fstatfs"
+	retstr = returnstr(1)
+}
+
+# fsync ______________________________________________________
+# long sys_fsync(unsigned int fd)
+probe nd_syscall.fsync = kernel.function("sys_fsync") {
+	name = "fsync"
+	fd = $fd
+	argstr = sprint(fd)
+}
+probe nd_syscall.fsync.return = kernel.function("sys_fsync").return {
+	name = "fsync"
+	retstr = returnstr(1)
+}
+# ftruncate __________________________________________________
+# long sys_ftruncate(unsigned int fd, unsigned long length)
+probe nd_syscall.ftruncate = kernel.function("sys_ftruncate") {
+	name = "ftruncate"
+	fd = $fd
+	length = $length
+	argstr = sprintf("%d, %d", fd, length)
+}
+probe nd_syscall.ftruncate.return = kernel.function("sys_ftruncate").return {
+	name = "ftruncate"
+	retstr = returnstr(1)
+}
+
+# ftruncate64 ________________________________________________
+# long sys_ftruncate64(unsigned int fd, loff_t length)
+probe nd_syscall.ftruncate64 = kernel.function("sys_ftruncate64") ? {
+	name = "ftruncate"
+	fd = $fd
+	length = $length
+	argstr = sprintf("%d, %d", fd, length)
+}
+probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? {
+	name = "ftruncate"
+	retstr = returnstr(1)
+}
+
+# futex ______________________________________________________
+# long sys_futex(u32 __user *uaddr,
+#           int op,
+#           int val,
+#           struct timespec __user *utime,
+#           u32 __user *uaddr2,
+#           int val3)
+# long compat_sys_futex(u32 __user *uaddr, int op, u32 val,
+#		struct compat_timespec __user *utime, u32 __user *uaddr2,
+#		u32 val3)
+#
+probe nd_syscall.futex = kernel.function("sys_futex") ? {
+	name = "futex"
+	futex_uaddr = $uaddr
+	op = $op
+	val = $val
+	utime_uaddr = $utime
+	uaddr2_uaddr = $uaddr2
+	val3 = $val3
+	if (op == 0)
+		argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op), 
+			$val, _struct_timespec_u($utime,1)) 
+	else
+		argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op), 
+			$val) 
+}
+probe nd_syscall.futex.return = kernel.function("sys_futex").return ? {
+	name = "futex"
+	retstr = returnstr(1)
+}
+probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
+	name = "futex"
+	futex_uaddr = $uaddr
+	op = $op
+	val = $val
+	utime_uaddr = $utime
+	uaddr2_uaddr = $uaddr2
+	val3 = $val3
+	if (op == 0)
+		argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op), 
+			$val, _struct_compat_timespec_u($utime,1)) 
+	else
+		argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op), 
+			$val) 
+}
+probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").return ? {
+	name = "futex"
+	retstr = returnstr(1)
+}
+
+# futimesat _____________________________________________________
+#
+# long sys_futimesat(int dfd, char __user *filename, struct timeval __user *utimes)
+# long compat_sys_futimesat(unsigned int dfd, char __user *filename, struct compat_timeval __user *t)
+#
+
+probe nd_syscall.futimesat = kernel.function("sys_futimesat") ? {
+	name = "futimesat"
+	dirfd = $dfd
+	filename_uaddr = $filename
+	filename = user_string($filename)
+	tvp_uaddr = $utimes
+	argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),  
+		_struct_timeval_u($utimes, 2))
+}
+probe nd_syscall.compat_futimesat = kernel.function("compat_sys_futimesat") ? {
+	name = "futimesat"
+	dirfd = $dfd
+	filename_uaddr = $filename
+	filename = user_string($filename)
+	tvp_uaddr = $t
+	argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),  
+		_struct_compat_timeval_u($t, 2))
+}
+probe nd_syscall.futimesat.return = kernel.function("sys_futimesat").return ? {
+	name = "futimesat"
+	retstr = returnstr(1)
+}
+probe nd_syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").return ? {
+	name = "futimesat"
+	retstr = returnstr(1)
+}
+
+# getcwd _____________________________________________________
+# long sys_getcwd(char __user *buf, unsigned long size)
+probe nd_syscall.getcwd = kernel.function("sys_getcwd") {
+	name = "getcwd"
+	buf_uaddr = $buf
+	size = $size
+	argstr = sprintf("%p, %d", buf_uaddr, size)
+}
+probe nd_syscall.getcwd.return = kernel.function("sys_getcwd").return {
+	name = "getcwd"
+	retstr = returnstr(1)
+}
+
+# getdents ___________________________________________________
+# long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count)
+# long compat_sys_getdents(unsigned int fd,struct compat_linux_dirent __user *dirent, unsigned int count)
+# long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
+# long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
+#
+probe nd_syscall.getdents =
+		kernel.function("sys_getdents") ?,
+		kernel.function("sys_getdents64") ?,
+		kernel.function("compat_sys_getdents") ?,
+		kernel.function("compat_sys_getdents64") ?
+{
+	name = "getdents"
+	fd = $fd
+	dirp_uaddr = $dirent
+	count = $count
+	argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+}
+probe nd_syscall.getdents.return =
+		kernel.function("sys_getdents").return ?,
+		kernel.function("sys_getdents64").return ?,
+		kernel.function("compat_sys_getdents").return ?,
+		kernel.function("compat_sys_getdents64").return ?
+{
+	name = "getdents"
+	retstr = returnstr(1)
+}
+
+# getegid ____________________________________________________
+# long sys_getegid(void)
+# long sys_getegid16(void)
+# long sys32_getegid16(void)
+#
+probe nd_syscall.getegid =
+		kernel.function("sys_getegid16") ?,
+		kernel.function("sys32_getegid16") ?,
+		kernel.function("sys_getegid")
+{
+	name = "getegid"
+	argstr = ""
+}
+probe nd_syscall.getegid.return =
+		kernel.function("sys_getegid16").return ?,
+		kernel.function("sys32_getegid16").return ?,
+		kernel.function("sys_getegid").return
+{
+	name = "getegid"
+	retstr = returnstr(1)
+}
+
+# geteuid ____________________________________________________
+# long sys_geteuid(void)
+# long sys32_geteuid16(void)
+#
+probe nd_syscall.geteuid = 
+		kernel.function("sys_geteuid16") ?,
+		kernel.function("sys32_geteuid16") ?,
+		kernel.function("sys_geteuid")
+{
+	name = "geteuid"
+	argstr = ""
+}
+probe nd_syscall.geteuid.return = 
+		kernel.function("sys_geteuid16").return ?,
+		kernel.function("sys32_geteuid16").return ?,
+		kernel.function("sys_geteuid").return
+{
+	name = "geteuid"
+	retstr = returnstr(1)
+}
+
+# getgid _____________________________________________________
+# long sys_getgid(void)
+# long sys32_getgid16(void)
+#
+probe nd_syscall.getgid = 
+		kernel.function("sys_getgid16") ?,
+		kernel.function("sys32_getgid16") ?,
+		kernel.function("sys_getgid") 
+{
+	name = "getgid"
+	argstr = ""
+}
+probe nd_syscall.getgid.return = 
+		kernel.function("sys_getgid16").return ?,
+		kernel.function("sys32_getgid16").return ?,
+		kernel.function("sys_getgid").return
+{
+	name = "getgid"
+	retstr = returnstr(1)
+}
+
+# getgroups __________________________________________________
+# long sys_getgroups(int gidsetsize, gid_t __user *grouplist)
+# long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist)
+# long sys32_getgroups16(int gidsetsize, u16 __user *grouplist)
+#
+probe nd_syscall.getgroups = 
+		kernel.function("sys_getgroups") ?,
+		kernel.function("sys_getgroups16") ?,
+		kernel.function("sys32_getgroups16") ?
+{
+	name = "getgroups"
+	size = $gidsetsize
+	list_uaddr = $grouplist
+	argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+}
+probe nd_syscall.getgroups.return = 
+		kernel.function("sys_getgroups").return ?,
+		kernel.function("sys_getgroups16").return ?,
+		kernel.function("sys32_getgroups16").return ?
+{
+	name = "getgroups"
+	retstr = returnstr(1)
+}
+
+# gethostname ________________________________________________
+# long sys_gethostname(char __user *name, int len)
+probe nd_syscall.gethostname = kernel.function("sys_gethostname") ? {
+	name = "gethostname"
+	name_uaddr = $name
+	len = $len
+	argstr = sprintf ("%p, %d", name_uaddr, len)
+}
+probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return ? {
+	name = "gethostname"
+	retstr = returnstr(1)
+}
+
+# getitimer __________________________________________________
+# sys_getitimer(int which, struct itimerval __user *value)
+#
+probe nd_syscall.getitimer = kernel.function("sys_getitimer") {
+	name = "getitimer"
+	which = $which
+	value_uaddr = $value
+	argstr = sprintf("%s, %p", _itimer_which_str($which), $value) 
+}
+probe nd_syscall.getitimer.return = kernel.function("sys_getitimer").return {
+	name = "getitimer"
+	retstr = returnstr(1)
+}
+# long compat_sys_getitimer(int which, struct compat_itimerval __user *it
+probe nd_syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ? {
+	name = "getitimer"
+	which = $which
+	value_uaddr = $it
+	argstr = sprintf("%s, %p", _itimer_which_str($which), $it) 
+}
+probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ? {
+	name = "getitimer"
+	retstr = returnstr(1)
+}
+
+# get_mempolicy ______________________________________________
+# long sys_get_mempolicy(int __user *policy,
+#                   unsigned long __user *nmask,
+#                   unsigned long maxnode,
+#                   unsigned long addr,
+#                   unsigned long flags)
+# long compat_sys_get_mempolicy(int __user *policy,
+#		     compat_ulong_t __user *nmask,
+#		     compat_ulong_t maxnode,
+#		     compat_ulong_t addr, compat_ulong_t flags)
+#
+probe nd_syscall.get_mempolicy = 
+		kernel.function("sys_get_mempolicy") ?,
+		kernel.function("compat_sys_get_mempolicy") ?
+{
+	name = "get_mempolicy"
+	policy_uaddr = $policy
+	nmask_uaddr = $nmask
+	maxnode = $maxnode
+	addr = $addr
+	flags = $flags
+	argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
+			$nmask, $maxnode, $addr, $flags)
+}
+probe nd_syscall.get_mempolicy.return = 
+	kernel.function("sys_get_mempolicy").return ?,
+	kernel.function("compat_sys_get_mempolicy").return ?
+{
+	name = "get_mempolicy"
+	retstr = returnstr(1)
+}
+
+# getpeername ________________________________________________
+# long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len)
+#
+probe nd_syscall.getpeername = kernel.function("sys_getpeername") ? {
+	name = "getpeername"
+	s = $fd
+	name_uaddr = $usockaddr
+	namelen_uaddr = $usockaddr_len
+	argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+}
+probe nd_syscall.getpeername.return = kernel.function("sys_getpeername").return ? {
+	name = "getpeername"
+	retstr = returnstr(1)
+}
+
+# getpgid ____________________________________________________
+# long sys_getpgid(pid_t pid)
+probe nd_syscall.getpgid = kernel.function("sys_getpgid") {
+	name = "getpgid"
+	pid = $pid
+	argstr = sprintf("%d", $pid)
+}
+probe nd_syscall.getpgid.return = kernel.function("sys_getpgid").return {
+	name = "getpgid"
+	retstr = returnstr(1)
+}
+
+# getpgrp ____________________________________________________
+# long sys_getpgrp(void)
+probe nd_syscall.getpgrp = kernel.function("sys_getpgrp") ? {
+	name = "getpgrp"
+	argstr = ""
+}
+probe nd_syscall.getpgrp.return = kernel.function("sys_getpgrp").return ? {
+	name = "getpgrp"
+	retstr = returnstr(1)
+}
+
+# getpid _____________________________________________________
+# long sys_getpid(void)
+probe nd_syscall.getpid = kernel.function("sys_getpid") {
+	name = "getpid"
+	argstr = ""
+}
+probe nd_syscall.getpid.return = kernel.function("sys_getpid").return {
+	name = "getpid"
+	retstr = returnstr(1)
+}
+
+# getppid ____________________________________________________
+# long sys_getppid(void)
+probe nd_syscall.getppid = kernel.function("sys_getppid") {
+	name = "getppid"
+	argstr = ""
+}
+probe nd_syscall.getppid.return = kernel.function("sys_getppid").return {
+	name = "getppid"
+	retstr = returnstr(1)
+}
+
+# getpriority ________________________________________________
+# long sys_getpriority(int which, int who)
+probe nd_syscall.getpriority = kernel.function("sys_getpriority") {
+	name = "getpriority"
+	which = $which
+	who = $who
+	argstr = sprintf("%s, %d", _priority_which_str(which), who)
+}
+probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return {
+	name = "getpriority"
+	retstr = returnstr(1)
+}
+
+# getresgid __________________________________________________
+# long sys_getresgid(gid_t __user *rgid,
+#                    gid_t __user *egid,
+#                    gid_t __user *sgid)
+# long sys_getresgid16(old_uid_t __user *rgid,
+#                 old_uid_t __user *egid,
+#                 old_uid_t __user *sgid)
+probe nd_syscall.getresgid =
+		kernel.function("sys_getresgid16") ?,
+		kernel.function("sys_getresgid") 
+{
+	name = "getresgid"
+	rgid_uaddr = $rgid
+	egid_uaddr = $egid
+	sgid_uaddr = $sgid
+	argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
+}
+probe nd_syscall.getresgid.return =
+		kernel.function("sys_getresgid16").return ?,
+		kernel.function("sys_getresgid").return
+{
+	name = "getresgid"
+	retstr = returnstr(1)
+}
+
+# getresuid __________________________________________________
+# long sys_getresuid(uid_t __user *ruid, 
+#		uid_t __user *euid,
+#		uid_t __user *suid)
+probe nd_syscall.getresuid = 
+		kernel.function("sys_getresuid16") ?,
+		kernel.function("sys_getresuid")
+{
+	name = "getresuid"
+	ruid_uaddr = $ruid
+	euid_uaddr = $euid
+	suid_uaddr = $suid
+	argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
+}
+probe nd_syscall.getresuid.return =
+		kernel.function("sys_getresuid16").return ?,
+		kernel.function("sys_getresuid").return 
+{
+	name = "getresuid"
+	retstr = returnstr(1)
+}
+
+# getrlimit __________________________________________________
+# long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim)
+# long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim)
+# long compat_sys_getrlimit (unsigned int resource, struct compat_rlimit __user *rlim)
+probe nd_syscall.getrlimit = kernel.function("sys_getrlimit"),
+                          kernel.function("sys_old_getrlimit") ?,
+                          kernel.function("compat_sys_getrlimit") ?
+{
+	name = "getrlimit"
+	resource = $resource
+	rlim_uaddr = $rlim
+	argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
+}
+probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return,
+                                 kernel.function("sys_old_getrlimit").return ?,
+	                         kernel.function("compat_sys_getrlimit").return ?
+{
+	name = "getrlimit"
+	retstr = returnstr(1)
+}
+
+# getrusage __________________________________________________
+# long sys_getrusage(int who, struct rusage __user *ru)
+probe nd_syscall.getrusage = kernel.function("sys_getrusage") {
+	name = "getrusage"
+	who = $who
+	if($who==-2)
+	{
+		# RUSAGE_BOTH is not valid argument for sys_getrusage
+		who_str = sprintf("UNKNOWN VALUE: %d", $who)
+	}
+	else
+	{
+		who_str = _rusage_who_str($who)
+	}
+	usage_uaddr = $ru
+	argstr = sprintf("%s, %p", who_str, usage_uaddr)
+}
+probe nd_syscall.getrusage.return = kernel.function("sys_getrusage").return {
+	name = "getrusage"
+	retstr = returnstr(1)
+}
+
+# getsid _____________________________________________________
+# long sys_getsid(pid_t pid)
+probe nd_syscall.getsid = kernel.function("sys_getsid") {
+	name = "getsid"
+	pid = $pid
+	argstr = sprint(pid)
+}
+probe nd_syscall.getsid.return = kernel.function("sys_getsid").return {
+	name = "getsid"
+	retstr = returnstr(1)
+}
+
+# getsockname ________________________________________________
+# long sys_getsockname(int fd,
+#		struct sockaddr __user *usockaddr,
+#		int __user *usockaddr_len)
+probe nd_syscall.getsockname = kernel.function("sys_getsockname") ? {
+	name = "getsockname"
+	s = $fd
+	name_uaddr = $usockaddr
+	namelen_uaddr = $usockaddr_len
+	argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+}
+probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return ? {
+	name = "getsockname"
+	retstr = returnstr(1)
+}
+
+# getsockopt _________________________________________________
+# long sys_getsockopt(int fd,
+#                int level,
+#                int optname,
+#                char __user *optval,
+#                int __user *optlen)
+#
+probe nd_syscall.getsockopt = 
+		kernel.function("sys_getsockopt") ?,
+		kernel.function("compat_sys_getsockopt") ?
+{
+	name = "getsockopt"
+	fd = $fd
+	level = $level
+	level_str = _sockopt_level_str($level)
+	optname = $optname
+	optname_str = _sockopt_optname_str($optname)
+	optval_uaddr = $optval
+	optlen_uaddr = $optlen
+	argstr = sprintf("%d, %s, %s, %p, %p", $fd,  _sockopt_level_str($level),
+			_sockopt_optname_str($optname), $optval, $optlen)
+}
+probe nd_syscall.getsockopt.return =
+		kernel.function("sys_getsockopt").return ?,
+		kernel.function("compat_sys_getsockopt").return ? 
+{
+	name = "getsockopt"
+	retstr = returnstr(1)
+}
+
+# gettid _____________________________________________________
+# long sys_gettid(void)
+probe nd_syscall.gettid = kernel.function("sys_gettid") {
+	name = "gettid"
+	argstr = ""
+}
+probe nd_syscall.gettid.return = kernel.function("sys_gettid").return {
+	name = "gettid"
+	retstr = returnstr(1)
+}
+
+# gettimeofday _______________________________________________
+# long sys_gettimeofday(struct timeval  __user *tv,
+#	struct timezone __user *tz)
+# long sys32_gettimeofday(struct compat_timeval __user *tv, 
+#	struct timezone __user *tz)
+# long compat_sys_gettimeofday(struct compat_timeval __user *tv,
+#	struct timezone __user *tz)
+probe nd_syscall.gettimeofday = 
+		kernel.function("sys_gettimeofday"),
+		kernel.function("sys32_gettimeofday") ?,
+		kernel.function("compat_sys_gettimeofday") ?
+{
+	name = "gettimeofday"
+	tv_uaddr = $tv
+	tz_uaddr = $tz
+	argstr = sprintf("%p, %p", $tv, $tz)
+}
+
+probe nd_syscall.gettimeofday.return = 
+		kernel.function("sys_gettimeofday").return,
+		kernel.function("sys32_gettimeofday").return ?,
+		kernel.function("compat_sys_gettimeofday").return ?
+{
+	name = "gettimeofday"
+	retstr = returnstr(1)
+}
+
+# getuid _____________________________________________________
+# long sys_getuid(void
+# long sys_getuid16(void)
+# long sys32_getuid16(void)
+#
+probe nd_syscall.getuid =
+		kernel.function("sys_getuid16") ?,
+		kernel.function("sys32_getuid16") ?,
+		kernel.function("sys_getuid")
+{
+	name = "getuid"
+	argstr = ""
+}
+probe nd_syscall.getuid.return =
+		kernel.function("sys_getuid16").return ?,
+		kernel.function("sys32_getuid16").return ?,
+		kernel.function("sys_getuid").return
+{
+	name = "getuid"
+	retstr = returnstr(1)
+}
+
+# getxattr ___________________________________________________
+# ssize_t sys_getxattr(char __user *path, char __user *name,
+#		void __user *value, size_t size)
+probe nd_syscall.getxattr = kernel.function("sys_getxattr") {
+	name = "getxattr"
+	path = user_string($path)
+	# FIXME
+	name2 = user_string($name)
+	value_uaddr = $value
+	size = $size
+	argstr = sprintf("%s, %s, %p, %d", 
+		user_string_quoted($path), 
+		user_string_quoted($name),
+		value_uaddr, size)
+}
+probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return {
+	name = "getxattr"
+	retstr = returnstr(1)
+}
+
+# init_module ________________________________________________
+# long sys_init_module(void __user *umod,
+#		unsigned long len,
+#		const char __user *uargs)
+#
+probe nd_syscall.init_module = kernel.function("sys_init_module") ? {
+	name = "init_module"
+	umod_uaddr = $umod
+	len = $len
+	uargs = user_string($uargs)
+	argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
+}
+probe nd_syscall.init_module.return = kernel.function("sys_init_module").return ? {
+	name = "init_module"
+	retstr = returnstr(1)
+}
+
+# inotify_add_watch __________________________________________
+#
+# long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
+#
+probe nd_syscall.inotify_add_watch = kernel.function("sys_inotify_add_watch") ? {
+	name = "inotify_add_watch"
+	fd = $fd
+	path_uaddr = $path
+	path = user_string($path)
+	mask = $mask
+	argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask)
+}
+probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_watch").return ? {
+	name = "inotify_add_watch"
+	retstr = returnstr(1)
+}
+
+# inotify_init _______________________________________________
+#
+# long sys_inotify_init(void)
+#
+probe nd_syscall.inotify_init = kernel.function("sys_inotify_init") ? {
+	name = "inotify_init"
+	argstr = ""
+}
+probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").return ? {
+	name = "inotify_init"
+	retstr = returnstr(1)
+}
+
+# inotify_rm_watch ___________________________________________
+#
+# long sys_inotify_rm_watch(int fd, u32 wd)
+#
+probe nd_syscall.inotify_rm_watch = kernel.function("sys_inotify_rm_watch") ? {
+	name = "inotify_rm_watch"
+	fd = $fd
+	wd = $wd
+	argstr = sprintf("%d, %d", $fd, $wd)
+}
+probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch").return ? {
+	name = "inotify_rm_watch"
+	retstr = returnstr(1)
+}
+
+# io_cancel __________________________________________________
+# long sys_io_cancel(aio_context_t ctx_id,
+#		struct iocb __user *iocb,
+#		struct io_event __user *result)
+probe nd_syscall.io_cancel = kernel.function("sys_io_cancel") {
+	name = "io_cancel"
+	ctx_id = $ctx_id
+	iocb_uaddr = $iocb
+	result_uaddr = $result
+	argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)	
+}
+probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
+	name = "io_cancel"
+	retstr = returnstr(1)
+}
+
+# ioctl ______________________________________________________
+# long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
+# long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
+#
+probe nd_syscall.ioctl =
+		kernel.function("sys_ioctl") ?,
+		kernel.function("compat_sys_ioctl") ?
+{
+	name = "ioctl"
+	fd = $fd
+	request = $cmd
+	argp = $arg
+	argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
+}
+probe nd_syscall.ioctl.return =
+		kernel.function("sys_ioctl").return ?,
+		kernel.function("compat_sys_ioctl").return ?
+{
+	name = "ioctl"
+	retstr = returnstr(1)
+}
+
+# io_destroy _________________________________________________
+# long sys_io_destroy(aio_context_t ctx)
+probe nd_syscall.io_destroy = kernel.function("sys_io_destroy") {
+	name = "io_destroy"
+	ctx = $ctx
+	argstr = sprintf("%d", ctx)
+}
+probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
+	name = "io_destroy"
+	retstr = returnstr(1)
+}
+
+# io_getevents _______________________________________________
+# long sys_io_getevents(aio_context_t ctx_id,
+#		long min_nr,
+#		long nr,
+#		struct io_event __user *events,
+#		struct timespec __user *timeout)
+# long compat_sys_io_getevents(aio_context_t ctx_id,
+#		 unsigned long min_nr,
+#		 unsigned long nr,
+#		 struct io_event __user *events,
+#		 struct compat_timespec __user *timeout)
+#
+probe nd_syscall.io_getevents =
+		kernel.function("sys_io_getevents") ?,
+		kernel.function("compat_sys_io_getevents") ?
+{
+	name = "io_getevents"
+	ctx_id = $ctx_id
+	min_nr = $min_nr
+	nr = $nr
+	events_uaddr = $events
+	timeout_uaddr = $timeout
+	timestr = _struct_timespec_u($timeout,1)
+	argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
+		$nr, $events, $timeout, timestr)
+}
+probe nd_syscall.io_getevents.return =
+		kernel.function("sys_io_getevents").return ?,
+		kernel.function("compat_sys_io_getevents").return ?
+{
+	name = "io_getevents"
+	retstr = returnstr(1)
+}
+
+# ioperm _____________________________________________________
+# long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
+#
+probe nd_syscall.ioperm = kernel.function("sys_ioperm") ? {
+	name = "ioperm"
+	from = $from
+	num = $num
+	turn_on = $turn_on
+	argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
+}
+probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
+	name = "ioperm"
+	retstr = returnstr(1)
+}
+
+# io_setup ___________________________________________________
+# long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)
+# 
+probe nd_syscall.io_setup = kernel.function("sys_io_setup") {
+	name = "io_setup"
+	maxevents = $nr_events
+	ctxp_uaddr = $ctxp
+	argstr = sprintf("%d, %p", $nr_events, $ctxp)
+}
+
+probe nd_syscall.io_setup.return = kernel.function("sys_io_setup").return {
+	name = "io_setup"
+	retstr = returnstr(1)
+}
+# long compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p)
+#
+probe nd_syscall.compat_io_setup = kernel.function("compat_sys_io_setup") ? {
+	name = "io_setup"
+	maxevents = $nr_reqs
+	ctxp_uaddr = $ctx32p
+	argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
+}
+
+probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").return ? {
+	name = "io_setup"
+	retstr = returnstr(1)
+}
+
+# io_submit __________________________________________________
+# long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb __user * __user *iocbpp)
+#
+probe nd_syscall.io_submit = kernel.function("sys_io_submit") {
+	name = "io_submit"
+	ctx_id = $ctx_id
+	nr = $nr
+	iocbpp_uaddr = $iocbpp
+	argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
+}
+probe nd_syscall.io_submit.return = kernel.function("sys_io_submit").return {
+	name = "io_submit"
+	retstr = returnstr(1)
+}
+# long compat_sys_io_submit(aio_context_t ctx_id, int nr, u32 __user *iocb)
+#
+probe nd_syscall.compat_io_submit = kernel.function("compat_sys_io_submit") ? {
+	name = "io_submit"
+	ctx_id = $ctx_id
+	nr = $nr
+	iocbpp_uaddr = $iocb
+	argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
+}
+probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").return ? {
+	name = "io_submit"
+	retstr = returnstr(1)
+}
+
+# ioprio_get _________________________________________________
+# long sys_ioprio_get(int which, int who)
+#
+probe nd_syscall.ioprio_get = kernel.function("sys_ioprio_get") ? {
+	name = "ioprio_get"
+	which = $which
+	who = $who
+	argstr = sprintf("%d, %d", $which, $who)
+}
+probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ? {
+	name = "ioprio_get"
+	retstr = returnstr(1)
+}
+
+# ioprio_set _________________________________________________
+# long sys_ioprio_set(int which, int who, int ioprio)
+#
+probe nd_syscall.ioprio_set = kernel.function("sys_ioprio_set") ? {
+	name = "ioprio_set"
+	which = $which
+	who = $who
+	ioprio = $ioprio
+	argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
+}
+probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ? {
+	name = "ioprio_set"
+	retstr = returnstr(1)
+}
+
+# kexec_load _________________________________________________
+# long sys_kexec_load(unsigned long entry,
+#                unsigned long nr_segments,
+#                struct kexec_segment __user *segments,
+#                unsigned long flags)
+# long compat_sys_kexec_load(unsigned long entry,
+#		unsigned long nr_segments,
+#		struct compat_kexec_segment __user *segments,
+#		unsigned long flags)
+#
+probe nd_syscall.kexec_load = 
+		kernel.function("sys_kexec_load") ?,
+		kernel.function("compat_sys_kexec_load") ?
+{
+	name = "kexec_load"
+	entry = $entry
+	nr_segments = $nr_segments
+	segments_uaddr = $segments
+	flags = $flags
+	argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
+}
+probe nd_syscall.kexec_load.return = 
+		kernel.function("sys_kexec_load").return ?,
+		kernel.function("compat_sys_kexec_load").return ?
+{
+	name = "kexec_load"
+	retstr = returnstr(1)	
+}
+
+# keyctl _____________________________________________________
+# long sys_keyctl(int option,
+#            unsigned long arg2,
+#            unsigned long arg3,
+#            unsigned long arg4,
+#            unsigned long arg5)
+# long compat_sys_keyctl(u32 option, u32 arg2, u32 arg3, u32 arg4, u32 arg5)
+#
+probe nd_syscall.keyctl =
+		kernel.function("sys_keyctl") ?,
+		kernel.function("compat_sys_keyctl") ?
+{
+	name = "keyctl"
+	argstr = sprintf("%d, ...", $option)
+
+}
+probe nd_syscall.keyctl.return =
+		kernel.function("sys_keyctl").return ?,
+		kernel.function("compat_sys_keyctl").return ?
+{
+	name = "keyctl"
+	retstr = returnstr(1)
+}
+
+# kill _______________________________________________________
+# long sys_kill(int pid, int sig)
+probe nd_syscall.kill = kernel.function("sys_kill") {
+	name = "kill"
+	pid = $pid
+	sig = $sig
+	argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+}
+probe nd_syscall.kill.return = kernel.function("sys_kill").return {
+	name = "kill"
+	retstr = returnstr(1)
+}
+
+# lchown _____________________________________________________
+# long sys_lchown(const char __user * filename, uid_t user, gid_t group)
+#
+probe nd_syscall.lchown = kernel.function("sys_lchown") {
+	name = "lchown"
+	path = user_string($filename)
+	owner = __int32($user)
+	group = __int32($group)
+	argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
+}	
+probe nd_syscall.lchown.return = kernel.function("sys_lchown").return {
+	name = "lchown"
+	retstr = returnstr(1)
+}
+
+# lchown16 ___________________________________________________
+# long sys_lchown16(const char __user * filename, old_uid_t user, 
+#			old_gid_t group)
+#
+probe nd_syscall.lchown16 = kernel.function("sys_lchown16") ? {
+	name = "lchown16"
+	path = user_string($filename)
+	owner = __short($user)
+	group = __short($group)
+	argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+}
+probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
+	name = "lchown16"
+	retstr = returnstr(1)
+}
+# lgetxattr __________________________________________________
+# ssize_t sys_lgetxattr(char __user *path,
+#               char __user *name,
+#               void __user *value,
+#               size_t size)
+#
+probe nd_syscall.lgetxattr = kernel.function("sys_lgetxattr") {
+	name = "lgetxattr"
+	path = user_string($path)
+	# FIXME
+	name2 = user_string($name)
+	value_uaddr = $value
+	size = $size
+	argstr = sprintf("%s, %s, %p, %d", 
+		user_string_quoted($path), 
+		user_string_quoted($name),
+		value_uaddr, size)
+}
+probe nd_syscall.lgetxattr.return = kernel.function("sys_lgetxattr").return {
+	name = "lgetxattr"
+	retstr = returnstr(1)
+}
+# link _______________________________________________________
+# long sys_link(const char __user * oldname,
+#          const char __user * newname)
+probe nd_syscall.link = kernel.function("sys_link") {
+	name = "link"
+	oldpath = user_string($oldname)
+	newpath = user_string($newname)
+	argstr = sprintf("%s, %s", 
+		user_string_quoted($oldname), 
+		user_string_quoted($newname))
+}
+probe nd_syscall.link.return = kernel.function("sys_link").return {
+	name = "link"
+	retstr = returnstr(1)	
+}
+
+# listen _____________________________________________________
+# long sys_listen(int fd, int backlog)
+probe nd_syscall.listen = kernel.function("sys_listen") ? {
+	name = "listen"
+	sockfd = $fd
+      	backlog = $backlog
+	argstr = sprintf("%d, %d", $fd, $backlog) 
+}	
+probe nd_syscall.listen.return = kernel.function("sys_listen").return ? {
+	name = "listen"
+	retstr = returnstr(1)
+}
+
+# listxattr __________________________________________________
+# ssize_t sys_listxattr(char __user *path, char __user *list, size_t size)
+#
+probe nd_syscall.listxattr = kernel.function("sys_listxattr") {
+	name = "listxattr"
+	path_uaddr = $path
+	path = user_string($path)
+	list_uaddr = $list
+	size = $size
+	argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+}
+probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return {
+	name = "listxattr"
+	retstr = returnstr(1)
+}
+
+# llistxattr _________________________________________________
+# ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size)
+#
+probe nd_syscall.llistxattr = kernel.function("sys_llistxattr") {
+	name = "llistxattr"
+	path_uaddr = $path
+	path = user_string($path)
+	list_uaddr = $list
+	size = $size
+	argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+}
+probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
+	name = "llistxattr"
+	retstr = returnstr(1)
+}
+
+# llseek _____________________________________________________
+# long sys_llseek(unsigned int fd,
+#            unsigned long offset_high,
+#            unsigned long offset_low,
+#            loff_t __user * result,
+#            unsigned int origin)
+probe nd_syscall.llseek = kernel.function("sys_llseek") ? {
+	name = "llseek"
+	fd = $fd
+	offset_high = $offset_high
+	offset_low = $offset_low
+	result_uaddr = $result
+	whence = $origin
+	whence_str = _seek_whence_str($origin)
+	argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
+		$offset_low, $result, whence_str)
+}
+probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? {
+	name = "llseek"
+	retstr = returnstr(1)
+}
+
+# lookup_dcookie _____________________________________________
+# long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len)
+#
+probe nd_syscall.lookup_dcookie = kernel.function("sys_lookup_dcookie") ? {
+	name = "lookup_dcookie"
+	cookie = $cookie64
+	buffer_uaddr = $buf
+	len = $len
+	argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
+}
+probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").return ? {
+	name = "lookup_dcookie"
+	retstr = returnstr(1)
+}
+
+# lremovexattr _______________________________________________
+# long sys_lremovexattr(char __user *path, char __user *name)
+#
+probe nd_syscall.lremovexattr = kernel.function("sys_lremovexattr") {
+	name = "lremovexattr"
+	path_uaddr = $path
+	path = user_string($path)
+	name_uaddr = $name
+	name2 = user_string($name)
+	argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name)) 
+}
+probe nd_syscall.lremovexattr.return = kernel.function("sys_lremovexattr").return {
+	name = "lremovexattr"
+	retstr = returnstr(1)
+}
+
+# lseek ______________________________________________________
+# off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
+probe nd_syscall.lseek = kernel.function("sys_lseek") {
+	name = "lseek"
+	fildes = $fd
+#	offset = __int32($offset)
+	offset = $offset
+	whence = $origin
+	whence_str = _seek_whence_str($origin)
+	argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
+}
+probe nd_syscall.lseek.return = kernel.function("sys_lseek").return {
+	name = "lseek"
+	retstr = returnstr(1)
+}
+
+# lsetxattr __________________________________________________
+# long sys_lsetxattr(char __user *path,
+#               char __user *name,
+#               void __user *value,
+#               size_t size,
+#               int flags)
+#
+probe nd_syscall.lsetxattr = kernel.function("sys_lsetxattr") {
+	name = "lsetxattr"
+	path_uaddr = $path
+	path = user_string($path)
+	name_uaddr = $name
+	name_str = user_string($name)
+	value_uaddr = $value
+	size = $size
+	flags = $flags
+	argstr = sprintf("%s, %s, %p, %d, %d", 
+			user_string_quoted($path), 
+			user_string_quoted($name),
+			value_uaddr, $size, $flags)
+}
+probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
+	name = "lsetxattr"
+	retstr = returnstr(1)
+}
+
+# lstat ______________________________________________________
+# long sys_lstat(char __user * filename, struct __old_kernel_stat __user * statbuf)
+# long sys_newlstat(char __user * filename, struct stat __user * statbuf)
+# long compat_sys_newlstat(char __user * filename, struct compat_stat __user *statbuf)
+# long sys32_lstat64(char * filename, struct stat64 __user *statbuf)
+# long sys_lstat64(char __user * filename, struct stat64 __user * statbuf)
+# long sys_oabi_lstat64(char __user * filename,
+#			struct oldabi_stat64 __user * statbuf)
+#
+probe nd_syscall.lstat = 
+		kernel.function("sys_lstat") ?,
+		kernel.function("sys_newlstat") ?,
+		kernel.function("compat_sys_newlstat") ?,
+		kernel.function("sys32_lstat64") ?,
+		kernel.function("sys_lstat64") ?,
+		kernel.function("sys_oabi_lstat64") ?
+{
+	name = "lstat"
+	path = user_string($filename)
+	buf_uaddr = $statbuf
+	argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf) 
+}
+probe nd_syscall.lstat.return = 
+		kernel.function("sys_lstat").return ?,
+		kernel.function("sys_newlstat").return ?,
+		kernel.function("compat_sys_newlstat").return ?,
+		kernel.function("sys32_lstat64").return ?,
+		kernel.function("sys_lstat64").return ?,
+		kernel.function("sys_oabi_lstat64").return ?
+{ 
+	name = "lstat"
+	retstr = returnstr(1)
+}
+
+# madvise ____________________________________________________
+# long sys_madvise(unsigned long start, size_t len_in, int behavior)
+#
+probe nd_syscall.madvise = kernel.function("sys_madvise") ? {
+	name = "madvise"
+	start = $start
+	length = $len_in
+	advice = $behavior
+	advice_str = _madvice_advice_str($behavior)
+	argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
+}
+probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? {
+	name = "madvise"
+	retstr = returnstr(1)
+}
+
+# mbind ______________________________________________________
+# long sys_mbind(unsigned long start,
+#	unsigned long len,
+#	unsigned long mode,
+#	unsigned long __user *nmask,
+#	unsigned long maxnode,
+#	unsigned flags)
+#
+# long compat_sys_mbind(compat_ulong_t start,
+#	compat_ulong_t len,
+#	compat_ulong_t mode,
+#	compat_ulong_t __user *nmask,
+#	compat_ulong_t maxnode,
+#	compat_ulong_t flags)
+#
+probe nd_syscall.mbind = 
+		kernel.function("sys_mbind") ?,
+		kernel.function("compat_sys_mbind") ?
+{
+	name = "mbind"
+	start = $start
+	len = $len
+	mode = $mode
+	nmask_uaddr = $nmask
+	maxnode = $maxnode
+	flags = $flags
+	argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
+				$nmask, $maxnode, $flags)
+}
+probe nd_syscall.mbind.return = 
+		kernel.function("sys_mbind").return ?,
+		kernel.function("compat_sys_mbind").return ?
+{
+	name = "mbind"
+	retstr = returnstr(1)
+}
+
+# migrate_pages ____________________________________________________
+# long sys_migrate_pages(pid_t pid, unsigned long maxnode,
+#		const unsigned long __user *old_nodes,
+#		const unsigned long __user *new_nodes)
+probe nd_syscall.migrate_pages = kernel.function("sys_migrate_pages") ? {
+	name = "migrate_pages"
+	argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
+}
+probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").return ? {
+	name = "migrate_pages"
+	retstr = returnstr(1)
+}
+
+# mincore ____________________________________________________
+# long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec)
+#
+probe nd_syscall.mincore = kernel.function("sys_mincore") ? {
+	name = "mincore"
+	start = $start
+	length = $len
+	vec_uaddr = $vec
+	argstr = sprintf("%p, %d, %p", $start, $len, $vec)
+}
+probe nd_syscall.mincore.return = kernel.function("sys_mincore").return ? {
+	name = "mincore"
+	retstr = returnstr(1)	
+}
+
+# mkdir ______________________________________________________
+# long sys_mkdir(const char __user * pathname, int mode)
+probe nd_syscall.mkdir = kernel.function("sys_mkdir") {
+	name = "mkdir"
+	pathname_uaddr = $pathname
+	pathname = user_string($pathname)
+	mode = $mode
+	argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+}
+probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return {
+	name = "mkdir"
+	retstr = returnstr(1)	
+}
+
+# mkdirat ____________________________________________________
+# new function with 2.6.16
+# long sys_mkdirat(int dfd, const char __user *pathname, int mode)
+probe nd_syscall.mkdirat = kernel.function("sys_mkdirat") ? {
+	name = "mkdirat"
+	dirfd = $dfd
+	pathname = user_string($pathname)
+	mode = $mode
+	argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
+}
+probe nd_syscall.mkdirat.return = kernel.function("sys_mkdirat").return ? {
+	name = "mkdirat"
+	retstr = returnstr(1)
+}
+
+# mknod
+# long sys_mknod(const char __user * filename, int mode, unsigned dev)
+probe nd_syscall.mknod = kernel.function("sys_mknod") {
+	name = "mknod"
+      	pathname = user_string($filename)
+	mode = $mode
+	dev = $dev
+	argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
+}
+
+probe nd_syscall.mknod.return = kernel.function("sys_mknod").return {
+	name = "mknod"
+	retstr = returnstr(1)
+}
+
+# mlock ______________________________________________________
+#
+# long sys_mlock(unsigned long start, size_t len)
+#
+probe nd_syscall.mlock = kernel.function("sys_mlock") ? {
+	name = "mlock"
+	addr = $start
+	len = $len
+	argstr = sprintf("%p, %d", $start, $len)
+}
+probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? {
+	name = "mlock"
+	retstr = returnstr(1)
+}
+# mlockall ___________________________________________________
+#
+# long sys_mlockall(int flags)
+#
+probe nd_syscall.mlockall = kernel.function("sys_mlockall") ? {
+	name = "mlockall"
+	flags = $flags
+	argstr = _mlockall_flags_str($flags)
+}
+probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? {
+	name = "mlockall"
+	retstr = returnstr(1)
+}
+
+# modify_ldt _________________________________________________
+# int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount)
+#
+probe nd_syscall.modify_ldt = kernel.function("sys_modify_ldt") ? {
+	name = "modify_ldt"
+	func = $func
+	ptr_uaddr = $ptr
+	bytecount = $bytecount
+	argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
+}
+probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? {
+	name = "modify_ldt"
+	retstr = returnstr(1)
+}
+
+# move_pages ____________________________________________________
+# long sys_move_pages(pid_t pid, unsigned long nr_pages,
+#			const void __user * __user *pages,
+#			const int __user *nodes,
+#			int __user *status,
+#			int flags)
+#
+# long compat_sys_move_pages(pid_t pid, unsigned long nr_pages,
+#                compat_uptr_t __user *pages32,
+#                const int __user *nodes,
+#                int __user *status,
+#                int flags)
+#
+probe nd_syscall.move_pages = 
+		kernel.function("sys_move_pages") ?,
+		kernel.function("compat_sys_move_pages") ?
+{
+	name = "move_pages"
+	argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
+}
+probe nd_syscall.move_pages.return = 
+		kernel.function("sys_move_pages").return ?,
+		kernel.function("compat_sys_move_pages").return ?
+{
+	name = "move_pages"
+	retstr = returnstr(1)
+}
+
+# mount ______________________________________________________
+# long sys_mount(char __user * dev_name,
+# 		char __user * dir_name,
+# 		char __user * type,
+# 		unsigned long flags,
+# 		void __user * data)
+# long compat_sys_mount(char __user * dev_name, 
+#		char __user * dir_name,
+#		char __user * type, 
+#		unsigned long flags, 
+#		void __user * data)
+probe nd_syscall.mount = 
+		kernel.function("sys_mount"),
+		kernel.function("compat_sys_mount") ?
+{
+	name = "mount"
+	source = user_string($dev_name)
+	target = user_string($dir_name)
+	filesystemtype = user_string($type)
+	mountflags = $flags
+	mountflags_str = _mountflags_str($flags)
+	data = text_strn(user_string($data),syscall_string_trunc,1)
+	argstr = sprintf("%s, %s, %s, %s, %s", 
+		user_string_quoted($dev_name), 
+		user_string_quoted($dir_name), 
+		user_string_quoted($type), 
+		mountflags_str, data)
+}
+probe nd_syscall.mount.return = 
+		kernel.function("sys_mount").return, 
+		kernel.function("compat_sys_mount").return ?
+{
+	name = "mount"
+	retstr = returnstr(1)
+}
+
+# mprotect ___________________________________________________
+# long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
+#
+probe nd_syscall.mprotect = kernel.function("sys_mprotect") ? {
+	name = "mprotect"
+	addr = $start
+	len = $len
+	prot = $prot
+	prot_str = _mprotect_prot_str($prot)
+	argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
+}
+probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? {
+	name = "mprotect"
+	retstr = returnstr(1)
+}
+
+# mq_getsetattr ______________________________________________
+# long sys_mq_getsetattr(mqd_t mqdes,
+#                  const struct mq_attr __user *u_mqstat,
+#                  struct mq_attr __user *u_omqstat)
+# long compat_sys_mq_getsetattr(mqd_t mqdes,
+#			const struct compat_mq_attr __user *u_mqstat,
+#			struct compat_mq_attr __user *u_omqstat)
+#
+probe nd_syscall.mq_getsetattr =
+		kernel.function("sys_mq_getsetattr") ?,
+		kernel.function("compat_sys_mq_getsetattr") ?
+{
+	name = "mq_getsetattr"
+	mqdes = $mqdes
+	u_mqstat_uaddr = $u_mqstat
+	u_omqstat_uaddr = $u_omqstat
+	argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
+}
+probe nd_syscall.mq_getsetattr.return =
+		kernel.function("sys_mq_getsetattr").return ?,
+		kernel.function("compat_sys_mq_getsetattr").return ?
+{
+	name = "mq_getsetattr"
+	retstr = returnstr(1)
+}
+
+# mq_notify __________________________________________________
+# long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
+# long compat_sys_mq_notify(mqd_t mqdes, const struct compat_sigevent __user *u_notification)
+#
+probe nd_syscall.mq_notify =
+		kernel.function("sys_mq_notify") ?,
+		kernel.function("compat_sys_mq_notify") ?
+{
+	name = "mq_notify"
+	mqdes = $mqdes
+	notification_uaddr = $u_notification
+	argstr = sprintf("%d, %p", $mqdes, $u_notification)
+}
+probe nd_syscall.mq_notify.return =
+		kernel.function("sys_mq_notify").return ?,
+		kernel.function("compat_sys_mq_notify").return ?
+{
+	name = "mq_notify"
+	retstr = returnstr(1)
+}
+
+# mq_open ____________________________________________________
+# long  sys_mq_open(const char __user *u_name,
+#             int oflag,
+#             mode_t mode,
+#             struct mq_attr __user *u_attr)
+# long compat_sys_mq_open(const char __user *u_name,
+#			int oflag, compat_mode_t mode,
+#			struct compat_mq_attr __user *u_attr)
+#
+probe nd_syscall.mq_open =
+		kernel.function("sys_mq_open") ?,
+		kernel.function("compat_sys_mq_open") ?
+{
+	name = "mq_open"
+	name_uaddr = $u_name
+	filename = user_string($u_name)
+	mode = $mode
+	u_attr_uaddr = $u_attr
+	oflag = $oflag
+	if (oflag & 64)
+		argstr = sprintf("%s, %s, %#o, %p", user_string_quoted($u_name), 
+			_sys_open_flag_str($oflag), $mode, $u_attr)
+	else
+		argstr = sprintf("%s, %s", user_string_quoted($u_name), _sys_open_flag_str($oflag))
+}
+probe nd_syscall.mq_open.return =
+		kernel.function("sys_mq_open").return ?,
+		kernel.function("compat_sys_mq_open").return ?
+{
+	name = "mq_open"
+	retstr = returnstr(1)
+}
+
+# mq_timedreceive ____________________________________________
+# ssize_t sys_mq_timedreceive(mqd_t mqdes,
+#                     char __user *u_msg_ptr,
+#                     size_t msg_len,
+#                     unsigned int __user *u_msg_prio,
+#                     const struct timespec __user *u_abs_timeout)
+# ssize_t compat_sys_mq_timedreceive(mqd_t mqdes,
+#			char __user *u_msg_ptr,
+#			size_t msg_len, unsigned int __user *u_msg_prio,
+#			const struct compat_timespec __user *u_abs_timeout)
+#
+probe nd_syscall.mq_timedreceive =
+		kernel.function("sys_mq_timedreceive") ?,
+		kernel.function("compat_sys_mq_timedreceive") ?
+{
+	name = "mq_timedreceive"
+	mqdes = $mqdes
+	msg_ptr_uaddr = $u_msg_ptr
+	msg_len = $msg_len
+	msg_prio_uaddr = $u_msg_prio
+	abs_timout_uaddr = $u_abs_timeout
+	argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
+			$u_msg_prio, $u_abs_timeout)
+}
+probe nd_syscall.mq_timedreceive.return =
+		kernel.function("sys_mq_timedreceive").return ?,
+		kernel.function("compat_sys_mq_timedreceive").return ?
+{
+	name = "mq_timedreceive"
+	retstr = returnstr(1)
+}
+
+# mq_timedsend _______________________________________________
+# long sys_mq_timedsend(mqd_t mqdes,
+#                  const char __user *u_msg_ptr,
+#                  size_t msg_len,
+#                  unsigned int msg_prio,
+#                  const struct timespec __user *u_abs_timeout)
+#  long compat_sys_mq_timedsend(mqd_t mqdes,
+#			const char __user *u_msg_ptr,
+#			size_t msg_len, unsigned int msg_prio,
+#			const struct compat_timespec __user *u_abs_timeout)
+#
+probe nd_syscall.mq_timedsend =
+		kernel.function("sys_mq_timedsend") ?,
+		kernel.function("compat_sys_mq_timedsend") ?
+{
+	name = "mq_timedsend"
+	mqdes = $mqdes
+	msg_ptr_uaddr = $u_msg_ptr
+	msg_len = $msg_len
+	msg_prio = $msg_prio
+	abs_timeout_uaddr = $u_abs_timeout
+	argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
+			$msg_prio, $u_abs_timeout)
+}
+probe nd_syscall.mq_timedsend.return =
+		kernel.function("sys_mq_timedsend").return ?,
+		kernel.function("compat_sys_mq_timedsend").return ?
+{
+	name = "mq_timedsend"
+	retstr = returnstr(1)
+}
+
+# mq_unlink __________________________________________________
+# long sys_mq_unlink(const char __user *u_name)
+#
+probe nd_syscall.mq_unlink = kernel.function("sys_mq_unlink") ? {
+	name = "mq_unlink"
+	u_name_uaddr = $u_name
+	u_name = user_string($u_name)
+	argstr = user_string_quoted($u_name)
+}
+probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? {
+	name = "mq_unlink"
+	retstr = returnstr(1)
+}
+
+# mremap _____________________________________________________
+# unsigned long sys_mremap(unsigned long addr,
+#            unsigned long old_len,
+#            unsigned long new_len,
+#            unsigned long flags,
+#            unsigned long new_addr)
+#
+probe nd_syscall.mremap =
+		kernel.function("sys_mremap") ?,
+		kernel.function("ia64_mremap") ?
+{
+	name = "mremap"
+	old_address = $addr
+	old_size = $old_len
+	new_size = $new_len
+	flags = $flags
+	new_address = $new_addr
+	argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
+		_mremap_flags($flags), $new_addr)
+}
+probe nd_syscall.mremap.return =
+		kernel.function("sys_mremap").return ?,
+		kernel.function("ia64_mremap").return ?
+{
+	name = "mremap"
+	retstr = returnstr(2)
+}
+
+# msgctl _____________________________________________________
+# long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
+#
+probe nd_syscall.msgctl = kernel.function("sys_msgctl") ? {
+	name = "msgctl"
+	msqid = $msqid
+	cmd = $cmd
+	buf_uaddr = $buf
+	argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
+}
+probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? {
+	name = "msgctl"
+	retstr = returnstr(1)
+}
+# compat_sys_msgctl ________________________________________
+#
+# long compat_sys_msgctl(int first, int second, void __user *uptr)
+#
+probe nd_syscall.compat_sys_msgctl = kernel.function("compat_sys_msgctl") ? {
+	name = "compat_sys_msgctl"
+	argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+}
+probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").return ? {
+	name = "compat_sys_msgctl"
+	retstr = returnstr(1)
+}
+
+# msgget _____________________________________________________
+# long sys_msgget (key_t key, int msgflg)
+#
+probe nd_syscall.msgget = kernel.function("sys_msgget") ? {
+	name = "msgget"
+	key = $key
+	msgflg = $msgflg
+	msgflg_str = _sys_open_flag_str($msgflg)
+	argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
+}
+probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? {
+	name = "msgget"
+	retstr = returnstr(1)
+}
+
+# msgrcv _____________________________________________________
+# long sys_msgrcv (int msqid,
+#             struct msgbuf __user *msgp,
+#             size_t msgsz,
+#             long msgtyp,
+#             int msgflg)
+#
+probe nd_syscall.msgrcv = kernel.function("sys_msgrcv") ? {
+	name = "msgrcv"
+	msqid = $msqid
+	msgp_uaddr = $msgp
+	msgsz = $msgsz
+	msgtyp = $msgtyp
+	msgflg = $msgflg
+	argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
+}
+probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? {
+	name = "msgrcv"
+	retstr = returnstr(1)
+}
+# compat_sys_msgrcv ________________________________________
+#
+# long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
+#			int version, void __user *uptr)
+#
+probe nd_syscall.compat_sys_msgrcv = kernel.function("compat_sys_msgrcv") ? {
+	name = "compat_sys_msgrcv"
+	argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+}
+probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").return ? {
+	name = "compat_sys_msgrcv"
+	retstr = returnstr(1)
+}
+
+# msgsnd _____________________________________________________
+# long sys_msgsnd (int msqid,
+#             struct msgbuf __user *msgp,
+#             size_t msgsz,
+#             int msgflg)
+#
+probe nd_syscall.msgsnd = kernel.function("sys_msgsnd") ? {
+	name = "msgsnd"
+	msqid = $msqid
+	msgp_uaddr = $msgp
+	msgsz = $msgsz
+	msgflg = $msgflg
+	argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
+}
+probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? {
+	name = "msgsnd"
+	retstr = returnstr(1)
+}
+# compat_sys_msgsnd ________________________________________
+#
+# long compat_sys_msgsnd(int first, int second, int third, void __user *uptr)
+#
+probe nd_syscall.compat_sys_msgsnd = kernel.function("compat_sys_msgsnd") ? {
+	name = "compat_sys_msgsnd"
+	argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+}
+probe nd_syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").return ? {
+	name = "compat_sys_msgsnd"
+	retstr = returnstr(1)
+}
+
+# msync ______________________________________________________
+# long sys_msync(unsigned long start, size_t len, int flags)
+probe nd_syscall.msync = kernel.function("sys_msync") ? {
+	name = "msync"
+	start = $start
+	length = $len
+	flags = $flags
+	argstr = sprintf("%p, %d, %s",start, length, _msync_flag_str(flags))
+}
+probe nd_syscall.msync.return = kernel.function("sys_msync").return ? {
+	name = "msync"
+	retstr = returnstr(1)
+}
+
+# munlock ____________________________________________________
+# long sys_munlock(unsigned long start, size_t len)
+probe nd_syscall.munlock = kernel.function("sys_munlock") ? {
+	name = "munlock"
+	addr = $start
+	len = $len
+	argstr = sprintf("%p, %d", addr, len)
+}
+probe nd_syscall.munlock.return = kernel.function("sys_munlock").return ? {
+	name = "munlock"
+	retstr = returnstr(1)
+}
+
+# munlockall _________________________________________________
+# long sys_munlockall(void)
+probe nd_syscall.munlockall = kernel.function("sys_munlockall") ? {
+	name = "munlockall"
+	argstr = ""
+}
+probe nd_syscall.munlockall.return = kernel.function("sys_munlockall").return ? {
+	name = "munlockall"
+	retstr = returnstr(1)
+}
+
+# munmap _____________________________________________________
+# long sys_munmap(unsigned long addr, size_t len)
+probe nd_syscall.munmap = kernel.function("sys_munmap") {
+	name = "munmap"
+	start = $addr
+	length = $len
+	argstr = sprintf("%p, %d", start, length)
+}
+probe nd_syscall.munmap.return = kernel.function("sys_munmap").return {
+	name = "munmap"
+	retstr = returnstr(1)
+}