authorPaul Buetow <paul@buetow.org>2026-05-21 11:48:49 +0300
committerPaul Buetow <paul@buetow.org>2026-05-21 11:48:49 +0300
commite05a19f5847693600f0c424b699d94594306c2d7 (patch)
treef6c5593e153d02fa143ce2c50cd6133d23811111 /internal/c
parent8bd5f17ae2cd662b21fcd45a849c4b701a3aa40f (diff)
i7 classify memory P3 syscalls as mem kind
Diffstat (limited to 'internal/c')
-rw-r--r--internal/c/generated_tracepoints.c70
-rw-r--r--internal/c/generated_tracepoints_result.txt14
2 files changed, 56 insertions, 28 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index d85508c..9f2f283 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -12035,7 +12035,7 @@ int handle_sys_exit_process_madvise(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_mseal is a struct null_event (kind=null)
+/// sys_enter_mseal is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_mseal")
int handle_sys_enter_mseal(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -12045,15 +12045,19 @@ int handle_sys_enter_mseal(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_MSEAL))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_MSEAL;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = 0;
+ ev->flags = (__u64)ctx->args[2];
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -12593,7 +12597,7 @@ int handle_sys_exit_munmap(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_remap_file_pages is a struct null_event (kind=null)
+/// sys_enter_remap_file_pages is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_remap_file_pages")
int handle_sys_enter_remap_file_pages(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -12603,15 +12607,19 @@ int handle_sys_enter_remap_file_pages(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_REMAP_FILE_PAGES))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_REMAP_FILE_PAGES;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = (__u64)ctx->args[3];
+ ev->flags = (__u64)ctx->args[4];
bpf_ringbuf_submit(ev, 0);
return 0;
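Review bot: In handle_sys_enter_remap_file_pages, `ev->length2 = (__u64)ctx->args[3];` stores the fourth syscall argument, which for remap_file_pages is pgoff (a file offset counted in pages), into a field that every other handler in this commit sets to 0. If the userspace consumer reads length2 as a byte count, as the field name suggests, this event will report a misleading size in the trace. Either emit `ev->length2 = 0;` here or add a comment on the field stating that it carries pgoff for SYS_ENTER_REMAP_FILE_PAGES. The file appears to be generated, so the fix belongs in the generator's argument mapping for the mem kind; the handler body starts and ends outside this hunk.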
@@ -12643,7 +12651,7 @@ int handle_sys_exit_remap_file_pages(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_mlock is a struct null_event (kind=null)
+/// sys_enter_mlock is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_mlock")
int handle_sys_enter_mlock(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -12653,15 +12661,19 @@ int handle_sys_enter_mlock(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_MLOCK))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_MLOCK;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = 0;
+ ev->flags = 0;
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -12693,7 +12705,7 @@ int handle_sys_exit_mlock(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_mlock2 is a struct null_event (kind=null)
+/// sys_enter_mlock2 is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_mlock2")
int handle_sys_enter_mlock2(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -12703,15 +12715,19 @@ int handle_sys_enter_mlock2(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_MLOCK2))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_MLOCK2;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = 0;
+ ev->flags = (__u64)ctx->args[2];
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -12743,7 +12759,7 @@ int handle_sys_exit_mlock2(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_munlock is a struct null_event (kind=null)
+/// sys_enter_munlock is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_munlock")
int handle_sys_enter_munlock(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -12753,15 +12769,19 @@ int handle_sys_enter_munlock(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_MUNLOCK))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_MUNLOCK;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = 0;
+ ev->flags = 0;
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -12893,7 +12913,7 @@ int handle_sys_exit_munlockall(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_mincore is a struct null_event (kind=null)
+/// sys_enter_mincore is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_mincore")
int handle_sys_enter_mincore(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -12903,15 +12923,19 @@ int handle_sys_enter_mincore(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_MINCORE))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_MINCORE;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = 0;
+ ev->flags = 0;
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -19256,7 +19280,7 @@ int handle_sys_exit_unshare(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_map_shadow_stack is a struct null_event (kind=null)
+/// sys_enter_map_shadow_stack is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_map_shadow_stack")
int handle_sys_enter_map_shadow_stack(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -19266,15 +19290,19 @@ int handle_sys_enter_map_shadow_stack(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_MAP_SHADOW_STACK))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_MAP_SHADOW_STACK;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = 0;
+ ev->flags = (__u64)ctx->args[2];
bpf_ringbuf_submit(ev, 0);
return 0;
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 85dc95f..ed07ec6 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -154,19 +154,19 @@ sys_enter_lsm_get_self_attr is a struct null_event (kind=null)
sys_enter_lsm_list_modules is a struct null_event (kind=null)
sys_enter_lsm_set_self_attr is a struct null_event (kind=null)
sys_enter_madvise is a struct null_event (kind=null)
-sys_enter_map_shadow_stack is a struct null_event (kind=null)
+sys_enter_map_shadow_stack is a struct mem_event (kind=mem)
sys_enter_mbind is a struct null_event (kind=null)
sys_enter_membarrier is a struct null_event (kind=null)
sys_enter_memfd_create is a struct eventfd_event (kind=eventfd)
sys_enter_memfd_secret is a struct eventfd_event (kind=eventfd)
sys_enter_migrate_pages is a struct null_event (kind=null)
-sys_enter_mincore is a struct null_event (kind=null)
+sys_enter_mincore is a struct mem_event (kind=mem)
sys_enter_mkdir is a struct path_event (kind=pathname)
sys_enter_mkdirat is a struct path_event (kind=pathname)
sys_enter_mknod is a struct path_event (kind=pathname)
sys_enter_mknodat is a struct path_event (kind=pathname)
-sys_enter_mlock is a struct null_event (kind=null)
-sys_enter_mlock2 is a struct null_event (kind=null)
+sys_enter_mlock is a struct mem_event (kind=mem)
+sys_enter_mlock2 is a struct mem_event (kind=mem)
sys_enter_mlockall is a struct null_event (kind=null)
sys_enter_mmap is a struct fd_event (kind=fd)
sys_enter_modify_ldt is a struct null_event (kind=null)
@@ -182,13 +182,13 @@ sys_enter_mq_timedreceive is a struct fd_event (kind=fd)
sys_enter_mq_timedsend is a struct fd_event (kind=fd)
sys_enter_mq_unlink is a struct path_event (kind=pathname)
sys_enter_mremap is a struct mem_event (kind=mem)
-sys_enter_mseal is a struct null_event (kind=null)
+sys_enter_mseal is a struct mem_event (kind=mem)
sys_enter_msgctl is a struct null_event (kind=null)
sys_enter_msgget is a struct null_event (kind=null)
sys_enter_msgrcv is a struct null_event (kind=null)
sys_enter_msgsnd is a struct null_event (kind=null)
sys_enter_msync is a struct null_event (kind=null)
-sys_enter_munlock is a struct null_event (kind=null)
+sys_enter_munlock is a struct mem_event (kind=mem)
sys_enter_munlockall is a struct null_event (kind=null)
sys_enter_munmap is a struct mem_event (kind=mem)
sys_enter_name_to_handle_at is a struct path_event (kind=pathname)
@@ -243,7 +243,7 @@ sys_enter_reboot is a struct null_event (kind=null)
sys_enter_recvfrom is a struct fd_event (kind=fd)
sys_enter_recvmmsg is a struct fd_event (kind=fd)
sys_enter_recvmsg is a struct fd_event (kind=fd)
-sys_enter_remap_file_pages is a struct null_event (kind=null)
+sys_enter_remap_file_pages is a struct mem_event (kind=mem)
sys_enter_removexattr is a struct path_event (kind=pathname)
sys_enter_removexattrat is a struct path_event (kind=pathname)
sys_enter_rename is a struct name_event (kind=name)