Create nd_syscalls2.stp

This contains an initial transformation of syscalls2.stp to start using
numbered parameter access instead of relying on dwarf.

Signed-off-by: Josh Stone <jistone@redhat.com>

1 files changed, 3916 insertions, 0 deletions

diff --git a/tapset/nd_syscalls2.stp b/tapset/nd_syscalls2.stp
new file mode 100644
index 00000000..a67ebd22
--- /dev/null
+++ b/tapset/nd_syscalls2.stp
@@ -0,0 +1,3916 @@
+// syscalls tapset part 2 [N-Z]
+// Copyright (C) 2005 IBM Corp.
+// Copyright (C) 2005, 2006, 2007 Red Hat Inc.
+// Copyright (C) 2007 Quentin Barnes.
+//
+// This file is part of systemtap, and is free software.  You can
+// redistribute it and/or modify it under the terms of the GNU General
+// Public License (GPL); either version 2, or (at your option) any
+// later version.
+
+/* Each syscall returns the calls parameters. In addition, the following
+* variables are set:
+*
+* name - generally the syscall name minus the "sys_".
+*
+* argstr - a string containing the decoded args in an easy-to-read format.
+*          It doesn't need to contain everything, but should have all the
+*          important args. Set in entry probes only.
+*
+* retstr - a string containing the return value in an easy-to-read format.
+*          Set in return probes only.
+*/
+
+# nanosleep __________________________________________________
+#
+# long sys_nanosleep(struct timespec __user *rqtp,
+#		struct timespec __user *rmtp)
+# long compat_sys_nanosleep(struct compat_timespec __user *rqtp,
+#		struct compat_timespec __user *rmtp)
+#
+probe nd_syscall.nanosleep = kernel.function("sys_nanosleep") {
+	name = "nanosleep"
+	// req_uaddr = $rqtp
+	// rem_uaddr = $rmtp
+	// argstr = sprintf("%s, %p", _struct_timespec_u($rqtp,1), $rmtp)
+	asmlinkage()
+	req_uaddr = pointer_arg(1)
+	rem_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %p", _struct_timespec_u(req_uaddr,1), rem_uaddr)
+}
+probe nd_syscall.nanosleep.return = kernel.function("sys_nanosleep").return {
+	name = "nanosleep"
+	retstr = returnstr(1)
+}
+probe nd_syscall.compat_nanosleep = kernel.function("compat_sys_nanosleep") ? {
+	name = "nanosleep"
+	// req_uaddr = $rqtp
+	// rem_uaddr = $rmtp
+	// argstr = sprintf("%s, %p", _struct_compat_timespec_u($rqtp,1), $rmtp)
+	asmlinkage()
+	req_uaddr = pointer_arg(1)
+	rem_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %p", _struct_compat_timespec_u(req_uaddr,1), rem_uaddr)
+}
+probe nd_syscall.compat_nanosleep.return = kernel.function("compat_sys_nanosleep").return ? {
+	name = "nanosleep"
+	retstr = returnstr(1)
+}
+
+# nfsservctl _________________________________________________
+#
+# long sys_nfsservctl(int cmd, struct nfsctl_arg __user *arg, void __user *res)
+# long compat_sys_nfsservctl(int cmd, struct compat_nfsctl_arg __user *arg,
+#					union compat_nfsctl_res __user *res)
+#
+probe nd_syscall.nfsservctl =
+		kernel.function("sys_nfsservctl") ?,
+		kernel.function("compat_sys_nfsservctl") ?
+{
+	name = "nfsservctl"
+	// cmd = $cmd
+	// argp_uaddr = $arg
+	// resp_uaddr = $res
+	// argstr = sprintf("%s, %p, %p", _nfsctl_cmd_str($cmd), $arg, $res)
+	asmlinkage()
+	cmd = int_arg(1)
+	argp_uaddr = pointer_arg(2)
+	resp_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %p, %p", _nfsctl_cmd_str(cmd), argp_uaddr, resp_uaddr)
+}
+probe nd_syscall.nfsservctl.return = 
+		kernel.function("sys_nfsservctl").return ?,
+		kernel.function("compat_sys_nfsservctl").return ?
+{
+	name = "nfsservctl"
+	retstr = returnstr(1)
+}
+
+# nice _______________________________________________________
+# long sys_nice(int increment)
+#
+probe nd_syscall.nice = kernel.function("sys_nice") ? {
+	name = "nice"
+	// inc = $increment
+	// argstr = sprintf("%d", $increment)
+	asmlinkage()
+	inc = int_arg(1)
+	argstr = sprintf("%d", inc)
+}
+probe nd_syscall.nice.return = kernel.function("sys_nice").return ? {
+	name = "nice"
+	retstr = returnstr(1)
+}
+
+# ni_syscall _________________________________________________
+#
+# long sys_ni_syscall(void)
+#
+probe nd_syscall.ni_syscall = kernel.function("sys_ni_syscall") {
+	name = "ni_syscall"
+	argstr = ""
+}
+probe nd_syscall.ni_syscall.return = kernel.function("sys_ni_syscall").return {
+	name = "ni_syscall"
+	retstr = returnstr(1)
+}
+
+# open _______________________________________________________
+# long sys_open(const char __user * filename, int flags, int mode)
+# (obsolete) long sys32_open(const char * filename, int flags, int mode)
+#
+probe nd_syscall.open = 
+		kernel.function("sys_open") ?,
+		kernel.function("compat_sys_open") ?,
+		kernel.function("sys32_open") ?
+{
+	name = "open"
+	// filename = user_string($filename)
+	// flags = $flags
+	// mode = $mode
+	// if (flags & 64)
+	// 	argstr = sprintf("%s, %s, %#o", user_string_quoted($filename), 
+	// 			_sys_open_flag_str($flags), $mode)
+	// else
+	// 	argstr = sprintf("%s, %s", user_string_quoted($filename), 
+	//    		_sys_open_flag_str($flags))
+	asmlinkage()
+	filename = user_string(pointer_arg(1))
+	flags = int_arg(2)
+	mode = int_arg(3)
+	if (flags & 64)
+		argstr = sprintf("%s, %s, %#o", user_string_quoted(pointer_arg(1)), 
+				_sys_open_flag_str(flags), mode)
+	else
+		argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), 
+			_sys_open_flag_str(flags))
+}
+probe nd_syscall.open.return = 
+		kernel.function("sys_open").return ?, 
+		kernel.function("compat_sys_open").return ?, 
+		kernel.function("sys32_open").return ?
+{
+	name = "open"
+	retstr = returnstr(1)
+}
+
+# openat _______________________________________________________
+# long sys_openat(int dfd, const char __user *filename, int flags, int mode)
+# long compat_sys_openat(unsigned int dfd, const char __user *filename, int flags, int mode)
+#
+probe nd_syscall.openat = 
+		kernel.function("sys_openat") ?,
+		kernel.function("compat_sys_openat") ?
+{
+	name = "openat"
+	// filename = user_string($filename)
+	// flags = $flags
+	// mode = $mode
+	// if ($flags & 64)
+	// 	argstr = sprintf("%s, %s, %s, %#o", _dfd_str($dfd),
+	// 			user_string_quoted($filename), 
+	// 			_sys_open_flag_str($flags), $mode)
+	// else
+	// 	argstr = sprintf("%s, %s, %s", _dfd_str($dfd),
+	// 		user_string_quoted($filename), 
+	// 		_sys_open_flag_str($flags))
+	asmlinkage()
+	filename = user_string(pointer_arg(2))
+	flags = int_arg(3)
+	mode = int_arg(4)
+	if (flags & 64)
+		argstr = sprintf("%s, %s, %s, %#o", _dfd_str(int_arg(1)),
+				user_string_quoted(pointer_arg(2)), 
+				_sys_open_flag_str(flags), mode)
+	else
+		argstr = sprintf("%s, %s, %s", _dfd_str(int_arg(1)),
+			user_string_quoted(pointer_arg(2)), 
+			_sys_open_flag_str(flags))
+}
+probe nd_syscall.openat.return = 
+		kernel.function("sys_openat").return ?,
+		kernel.function("compat_sys_openat").return ?
+{
+	name = "openat"
+	retstr = returnstr(1)
+}
+
+# pause ______________________________________________________
+#
+# sys_pause(void)
+#
+probe nd_syscall.pause = kernel.function("sys_pause") ?,
+		      kernel.function("sys32_pause") ?,
+		      kernel.function("compat_sys_pause") ?
+{	
+	name = "pause"
+	argstr = ""
+}
+probe nd_syscall.pause.return = kernel.function("sys_pause").return ?, 
+			     kernel.function("sys32_pause").return ?,
+			     kernel.function("compat_sys_pause").return ?
+{
+	name = "pause"
+	retstr = returnstr(1)
+}
+
+# pciconfig_iobase ___________________________________________
+#
+# asmlinkage long
+# sys_pciconfig_iobase(long which,
+#			    unsigned long bus,
+#			    unsigned long dfn)
+#
+#
+#probe nd_syscall.pciconfig_iobase = kernel.function("sys_pciconfig_iobase") {
+#	name = "pciconfig_iobase"
+#	which = $which
+#	bus = $bus
+#	dfn = $dfn
+#	argstr = sprintf("%p, %p, %p", which, bus, dfn)
+#}
+#probe nd_syscall.pciconfig_iobase.return = kernel.function("sys_pciconfig_iobase").return {
+#	name = "pciconfig_iobase"
+#	retstr = returnstr(1)
+#}
+# pciconfig_read _____________________________________________
+#
+# asmlinkage int
+# sys_pciconfig_read(unsigned long bus,
+#			  unsigned long dfn,
+#			  unsigned long off,
+#			  unsigned long len,
+#			  unsigned char *buf)
+#			  { return 0; }
+#
+#
+#probe nd_syscall.pciconfig_read = kernel.function("sys_pciconfig_read") {
+#	name = "pciconfig_read"
+#	bus = $bus
+#	dfn = $dfn
+#	off = $off
+#	len = $len
+#	buf_uaddr = $buf
+#	argstr = sprintf("%p, %p, %p, %d, %p", bus, dfn, off,
+#				len, buf_uaddr)
+#}
+#probe nd_syscall.pciconfig_read.return =
+#	kernel.function("sys_pciconfig_read").return {
+#	name = "pciconfig_read"
+#	retstr = returnstr(1)
+#}
+# pciconfig_write ____________________________________________
+#
+# asmlinkage int
+# sys_pciconfig_write(unsigned long bus,
+#			   unsigned long dfn,
+#			   unsigned long off,
+#			   unsigned long len,
+#			   unsigned char *buf)
+#
+#
+#probe nd_syscall.pciconfig_write = kernel.function("sys_pciconfig_write") {
+#	name = "pciconfig_write"
+#	bus = $bus
+#	dfn = $dfn
+#	off = $off
+#	len = $len
+#	buf_uaddr = $buf
+#	argstr = sprintf("%p, %p, %p, %d, %p", bus, dfn, off,
+#				len, buf_uaddr)
+#}
+#probe nd_syscall.pciconfig_write.return =
+#	kernel.function("sys_pciconfig_write").return {
+#	name = "pciconfig_write"
+#	retstr = returnstr(1)
+#}
+# personality ________________________________________________
+#
+# asmlinkage long
+# sys_personality(u_long personality)
+#
+probe nd_syscall.personality = kernel.function("sys_personality") {
+	name = "personality"
+	// persona = $personality
+	asmlinkage()
+	persona = ulong_arg(1)
+	argstr = sprintf("%p", persona);
+}
+probe nd_syscall.personality.return = kernel.function("sys_personality").return {
+	name = "personality"
+	retstr = returnstr(1)
+}
+# pipe _______________________________________________________
+#
+# asmlinkage int
+# sys_pipe(unsigned long __user * fildes)
+#
+probe nd_syscall.pipe = kernel.function("sys_pipe") {
+	name = "pipe"
+%( arch == "ia64" %?
+# ia64 just returns value directly, no fildes argument
+	argstr = ""
+%:
+	// fildes_uaddr = $fildes
+	// argstr = _fildes_u($fildes)
+	%( arch != "ppc64" %? asmlinkage() %)
+	fildes_uaddr = pointer_arg(1)
+	argstr = _fildes_u(fildes_uaddr)
+%)
+}
+
+probe nd_syscall.pipe.return = kernel.function("sys_pipe").return {
+	name = "pipe"
+	retstr = returnstr(1)
+}
+
+# pivot_root _________________________________________________
+#
+# long sys_pivot_root(const char __user *new_root, const char __user *put_old)
+#
+probe nd_syscall.pivot_root = kernel.function("sys_pivot_root") {
+	name = "pivot_root"
+	// new_root_str = user_string($new_root)
+	// old_root_str = user_string($put_old)
+	// argstr = sprintf("%s, %s", user_string_quoted($new_root),
+	// 	user_string_quoted($put_old))	
+	asmlinkage()
+	new_root_str = user_string(pointer_arg(1))
+	old_root_str = user_string(pointer_arg(2))
+	argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
+		user_string_quoted(pointer_arg(2)))	
+}
+probe nd_syscall.pivot_root.return = kernel.function("sys_pivot_root").return {
+	name = "pivot_root"
+	retstr = returnstr(1)
+}
+
+# poll _______________________________________________________
+#
+# long sys_poll(struct pollfd __user * ufds, unsigned int nfds, long timeout)
+#
+probe nd_syscall.poll = kernel.function("sys_poll") {
+	name = "poll"
+	// ufds_uaddr = $ufds
+	// nfds = $nfds
+	// timeout = $timeout
+	// argstr = sprintf("%p, %d, %d", $ufds, $nfds, timeout)
+	asmlinkage()
+	ufds_uaddr = pointer_arg(1)
+	nfds = uint_arg(2)
+	timeout = long_arg(3)
+	argstr = sprintf("%p, %d, %d", ufds_uaddr, nfds, timeout)
+}
+probe nd_syscall.poll.return = kernel.function("sys_poll").return {
+	name = "poll"
+	retstr = returnstr(1)
+}
+
+# ppoll _______________________________________________________
+#
+# long sys_ppoll(struct pollfd __user *ufds, unsigned int nfds,
+#	struct timespec __user *tsp, const sigset_t __user *sigmask,
+#	size_t sigsetsize)
+#
+probe nd_syscall.ppoll = kernel.function("sys_ppoll") ? {
+	name = "ppoll"
+	// argstr = sprintf("%p, %d, %s, %p, %d", 
+	// 	$ufds,
+	// 	$nfds,
+	// 	_struct_timespec_u($tsp,1), 
+	// 	$sigmask,
+	// 	$sigsetsize)
+	asmlinkage()
+	argstr = sprintf("%p, %d, %s, %p, %d", 
+		pointer_arg(1),
+		uint_arg(2),
+		_struct_timespec_u(pointer_arg(3),1), 
+		pointer_arg(4),
+		ulong_arg(5))
+}
+probe nd_syscall.ppoll.return = kernel.function("sys_ppoll").return ? {
+	name = "ppoll"
+	retstr = returnstr(1)
+}
+# long compat_sys_ppoll(struct pollfd __user *ufds,
+#	unsigned int nfds, struct compat_timespec __user *tsp,
+#	const compat_sigset_t __user *sigmask, compat_size_t sigsetsize)
+#
+probe nd_syscall.compat_ppoll = kernel.function("compat_sys_ppoll") ? {
+	name = "ppoll"
+	// argstr = sprintf("%p, %d, %s, %p, %d", 
+	// 	$ufds,
+	// 	$nfds,
+	// 	_struct_compat_timespec_u($tsp,1), 
+	// 	$sigmask,
+	// 	$sigsetsize)
+	asmlinkage()
+	argstr = sprintf("%p, %d, %s, %p, %d", 
+		pointer_arg(1),
+		uint_arg(2),
+		_struct_compat_timespec_u(pointer_arg(3),1), 
+		pointer_arg(4),
+		u32_arg(5))
+}
+probe nd_syscall.compat_ppoll.return = kernel.function("compat_sys_ppoll").return ? {
+	name = "ppoll"
+	retstr = returnstr(1)
+}
+
+# prctl ______________________________________________________
+#
+# asmlinkage long
+# sys_prctl(int option,
+#	     unsigned long arg2,
+#	     unsigned long arg3,
+#	     unsigned long arg4,
+#	     unsigned long arg5)
+#
+probe nd_syscall.prctl = kernel.function("sys_prctl") {
+	name = "prctl"
+	// option = $option
+	// arg2 = $arg2
+	// arg3 = $arg3
+	// arg4 = $arg4
+	// arg5 = $arg5
+	asmlinkage()
+	option = int_arg(1)
+	arg2 = ulong_arg(2)
+	arg3 = ulong_arg(3)
+	arg4 = ulong_arg(4)
+	arg5 = ulong_arg(5)
+	argstr = sprintf("%p, %p, %p, %p, %p", option, arg2, arg3,
+				arg4, arg5)
+}
+probe nd_syscall.prctl.return = kernel.function("sys_prctl").return {
+	name = "prctl"
+	retstr = returnstr(1)
+}
+# pread64 ____________________________________________________
+#
+# ssize_t sys_pread64(unsigned int fd,
+#		 char __user *buf,
+#		 size_t count,
+#		 loff_t pos)
+#
+probe nd_syscall.pread = kernel.function("sys_pread64") {
+	name = "pread"
+	// fd = $fd
+	// buf_uaddr = $buf
+	// count = $count
+	// offset = $pos
+	// argstr = sprintf("%d, %p, %d, %d", $fd, $buf, $count, $pos)
+	asmlinkage()
+	fd = uint_arg(1)	
+	buf_uaddr = pointer_arg(2)
+	count = ulong_arg(3)
+	offset = longlong_arg(4)
+	argstr = sprintf("%d, %p, %d, %d", fd, buf_uaddr, count, offset)
+}
+probe nd_syscall.pread.return = kernel.function("sys_pread64").return {
+	name = "pread"
+	retstr = returnstr(1)
+}
+
+# pselect6 _____________________________________________________
+#
+# long sys_pselect6(int n, fd_set __user *inp, fd_set __user *outp,
+#	fd_set __user *exp, struct timespec __user *tsp, void __user *sig)
+#
+probe nd_syscall.pselect6 = kernel.function("sys_pselect6") ? {
+	name = "pselect6"
+	// argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
+	//			_struct_timespec_u($tsp,1), $sig)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %p, %p, %s, %p", int_arg(1) , pointer_arg(2), pointer_arg(3), pointer_arg(4),
+				_struct_timespec_u(pointer_arg(5),1), pointer_arg(6))
+}
+probe nd_syscall.pselect6.return = kernel.function("sys_pselect6").return ? {
+	name = "pselect6"
+	retstr = returnstr(1)
+}
+probe nd_syscall.compat_pselect6 = kernel.function("compat_sys_pselect6") ? {
+	name = "pselect6"
+	// argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
+	//			_struct_compat_timespec_u($tsp,1), $sig)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %p, %p, %s, %p", int_arg(1), pointer_arg(2), pointer_arg(3), pointer_arg(4),
+				_struct_compat_timespec_u(pointer_arg(5),1), pointer_arg(6))
+}
+probe nd_syscall.compat_pselect6.return = kernel.function("compat_sys_pselect6").return ? {
+	name = "pselect6"
+	retstr = returnstr(1)
+}
+
+# pselect7 _____________________________________________________
+#
+# long sys_pselect7(int n, fd_set __user *inp, fd_set __user *outp,
+#	fd_set __user *exp, struct timespec __user *tsp, 
+#	const sigset_t __user *sigmask, size_t sigsetsize)
+#
+probe nd_syscall.pselect7 = kernel.function("sys_pselect7") ? {
+	name = "pselect7"
+	// argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
+	//			_struct_timespec_u($tsp,1), $sigmask, $sigsetsize)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", int_arg(1) , pointer_arg(2), pointer_arg(3), pointer_arg(4),
+				_struct_timespec_u(pointer_arg(5),1), pointer_arg(6), ulong_arg(7))
+}
+probe nd_syscall.pselect7.return = kernel.function("sys_pselect7").return ? {
+	name = "pselect7"
+	retstr = returnstr(1)
+}
+probe nd_syscall.compat_pselect7a = kernel.function("compat_sys_pselect7") ? {
+	name = "pselect7"
+	//argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
+	//			_struct_compat_timespec_u($tsp,1), $sigmask, $sigsetsize)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", int_arg(1) , pointer_arg(2), pointer_arg(3), pointer_arg(4),
+				_struct_timespec_u(pointer_arg(5),1), pointer_arg(6), ulong_arg(7))
+}
+probe nd_syscall.compat_pselect7.return = kernel.function("compat_sys_pselect7").return ? {
+	name = "pselect7"
+	retstr = returnstr(1)
+}
+
+# ptrace _____________________________________________________
+#
+# int sys_ptrace(long request,
+#		long pid,
+#		long addr,
+#		long data)
+#
+probe nd_syscall.ptrace = kernel.function("sys_ptrace") ? {
+	name = "ptrace"	
+	// request = $request
+	// pid = $pid
+	// addr = $addr
+	// data = $data
+	asmlinkage()
+	request = long_arg(1)
+	pid = long_arg(2)
+	addr = long_arg(3)
+	data = long_arg(4)
+	argstr = sprintf("%d, %d, %p, %p", request, pid, addr, data)
+}
+probe nd_syscall.ptrace.return = kernel.function("sys_ptrace").return ? {
+	name = "ptrace"
+	retstr = returnstr(1)
+}
+
+# pwrite64 ___________________________________________________
+#
+# ssize_t sys_pwrite64(unsigned int fd,
+#		  const char __user *buf,
+#		  size_t count,
+#		  loff_t pos)
+#
+probe nd_syscall.pwrite = kernel.function("sys_pwrite64") {
+	name = "pwrite"
+	// fd = $fd
+	// buf_uaddr = $buf
+	// count = $count
+	// offset = $pos
+	// argstr = sprintf("%d, %s, %d, %d", $fd, 
+	// 		text_strn(user_string($buf),syscall_string_trunc,1),
+	// 			$count, $pos)
+	asmlinkage()
+	fd = uint_arg(1)
+	buf_uaddr = pointer_arg(2)
+	count = ulong_arg(3)
+	offset = longlong_arg(4)
+	argstr = sprintf("%d, %s, %d, %d", fd, 
+			text_strn(user_string(buf_uaddr),syscall_string_trunc,1),
+				count, offset)
+}
+probe nd_syscall.pwrite.return = kernel.function("sys_pwrite64").return {
+	name = "pwrite"
+	retstr = returnstr(1)
+}
+# long sys32_pwrite64(unsigned int fd, const char __user *ubuf,
+#				size_t count, u32 poshi, u32 poslo)
+probe nd_syscall.pwrite32 = kernel.function("sys32_pwrite64") ? {
+	name = "pwrite"
+	// fd = $fd
+	// buf_uaddr = $buf
+	// count = $count
+	// offset = ($poshi << 32) + $poslo
+// %( arch == "s390x" %?
+    //     buf_uaddr = $ubuf
+    //     argstr = sprintf("%d, %s, %d, %d", $fd,
+    //                     text_strn(user_string($ubuf),syscall_string_trunc,1),
+    //                             $count, ($poshi << 32) + $poslo)
+// %:
+	// buf_uaddr = $buf
+	// argstr = sprintf("%d, %s, %d, %d", $fd, 
+	// 		text_strn(user_string($buf),syscall_string_trunc,1),
+	// 			$count, ($poshi << 32) + $poslo)
+// %)
+	asmlinkage()
+	fd = uint_arg(1)
+	buf_uaddr = pointer_arg(2)
+	count = ulong_arg(3)
+	offset = (u32_arg(4) << 32) + u32_arg(5)
+	argstr = sprintf("%d, %s, %d, %d", fd, 
+			text_strn(user_string(buf_uaddr),syscall_string_trunc,1),
+				count, offset)
+}
+probe nd_syscall.pwrite32.return = kernel.function("sys32_pwrite64").return ? {
+	name = "pwrite"
+	retstr = returnstr(1)
+}
+
+# quotactl ___________________________________________________
+#
+# long sys_quotactl(unsigned int cmd,
+#		  const char __user *special,
+#		  qid_t id,
+#		  void __user *addr)
+#
+probe nd_syscall.quotactl = kernel.function("sys_quotactl") ? {
+	name = "quotactl"
+	// cmd = $cmd
+	// cmd_str = _quotactl_cmd_str($cmd)
+	// special = $special
+	// special_str = user_string($special)
+	// id = $id
+	// addr_uaddr = $addr
+	// argstr = sprintf("%s, %s, %d, %p", cmd_str, special_str, $id, $addr)
+	asmlinkage()
+	cmd = uint_arg(1)
+	cmd_str = _quotactl_cmd_str(cmd)
+	special = pointer_arg(2)
+	special_str = user_string(special)
+	id = uint_arg(3)
+	addr_uaddr = pointer_arg(4)
+	argstr = sprintf("%s, %s, %d, %p", cmd_str, special_str, id, addr_uaddr)
+}
+probe nd_syscall.quotactl.return = kernel.function("sys_quotactl").return ? {
+	name = "quotactl"
+	retstr = returnstr(1)
+}
+
+
+# read _______________________________________________________
+# ssize_t sys_read(unsigned int fd, char __user * buf, size_t count)
+probe nd_syscall.read = kernel.function("sys_read") {
+	name = "read"
+	// fd = $fd
+	// buf_uaddr = $buf
+	// count = $count
+	// argstr = sprintf("%d, %p, %d", $fd, $buf, $count)
+	asmlinkage()
+	fd = uint_arg(1)
+	buf_uaddr = pointer_arg(2)
+	count = ulong_arg(3)
+	argstr = sprintf("%d, %p, %d", fd, buf_uaddr, count)
+}
+probe nd_syscall.read.return = kernel.function("sys_read").return {
+	name = "read"
+	retstr = returnstr(1)
+}
+
+# readahead __________________________________________________
+#
+# asmlinkage ssize_t
+# sys_readahead(int fd,
+#		   loff_t offset,
+#		   size_t count)
+#
+probe nd_syscall.readahead = kernel.function("sys_readahead") {
+	name = "readahead"
+	// fd = $fd
+	// offset = $offset
+	// count = $count
+	asmlinkage()
+	fd = int_arg(1)
+	offset = longlong_arg(2)
+	count = ulong_arg(3)
+	argstr = sprintf("%d, %p, %p", fd, offset, count)
+}
+probe nd_syscall.readahead.return = kernel.function("sys_readahead").return {
+	name = "readahead"
+	retstr = returnstr(1)
+}
+
+# readdir ___________________________________________________
+#
+# long compat_sys_old_readdir(unsigned int fd, struct compat_old_linux_dirent __user *dirent, unsigned int count)
+# int old32_readdir(unsigned int fd, struct old_linux_dirent32 *dirent, unsigned int count)
+# 
+probe nd_syscall.readdir =
+		kernel.function("compat_sys_old_readdir") ?,
+		kernel.function("old32_readdir") ?
+{
+	name = "readdir"
+	// argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %d", uint_arg(1), pointer_arg(2), uint_arg(3))
+}
+probe nd_syscall.readdir.return =
+		kernel.function("compat_sys_old_readdir").return ?,
+		kernel.function("old32_readdir").return ?
+{
+	name = "readdir"
+	retstr = returnstr(1)
+}
+
+# readlink ___________________________________________________
+#
+# long sys_readlink(const char __user * path,
+#		  char __user * buf,
+#		  int bufsiz)
+#
+probe nd_syscall.readlink = kernel.function("sys_readlink") {
+	name = "readlink"
+	// path = user_string($path)
+	// buf_uaddr = $buf
+	// bufsiz = $bufsiz
+	// argstr = sprintf("%s, %p, %d", user_string_quoted($path), 
+	// 		$buf, $bufsiz)
+	asmlinkage()
+	path = user_string(pointer_arg(1))
+	buf_uaddr = pointer_arg(2)
+	bufsiz = int_arg(3)
+	argstr = sprintf("%s, %p, %d", user_string_quoted(pointer_arg(1)), 
+			buf_uaddr, bufsiz)
+}
+probe nd_syscall.readlink.return = kernel.function("sys_readlink").return {
+	name = "readlink"
+	retstr = returnstr(1)
+}
+
+# readlinkat ___________________________________________________
+#
+# long sys_readlinkat(int dfd, const char __user * path,
+#		  char __user * buf,
+#		  int bufsiz)
+#
+probe nd_syscall.readlinkat = kernel.function("sys_readlinkat") ? {
+	name = "readlinkat"
+	//dfd = $dfd
+	// path = user_string($path)
+	// buf_uaddr = $buf
+	// bufsiz = $bufsiz
+	// argstr = sprintf("%s, %s, %p, %d", _dfd_str($dfd), user_string_quoted($path), 
+	// 		$buf, $bufsiz)
+	asmlinkage()
+	dfd = int_arg(1)
+	path = user_string(pointer_arg(2))
+	buf_uaddr = pointer_arg(3)
+	bufsiz = int_arg(4)
+	argstr = sprintf("%s, %s, %p, %d", _dfd_str(dfd), user_string_quoted(pointer_arg(2)), 
+			buf_uaddr, bufsiz)
+}
+probe nd_syscall.readlinkat.return = kernel.function("sys_readlinkat").return ? {
+	name = "readlinkat"
+	retstr = returnstr(1)
+}
+
+# readv ______________________________________________________
+#
+# ssize_t sys_readv(unsigned long fd,
+#		const struct iovec __user *vec,
+#		unsigned long vlen)
+# ssize_t compat_sys_readv(unsigned long fd, 
+#		const struct compat_iovec __user *vec, 
+#		unsigned long vlen)
+#
+probe nd_syscall.readv = 
+		kernel.function("sys_readv"),
+		kernel.function("compat_sys_readv") ?
+{
+	name = "readv"
+	// vector_uaddr = $vec
+	// count = $vlen
+/* FIXME: RHEL4 U3 ppc64 can't resolve $fd */
+// %( arch != "ppc64" %?
+	// fd = $fd
+	// argstr = sprintf("%d, %p, %d", $fd, $vec, $vlen)
+// %:
+	// argstr = sprintf("unknown fd, %p, %d", $vec, $vlen)
+// %)
+	asmlinkage()
+	vector_uaddr = pointer_arg(2)
+	count = ulong_arg(3)
+	fd = ulong_arg(1)
+	argstr = sprintf("%d, %p, %d", fd, vector_uaddr, count)
+}
+probe nd_syscall.readv.return = 
+		kernel.function("sys_readv").return,
+		kernel.function("compat_sys_readv").return ?
+{
+	name = "readv"
+	retstr = returnstr(1)
+}
+
+# reboot _____________________________________________________
+#
+# long sys_reboot(int magic1,
+#		int magic2,
+#		unsigned int cmd,
+#		void __user * arg)
+#
+probe nd_syscall.reboot = kernel.function("sys_reboot") {
+	name = "reboot"
+	// magic = $magic1
+	// magic_str = _reboot_magic_str($magic1)
+	// magic2 = $magic2
+	// magic2_str =_reboot_magic_str($magic2)
+	// flag = $cmd
+	// flag_str =  _reboot_flag_str($cmd)
+	// arg_uaddr = $arg
+	// argstr = sprintf("%s, %s, %s, %p", magic_str, magic2_str,
+	// 			flag_str, $arg)
+	asmlinkage()
+	magic = int_arg(1)
+	magic_str = _reboot_magic_str(magic)
+	magic2 = int_arg(2)
+	magic2_str =_reboot_magic_str(magic2)
+	flag = uint_arg(3)
+	flag_str =  _reboot_flag_str(flag)
+	arg_uaddr = pointer_arg(4)
+	argstr = sprintf("%s, %s, %s, %p", magic_str, magic2_str,
+				flag_str, arg_uaddr)
+}
+probe nd_syscall.reboot.return = kernel.function("sys_reboot").return {
+	name = "reboot"
+	retstr = returnstr(1)
+}
+
+# recv _______________________________________________________
+#
+# long sys_recv(int fd, void __user *ubuf, size_t size, unsigned flags)
+#
+probe nd_syscall.recv = kernel.function("sys_recv") ? {
+	name = "recv"
+	// s = $fd
+	// buf_uaddr = $ubuf
+	// len = $size
+	// flags = $flags
+	// flags_str = _recvflags_str($flags)
+	// argstr = sprintf("%d, %p, %d, %s", $fd, $ubuf, $size, _recvflags_str($flags))
+	asmlinkage()
+	s = int_arg(1) 
+	buf_uaddr = pointer_arg(2)
+	len = ulong_arg(3)
+	flags = uint_arg(4)
+	flags_str = _recvflags_str(flags)
+	argstr = sprintf("%d, %p, %d, %s", s, buf_uaddr, len, flags_str)
+}
+probe nd_syscall.recv.return = kernel.function("sys_recv").return ? {
+	name = "recv"
+	retstr = returnstr(1)
+}
+
+# recvfrom ___________________________________________________
+#
+# long sys_recvfrom(int fd,
+#		  void __user * ubuf,
+#		  size_t size,
+#		  unsigned flags,
+#		  struct sockaddr __user *addr,
+#		  int __user *addr_len)
+#
+probe nd_syscall.recvfrom = kernel.function("sys_recvfrom") ? {
+	name = "recvfrom"
+	// s = $fd
+	// buf_uaddr = $ubuf
+	// len = $size
+	// flags = $flags
+	// flags_str = _recvflags_str($flags)
+	// addr_uaddr = $addr
+	// addrlen_uaddr = $addr_len
+	// argstr = sprintf("%d, %p, %d, %s, %p, %p",
+	// 	$fd, $ubuf, $size, _recvflags_str($flags), $addr, $addr_len)
+	asmlinkage()
+	s = int_arg(1)
+	buf_uaddr = pointer_arg(2)
+	len = ulong_arg(3)
+	flags = uint_arg(4)
+	flags_str = _recvflags_str(flags)
+	addr_uaddr = pointer_arg(5)
+	addrlen_uaddr = pointer_arg(6)
+	argstr = sprintf("%d, %p, %d, %s, %p, %p",
+		s, buf_uaddr, len, flags_str, addr_uaddr, addrlen_uaddr)
+}
+probe nd_syscall.recvfrom.return = kernel.function("sys_recvfrom").return ? {
+	name = "recvfrom"
+	retstr = returnstr(1)
+}
+
+# recvmsg ____________________________________________________
+#
+# long sys_recvmsg(int fd,
+#		 struct msghdr __user *msg,
+#		 unsigned int flags)
+#
+probe nd_syscall.recvmsg = kernel.function("sys_recvmsg") ? {
+	name = "recvmsg"
+	// s = $fd
+	// msg_uaddr = $msg
+	// flags = $flags
+	// flags_str = _recvflags_str($flags)
+	// argstr = sprintf("%d, %p, %s", $fd, $msg, _recvflags_str($flags))
+	asmlinkage()
+	s = int_arg(1)
+	msg_uaddr = pointer_arg(2)
+	flags = uint_arg(3)
+	flags_str = _recvflags_str(flags)
+	argstr = sprintf("%d, %p, %s", s, msg_uaddr, flags_str)
+}
+probe nd_syscall.recvmsg.return = kernel.function("sys_recvmsg").return ? {
+	name = "recvmsg"
+	retstr = returnstr(1)
+}
+# compat_sys_recvmsg ________________________________________
+#
+# long compat_sys_recvmsg(int fd,
+#				struct compat_msghdr __user *msg,
+#				unsigned int flags)
+#
+probe nd_syscall.compat_sys_recvmsg = kernel.function("compat_sys_recvmsg") ? {
+	name = "compat_sys_recvmsg"
+	// s = $fd
+	// msg_uaddr = $msg
+	// flags = $flags
+	// argstr = sprintf("%d, %p, %s", $fd, $msg, _recvflags_str($flags))
+	asmlinkage()
+	s = int_arg(1)
+	msg_uaddr = pointer_arg(2)
+	flags = uint_arg(3)
+	argstr = sprintf("%d, %p, %s", s, msg_uaddr, _recvflags_str(flags))
+}
+probe nd_syscall.compat_sys_recvmsg.return = kernel.function("compat_sys_recvmsg").return ? {
+	name = "compat_sys_recvmsg"
+	retstr = returnstr(1)
+}
+
+# remap_file_pages ___________________________________________
+#
+# long sys_remap_file_pages(unsigned long start,
+#			    unsigned long size,
+#			    unsigned long __prot,
+#			    unsigned long pgoff,
+#			    unsigned long flags)
+#
+probe nd_syscall.remap_file_pages = kernel.function("sys_remap_file_pages") ? {
+	name = "remap_file_pages"
+	// start = $start
+	// size = $size
+// %( kernel_vr >= "2.6.24" %?
+	// prot = $prot
+// %:
+	// prot = $__prot
+// %)
+	// pgoff = $pgoff
+	// flags = $flags
+	asmlinkage()
+	start = ulong_arg(1)
+	size = ulong_arg(2)
+	prot = ulong_arg(3)
+	pgoff = ulong_arg(4)
+	flags = ulong_arg(5)
+	argstr = sprintf("%p, %p, %p, %p, %p", start, size, prot,
+				pgoff, flags)
+}
+probe nd_syscall.remap_file_pages.return =
+	kernel.function("sys_remap_file_pages").return ? {
+	name = "remap_file_pages"
+	retstr = returnstr(1)
+}
+
+# removexattr ________________________________________________
+#
+# asmlinkage long
+# sys_removexattr(char __user *path,
+#		     char __user *name)
+#
+probe nd_syscall.removexattr = kernel.function("sys_removexattr") {
+	name = "removexattr"
+	// path = user_string($path)
+	// name_str = user_string($name)
+	// argstr = sprintf("%s, %s", user_string_quoted($path), 
+	// 	user_string_quoted($name))
+	asmlinkage()
+	path = user_string(pointer_arg(1))
+	name_str = user_string(pointer_arg(2))
+	argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), 
+		user_string_quoted(pointer_arg(2)))
+}
+probe nd_syscall.removexattr.return = kernel.function("sys_removexattr").return {
+	name = "removexattr"
+	retstr = returnstr(1)
+}
+# rename _____________________________________________________
+#
+# asmlinkage long
+# sys_rename(const char __user * oldname,
+#		const char __user * newname)
+#
+probe nd_syscall.rename = kernel.function("sys_rename") {
+	name = "rename"
+	// oldpath = user_string($oldname)
+	// newpath = user_string($newname)
+	// argstr = sprintf("%s, %s", user_string_quoted($oldname), 
+	// 		user_string_quoted($newname))
+	asmlinkage()
+	oldpath = user_string(pointer_arg(1))
+	newpath = user_string(pointer_arg(2))
+	argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), 
+			user_string_quoted(pointer_arg(2)))
+}
+probe nd_syscall.rename.return = kernel.function("sys_rename").return {
+	name = "rename"
+	retstr = returnstr(1)
+}
+
+# request_key ________________________________________________
+#
+# long sys_request_key(const char __user *_type,
+#		     const char __user *_description,
+#		     const char __user *_callout_info,
+#		     key_serial_t destringid)
+# compat_sys_request_key() calls sys_request_key, so don't need probe there.
+#
+probe nd_syscall.request_key = kernel.function("sys_request_key") ? {
+	name = "request_key"
+	// type_uaddr = $_type
+	// description_uaddr = $_description
+	// callout_info_uaddr = $_callout_info
+	// destringid = $destringid
+	// argstr = sprintf("%p, %p, %p, %p", $_type, $_description, $_callout_info, $destringid)
+	asmlinkage()
+	type_uaddr = pointer_arg(1)
+	description_uaddr = pointer_arg(2)
+	callout_info_uaddr = pointer_arg(3)
+	destringid = u32_arg(4)
+	argstr = sprintf("%p, %p, %p, %p", type_uaddr,description_uaddr, callout_info_uaddr, destringid)
+}
+probe nd_syscall.request_key.return = kernel.function("sys_request_key").return ? {
+	name = "request_key"
+	retstr = returnstr(1)
+}
+
+# restart_syscall ____________________________________________
+#
+# asmlinkage long
+# sys_restart_syscall(void)
+#
+probe nd_syscall.restart_syscall = kernel.function("sys_restart_syscall") {
+	name = "restart_syscall"
+	argstr = ""
+}
+probe nd_syscall.restart_syscall.return =
+	kernel.function("sys_restart_syscall").return {
+	name = "restart_syscall"
+	retstr = returnstr(1)
+}
+# rmdir ______________________________________________________
+#
+# asmlinkage long
+# sys_rmdir(const char __user * pathname)
+#
+probe nd_syscall.rmdir = kernel.function("sys_rmdir") {
+	name = "rmdir"
+	// pathname = user_string($pathname)
+	// argstr = user_string_quoted($pathname)
+	asmlinkage()
+	pathname = user_string(pointer_arg(1))
+	argstr = user_string_quoted(pointer_arg(1))
+}
+probe nd_syscall.rmdir.return = kernel.function("sys_rmdir").return {
+	name = "rmdir"
+	retstr = returnstr(1)
+}
+
+# rt_sigaction _______________________________________________
+#
+# sys_rt_sigaction(int sig,
+#			const struct sigaction __user *act,
+#			struct sigaction __user *oact,
+#			size_t sigsetsize)
+#
+probe nd_syscall.rt_sigaction = kernel.function("sys_rt_sigaction") ? {
+	name = "rt_sigaction"
+	// sig = $sig
+	// act_uaddr = $act
+	// oact_uaddr = $oact
+	// sigsetsize = $sigsetsize
+	// argstr = sprintf("%s, {%s}, %p, %d", _signal_name($sig),
+	//		_struct_sigaction_u($act), $oact, $sigsetsize)
+	asmlinkage()
+	sig = int_arg(1)
+	act_uaddr = pointer_arg(2)
+	oact_uaddr = pointer_arg(3)
+	sigsetsize = ulong_arg(4)
+	argstr = sprintf("%s, {%s}, %p, %d", _signal_name(sig),
+			_struct_sigaction_u(act_uaddr), oact_uaddr, sigsetsize)
+}
+probe nd_syscall.rt_sigaction.return = kernel.function("sys_rt_sigaction").return ? {
+	name = "rt_sigaction"
+	retstr = returnstr(1)
+}
+
+#
+# long sys32_rt_sigaction(int sig, 
+#		struct sigaction32 __user *act,
+#		struct sigaction32 __user *oact,  
+#		unsigned int sigsetsize)
+# ppc only
+# compat_sys_rt_sigaction(int sig, 
+#			const struct sigaction32 __user *act,
+#			struct sigaction32 __user *oact, 
+#			size_t sigsetsize)
+
+probe nd_syscall.rt_sigaction32 = kernel.function("sys32_rt_sigaction") ?,
+		kernel.function("compat_sys_rt_sigaction") ?
+{
+	name = "rt_sigaction"
+	// sig = $sig
+	// act_uaddr = $act
+	// oact_uaddr = $oact
+	// sigsetsize = $sigsetsize
+	// argstr = sprintf("%s, %p, %p, %d", _signal_name($sig), $act, $oact, $sigsetsize)
+	asmlinkage()
+	sig = int_arg(1) 
+	act_uaddr = pointer_arg(2)
+	oact_uaddr = pointer_arg(3)
+	sigsetsize = uint_arg(4)
+	argstr = sprintf("%s, %p, %p, %d", _signal_name(sig), act_uadd, oact_uaddr, sigsetsize)
+}
+probe nd_syscall.rt_sigaction32.return = kernel.function("sys32_rt_sigaction").return ?,
+		kernel.function("compat_sys_rt_sigaction").return ?
+{
+	name = "rt_sigaction"
+	retstr = returnstr(1)
+}
+
+# rt_sigpending ______________________________________________
+#
+# long sys_rt_sigpending(sigset_t __user *set, size_t sigsetsize)
+#
+probe nd_syscall.rt_sigpending = kernel.function("sys_rt_sigpending") ? {
+	name = "rt_sigpending"
+	// set_uaddr = $set
+	// sigsetsize = $sigsetsize
+	// argstr = sprintf("%p, %d", $set, $sigsetsize)
+	asmlinkage()
+	set_uaddr = pointer_arg(1)
+	sigsetsize = ulong_arg(2)
+	argstr = sprintf("%p, %d", set_uaddr, sigsetsize)
+}
+probe nd_syscall.rt_sigpending.return = kernel.function("sys_rt_sigpending").return ? {
+	name = "rt_sigpending"
+	retstr = returnstr(1)
+}
+
+# rt_sigprocmask _____________________________________________
+# long sys32_rt_sigprocmask(u32 how, compat_sigset_t __user *set, compat_sigset_t __user *oset, size_t sigsetsize)
+# long compat_sys_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset, compat_size_t sigsetsize)
+# long sys_rt_sigprocmask(int how, sigset_t __user *set, sigset_t __user *oset, size_t sigsetsize)
+#
+probe nd_syscall.rt_sigprocmask = 
+		kernel.function("sys32_rt_sigprocmask") ?,
+		kernel.function("compat_sys_rt_sigprocmask") ?,
+		kernel.function("sys_rt_sigprocmask") ?
+{
+	name = "rt_sigprocmask"
+	// how  = $how
+	// how_str = _sigprocmask_how_str($how)
+	// set_uaddr    = $set
+	// oldset_uaddr = $oset
+	// argstr = sprintf("%s, [%s], %p, %d", how_str, _stp_sigset_u($set),
+	//			$oset, $sigsetsize)
+	if (probefunc() != "compat_sys_rt_sigprocmask")
+		asmlinkage()
+	how  = int_arg(1)  
+	how_str = _sigprocmask_how_str(how)
+	set_uaddr    = pointer_arg(2)
+	oldset_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, [%s], %p, %d", how_str, _stp_sigset_u(set_uaddr),
+				oldset_uaddr, uint_arg(4))
+}
+probe nd_syscall.rt_sigprocmask.return = 
+		kernel.function("sys32_rt_sigprocmask").return ?,
+		kernel.function("compat_sys_rt_sigprocmask").return ?,
+		kernel.function("sys_rt_sigprocmask").return ?
+{
+	name = "rt_sigprocmask"
+	retstr = returnstr(1)
+}
+
+# rt_sigqueueinfo ____________________________________________
+#
+# long sys_rt_sigqueueinfo(int pid, int sig,siginfo_t __user *uinfo)
+#
+probe nd_syscall.rt_sigqueueinfo = kernel.function("sys_rt_sigqueueinfo") {
+	name = "rt_sigqueueinfo"
+	// pid = $pid
+	// sig = $sig
+	// uinfo_uaddr = $uinfo
+	// argstr = sprintf("%d, %s, %p", $pid, _signal_name($sig), $uinfo)
+	asmlinkage()
+	pid = int_arg(1)
+	sig = int_arg(2)
+	uinfo_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %s, %p", pid, _signal_name(sig), uinfo_uaddr)
+}
+probe nd_syscall.rt_sigqueueinfo.return =
+	kernel.function("sys_rt_sigqueueinfo").return {
+	name = "rt_sigqueueinfo"
+	retstr = returnstr(1)
+}
+
+# rt_sigreturn _______________________________________________
+# int sys_rt_sigreturn(unsigned long __unused)
+#
+probe nd_syscall.rt_sigreturn = 
+		kernel.function("sys_rt_sigreturn") ?,
+		kernel.function("sys32_rt_sigreturn") ? 
+{
+	name = "rt_sigreturn"
+	argstr = ""
+}
+probe nd_syscall.rt_sigreturn.return = 
+		kernel.function("sys_rt_sigreturn").return ?,
+		kernel.function("sys32_rt_sigreturn").return ? 
+{
+	name = "rt_sigreturn"
+	retstr = returnstr(1)
+}
+
+# rt_sigsuspend ______________________________________________
+#
+# sys_rt_sigsuspend(struct pt_regs regs)
+#
+probe nd_syscall.rt_sigsuspend = 
+		kernel.function("sys_rt_sigsuspend") ?,
+		kernel.function("compat_sys_rt_sigsuspend") ?,
+		kernel.function("ia64_rt_sigsuspend") ?
+{
+	name = "rt_sigsuspend"
+	argstr = ""
+}
+probe nd_syscall.rt_sigsuspend.return = 
+		kernel.function("sys_rt_sigsuspend").return ?,
+		kernel.function("compat_sys_rt_sigsuspend").return ?,
+		kernel.function("ia64_rt_sigsuspend").return ?
+{
+	name = "rt_sigsuspend"
+	retstr = returnstr(1)
+}
+
+# rt_sigtimedwait ____________________________________________
+#
+# long sys_rt_sigtimedwait(const sigset_t __user *uthese,
+#		   siginfo_t __user *uinfo,
+#		   const struct timespec __user *uts,
+#		   size_t sigsetsize)
+# long compat_sys_rt_sigtimedwait (compat_sigset_t __user *uthese,
+#		struct compat_siginfo __user *uinfo,
+#		struct compat_timespec __user *uts, compat_size_t sigsetsize)
+#
+probe nd_syscall.rt_sigtimedwait =
+		kernel.function("sys_rt_sigtimedwait"),
+		kernel.function("compat_sys_rt_sigtimedwait") ?
+{
+	name = "rt_sigtimedwait"
+	// uthese_uaddr = $uthese
+	// uinfo_uaddr = $uinfo
+	// uts_uaddr = $uts
+	// sigsetsize = $sigsetsize
+	// argstr = sprintf("%p, %p, %p, %d", $uthese, $uinfo, $uts, $sigsetsize)
+	asmlinkage()
+	uthese_uaddr = pointer_arg(1)
+	uinfo_uaddr = pointer_arg(2)
+	uts_uaddr = pointer_arg(3)
+	if (probefunc() == "sys_rt_sigtimedwait")
+		sigsetsize = ulong_arg(4)
+	else
+		sigsetsize = u32_arg(4)
+	argstr = sprintf("%p, %p, %p, %d", uthese_uaddr, uinfo_uaddr, uts_uaddr, sigsetsize)
+}
+probe nd_syscall.rt_sigtimedwait.return =
+	kernel.function("sys_rt_sigtimedwait").return,
+	kernel.function("compat_sys_rt_sigtimedwait").return ?
+{
+	name = "rt_sigtimedwait"
+	retstr = returnstr(1)
+}
+
+# sched_getaffinity __________________________________________
+#
+# asmlinkage long
+# sys_sched_getaffinity(pid_t pid,
+#			     unsigned int len,
+#			     unsigned long __user *user_mask_ptr)
+#
+probe nd_syscall.sched_getaffinity = kernel.function("sys_sched_getaffinity") {
+	name = "sched_getaffinity"
+	// pid = $pid
+	// len = $len
+	// mask_uaddr = $user_mask_ptr
+	asmlinkage()
+	pid = int_arg(1)
+	len = uint_arg(2) 
+	mask_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %p, %p", pid, len, mask_uaddr)
+}
+probe nd_syscall.sched_getaffinity.return =
+	kernel.function("sys_sched_getaffinity").return {
+	name = "sched_getaffinity"
+	retstr = returnstr(1)
+}
+# sched_getparam _____________________________________________
+#
+# asmlinkage long
+# sys_sched_getparam(pid_t pid,
+#			  struct sched_param __user *param)
+#
+probe nd_syscall.sched_getparam = kernel.function("sys_sched_getparam") {
+	name = "sched_getparam"
+	// pid = $pid
+	// p_uaddr = $param
+	asmlinkage()
+	pid = int_arg(1)
+	p_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", pid, p_uaddr)
+}
+probe nd_syscall.sched_getparam.return =
+	kernel.function("sys_sched_getparam").return {
+	name = "sched_getparam"
+	retstr = returnstr(1)
+}
+# sched_get_priority_max _____________________________________
+#
+# asmlinkage long
+# sys_sched_get_priority_max(int policy)
+#
+probe nd_syscall.sched_get_priority_max =
+	kernel.function("sys_sched_get_priority_max") {
+	name = "sched_get_priority_max"
+	// policy = $policy
+	asmlinkage()
+	policy = int_arg(1)
+	argstr = sprint(policy)
+}
+probe nd_syscall.sched_get_priority_max.return =
+	kernel.function("sys_sched_get_priority_max").return {
+	name = "sched_get_priority_max"
+	retstr = returnstr(1)
+}
+# sched_get_priority_min _____________________________________
+#
+# asmlinkage long
+# sys_sched_get_priority_min(int policy)
+#
+probe nd_syscall.sched_get_priority_min =
+	kernel.function("sys_sched_get_priority_min") {
+	name = "sched_get_priority_min"
+	// policy = $policy
+	asmlinkage()
+	policy = int_arg(1)
+	argstr = sprint(policy)
+}
+probe nd_syscall.sched_get_priority_min.return =
+	kernel.function("sys_sched_get_priority_min").return {
+	name = "sched_get_priority_min"
+	retstr = returnstr(1)
+}
+# sched_getscheduler _________________________________________
+#
+# long sys_sched_getscheduler(pid_t pid)
+#
+probe nd_syscall.sched_getscheduler = kernel.function("sys_sched_getscheduler") {
+	name = "sched_getscheduler"
+	// pid = $pid
+	// argstr = sprint($pid)
+	asmlinkage()
+	pid = int_arg(1)
+	argstr = sprint(pid)
+}
+probe nd_syscall.sched_getscheduler.return = kernel.function("sys_sched_getscheduler").return {
+	name = "sched_getscheduler"
+	retstr = returnstr(1)
+}
+# sched_rr_get_interval ______________________________________
+#
+# long sys_sched_rr_get_interval(pid_t pid, struct timespec __user *interval)
+#
+probe nd_syscall.sched_rr_get_interval = kernel.function("sys_sched_rr_get_interval") {
+	name = "sched_rr_get_interval"
+	// pid = $pid
+	// tp_uaddr = $interval
+	// argstr = sprintf("%d, %s", $pid, _struct_timespec_u($interval,1))
+	asmlinkage()
+	pid = int_arg(1)
+	tp_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %s", pid, _struct_timespec_u(tp_uaddr,1))
+}
+probe nd_syscall.sched_rr_get_interval.return = kernel.function("sys_sched_rr_get_interval").return {
+	name = "sched_rr_get_interval"
+	retstr = returnstr(1)
+}
+
+# sched_setaffinity __________________________________________
+# long sys_sched_setaffinity(pid_t pid,
+#	unsigned int len,
+#	unsigned long __user *user_mask_ptr)
+# FIXME: why the problem with x86_64?
+#
+%( arch != "x86_64" %?
+probe nd_syscall.sched_setaffinity = kernel.function("sys_sched_setaffinity") {
+	name = "sched_setaffinity"
+	// pid = $pid
+	// len = $len
+	// mask_uaddr = $user_mask_ptr
+	// argstr = sprintf("%d, %d, %p", $pid, $len, $user_mask_ptr)
+	asmlinkage()
+	pid = int_arg(1)
+	len = uint_arg(2)
+	mask_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %d, %p", pid, len, mask_uaddr)
+}
+%:
+probe nd_syscall.sched_setaffinity = kernel.function("sys_sched_setaffinity") {
+	name = "sched_setaffinity"
+	// pid = $pid
+	// len = 0
+	// mask_uaddr = $user_mask_ptr
+	// argstr = sprintf("%d, <unknown>, %p", $pid, $user_mask_ptr)
+	asmlinkage()
+	pid = int_arg(1)
+	len = 0
+	mask_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, <unknown>, %p", pid, mask_uaddr)
+}
+%)
+probe nd_syscall.sched_setaffinity.return = kernel.function("sys_sched_setaffinity").return {
+	name = "sched_setaffinity"
+	retstr = returnstr(1)
+}
+
+# sched_setparam _____________________________________________
+#
+# long sys_sched_setparam(pid_t pid, struct sched_param __user *param)
+#
+probe nd_syscall.sched_setparam = kernel.function("sys_sched_setparam") ? {
+	name = "sched_setparam"
+	// pid = $pid
+	// p_uaddr = $param
+	// argstr = sprintf("%d, %p", $pid, $param)
+	asmlinkage()
+	pid = int_arg(1)
+	p_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", pid, p_uaddr)
+}
+probe nd_syscall.sched_setparam.return = kernel.function("sys_sched_setparam").return ? {
+	name = "sched_setparam"
+	retstr = returnstr(1)
+}
+
+# sched_setscheduler _________________________________________
+#
+# long sys_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param)
+#
+probe nd_syscall.sched_setscheduler = kernel.function("sys_sched_setscheduler") ? {
+	name = "sched_setscheduler"
+	// pid = $pid
+	// policy = $policy
+	// policy_str = _sched_policy_str($policy)
+	// p_uaddr = $param
+	// argstr = sprintf("%d, %s, %p", $pid, policy_str, $param)
+	asmlinkage()
+	pid = int_arg(1)
+	policy = int_arg(2)
+	policy_str = _sched_policy_str(policy)
+	p_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %s, %p", pid, policy_str, p_uaddr)
+}
+probe nd_syscall.sched_setscheduler.return = kernel.function("sys_sched_setscheduler").return ? {
+	name = "sched_setscheduler"
+	retstr = returnstr(1)
+}
+
+# sched_yield ________________________________________________
+# long sys_sched_yield(void)
+#
+probe nd_syscall.sched_yield = kernel.function("sys_sched_yield") {
+	name = "sched_yield"
+	argstr = ""
+}
+probe nd_syscall.sched_yield.return = kernel.function("sys_sched_yield").return {
+	name = "sched_yield"
+	retstr = returnstr(1)
+}
+
+# select _____________________________________________________
+# long sys_select(int n,
+#		fd_set __user *inp,
+#		fd_set __user *outp,
+#		fd_set __user *exp,
+#		struct timeval __user *tvp)
+#
+probe nd_syscall.select = kernel.function("sys_select") {
+	name = "select"
+	// n = $n
+	// readfds_uaddr = $inp
+	// writefds_uaddr = $outp
+	// exceptfds_uaddr = $exp
+	// timeout_uaddr = $tvp
+	// argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
+	// 			_struct_timeval_u($tvp, 1))
+	asmlinkage()
+	n = int_arg(1)
+	readfds_uaddr = pointer_arg(2)
+	writefds_uaddr = pointer_arg(3)
+	exceptfds_uaddr = pointer_arg(4)
+	timeout_uaddr = pointer_arg(5)
+	argstr = sprintf("%d, %p, %p, %p, %s", n, readfds_uaddr, writefds_uaddr, 
+				exceptfds_uaddr, _struct_timeval_u(timeout_uaddr, 1))
+}
+probe nd_syscall.select.return = kernel.function("sys_select").return {
+	name = "select"
+	retstr = returnstr(1)
+}
+# long compat_sys_select(int n, 
+#		compat_ulong_t __user *inp,
+#		compat_ulong_t __user *outp, 
+#		compat_ulong_t __user *exp,
+#		struct compat_timeval __user *tvp)
+#
+probe nd_syscall.compat_select = kernel.function("compat_sys_select") ? {
+	name = "select"
+	// n = $n
+	// readfds_uaddr = $inp
+	// writefds_uaddr = $outp
+	// exceptfds_uaddr = $exp
+	// timeout_uaddr = $tvp
+	// argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
+	// 			_struct_compat_timeval_u($tvp, 1))
+	asmlinkage()
+	n = int_arg(1)
+	readfds_uaddr = pointer_arg(2)
+	writefds_uaddr = pointer_arg(3)
+	exceptfds_uaddr = pointer_arg(4)
+	timeout_uaddr = pointer_arg(5)
+	argstr = sprintf("%d, %p, %p, %p, %s", n, readfds_uaddr, writefds_uaddr, 
+				exceptfds_uaddr, _struct_timeval_u(timeout_uaddr, 1))
+}
+probe nd_syscall.compat_select.return = kernel.function("compat_sys_select").return ? {
+	name = "select"
+	retstr = returnstr(1)
+}
+
+# semctl _____________________________________________________
+# long sys_semctl (int semid,
+#		 int semnum,
+#		 int cmd,
+#		 union semun arg)
+#
+probe nd_syscall.semctl = kernel.function("sys_semctl") ? {
+	name = "semctl"
+	// semid = $semid
+	// semnum = $semnum
+	// cmd = $cmd
+	/*
+	 * unsupported type tag identifier '$arg'
+	 * arg = $arg
+	 */
+	// argstr = sprintf("%d, %d, %s", $semid, $semnum, _semctl_cmd($cmd))
+	asmlinkage()
+	semid = int_arg(1)
+	semnum = int_arg(2)
+	cmd = int_arg(3)
+	argstr = sprintf("%d, %d, %s", semid, semnum, _semctl_cmd(cmd))	// ** jk done
+}
+probe nd_syscall.semctl.return = kernel.function("sys_semctl").return ? {
+	name = "semctl"
+	retstr = returnstr(1)
+}
+# compat_sys_semctl ________________________________________
+#
+# long compat_sys_semctl(int first, int second, int third, void __user *uptr)
+#
+probe nd_syscall.compat_sys_semctl = kernel.function("compat_sys_semctl") ? {
+	name = "compat_sys_semctl"
+	argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr) // ** not asmlinkage
+}
+probe nd_syscall.compat_sys_semctl.return = kernel.function("compat_sys_semctl").return ? {
+	name = "compat_sys_semctl"
+	retstr = returnstr(1)
+}
+
+# semget _____________________________________________________
+# long sys_semget (key_t key, int nsems, int semflg)
+#
+probe nd_syscall.semget = kernel.function("sys_semget") ? {
+	name = "semget"
+	// key = $key
+	// nsems = $nsems
+	// semflg = $semflg
+	// argstr = sprintf("%d, %d, %s", $key, $nsems, __sem_flags($semflg))
+	asmlinkage()
+	key = int_arg(1)
+	nsems = int_arg(2)
+	semflg = int_arg(3)
+	argstr = sprintf("%d, %d, %s", key, nsems, __sem_flags(semflg))
+}
+probe nd_syscall.semget.return = kernel.function("sys_semget").return ? {
+	name = "semget"
+	retstr = returnstr(1)
+}
+
+# semop ______________________________________________________
+#
+# long sys_semop (int semid,
+#		struct sembuf __user *tsops,
+#		unsigned nsops)
+#
+probe nd_syscall.semop = kernel.function("sys_semtimedop") ? {
+	name = "semop"
+	// semid = $semid
+	// tsops_uaddr = $tsops
+	// nsops = $nsops
+	// argstr = sprintf("%d, %p, %d", $semid, $tsops, $nsops)
+	asmlinkage()
+	semid = int_arg(1)
+	tsops_uaddr = pointer_arg(2)
+	nsops = uint_arg(3)
+	argstr = sprintf("%d, %p, %d", semid, tsops_uaddr, nsops)
+}
+probe nd_syscall.semop.return = kernel.function("sys_semtimedop").return ? {
+	name = "semop"
+	retstr = returnstr(1)
+}
+
+# semtimedop _________________________________________________
+#
+# long sys_semtimedop(int semid,
+#		    struct sembuf __user *tsops,
+#		    unsigned nsops,
+#		    const struct timespec __user *timeout)
+#
+probe nd_syscall.semtimedop = kernel.function("sys_semtimedop") ? {
+	name = "semtimedop"
+	// semid = $semid
+	// sops_uaddr = $tsops
+	// nsops = $nsops
+	// timeout_uaddr = $timeout
+	// argstr = sprintf("%d, %p, %d, %s", $semid, $tsops, $nsops,
+	// 			_struct_timespec_u($timeout,1))
+	asmlinkage()
+	semid = int_arg(1)
+	sops_uaddr = pointer_arg(2)
+	nsops = uint_arg(3)
+	timeout_uaddr = pointer_arg(4)
+	argstr = sprintf("%d, %p, %d, %s", semid, sops_uaddr, nsops,
+				_struct_timespec_u(timeout_uaddr,1))
+}
+probe nd_syscall.semtimedop.return = kernel.function("sys_semtimedop").return ? {
+	name = "semtimedop"
+	retstr = returnstr(1)
+}
+# compat_sys_semtimedop ________________________________________
+#
+# long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
+#		unsigned nsops, const struct compat_timespec __user *timeout)
+#
+probe nd_syscall.compat_sys_semtimedop = kernel.function("compat_sys_semtimedop") ? {
+	name = "compat_sys_semtimedop"
+	// semid = $semid
+	// sops_uaddr = $tsems
+	// nsops = $nsops
+	// timeout_uaddr = $timeout
+	// argstr = sprintf("%d, %p, %d, %s", $semid, $tsems, $nsops,
+	//		_struct_compat_timespec_u($timeout,1))
+	// no asmlinkage	
+	semid = int_arg(1) 
+	sops_uaddr = pointer_arg(2)
+	nsops = uint_arg(3)
+	timeout_uaddr = pointer_arg(4)
+	argstr = sprintf("%d, %p, %d, %s", semid, sops_uaddr, nsops,
+			_struct_compat_timespec_u(timeout_uaddr,1))
+}
+probe nd_syscall.compat_sys_semtimedop.return = kernel.function("compat_sys_semtimedop").return ? {
+	name = "compat_sys_semtimedop"
+	retstr = returnstr(1)
+}
+
+# send _______________________________________________________
+#
+# long sys_send(int fd,
+#		void __user * buff,
+#		size_t len,
+#		unsigned flags)
+#
+probe nd_syscall.send = kernel.function("sys_send") ? {
+	name = "send"
+	// s = $fd
+	// buf_uaddr = $buff
+	// len = $len
+	// flags = $flags
+	// flags_str = _sendflags_str($flags)
+	// argstr = sprintf("%d, %p, %d, %s", $fd, $buff, $len, flags_str)
+	asmlinkage()
+	s = int_arg(1)
+	buf_uaddr = pointer_arg(2)
+	len = ulong_arg(3)
+	flags = uint_arg(4)
+	flags_str = _sendflags_str(flags)
+	argstr = sprintf("%d, %p, %d, %s", s, buf_uaddr, len, flags_str)
+}
+probe nd_syscall.send.return = kernel.function("sys_send").return ? {
+	name = "send"
+	retstr = returnstr(1)
+}
+
+# sendfile ___________________________________________________
+#
+# ssize_t sys_sendfile[64](int out_fd,
+#		  int in_fd,
+#		  off_t __user *offset,
+#		  size_t count)
+#
+probe nd_syscall.sendfile =
+		kernel.function("sys_sendfile") ?,
+		kernel.function("sys_sendfile64") ?
+{
+	name = "sendfile"
+	// out_fd = $out_fd
+	// in_fd = $in_fd
+	// offset_uaddr = $offset
+	// count = $count
+	// argstr = sprintf("%d, %d, %p, %d", $out_fd, $in_fd, $offset,
+	// 			$count)
+	asmlinkage()
+	out_fd = int_arg(1)
+	in_fd = int_arg(2)
+	offset_uaddr = pointer_arg(3)
+	count = ulong_arg(4)
+	argstr = sprintf("%d, %d, %p, %d", out_fd, in_fd, offset_uaddr,
+				count)
+}
+probe nd_syscall.sendfile.return =
+		kernel.function("sys_sendfile").return ?,
+		kernel.function("sys_sendfile64").return ?
+{
+	name = "sendfile"
+	retstr = returnstr(1)
+}
+
+# sendmsg ____________________________________________________
+#
+# long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
+#
+probe nd_syscall.sendmsg = kernel.function("sys_sendmsg") ? {
+	name = "sendmsg"
+	// s = $fd
+	// msg_uaddr = $msg
+	// flags = $flags
+	// flags_str = _sendflags_str($flags)
+	// argstr = sprintf("%d, %p, %s", $fd, $msg, _sendflags_str($flags))
+	asmlinkage()
+	s = int_arg(1)
+	msg_uaddr = pointer_arg(2)
+	flags = uint_arg(3)
+	flags_str = _sendflags_str(flags)
+	argstr = sprintf("%d, %p, %s", s, msg_uaddr, _sendflags_str(flags))
+}
+probe nd_syscall.sendmsg.return = kernel.function("sys_sendmsg").return ? {
+	name = "sendmsg"
+	retstr = returnstr(1)
+}
+# compat_sys_sendmsg ________________________________________
+#
+# long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned flags)
+#
+probe nd_syscall.compat_sys_sendmsg = kernel.function("compat_sys_sendmsg") ? {
+	name = "compat_sys_sendmsg"
+	// s = $fd
+	// msg_uaddr = $msg
+	// flags = $flags
+	// argstr = sprintf("%d, %p, %s", $fd, $msg, _sendflags_str($flags))
+	asmlinkage()
+	s = int_arg(1)
+	msg_uaddr = pointer_arg(2)
+	flags = uint_arg(3)
+	argstr = sprintf("%d, %p, %s", s, msg_uaddr, _sendflags_str(flags))
+}
+probe nd_syscall.compat_sys_sendmsg.return = kernel.function("compat_sys_sendmsg").return ? {
+	name = "compat_sys_sendmsg"
+	retstr = returnstr(1)
+}
+
+# sendto _____________________________________________________
+#
+# long sys_sendto(int fd,
+#		void __user * buff,
+#		size_t len,
+#		unsigned flags,
+#		struct sockaddr __user *addr,
+#		int addr_len)
+#
+probe nd_syscall.sendto = kernel.function("sys_sendto") ? {
+	name = "sendto"
+	// s = $fd
+	// buf_uaddr = $buff
+	// len = $len
+	// flags = $flags
+	// flags_str = _sendflags_str($flags)
+	// to_uaddr = $addr
+	// tolen = $addr_len
+	// argstr = sprintf("%d, %p, %d, %s, %s, %d", $fd, $buff,
+	// 		$len, flags_str, _struct_sockaddr_u($addr,$addr_len), $addr_len)
+	asmlinkage()
+	s = int_arg(1)
+	buf_uaddr = pointer_arg(2)
+	len = ulong_arg(3)
+	flags = uint_arg(4)
+	flags_str = _sendflags_str(flags)
+	to_uaddr = pointer_arg(5)
+	tolen = int_arg(6)
+	argstr = sprintf("%d, %p, %d, %s, %s, %d", s, buf_uaddr,
+			len, flags_str, _struct_sockaddr_u(to_uaddr,tolen), tolen)
+}
+probe nd_syscall.sendto.return = kernel.function("sys_sendto").return ? {
+	name = "sendto"
+	retstr = returnstr(1)
+}
+
+# setdomainname ______________________________________________
+#
+# asmlinkage long
+# sys_setdomainname(char __user *name,
+#			 int len)
+#
+probe nd_syscall.setdomainname = kernel.function("sys_setdomainname") {
+	name = "setdomainname"
+	// hostname_uaddr = $name
+	// len = $len
+	// argstr = sprintf("%p, %d", $name, $len)
+	asmlinkage()
+	hostname_uaddr = pointer_arg(1)
+	len = int_arg(2)
+	argstr = sprintf("%p, %d", hostname_uaddr, len)
+}
+probe nd_syscall.setdomainname.return =
+	kernel.function("sys_setdomainname").return {
+	name = "setdomainname"
+	retstr = returnstr(1)
+}
+
+# setfsgid ___________________________________________________
+# long sys_setfsgid(gid_t gid)
+# long sys_setfsgid16(old_gid_t gid)
+#
+probe nd_syscall.setfsgid = 
+		kernel.function("sys_setfsgid") ?,
+		kernel.function("sys_setfsgid16") ?
+{
+	name = "setfsgid"
+	// fsgid = $gid
+	// argstr = sprint($gid)
+	asmlinkage()
+	fsgid = uint_arg(1)
+	argstr = sprint(fsgid)
+}
+probe nd_syscall.setfsgid.return = 
+		kernel.function("sys_setfsgid").return ?,
+		kernel.function("sys_setfsgid16").return ?
+{
+	name = "setfsgid"
+	retstr = returnstr(1)
+}
+
+# setfsuid ___________________________________________________
+# long sys_setfsuid(uid_t uid)
+# long sys_setfsuid16(old_uid_t uid)
+#
+probe nd_syscall.setfsuid = 
+		kernel.function("sys_setfsuid") ?,
+		kernel.function("sys_setfsuid16") ?
+{
+	name = "setfsuid"
+	// fsuid = $uid
+	// argstr = sprint($uid)
+	asmlinkage()
+	fsuid = uint_arg(1)
+	argstr = sprint(fsuid)
+}
+probe nd_syscall.setfsuid.return = 
+		kernel.function("sys_setfsuid").return ?,
+		kernel.function("sys_setfsuid16").return ?
+{
+	name = "setfsuid"
+	retstr = returnstr(1)
+}
+
+# setgid _____________________________________________________
+#
+# long sys_setgid(gid_t gid)
+# long sys_setgid16(old_gid_t gid)
+#
+probe nd_syscall.setgid = 
+		kernel.function("sys_setgid") ?, 
+		kernel.function("sys_setgid16") ?
+{
+	name = "setgid"
+	// gid = $gid
+	// argstr = sprint($gid)
+	asmlinkage()
+	gid = uint_arg(1)
+	argstr = sprint(gid)
+}
+probe nd_syscall.setgid.return = 
+		kernel.function("sys_setgid").return ?,
+		kernel.function("sys_setgid16").return ?
+{
+	name = "setgid"
+	retstr = returnstr(1)
+}
+
+# setgroups __________________________________________________
+#
+# long sys_setgroups(int gidsetsize, gid_t __user *grouplist)
+# long sys_setgroups16(int gidsetsize, old_gid_t __user *grouplist)
+# long sys32_setgroups16(int gidsetsize, u16 __user *grouplist)
+#
+probe nd_syscall.setgroups = 
+		kernel.function("sys_setgroups") ?,
+		kernel.function("sys_setgroups16") ?,
+		kernel.function("sys32_setgroups16") ?
+{
+	name = "setgroups"
+	// size = $gidsetsize
+	// list_uaddr = $grouplist
+	// argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+	asmlinkage()
+	size = int_arg(1) 
+	list_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", size, list_uaddr)
+}
+probe nd_syscall.setgroups.return = 
+		kernel.function("sys_setgroups").return ?,
+		kernel.function("sys_setgroups16").return ?,
+		kernel.function("sys32_setgroups16").return ?
+{
+	name = "setgroups"
+	retstr = returnstr(1)
+}
+
+# sethostname ________________________________________________
+#
+# asmlinkage long
+# sys_sethostname(char __user *name,
+#		     int len)
+#
+probe nd_syscall.sethostname = kernel.function("sys_sethostname") {
+	name = "sethostname"
+	// hostname_uaddr = $name
+	// name_str = user_string($name)
+	// len = $len
+	// argstr = sprintf("%s, %d", user_string_quoted($name), $len)
+	asmlinkage()
+	hostname_uaddr = pointer_arg(1)
+	name_str = user_string(hostname_uaddr)
+	len = int_arg(2)
+	argstr = sprintf("%s, %d", user_string_quoted(hostname_uaddr), len)
+}
+probe nd_syscall.sethostname.return = kernel.function("sys_sethostname").return {
+	name = "sethostname"
+	retstr = returnstr(1)
+}
+# setitimer __________________________________________________
+#
+# long sys_setitimer(int which,
+#		   struct itimerval __user *value,
+#		   struct itimerval __user *ovalue)
+#
+probe nd_syscall.setitimer = kernel.function("sys_setitimer") {
+	name = "setitimer"
+	// which = $which
+	// value_uaddr = $value
+	// ovalue_uaddr = $ovalue
+	// argstr = sprintf("%s, %s, %p", _itimer_which_str($which), 
+	// 	_struct_itimerval_u($value), $ovalue)
+	asmlinkage()
+	which = int_arg(1)
+	value_uaddr = pointer_arg(2)
+	ovalue_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %s, %p", _itimer_which_str(which), 
+		_struct_itimerval_u(value_uaddr), ovalue_uaddr)
+}
+probe nd_syscall.setitimer.return = kernel.function("sys_setitimer").return {
+	name = "setitimer"
+	retstr = returnstr(1)
+}
+#
+# long compat_sys_setitimer(int which,
+#		struct compat_itimerval __user *in,
+#		struct compat_itimerval __user *out)
+#
+probe nd_syscall.compat_setitimer = kernel.function("compat_sys_setitimer") ? {
+	name = "setitimer"
+	// which = $which
+	// value_uaddr = $in
+	// ovalue_uaddr = $out
+	// argstr = sprintf("%s, %s, %p", _itimer_which_str($which), 
+	// 	_struct_compat_itimerval_u($in), $out)
+	asmlinkage()
+	which = int_arg(1)
+	value_uaddr = pointer_arg(2)
+	ovalue_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %s, %p", _itimer_which_str(which), 
+		_struct_compat_itimerval_u(value_uaddr), ovalue_uaddr)
+}
+probe nd_syscall.compat_setitimer.return = kernel.function("compat_sys_setitimer").return ? {
+	name = "setitimer"
+	retstr = returnstr(1)
+}
+
+# set_mempolicy ______________________________________________
+# long sys_set_mempolicy(int mode,
+#	unsigned long __user *nmask,
+#	unsigned long maxnode)
+#
+probe nd_syscall.set_mempolicy =
+		kernel.function("sys_set_mempolicy") ?,
+		kernel.function("compat_sys_set_mempolicy") ?
+{
+	name = "set_mempolicy"
+	// mode = $mode
+	// nmask_uaddr = $nmask
+	// maxnode = $maxnode
+	// argstr = sprintf("%d, %p, %d", $mode, $nmask, $maxnode)
+	asmlinkage()
+	mode = int_arg(1)
+	nmask_uaddr = pointer_arg(2)
+	maxnode = ulong_arg(3)
+	argstr = sprintf("%d, %p, %d", mode, nmask_uaddr, maxnode)
+}
+probe nd_syscall.set_mempolicy.return =
+		kernel.function("sys_set_mempolicy").return ?,
+		kernel.function("compat_sys_set_mempolicy").return ?
+{
+	name = "set_mempolicy"
+	retstr = returnstr(1)
+}
+
+# setpgid ____________________________________________________
+#
+# asmlinkage long
+# sys_setpgid(pid_t pid,
+#		 pid_t pgid)
+#
+probe nd_syscall.setpgid = kernel.function("sys_setpgid") {
+	name = "setpgid"
+	// pid = $pid
+	// pgid = $pgid
+	// argstr = sprintf("%d, %d", $pid, $pgid)
+	asmlinkage()
+	pid = int_arg(1)
+	pgid = int_arg(2)
+	argstr = sprintf("%d, %d", pid, pgid)
+}
+probe nd_syscall.setpgid.return = kernel.function("sys_setpgid").return {
+	name = "setpgid"
+	retstr = returnstr(1)
+}
+# setpriority ________________________________________________
+#
+# asmlinkage long
+# sys_setpriority(int which,
+#		     int who,
+#		     int niceval)
+#
+probe nd_syscall.setpriority = kernel.function("sys_setpriority") {
+	name = "setpriority"
+	// which = $which
+	// which_str = _priority_which_str($which)
+	// who = $who
+	// prio = $niceval
+	// argstr = sprintf("%s, %d, %d", which_str, $who, $niceval)
+	asmlinkage()
+	which = int_arg(1)
+	which_str = _priority_which_str(which)
+	who = int_arg(2)
+	prio = int_arg(3)
+	argstr = sprintf("%s, %d, %d", which_str, who, prio)
+}
+probe nd_syscall.setpriority.return = kernel.function("sys_setpriority").return {
+	name = "setpriority"
+	retstr = returnstr(1)
+}
+
+# setregid ___________________________________________________
+# long sys_setregid(gid_t rgid, gid_t egid)
+#
+probe nd_syscall.setregid = kernel.function("sys_setregid") {
+	name = "setregid"
+	// rgid = __int32($rgid)
+	// egid = __int32($egid)
+	asmlinkage()
+	rgid = __int32(uint_arg(1))
+	egid = __int32(uint_arg(2))
+	argstr = sprintf("%d, %d", rgid, egid)
+}
+probe nd_syscall.setregid.return = kernel.function("sys_setregid").return {
+	name = "setregid"
+	retstr = returnstr(1)
+}
+# setregid16 _________________________________________________
+# long sys_setregid16(old_gid_t rgid, old_gid_t egid)
+#
+probe nd_syscall.setregid16 = kernel.function("sys_setregid16") ? {
+	name = "setregid"
+	// rgid = __short($rgid)
+	// egid = __short($egid)
+	asmlinkage()
+	rgid = __short(uint_arg(1))
+	egid = __short(uint_arg(2))
+	argstr = sprintf("%d, %d",rgid, egid)
+}
+probe nd_syscall.setregid16.return = kernel.function("sys_setregid16").return ? {
+	name = "setregid"
+	retstr = returnstr(1)
+}
+# setresgid __________________________________________________
+# long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
+#
+probe nd_syscall.setresgid = kernel.function("sys_setresgid") {
+	name = "setresgid"
+	// rgid = __int32($rgid)
+	// egid = __int32($egid)
+	// sgid = __int32($sgid)
+	asmlinkage()
+	rgid = __int32(uint_arg(1))
+	egid = __int32(uint_arg(2))
+	sgid = __int32(uint_arg(3))
+	argstr = sprintf("%d, %d, %d", rgid, egid, sgid)
+}
+probe nd_syscall.setresgid.return = kernel.function("sys_setresgid").return {
+	name = "setresgid"
+	retstr = returnstr(1)
+}
+# setresgid16 ________________________________________________
+#
+# long sys_setresgid16(old_gid_t rgid,
+#		     old_gid_t egid,
+#		     old_gid_t sgid)
+#
+probe nd_syscall.setresgid16 = kernel.function("sys_setresgid16") ? {
+	name = "setresgid"
+	// rgid = __short($rgid)
+	// egid = __short($egid)
+	// sgid = __short($sgid)
+	asmlinkage()
+	rgid = __short(uint_arg(1))
+	egid = __short(uint_arg(2))
+	sgid = __short(uint_arg(3))
+	argstr = sprintf("%d, %d, %d", rgid, egid, sgid)
+}
+probe nd_syscall.setresgid16.return = kernel.function("sys_setresgid16").return ? {
+	name = "setresgid16"
+	retstr = returnstr(1)
+}
+
+# setresuid __________________________________________________
+#
+# long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
+#
+probe nd_syscall.setresuid = kernel.function("sys_setresuid") {
+	name = "setresuid"
+	// ruid = __int32($ruid)
+	// euid = __int32($euid)
+	// suid = __int32($suid)
+	asmlinkage()
+	ruid = __int32(uint_arg(1))
+	euid = __int32(uint_arg(2))
+	suid = __int32(uint_arg(3))
+	argstr = sprintf("%d, %d, %d", ruid, euid, suid)
+}
+probe nd_syscall.setresuid.return = kernel.function("sys_setresuid").return {
+	name = "setresuid"
+	retstr = returnstr(1)
+}
+
+# setresuid16 ________________________________________________
+#
+# long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
+#
+probe nd_syscall.setresuid16 = kernel.function("sys_setresuid16") ? {
+	name = "setresuid"
+	// ruid = __short($ruid)
+	// reuid = __short($euid)
+	// rsuid = __short($suid)
+	asmlinkage()
+	ruid = __short(uint_arg(1))
+	euid = __short(uint_arg(2))
+	suid = __short(uint_arg(3))
+	argstr = sprintf("%d, %d, %d", ruid, euid, suid)
+}
+probe nd_syscall.setresuid16.return = kernel.function("sys_setresuid16").return ? {
+	name = "setresuid"
+	retstr = returnstr(1)
+}
+
+# setreuid ___________________________________________________
+# long sys_setreuid(uid_t ruid, uid_t euid)
+#
+probe nd_syscall.setreuid = kernel.function("sys_setreuid") {
+	name = "setreuid"
+	// ruid = __int32($ruid)
+	// euid = __int32($euid)
+	asmlinkage()
+	ruid = __int32(uint_arg(1))
+	euid = __int32(uint_arg(2))
+	argstr = sprintf("%d, %d", ruid, euid)
+}
+probe nd_syscall.setreuid.return = kernel.function("sys_setreuid").return {
+	name = "setreuid"
+	retstr = returnstr(1)
+}
+# setreuid16 _________________________________________________
+# long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
+#
+probe nd_syscall.setreuid16 = kernel.function("sys_setreuid16") ? {
+	name = "setreuid"
+	// ruid = __short($ruid)
+	// euid = __short($euid)
+	asmlinkage()
+	ruid = __short(uint_arg(1))
+	euid = __short(uint_arg(2))
+	argstr = sprintf("%d, %d", ruid, euid)
+}
+probe nd_syscall.setreuid16.return = kernel.function("sys_setreuid16").return ? {
+	name = "setreuid"
+	retstr = returnstr(1)
+}
+# setrlimit __________________________________________________
+#
+# asmlinkage long
+# sys_setrlimit(unsigned int resource,
+#		   struct rlimit __user *rlim)
+#
+probe nd_syscall.setrlimit = kernel.function("sys_setrlimit") {
+	name = "setrlimit"
+	// resource = $resource
+	// rlim_uaddr = $rlim
+	// argstr = sprintf("%s, %s", _rlimit_resource_str($resource),
+	// 			_struct_rlimit_u($rlim))
+	asmlinkage()
+	resource = uint_arg(1)
+	rlim_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %s", _rlimit_resource_str(resource),
+				_struct_rlimit_u(rlim_uaddr))
+}
+probe nd_syscall.setrlimit.return = kernel.function("sys_setrlimit").return {
+	name = "setrlimit"
+	retstr = returnstr(1)
+}
+# setsid _____________________________________________________
+#
+# long sys_setsid(void)
+#
+probe nd_syscall.setsid = kernel.function("sys_setsid") {
+	name = "setsid"
+	argstr = ""
+}
+probe nd_syscall.setsid.return = kernel.function("sys_setsid").return {
+	name = "setsid"
+	retstr = returnstr(1)
+}
+
+# setsockopt _________________________________________________
+#
+# long sys_setsockopt(int fd,
+#		    int level,
+#		    int optname,
+#		    char __user *optval,
+#		    int optlen)
+#
+probe nd_syscall.setsockopt = 
+		kernel.function("sys_setsockopt") ?,
+		kernel.function("compat_sys_setsockopt") ?
+{
+	name = "setsockopt"
+	// fd = $fd
+	// level = $level
+	// level_str = _sockopt_level_str($level)
+	// optname = $optname
+	// optname_str = _sockopt_optname_str($optname)
+	// optval_uaddr = $optval
+	// optlen = $optlen
+	// argstr = sprintf("%d, %s, %s, %p, %d", $fd, level_str,
+	// 			optname_str, $optval, $optlen)
+	asmlinkage()
+	fd = int_arg(1)
+	level = int_arg(2)
+	level_str = _sockopt_level_str(level)
+	optname = int_arg(3)
+	optname_str = _sockopt_optname_str(optname)
+	optval_uaddr = pointer_arg(4)
+	optlen = int_arg(5)
+	argstr = sprintf("%d, %s, %s, %p, %d", fd, level_str,
+				optname_str, optval_uaddr, optlen)
+}
+probe nd_syscall.setsockopt.return =
+		kernel.function("sys_setsockopt").return ?,
+		kernel.function("compat_sys_setsockopt").return ?
+{
+	name = "setsockopt"
+	retstr = returnstr(1)
+}
+
+# set_tid_address ____________________________________________
+#
+# asmlinkage long
+# sys_set_tid_address(int __user *tidptr)
+#
+probe nd_syscall.set_tid_address = kernel.function("sys_set_tid_address") {
+	name = "set_tid_address"
+	// tidptr_uaddr = $tidptr
+	asmlinkage()
+	tidptr_uaddr = pointer_arg(1)
+	argstr = sprintf("%p", tidptr_uaddr)
+}
+probe nd_syscall.set_tid_address.return =
+	kernel.function("sys_set_tid_address").return {
+	name = "set_tid_address"
+	retstr = returnstr(1)
+}
+# settimeofday _______________________________________________
+#
+# long sys_settimeofday(struct timeval __user *tv,
+#			struct timezone __user *tz)
+#
+probe nd_syscall.settimeofday = kernel.function("sys_settimeofday") {
+	name = "settimeofday"
+	// ttv_uaddr = $tv
+	// ttz_uaddr = $tz
+	// targstr = sprintf("%s, %s", _struct_timeval_u($tv, 1), _struct_timezone_u($tz))
+	asmlinkage()
+	tv_uaddr = pointer_arg(1)
+	tz_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %s", _struct_timeval_u(tv_uaddr, 1), _struct_timezone_u(tz_uaddr))
+}
+probe nd_syscall.settimeofday.return = kernel.function("sys_settimeofday").return {
+	name = "settimeofday"
+	retstr = returnstr(1)
+}
+#
+# long sys32_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
+# long compat_sys_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
+#
+probe nd_syscall.settimeofday32 = 
+		kernel.function("sys32_settimeofday") ?,
+		kernel.function("compat_sys_settimeofday") ?
+{
+	name = "settimeofday"
+	// tv_uaddr = $tv
+	// tz_uaddr = $tz
+	// argstr = sprintf("%s, %s", _struct_compat_timeval_u($tv, 1),_struct_timezone_u($tz))
+	asmlinkage()
+	tv_uaddr = pointer_arg(1)
+	tz_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %s", _struct_compat_timeval_u(tv_uaddr, 1),_struct_timezone_u(tz_uaddr))
+}
+probe nd_syscall.settimeofday32.return = 
+		kernel.function("sys32_settimeofday").return ?, 
+		kernel.function("compat_sys_settimeofday").return ?
+{
+	name = "settimeofday"
+	retstr = returnstr(1)
+}
+
+# setuid _____________________________________________________
+#
+# long sys_setuid(uid_t uid)
+# long sys_setuid16(old_uid_t uid)
+#
+probe nd_syscall.setuid =
+		kernel.function("sys_setuid16") ?,
+		kernel.function("sys_setuid")
+{
+	name = "setuid"
+	// uid = $uid
+	// argstr = sprint($uid)
+	asmlinkage()
+	uid = uint_arg(1)
+	argstr = sprint(uid)
+}
+probe nd_syscall.setuid.return =
+		kernel.function("sys_setuid16").return ?,
+		kernel.function("sys_setuid").return
+{
+	name = "setuid"
+	retstr = returnstr(1)
+}
+
+# setxattr ___________________________________________________
+# long sys_setxattr(char __user *path,
+#		  char __user *name,
+#		  void __user *value,
+#		  size_t size,
+#		  int flags)
+#
+probe nd_syscall.setxattr = kernel.function("sys_setxattr") {
+	name = "setxattr"
+	// path_uaddr = $path
+	// path = user_string($path)
+	// name_uaddr = $name
+	// name_str = user_string($name)
+	// value_uaddr = $value
+	// size = $size
+	// flags = $flags
+	// argstr = sprintf("%s, %s, %p, %d, %d", 
+	// 		user_string_quoted($path), 
+	// 		user_string_quoted($name),
+	// 		value_uaddr, $size, $flags)
+	asmlinkage()
+	path_uaddr = pointer_arg(1)
+	path = user_string(path_uaddr)
+	name_uaddr = pointer_arg(2)
+	name_str = user_string(name_uaddr)
+	value_uaddr = pointer_arg(3)
+	size = ulong_arg(4)
+	flags = int_arg(5)
+	argstr = sprintf("%s, %s, %p, %d, %d", 
+			user_string_quoted(path_uaddr), 
+			user_string_quoted(name_uaddr),
+			value_uaddr, size, flags)
+}
+probe nd_syscall.setxattr.return = kernel.function("sys_setxattr").return {
+	name = "setxattr"
+	retstr = returnstr(1)
+}
+# sgetmask ___________________________________________________
+#
+# sys_sgetmask(void)
+#
+probe nd_syscall.sgetmask = kernel.function("sys_sgetmask")? {
+	name = "sgetmask"
+	argstr = ""
+}
+probe nd_syscall.sgetmask.return = kernel.function("sys_sgetmask").return ? {
+	name = "sgetmask"
+	retstr = returnstr(1)
+}
+
+# shmat ______________________________________________________
+#
+# long sys_shmat(int shmid, char __user *shmaddr, int shmflg)
+#
+probe nd_syscall.shmat = kernel.function("sys_shmat") ? {
+	name = "shmat"	
+	// shmid = $shmid
+	// shmaddr_uaddr = $shmaddr
+	// shmflg = $shmflg
+	// argstr = sprintf("%d, %p, %s", $shmid, $shmaddr, _shmat_flags_str($shmflg))
+	asmlinkage()
+	shmid = int_arg(1)
+	shmaddr_uaddr = pointer_arg(2)
+	shmflg = int_arg(3)
+	argstr = sprintf("%d, %p, %s", shmid, shmaddr_uaddr, _shmat_flags_str(shmflg))
+}
+probe nd_syscall.shmat.return = kernel.function("sys_shmat").return ? {
+	name = "shmat"
+	retstr = returnstr(1)
+}
+# compat_sys_shmat ________________________________________
+#
+# long compat_sys_shmat(int first, int second, compat_uptr_t third,
+#			int version, void __user *uptr)
+#
+probe nd_syscall.compat_sys_shmat = kernel.function("compat_sys_shmat") ? {
+	name = "compat_sys_shmat"
+	// first = $first
+	// second = $second
+	// third = $third
+	// uptr_uaddr = $uptr
+	// argstr = sprintf("%d, %d, %d, %d, %p", $first, $second, $third, $version, $uptr)
+	// no asmlinkage
+	first = int_arg(1)
+	second = int_arg(2)
+	third = u32_arg(3)
+	uptr_uaddr = pointer_arg(5)
+	argstr = sprintf("%d, %d, %d, %d, %p", first, second, third, int_arg(4), uptr_uaddr)
+}
+probe nd_syscall.compat_sys_shmat.return =	kernel.function("compat_sys_shmat").return ? {
+	name = "compat_sys_shmat"
+	retstr = returnstr(1)
+}
+
+# shmctl _____________________________________________________
+#
+# long sys_shmctl (int shmid,
+#		 int cmd,
+#		 struct shmid_ds __user *buf)
+#
+probe nd_syscall.shmctl = kernel.function("sys_shmctl") ? {
+	name = "shmctl"
+	// shmid = $shmid
+	// cmd = $cmd
+	// buf_uaddr = $buf
+	// argstr = sprintf("%d, %s, %p", $shmid, _semctl_cmd($cmd), $buf)
+	asmlinkage()
+	shmid = int_arg(1)
+	cmd = int_arg(2)
+	buf_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %s, %p", shmid, _semctl_cmd(cmd), buf_uaddr)
+}
+probe nd_syscall.shmctl.return = kernel.function("sys_shmctl").return ? {
+	name = "shmctl"
+	retstr = returnstr(1)
+}
+# compat_sys_shmctl ________________________________________
+#
+# long compat_sys_shmctl(int first, int second, void __user *uptr)
+#
+probe nd_syscall.compat_sys_shmctl = kernel.function("compat_sys_shmctl") ? {
+	name = "compat_sys_shmctl"
+	// first = $first
+	// second = $second
+	// uptr_uaddr = $uptr
+	// argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+	// no asmlinkages
+	first = int_arg(1)
+	second = int_arg(2)
+	uptr_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %d, %p", first, second, uptr_uaddr)
+}
+probe nd_syscall.compat_sys_shmctl.return = kernel.function("compat_sys_shmctl").return ? {
+	name = "compat_sys_shmctl"
+	retstr = returnstr(1)
+}
+
+# shmdt ______________________________________________________
+#
+# long sys_shmdt(char __user *shmaddr)
+#
+probe nd_syscall.shmdt = kernel.function("sys_shmdt") ? {
+	name = "shmdt"
+	// shmaddr_uaddr = $shmaddr
+	// argstr = sprintf("%p", $shmaddr)
+	asmlinkage()
+	shmaddr_uaddr = pointer_arg(1)
+	argstr = sprintf("%p", shmaddr_uaddr)
+}
+probe nd_syscall.shmdt.return = kernel.function("sys_shmdt").return ? {
+	name = "shmdt"
+	retstr = returnstr(1)
+}
+
+# shmget _____________________________________________________
+#
+# long sys_shmget (key_t key,
+#		 size_t size,
+#		 int shmflg)
+#
+probe nd_syscall.shmget = kernel.function("sys_shmget") ? {
+	name = "shmget"
+	// key = $key
+	// size = $size
+	// shmflg = $shmflg
+	// argstr = sprintf("%d, %d, %d", $key, $size, $shmflg)
+	asmlinkage()
+	key = int_arg(1)
+	size = ulong_arg(2)
+	shmflg = int_arg(3)
+	argstr = sprintf("%d, %d, %d", key, size, shmflg)
+}
+probe nd_syscall.shmget.return = kernel.function("sys_shmget").return ? {
+	name = "shmget"
+	retstr = returnstr(1)
+}
+
+# shutdown ___________________________________________________
+#
+# long sys_shutdown(int fd, int how)
+#
+probe nd_syscall.shutdown = kernel.function("sys_shutdown") ? {
+	name = "shutdown"
+	// s = $fd
+	// how = $how
+	// how_str = _shutdown_how_str($how)
+	// argstr = sprintf("%d, %s", $fd, how_str)
+	asmlinkage()
+	s = int_arg(1)
+	how = int_arg(2)
+	how_str = _shutdown_how_str(how)
+	argstr = sprintf("%d, %s", s, how_str)
+}
+probe nd_syscall.shutdown.return = kernel.function("sys_shutdown").return ? {
+	name = "shutdown"
+	retstr = returnstr(1)
+}
+
+# sigaction __________________________________________________
+# sys_sigaction(int sig, const struct old_sigaction __user *act, struct old_sigaction __user *oact)
+# sys32_sigaction(int sig, struct old_sigaction32 __user *act, struct old_sigaction32 __user *oact)
+#
+probe nd_syscall.sigaction = kernel.function("sys_sigaction") ? {
+	name = "sigaction"
+	// sig = $sig
+	// act_uaddr = $act
+	// oact_uaddr = $oact
+	// argstr = sprintf("%s, {%s}, %p", _signal_name($sig), _struct_sigaction_u($act), $oact)
+	%( arch != "ppc64" %? asmlinkage() %)
+	sig = int_arg(1)
+	act_uaddr = pointer_arg(2)
+	oact_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, {%s}, %p", _signal_name(sig), _struct_sigaction_u(act_uaddr), oact_uaddr)
+}
+probe nd_syscall.sigaction.return = kernel.function("sys_sigaction").return ? {
+	name = "sigaction"
+	retstr = returnstr(1)
+}
+probe nd_syscall.sigaction32 = kernel.function("sys32_sigaction") ? {
+	name = "sigaction"
+	// sig = $sig
+	// sact_uaddr = $act
+	// soact_uaddr = $oact
+	// sargstr = sprintf("%s, %p, %p", _signal_name($sig), $act, $oact)
+	asmlinkage()
+	sig = int_arg(1)
+	act_uaddr = pointer_arg(2)
+	oact_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %p, %p", _signal_name(sig), sact_uaddr, soact_uaddr)
+}
+probe nd_syscall.sigaction32.return = kernel.function("sys32_sigaction").return ? {
+	name = "sigaction"
+	retstr = returnstr(1)
+}
+
+# signal _____________________________________________________
+# unsigned long sys_signal(int sig, __sighandler_t handler)
+#
+probe nd_syscall.signal = kernel.function("sys_signal") ? {
+	name = "signal"
+	// sig = $sig
+	// handler = $handler
+	// argstr = sprintf("%s, %s", _signal_name($sig), _sighandler_str($handler))
+	asmlinkage()
+	sig = int_arg(1)
+	handler =  pointer_arg(2)
+	argstr = sprintf("%s, %s", _signal_name(sig), _sighandler_str(handler))
+}
+probe nd_syscall.signal.return = kernel.function("sys_signal").return ? {
+	name = "signal"
+	retstr = returnstr(1)
+}
+
+# signalfd _____________________________________________________
+#
+# long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemask)
+# long compat_sys_signalfd(int ufd, const compat_sigset_t __user *sigmask,
+# 		 compat_size_t sigsetsize)
+#
+probe nd_syscall.signalfd = kernel.function("sys_signalfd") ? {
+	name = "signalfd"
+	// argstr = sprintf("%d, %p, %d", $ufd, $user_mask, $sizemask)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2), ulong_arg(3))
+}
+probe nd_syscall.signalfd.return = kernel.function("sys_signalfd").return ? {
+	name = "signalfd"
+	retstr = returnstr(1)
+}
+probe nd_syscall.compat_signalfd = kernel.function("compat_sys_signalfd") ? {
+	name = "compat_signalfd"
+	// argstr = sprintf("%d, %p, %d", $ufd, $sigmask, $sigsetsize)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2), u32_arg(3))
+}
+probe nd_syscall.compat_signalfd.return = kernel.function("compat_sys_signalfd").return ? {
+	name = "compat_signalfd"
+	retstr = returnstr(1)
+}
+
+# sigpending _________________________________________________
+# long sys_sigpending(old_sigset_t __user *set)
+#
+probe nd_syscall.sigpending = kernel.function("sys_sigpending") ? {
+	name = "sigpending"
+	// argstr = sprintf("%p", $set)
+	asmlinkage()
+	argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.sigpending.return = kernel.function("sys_sigpending").return ? {
+	name = "sigpending"
+	retstr = returnstr(1)
+}
+
+# sigprocmask ________________________________________________
+# long sys_sigprocmask(int how, old_sigset_t __user *set, old_sigset_t __user *oset)
+#
+probe nd_syscall.sigprocmask = kernel.function("sys_sigprocmask") ?
+{
+	name = "sigprocmask"
+	// how  = $how
+	// how_str = _sigprocmask_how_str($how)
+	// set_uaddr    = $set
+	// oldset_uaddr = $oset
+	// argstr = sprintf("%s, %p, %p", how_str, $set, $oset)
+	asmlinkage()
+	how  = int_arg(1)
+	how_str = _sigprocmask_how_str(how)
+	set_uaddr    = pointer_arg(2)
+	oldset_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %p, %p", how_str, set_uaddr, oldset_uaddr)
+}
+probe nd_syscall.sigprocmask.return = kernel.function("sys_sigprocmask").return ?
+{
+	name = "sigprocmask"
+	retstr = returnstr(1)
+}
+
+# sigreturn __________________________________________________
+# int sys_sigreturn(unsigned long __unused)
+#
+probe nd_syscall.sigreturn = 
+		kernel.function("sys_sigreturn") ?,
+		kernel.function("sys32_sigreturn") ?
+{
+	name = "sigreturn"
+	argstr = ""
+}
+probe nd_syscall.sigreturn.return = 
+		kernel.function("sys_sigreturn").return ?,
+		kernel.function("sys32_sigreturn").return ?
+{
+	name = "sigreturn"
+	retstr = returnstr(1)
+}
+
+# sigsuspend _________________________________________________
+# 
+probe nd_syscall.sigsuspend =
+	kernel.function("sys_sigsuspend") ?,
+	kernel.function("sys32_sigsuspend") ?
+{
+	name = "sigsuspend"
+	argstr = ""
+}
+probe nd_syscall.sigsuspend.return =
+		kernel.function("sys_sigsuspend").return ?,
+		kernel.function("sys32_sigsuspend").return ?
+{
+	name = "sigsuspend"
+	retstr = returnstr(1)
+}
+
+# socket _____________________________________________________
+# long sys_socket(int family, int type, int protocol)
+#
+probe nd_syscall.socket = kernel.function("sys_socket") ? {
+	name = "socket"
+	// family = $family
+	// type = $type
+	// protocol = $protocol
+	// argstr = sprintf("%s, %s, %d", _sock_family_str($family),
+	// 			_sock_type_str($type),
+	// 			$protocol)
+	asmlinkage()
+	family = int_arg(1)
+	type = int_arg(2)
+	protocol = int_arg(3)
+	argstr = sprintf("%s, %s, %d", _sock_family_str(family),
+				_sock_type_str(type),
+				protocol)
+}
+probe nd_syscall.socket.return = kernel.function("sys_socket").return ? {
+	name = "socket"
+	retstr = returnstr(1)
+}
+
+# commented out because this seems redundant
+# socketcall _________________________________________________
+#
+# long sys_socketcall(int call, unsigned long __user *args)
+#
+#probe nd_syscall.socketcall = kernel.function("sys_socketcall") ? {
+#	name = "socketcall"
+#	call = $call
+#	args_uaddr = $args
+#	argstr = sprintf("%d, %p", $call, args_uaddr)
+#}
+#probe nd_syscall.socketcall.return = kernel.function("sys_socketcall").return ? {
+#	name = "socketcall"
+#	retstr = returnstr(1)
+#}
+
+# socketpair _________________________________________________
+# long sys_socketpair(int family,
+#		    int type,
+#		    int protocol,
+#		    int __user *usockvec)
+#
+probe nd_syscall.socketpair = kernel.function("sys_socketpair") ? {
+	name = "socketpair"
+	// family = $family
+	// type = $type
+	// protocol = $protocol
+	// sv_uaddr = $usockvec
+	// argstr = sprintf("%s, %s, %d, %p", 
+	// 			_sock_family_str($family),
+	// 			_sock_type_str($type),
+	// 			$protocol, sv_uaddr)
+	asmlinkage()
+	family = int_arg(1)
+	type = int_arg(2)
+	protocol = int_arg(3)
+	sv_uaddr = pointer_arg(4)
+	argstr = sprintf("%s, %s, %d, %p", 
+				_sock_family_str(family),
+				_sock_type_str(type),
+				protocol, sv_uaddr)
+}
+probe nd_syscall.socketpair.return = kernel.function("sys_socketpair").return ? {
+	name = "socketpair"
+	retstr = returnstr(1)
+}
+
+# splice ___________________________________________________
+#
+# long sys_splice(int fd_in, loff_t __user *off_in,
+#		   int fd_out, loff_t __user *off_out,
+#		   size_t len, unsigned int flags)
+#
+probe nd_syscall.splice = kernel.function("sys_splice") ? {
+	name = "splice"
+	// argstr = sprintf("%d, %p, %d, %p, %d, 0x%x",
+	// 	$fd_in, $off_in, $fd_out, $off_out, $len, $flags)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %d, %p, %d, 0x%x",
+		int_arg(1), pointer_arg(2), int_arg(3), pointer_arg(4), ulong_arg(5), uint_arg(6))
+}
+probe nd_syscall.splice.return = kernel.function("sys_splice").return ? {
+	name = "splice"
+	retstr = returnstr(1)
+}
+
+# ssetmask ___________________________________________________
+#
+# long sys_ssetmask(int newmask)
+#
+probe nd_syscall.ssetmask = kernel.function("sys_ssetmask") ? {
+	name = "ssetmask"
+	// newmask = $newmask
+	// argstr = sprint($newmask)
+	asmlinkage()
+	newmask = int_arg(1)
+	argstr = sprint(newmask)
+}
+probe nd_syscall.ssetmask.return = kernel.function("sys_ssetmask").return ? {
+	name = "ssetmask"
+	retstr = returnstr(1)
+}
+
+# stat _______________________________________________________
+# long sys_stat(char __user * filename, struct __old_stat __user * statbuf)
+# long sys32_stat64(char __user * filename, struct stat64 __user *statbuf)
+# long sys_stat64(char __user * filename, struct stat64 __user * statbuf)
+# long sys_oabi_stat64(char __user * filename, struct oldabi_stat64 __user * statbuf)
+# long compat_sys_newstat(char __user * filename, struct compat_stat __user *statbuf)
+probe nd_syscall.stat = 
+		kernel.function("sys_stat") ?, 
+		kernel.function("sys_newstat") ?,
+		kernel.function("sys32_stat64") ?,
+		kernel.function("sys_stat64") ?,
+		kernel.function("sys_oabi_stat64") ?,
+		kernel.function("compat_sys_newstat") ?
+{
+	name = "stat"
+	// filename_uaddr = $filename
+	// filename = user_string($filename)
+	// buf_uaddr = $statbuf
+	// argstr = sprintf("%s, %p", user_string_quoted($filename), buf_uaddr)
+	asmlinkage()
+	filename_uaddr = pointer_arg(1)
+	filename = user_string(filename_uaddr)
+	buf_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %p", user_string_quoted(filename_uaddr), buf_uaddr)
+}
+probe nd_syscall.stat.return = 
+		kernel.function("sys_stat").return ?, 
+		kernel.function("sys_newstat").return ?,
+		kernel.function("sys32_stat64").return ?,
+		kernel.function("sys_stat64").return ?,
+		kernel.function("sys_oabi_stat64").return ?,
+		kernel.function("compat_sys_newstat").return ? 
+{
+	name = "stat"
+	retstr = returnstr(1)
+}
+
+# statfs _____________________________________________________
+# long sys_statfs(const char __user * path, struct statfs __user * buf)
+# long compat_sys_statfs(const char __user *path, struct compat_statfs __user *buf)
+#
+probe nd_syscall.statfs = 
+		kernel.function("sys_statfs"),
+		kernel.function("compat_sys_statfs") ?
+{
+	name = "statfs"
+	// path = user_string($path)
+	// buf_uaddr = $buf
+	// argstr = sprintf("%s, %p", user_string_quoted($path), $buf)
+	asmlinkage()
+	path = user_string(pointer_arg(1))
+	buf_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %p", user_string_quoted(pointer_arg(1)), buf_uaddr)
+}
+probe nd_syscall.statfs.return = 
+		kernel.function("sys_statfs").return,
+		kernel.function("compat_sys_statfs").return ?
+{
+	name = "statfs"
+	retstr = returnstr(1)
+}
+
+# statfs64 ___________________________________________________
+#
+# long sys_statfs64(const char __user *path, size_t sz, struct statfs64 __user *buf)
+# long compat_sys_statfs64(const char __user *path, compat_size_t sz, struct compat_statfs64 __user *buf)
+#
+probe nd_syscall.statfs64 =
+		kernel.function("sys_statfs64") ?,
+		kernel.function("compat_sys_statfs64") ?
+{
+	name = "statfs"
+	// path = user_string($path)
+	// sz = $sz
+	// buf_uaddr = $buf
+	// argstr = sprintf("%s, %d, %p", user_string_quoted($path), $sz, $buf)
+	asmlinkage()
+	path = user_string(pointer_arg(1))
+	sz = ulong_arg(2)
+	buf_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %d, %p", user_string_quoted(pointer_arg(1)), sz, buf_uaddr)
+}
+probe nd_syscall.statfs64.return =
+		kernel.function("sys_statfs64").return ?,
+		kernel.function("compat_sys_statfs64").return ?
+{
+	name = "statfs"
+	retstr = returnstr(1)
+}
+
+# stime ______________________________________________________
+#
+# long sys_stime(time_t __user *tptr)
+# long compat_sys_stime(compat_time_t __user *tptr)
+#
+probe nd_syscall.stime = 
+		kernel.function("sys_stime") ?,
+		kernel.function("compat_sys_stime") ?
+{
+	name = "stime"
+	// t_uaddr = $tptr
+	/* FIXME. Decode time */	
+	// argstr = sprintf("%p", $tptr)
+	asmlinkage()
+	t_uaddr = pointer_arg(1)	
+	argstr = sprintf("%p", t_uaddr)
+}
+probe nd_syscall.stime.return = 
+		kernel.function("sys_stime").return ?,
+		kernel.function("compat_sys_stime").return ?
+{
+	name = "stime"
+	retstr = returnstr(1)
+}
+
+# swapoff ____________________________________________________
+#
+# asmlinkage long
+# sys_swapoff(const char __user * specialfile)
+#
+probe nd_syscall.swapoff = kernel.function("sys_swapoff")?  {
+	name = "swapoff"
+	// path = user_string($specialfile)
+	// argstr = user_string_quoted($specialfile)
+	asmlinkage()
+	path = user_string(pointer_arg(1))
+	argstr = user_string_quoted(pointer_arg(1))
+}
+probe nd_syscall.swapoff.return = kernel.function("sys_swapoff").return ? {
+	name = "swapoff"
+	retstr = returnstr(1)
+}
+# swapon _____________________________________________________
+#
+# asmlinkage long
+# sys_swapon(const char __user * specialfile,
+#		int swap_flags)
+#
+probe nd_syscall.swapon = kernel.function("sys_swapon") ? {
+	name = "swapon"
+	// path = user_string($specialfile)
+	// swapflags = $swap_flags
+	// argstr = sprintf("%s, %d", user_string_quoted($specialfile), swapflags)
+	asmlinkage()
+	path = user_string(pointer_arg(1))
+	swapflags = int_arg(2)
+	argstr = sprintf("%s, %d", user_string_quoted(pointer_arg(1)), swapflags)
+}
+probe nd_syscall.swapon.return = kernel.function("sys_swapon").return ? {
+	name = "swapon"
+	retstr = returnstr(1)
+}
+# symlink ____________________________________________________
+# long sys_symlink(const char __user * oldname,
+#		 const char __user * newname)
+probe nd_syscall.symlink = kernel.function("sys_symlink") {
+	name = "symlink"
+	// oldpath = user_string($oldname)
+	// newpath = user_string($newname)
+	// argstr = sprintf("%s, %s", user_string_quoted($oldname),
+	// 		user_string_quoted($newname))
+	asmlinkage()
+	oldpath = user_string(pointer_arg(1))
+	newpath = user_string(pointer_arg(2))
+	argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
+			user_string_quoted(pointer_arg(2)))
+}
+probe nd_syscall.symlink.return = kernel.function("sys_symlink").return {
+	name = "symlink"
+	retstr = returnstr(1)
+}
+
+
+# symlinkat __________________________________________________
+# new function with 2.6.16
+# long sys_symlinkat(const char __user *oldname, int newdfd,
+#	const char __user *newname)
+probe nd_syscall.symlinkat = kernel.function("sys_symlinkat") ? {
+	name = "symlinkat"
+//	oldname = $oldname
+//	oldname_str = user_string($oldname)
+//	newdfd = $newdfd
+//	newdfd_str = _dfd_str($newdfd)
+//	newname = $newname
+//	newname_str = user_string($newname)
+//	argstr = sprintf("%s, %s, %s", user_string_quoted($oldname),
+//		newdfd_str, user_string_quoted($newname))
+	asmlinkage()
+	oldname = pointer_arg(1)
+	oldname_str = user_string(oldname)
+	newdfd = int_arg(2)
+	newdfd_str = _dfd_str(newdfd)
+	newname = pointer_arg(3)
+	newname_str = user_string(newname)
+	argstr = sprintf("%s, %s, %s", user_string_quoted(oldname),
+		newdfd_str, user_string_quoted(newname))
+}
+probe nd_syscall.symlinkat.return = kernel.function("sys_symlinkat").return ? {
+	name = "symlinkat"
+	retstr = returnstr(1)
+}
+
+
+# sync _______________________________________________________
+#
+# sys_sync(void)
+#
+probe nd_syscall.sync = kernel.function("sys_sync") {
+	name = "sync"
+	argstr = ""
+}
+probe nd_syscall.sync.return = kernel.function("sys_sync").return {
+	name = "sync"
+	retstr = returnstr(1)
+}
+
+# sysctl _____________________________________________________
+#
+# long sys_sysctl(struct __sysctl_args __user *args)
+#
+probe nd_syscall.sysctl =
+		kernel.function("sys_sysctl") ?,
+		kernel.function("compat_sys_sysctl") ?
+{
+	name = "sysctl"
+	// argstr = sprintf("%p", $args)
+	asmlinkage()
+	argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.sysctl.return =
+		kernel.function("sys_sysctl").return ?,
+		kernel.function("compat_sys_sysctl").return ?
+{
+	name = "sysctl"
+	retstr = returnstr(1)
+}
+
+# sysfs ______________________________________________________
+#
+# asmlinkage long
+# sys_sysfs(int option,
+#	     unsigned long arg1,
+#	     unsigned long arg2)
+#
+probe nd_syscall.sysfs = kernel.function("sys_sysfs") {
+	name = "sysfs"
+	// option = $option
+	// arg1 = $arg1
+	// arg2 = $arg2
+	// if (option == 1)
+	// 	argstr = sprintf("%d, %s, %d", $option, user_string_quoted($arg1), $arg2)
+	// else if (option == 2)
+	// 	argstr = sprintf("%d, %d, %p", $option, $arg1, $arg2)
+	// else if (option == 3)
+	// 	argstr = sprintf("%d, %d, %d", $option, $arg1, $arg2)
+	// else
+	// 	argstr = sprintf("%d, %d, %d", $option, $arg1, $arg2)
+	asmlinkage()
+	option = int_arg(1) 
+	arg1 = ulong_arg(2)
+	arg2 = ulong_arg(3)
+	if (option == 1)
+		argstr = sprintf("%d, %s, %d", option, user_string_quoted(arg1), arg2)
+	else if (option == 2)
+		argstr = sprintf("%d, %d, %p", option, arg1, arg2)
+	else
+		argstr = sprintf("%d, %d, %d", option, arg1, arg2)
+}
+probe nd_syscall.sysfs.return = kernel.function("sys_sysfs").return {
+	name = "sysfs"
+	retstr = returnstr(1)
+}
+# sysinfo ____________________________________________________
+#
+# long sys_sysinfo(struct sysinfo __user *info)
+# long compat_sys_sysinfo(struct compat_sysinfo __user *info)
+probe nd_syscall.sysinfo = 
+		kernel.function("sys_sysinfo"),
+		kernel.function("compat_sys_sysinfo") ?
+{
+	name = "sysinfo"
+	// info_uaddr = $info
+	// argstr = sprintf("%p", $info)
+	asmlinkage()
+	info_uaddr = pointer_arg(1)
+	argstr = sprintf("%p", info_uaddr)
+}
+probe nd_syscall.sysinfo.return = 
+		kernel.function("sys_sysinfo").return,
+		kernel.function("compat_sys_sysinfo").return ?
+{
+	name = "sysinfo"
+	retstr = returnstr(1)
+}
+
+# syslog _____________________________________________________
+#
+# long sys_syslog(int type, char __user * buf, int len)
+#
+probe nd_syscall.syslog = kernel.function("sys_syslog") {
+	name = "syslog"
+	// type = $type
+	// bufp_uaddr = $buf
+	// len = $len
+	// argstr = sprintf("%d, %p, %d", $type, $buf, $len)
+	asmlinkage()
+	type = int_arg(1)
+	bufp_uaddr = pointer_arg(2)
+	len = int_arg(3)
+	argstr = sprintf("%d, %p, %d", type, bufp_uaddr, len)
+}
+probe nd_syscall.syslog.return = kernel.function("sys_syslog").return {
+	name = "syslog"
+	retstr = returnstr(1)
+}
+
+# tee _____________________________________________________
+#
+# long sys_tee(int fdin, int fdout, size_t len, unsigned int flags)
+#
+probe nd_syscall.tee = kernel.function("sys_tee") ? {
+	name = "tee"
+	// argstr = sprintf("%d, %d, %d, 0x%x", $fdin, $fdout, $len, $flags)
+	asmlinkage()
+	argstr = sprintf("%d, %d, %d, 0x%x", int_arg(1), int_arg(2), ulong_arg(3), uint_arg(4))
+}
+probe nd_syscall.tee.return = kernel.function("sys_tee").return ? {
+	name = "tee"
+	retstr = returnstr(1)
+}
+
+# tgkill _____________________________________________________
+#
+# asmlinkage long
+# sys_tgkill(int tgid,
+#		int pid,
+#		int sig)
+#
+probe nd_syscall.tgkill = kernel.function("sys_tgkill") {
+	name = "tgkill"
+	// tgid = $tgid
+	// pid = $pid
+	// sig = $sig
+	// argstr = sprintf("%d, %d, %s", $tgid, $pid, _signal_name($sig))
+	asmlinkage()
+	tgid = int_arg(1)
+	pid = int_arg(2)
+	sig = int_arg(3)
+	argstr = sprintf("%d, %d, %s", tgid, pid, _signal_name(sig))
+}
+probe nd_syscall.tgkill.return = kernel.function("sys_tgkill").return {
+	name = "tgkill"
+	retstr = returnstr(1)
+}
+# time _______________________________________________________
+#
+# long sys_time(time_t __user * tloc)
+# long sys_time64(long __user * tloc)
+# long sys32_time(compat_time_t __user * tloc)
+# long compat_sys_time(compat_time_t __user * tloc)
+#
+probe nd_syscall.time = 
+		kernel.function("sys_time")?,
+		kernel.function("sys32_time") ?,
+		kernel.function("sys_time64") ?,
+		kernel.function("compat_sys_time") ?
+{
+	name = "time"
+	// t_uaddr = $tloc
+	// argstr = sprintf("%p", $tloc)
+	asmlinkage()
+	t_uaddr = pointer_arg(1)
+	argstr = sprintf("%p", t_uaddr)
+}
+probe nd_syscall.time.return = 
+		kernel.function("sys_time").return?,
+		kernel.function("sys32_time").return ?,
+		kernel.function("sys_time64").return ?,
+		kernel.function("compat_sys_time").return ?
+{
+	name = "time"
+	retstr = returnstr(1)
+}
+
+# timer_create _______________________________________________
+#
+# long sys_timer_create(clockid_t which_clock,
+#			struct sigevent __user *timer_event_spec,
+#			timer_t __user * created_timer_id)
+#
+probe nd_syscall.timer_create = kernel.function("sys_timer_create") {
+	name = "timer_create"
+	// clockid = $which_clock
+	// clockid_str = _get_wc_str($which_clock)
+	// evp_uaddr = $timer_event_spec
+	// timerid_uaddr = $created_timer_id
+	// argstr = sprintf("%s, %p, %p", clockid_str, $timer_event_spec, $created_timer_id)
+	asmlinkage()
+	clockid = int_arg(1)
+	clockid_str = _get_wc_str(clockid)
+	evp_uaddr = pointer_arg(2)
+	timerid_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %p, %p", clockid_str, evp_uaddr, timerid_uaddr)
+}
+probe nd_syscall.timer_create.return =
+	kernel.function("sys_timer_create").return {
+	name = "timer_create"
+	retstr = returnstr(1)
+}
+
+# timer_delete _______________________________________________
+#
+# long sys_timer_delete(timer_t timer_id)
+#
+probe nd_syscall.timer_delete = kernel.function("sys_timer_delete") {
+	name = "timer_delete"
+	// timerid = $timer_id
+	// argstr = sprint($timer_id)
+	asmlinkage()
+	timerid = int_arg(1)
+	argstr = sprint(timerid)
+}
+probe nd_syscall.timer_delete.return = kernel.function("sys_timer_delete").return {
+	name = "timer_delete"
+	retstr = returnstr(1)
+}
+
+# timer_getoverrun ___________________________________________
+#
+# long sys_timer_getoverrun(timer_t timer_id)
+#
+probe nd_syscall.timer_getoverrun = kernel.function("sys_timer_getoverrun") {
+	name = "timer_getoverrun"
+	// timerid = $timer_id
+	// argstr = sprint($timer_id)
+	asmlinkage()
+	timerid = int_arg(1)
+	argstr = sprint(timerid)
+}
+probe nd_syscall.timer_getoverrun.return =
+	kernel.function("sys_timer_getoverrun").return {
+	name = "timer_getoverrun"
+	retstr = returnstr(1)
+}
+
+# timer_gettime ______________________________________________
+#
+# long sys_timer_gettime(timer_t timer_id,
+#			 struct itimerspec __user *setting)
+#
+probe nd_syscall.timer_gettime = kernel.function("sys_timer_gettime") {
+	name = "timer_gettime"
+	// timerid = $timer_id
+	// value_uaddr = $setting
+	// argstr = sprintf("%d, %p", $timer_id, $setting)
+	asmlinkage()
+	timerid = int_arg(1)
+	value_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", timerid, value_uaddr)
+}
+probe nd_syscall.timer_gettime.return =
+	kernel.function("sys_timer_gettime").return {
+	name = "timer_gettime"
+	retstr = returnstr(1)
+}
+
+# timer_settime ______________________________________________
+#
+# long sys_timer_settime(timer_t timer_id,
+#			 int flags,
+#			 const struct itimerspec __user *new_setting,
+#			 struct itimerspec __user *old_setting)
+#
+probe nd_syscall.timer_settime = kernel.function("sys_timer_settime") {
+	name = "timer_settime"
+	// timerid = $timer_id
+	// flags = $flags
+	// value_uaddr  = $new_setting
+	// ovalue_uaddr = $old_setting
+	// argstr = sprintf("%d, %d, %s, %p", $timer_id, $flags,
+	// 			_struct_itimerspec_u($new_setting),
+	// 			$old_setting)
+	asmlinkage()
+	timerid = int_arg(1)
+	flags = int_arg(2)
+	value_uaddr  = pointer_arg(3)
+	ovalue_uaddr = pointer_arg(4)
+	argstr = sprintf("%d, %d, %s, %p", timerid, flags,
+				_struct_itimerspec_u(value_uaddr),
+				ovalue_uaddr)
+}
+probe nd_syscall.timer_settime.return =
+	kernel.function("sys_timer_settime").return {
+	name = "timer_settime"
+	retstr = returnstr(1)
+}
+
+# timerfd ______________________________________________
+#
+# long sys_timerfd(int ufd, int clockid, int flags,
+#	    const struct itimerspec __user *utmr)
+# long compat_sys_timerfd(int ufd, int clockid, int flags,
+#  	   const struct compat_itimerspec __user *utmr)
+#
+probe nd_syscall.timerfd =
+		kernel.function("sys_timerfd") ?,
+		kernel.function("compat_sys_timerfd") ?
+{
+	name = "timerfd"
+	// argstr = sprintf("%d, %d, 0x%x", $ufd, $clockid, $flags)
+	asmlinkage()
+	argstr = sprintf("%d, %d, 0x%x", int_arg(1), int_arg(2), int_arg(3))
+}
+probe nd_syscall.timerfd.return =
+		kernel.function("sys_timerfd").return ?,
+		kernel.function("compat_sys_timerfd").return ?
+{
+	name = "timerfd"
+	retstr = returnstr(1)
+}
+
+# times ______________________________________________________
+#
+# long sys_times(struct tms __user * tbuf)
+# long compat_sys_times(struct compat_tms __user *tbuf)
+probe nd_syscall.times = 
+		kernel.function("sys_times") ?,
+		kernel.function("compat_sys_times") ?
+{
+	name = "times"
+	// argstr = sprintf("%p", $tbuf) 
+	asmlinkage() 
+	argstr = sprintf("%p", pointer_arg(1)) 
+}
+probe nd_syscall.times.return = 
+		kernel.function("sys_times").return ?,
+		kernel.function("compat_sys_times").return ?
+{
+	name = "times"
+	retstr = returnstr(1)
+}
+
+# tkill ______________________________________________________
+#
+# asmlinkage long
+# sys_tkill(int pid,
+#	     int sig)
+#
+probe nd_syscall.tkill = kernel.function("sys_tkill") {
+	name = "tkill"
+	// pid = $pid
+	// sig = $sig
+	// argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+	asmlinkage()
+	pid = int_arg(1)
+	sig = int_arg(2)
+	argstr = sprintf("%d, %s", pid, _signal_name(sig))
+}
+probe nd_syscall.tkill.return = kernel.function("sys_tkill").return {
+	name = "tkill"
+	retstr = returnstr(1)
+}
+
+# truncate ___________________________________________________
+#
+# sys_truncate(const char __user * path, unsigned long length)
+# sys_truncate64(const char __user * path, loff_t length)
+#
+probe nd_syscall.truncate = kernel.function("sys_truncate")?, kernel.function("sys_truncate64") ? {
+	name = "truncate"
+	// path_uaddr = $path
+	// path = user_string($path)
+	// length = $length
+	// argstr = sprintf("%s, %d", user_string_quoted($path), $length)
+	asmlinkage()
+	path_uaddr = pointer_arg(1)
+	path = user_string(path_uaddr)
+	if (probefunc() == "sys_truncate")
+		length = ulong_arg(2)
+	else
+		length = longlong_arg(2)
+	argstr = sprintf("%s, %d", user_string_quoted(path_uaddr), length)
+}
+probe nd_syscall.truncate.return = kernel.function("sys_truncate").return ?, kernel.function("sys_truncate64").return ? {
+	name = "truncate"
+	retstr = returnstr(1)
+}
+
+# tux ________________________________________________________
+# long sys_tux (unsigned int action, user_req_t *u_info)
+#
+probe nd_syscall.tux = kernel.function("sys_tux") ? {
+	name = "tux"
+	// action = $action
+	// u_info_uaddr = $u_info
+	// argstr = sprintf("%d, %p", $action, $u_info)
+	// no sys_tux in recent kernels; guessing asmlinkage
+	asmlinkage()
+	action = uint_arg(1)
+	u_info_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", action, u_info_uaddr)
+}
+probe nd_syscall.tux.return = kernel.function("sys_tux").return ? {
+	name = "tux"
+	retstr = returnstr(1)
+}
+
+# umask ______________________________________________________
+# long sys_umask(int mask)
+#
+probe nd_syscall.umask = kernel.function("sys_umask") {
+	name = "umask"
+	// mask = $mask
+	// argstr = sprintf("%#o", $mask)
+	asmlinkage()
+	mask = int_arg(1)
+	argstr = sprintf("%#o", mask)
+}
+probe nd_syscall.umask.return = kernel.function("sys_umask").return {
+	name = "umask"
+	retstr = returnstr(3)
+}
+
+# umount _____________________________________________________
+# long sys_umount(char __user * name, int flags)
+#
+probe nd_syscall.umount = kernel.function("sys_umount") {
+	name = "umount"
+	// target = user_string($name)
+	// flags = $flags
+	// flags_str = _umountflags_str($flags)
+	// argstr = sprintf("%s, %s", user_string_quoted($name), flags_str)
+	asmlinkage()
+	target = user_string(pointer_arg(1))
+	flags = int_arg(2)
+	flags_str = _umountflags_str(flags)
+	argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), flags_str)
+}
+probe nd_syscall.umount.return = kernel.function("sys_umount").return {
+	name = "umount"
+	retstr = returnstr(1)
+}
+# uname ______________________________________________________
+#
+# int sys_uname(struct old_utsname __user *name)
+# long sys_newuname(struct new_utsname __user * name)
+# int sys_olduname(struct oldold_utsname __user * name)
+# int sys32_olduname(struct oldold_utsname __user * name)
+# long sys32_uname(struct old_utsname __user * name)
+#
+probe nd_syscall.uname = 
+		kernel.function("sys_uname") ?,
+		kernel.function("sys_olduname") ?,
+		kernel.function("sys32_olduname") ?,
+		kernel.function("sys32_uname") ?,
+		kernel.function("sys_newuname") ?
+{
+	name = "uname"
+	// argstr = sprintf("%p", $name)
+	_func_name = probefunc()
+	if (_func_name != "sys32_uname") {
+		if (_func_name == "sys_uname" || _func_name == "sys_olduname") {
+			%( arch != "ppc64" %? asmlinkage() %)
+		} else
+			asmlinkage()
+	}	
+	argstr = sprintf("%p", pointer_arg(1))
+}
+
+probe nd_syscall.uname.return = 
+		kernel.function("sys_uname").return ?,
+		kernel.function("sys_olduname").return ?,
+		kernel.function("sys32_olduname").return ?,
+		kernel.function("sys32_uname").return ?,
+		kernel.function("sys_newuname").return ?
+{
+	name = "uname"
+	retstr = returnstr(1)
+}
+
+# unlink _____________________________________________________
+# long sys_unlink(const char __user * pathname)
+#
+probe nd_syscall.unlink = kernel.function("sys_unlink") {
+	name = "unlink"
+	// pathname_uaddr = $pathname
+	// pathname = user_string($pathname)
+	// argstr = user_string_quoted($pathname)
+	asmlinkage()
+	pathname_uaddr = pointer_arg(1)
+	pathname = user_string(pathname_uaddr)
+	argstr = user_string_quoted(pathname_uaddr)
+}
+probe nd_syscall.unlink.return = kernel.function("sys_unlink").return {
+	name = "unlink"
+	retstr = returnstr(1)
+}
+# uselib _____________________________________________________
+#
+# asmlinkage long
+# sys_uselib(const char __user * library)
+#
+probe nd_syscall.uselib = kernel.function("sys_uselib") {
+	name = "uselib"
+	// library_uaddr = $library
+	// library = user_string($library)
+	// argstr = user_string_quoted($library)
+	asmlinkage()
+	library_uaddr = pointer_arg(1)
+	library = user_string(library_uaddr)
+	argstr = user_string_quoted(library_uaddr)
+}
+probe nd_syscall.uselib.return = kernel.function("sys_uselib").return {
+	name = "uselib"
+	retstr = returnstr(1)
+}
+# ustat ______________________________________________________
+# long sys_ustat(unsigned dev, struct ustat __user * ubuf)
+#
+probe nd_syscall.ustat = kernel.function("sys_ustat") {
+	name = "ustat"
+	// dev = $dev
+	// ubuf_uaddr = $ubuf
+	// argstr = sprintf("%d, %p", $dev, $ubuf)
+	asmlinkage()
+	dev = uint_arg(1)
+	ubuf_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", dev, ubuf_uaddr)
+}
+
+#long sys32_ustat(unsigned dev, struct ustat32 __user *u32p)
+probe nd_syscall.ustat32 = kernel.function("sys32_ustat") ? {
+	name = "ustat"
+	// dev = $dev
+	// argstr = sprintf("%d, %p", $dev, $u32p)
+	// no asmlinkage 
+	dev = uint_arg(1)
+	argstr = sprintf("%d, %p", dev, pointer_arg(2))
+}
+
+probe nd_syscall.ustat.return = 
+	kernel.function("sys_ustat").return,
+	kernel.function("sys32_ustat").return ? 
+{
+	name = "ustat"
+	retstr = returnstr(1)
+}
+
+# utime ______________________________________________________
+# long sys_utime(char __user * filename, struct utimbuf __user * times)
+probe nd_syscall.utime = kernel.function("sys_utime") ? {
+	name = "utime"
+	asmlinkage()
+	filename_uaddr = pointer_arg(1)
+	filename = user_string_quoted(filename_uaddr)
+	buf_uaddr = pointer_arg(2)
+	actime = _struct_utimbuf_actime(buf_uaddr)
+	modtime = _struct_utimbuf_modtime(buf_uaddr)
+	argstr = sprintf("%s, [%s, %s]", filename,
+	       	 	 ctime(actime), ctime(modtime))
+}
+probe nd_syscall.utime.return = kernel.function("sys_utime").return ? {
+	name = "utime"
+	retstr = returnstr(1)
+}
+
+# long compat_sys_utime(char __user *filename, struct compat_utimbuf __user *t)
+probe nd_syscall.compat_utime = kernel.function("compat_sys_utime") ? {
+	name = "utime"
+	asmlinkage()
+	filename_uaddr = pointer_arg(1)
+	filename = user_string_quoted(filename_uaddr)
+	buf_uaddr = pointer_arg(2)
+	actime = _struct_compat_utimbuf_actime(buf_uaddr)
+	modtime = _struct_compat_utimbuf_modtime(buf_uaddr)
+	argstr = sprintf("%s, [%s, %s]", filename,
+	       	 	 ctime(actime), ctime(modtime))
+}
+probe nd_syscall.compat_utime.return = kernel.function("compat_sys_utime").return ? {
+	name = "utime"
+	retstr = returnstr(1)
+}
+
+# utimes _____________________________________________________
+#
+# long sys_utimes(char __user * filename, struct timeval __user * utimes)
+#
+probe nd_syscall.utimes = kernel.function("sys_utimes") {
+	name = "utimes"
+	// filename_uaddr = $filename
+	// filename = user_string($filename)
+	// tvp_uaddr = $utimes
+	// argstr = sprintf("%s, %s", user_string_quoted($filename),  
+	// 	_struct_timeval_u($utimes, 2))
+	asmlinkage()
+	filename_uaddr = pointer_arg(1)
+	filename = user_string(filename_uaddr)
+	tvp_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %s", user_string_quoted(filename_uaddr),  
+		_struct_timeval_u(tvp_uaddr, 2))
+}
+probe nd_syscall.utimes.return = kernel.function("sys_utimes").return {
+	name = "utimes"
+	retstr = returnstr(1)
+}
+# compat_sys_utimes ________________________________________
+#
+# long compat_sys_utimes(char __user *filename, struct compat_timeval __user *t)
+#
+probe nd_syscall.compat_sys_utimes = kernel.function("compat_sys_utimes") ? {
+	name = "utimes"
+	// filename = user_string($filename)
+	// argstr = sprintf("%s, %s", user_string_quoted($filename),
+	// 			 _struct_compat_timeval_u($t, 2))
+	asmlinkage()
+	filename = user_string(pointer_arg(1))
+	argstr = sprintf("%s, %s", user_string_quoted(filename),
+				 _struct_compat_timeval_u(pointer_arg(2), 2))
+}
+probe nd_syscall.compat_sys_utimes.return = kernel.function("compat_sys_utimes").return ? {
+	name = "utimes"
+	retstr = returnstr(1)
+}
+
+# utimensat ____________________________________________________
+# long sys_utimensat(int dfd, char __user *filename, struct timespec __user *utimes, int flags)
+# long compat_sys_utimensat(unsigned int dfd, char __user *filename, struct compat_timespec __user *t, int flags)
+# 
+probe nd_syscall.utimensat = kernel.function("sys_utimensat") ? {
+	name = "utimensat"
+	// argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_timespec_u($utimes,2),
+	// 	_at_flag_str($flags))
+	asmlinkage()
+	argstr = sprintf("%s, %s, %s, %s", _dfd_str(int_arg(1)), user_string_quoted(pointer_arg(2)), 
+				_struct_timespec_u(pointer_arg(3),2), _at_flag_str(int_arg(4)))
+}
+probe nd_syscall.compat_utimensat = kernel.function("compat_sys_utimensat") ? {
+	name = "utimensat"
+	// argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_compat_timespec_u($t,2),
+	// 	_at_flag_str($flags))
+	asmlinkage()
+	argstr = sprintf("%s, %s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)),
+				 _struct_compat_timespec_u(pointer_arg(3),2), _at_flag_str(int_arg(4)))
+}
+probe nd_syscall.utimensat.return =  kernel.function("sys_utimensat").return ? {
+	name = "utimensat"
+	retstr = returnstr(1)
+}
+probe nd_syscall.compat_utimensat.return =  kernel.function("compat_sys_utimensat").return ? {
+	name = "utimensat"
+	retstr = returnstr(1)
+}
+
+# vhangup ____________________________________________________
+#
+# asmlinkage long
+# sys_vhangup(void)
+#
+probe nd_syscall.vhangup = kernel.function("sys_vhangup") {
+	name = "vhangup"
+	argstr = ""
+}
+probe nd_syscall.vhangup.return = kernel.function("sys_vhangup").return {
+	name = "vhangup"
+	retstr = returnstr(1)
+}
+
+# vmsplice ___________________________________________________
+#
+# long sys_vmsplice(int fd, const struct iovec __user *iov,
+#	    unsigned long nr_segs, unsigned int flags)
+# long compat_sys_vmsplice(int fd, const struct compat_iovec __user *iov32,
+#	    unsigned int nr_segs, unsigned int flags)
+#
+probe nd_syscall.vmsplice = kernel.function("sys_vmsplice") ? {
+	name = "vmsplice"
+	// argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov, $nr_segs, $flags)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %d, 0x%x", int_arg(1), pointer_arg(2), ulong_arg(3), uint_arg(4))
+}
+probe nd_syscall.compat_vmsplice = kernel.function("compat_sys_vmsplice") ? {
+	name = "vmsplice"
+	// argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov32, $nr_segs, $flags)
+	asmlinkage()
+	argstr = sprintf("%d, %p, %d, 0x%x", int_arg(1), pointer_arg(2), uint_arg(3), uint_arg(4))
+}
+probe nd_syscall.vmsplice.return = kernel.function("sys_vmsplice").return ? {
+	name = "vmsplice"
+	retstr = returnstr(1)
+}
+probe nd_syscall.compat_vmsplice.return = kernel.function("compat_sys_vmsplice").return ? {
+	name = "vmsplice"
+	retstr = returnstr(1)
+}
+
+# wait4 ______________________________________________________
+#
+# long sys_wait4(pid_t pid,
+#	     int __user *stat_addr,
+#	     int options,
+#	     struct rusage __user *ru)
+#
+probe nd_syscall.wait4 = kernel.function("sys_wait4") {
+	name = "wait4"
+	// pid = %( kernel_vr >= "2.6.25" %? $upid %: $pid%)
+	// status_uaddr = $stat_addr
+	// options = $options
+	// options_str = _wait4_opt_str($options)
+	// rusage_uaddr = $ru
+	// argstr = sprintf("%d, %p, %s, %p",
+	// 		 %( kernel_vr >= "2.6.25" %? $upid %: $pid%),
+	// 		 $stat_addr,_wait4_opt_str($options), $ru)
+	asmlinkage()
+	pid = int_arg(1)	
+	status_uaddr = pointer_arg(2)
+	options = int_arg(3)
+	options_str = _wait4_opt_str(options)
+	rusage_uaddr = pointer_arg(4)
+	argstr = sprintf("%d, %p, %s, %p", pid, status_uaddr,_wait4_opt_str(options), rusage_uaddr)
+
+}
+probe nd_syscall.wait4.return = kernel.function("sys_wait4").return {
+	name = "wait4"
+	retstr = returnstr(1)
+}
+# waitid _____________________________________________________
+#
+# long sys_waitid(int which,
+#		pid_t pid,
+#		struct siginfo __user *infop,
+#		int options,
+#		struct rusage __user *ru)
+#
+probe nd_syscall.waitid = kernel.function("sys_waitid") {
+	name = "waitid"
+	// pid = %( kernel_vr >= "2.6.25" %? $upid %: $pid%)
+	// which = $which
+	// which_str = _waitid_which_str($which)
+	// infop_uaddr = $infop
+	// options = $options
+	// options_str = _waitid_opt_str($options)
+	// rusage_uaddr = $ru
+	// argstr = sprintf("%d, %d, %p, %s, %p", $which,
+	// 	   %( kernel_vr >= "2.6.25" %? $upid %: $pid%), $infop,
+	// 	    _waitid_opt_str($options), $ru)
+	asmlinkage()
+	pid =  int_arg(1)
+	which = int_arg(2)
+	which_str = _waitid_which_str(which)
+	infop_uaddr = pointer_arg(3)
+	options = int_arg(4)
+	options_str = _waitid_opt_str(options)
+	rusage_uaddr = pointer_arg(5)
+	argstr = sprintf("%d, %d, %p, %s, %p", which,
+			pid, infop_uaddr, _waitid_opt_str(options), rusage_uaddr)
+}
+probe nd_syscall.waitid.return = kernel.function("sys_waitid").return {
+	name = "waitid"
+	retstr = returnstr(1)
+}
+/* FIXME:
+# waitpid ____________________________________________________
+#
+# long sys_wait4(pid_t pid,
+#	     int __user *stat_addr,
+#	     int options,
+#	     struct rusage __user *ru)
+#
+probe nd_syscall.waitpid = kernel.function("sys_wait4") {
+	name = "waitpid"
+	pid = $pid
+	status_uaddr = $stat_addr
+	options = $options
+	options_str = _wait4_opt_str($options)
+	rusage_uaddr = $ru
+	argstr = sprintf("%d, %p, %s, %p", $pid, $stat_addr,
+				options_str, $ru)
+}
+probe nd_syscall.waitpid.return = kernel.function("sys_wait4").return {
+	name = "waitpid"
+	retstr = returnstr(1)
+}
+*/
+
+# write ______________________________________________________
+#
+# ssize_t sys_write(unsigned int fd,
+#	     const char __user * buf,
+#	     size_t count)
+#
+probe nd_syscall.write = kernel.function("sys_write") {
+	name = "write"
+	// fd = $fd
+	// buf_uaddr = $buf
+	// count = $count
+	// argstr = sprintf("%d, %s, %d", $fd, text_strn(user_string($buf),syscall_string_trunc,1), $count)
+	asmlinkage()
+	fd = uint_arg(1)
+	buf_uaddr = pointer_arg(2)
+	count = ulong_arg(3)
+	argstr = sprintf("%d, %s, %d", fd, text_strn(user_string(buf_uaddr),syscall_string_trunc,1), count)
+
+}
+probe nd_syscall.write.return = kernel.function("sys_write").return {
+	name = "write"
+	retstr = returnstr(1)
+}
+
+# writev _____________________________________________________
+#
+# ssize_t sys_writev(unsigned long fd,
+#		const struct iovec __user *vec,
+#		unsigned long vlen)
+# ssize_t compat_sys_writev(unsigned long fd, 
+#		const struct compat_iovec __user *vec, 
+#		unsigned long vlen)
+#
+probe nd_syscall.writev = 
+		kernel.function("sys_writev"),
+		kernel.function("compat_sys_writev") ?
+{
+	name = "writev"
+	// vector_uaddr = $vec
+	// count = $vlen
+/* FIXME: RHEL4 U3 ppc64 can't resolve $fd */ 
+// %( arch != "ppc64" %?
+    // fd = $fd
+	// argstr = sprintf("%d, %p, %d", $fd, $vec, $vlen)
+// %:
+	// argstr = sprintf("unknown fd, %p, %d", $vec, $vlen)
+// %)
+	asmlinkage()
+	vector_uaddr = pointer_arg(2)
+	count = ulong_arg(3)
+	fd = ulong_arg(1)
+	argstr = sprintf("%d, %p, %d", fd, vector_uaddr, count)
+}
+
+probe nd_syscall.writev.return = 
+		kernel.function("sys_writev").return, 
+		kernel.function("compat_sys_writev").return ?
+{
+	name = "writev"
+	retstr = returnstr(1)
+}