| -rw-r--r-- | docs/syscall-tracing-plan.md | 4 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints.c | 28 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 8 | ||||
| -rw-r--r-- | internal/generate/classify.go | 21 | ||||
| -rw-r--r-- | internal/generate/classify_test.go | 4 | ||||
| -rw-r--r-- | internal/tracepoints/generated_tracepoints.go | 8 |
6 files changed, 49 insertions, 24 deletions
diff --git a/docs/syscall-tracing-plan.md b/docs/syscall-tracing-plan.md index 660c641..0f7cd98 100644 --- a/docs/syscall-tracing-plan.md +++ b/docs/syscall-tracing-plan.md 
@@ -61,14 +61,14 @@ sudo ./ior -trace-syscalls openat,recvmsg,nanosleep -no-trace-kinds null - eventfd: `epoll_create`, `epoll_create1`, `eventfd`, `eventfd2`, `fanotify_init`, `fsmount`, `fsopen`, `inotify_init`, `inotify_init1`, `landlock_create_ruleset`, `memfd_create`, `memfd_secret`, `signalfd`, `signalfd4`, `timerfd_create`, `userfaultfd` - exec: `execve`, `execveat` - fcntl: `fcntl` -- fd: `bind`, `cachestat`, `close`, `connect`, `copy_file_range`, `dup`, `dup2`, `epoll_pwait`, `epoll_pwait2`, `epoll_wait`, `fadvise64`, `fallocate`, `fchdir`, `fchmod`, `fchown`, `fdatasync`, `fgetxattr`, `finit_module`, `flistxattr`, `flock`, `fremovexattr`, `fsconfig`, `fsetxattr`, `fstatfs`, `fsync`, `ftruncate`, `getdents`, `getdents64`, `getpeername`, `getsockname`, `getsockopt`, `inotify_add_watch`, `inotify_rm_watch`, `io_uring_enter`, `io_uring_register`, `ioctl`, `kexec_file_load`, `landlock_add_rule`, `landlock_restrict_self`, `listen`, `lseek`, `mmap`, `mq_getsetattr`, `mq_notify`, `mq_timedreceive`, `mq_timedsend`, `newfstat`, `pidfd_getfd`, `pidfd_send_signal`, `pread64`, `preadv`, `preadv2`, `process_madvise`, `process_mrelease`, `pwrite64`, `pwritev`, `pwritev2`, `quotactl_fd`, `read`, `readahead`, `readv`, `recvfrom`, `recvmmsg`, `recvmsg`, `sendfile64`, `sendmmsg`, `sendmsg`, `sendto`, `setns`, `setsockopt`, `shutdown`, `sync_file_range`, `syncfs`, `vmsplice`, `write`, `writev` +- fd: `bind`, `cachestat`, `close`, `connect`, `copy_file_range`, `dup`, `dup2`, `epoll_pwait`, `epoll_pwait2`, `epoll_wait`, `fadvise64`, `fallocate`, `fchdir`, `fchmod`, `fchown`, `fdatasync`, `fgetxattr`, `finit_module`, `flistxattr`, `flock`, `fremovexattr`, `fsconfig`, `fsetxattr`, `fstatfs`, `fsync`, `ftruncate`, `getdents`, `getdents64`, `getpeername`, `getsockname`, `getsockopt`, `inotify_add_watch`, `inotify_rm_watch`, `io_uring_enter`, `io_uring_register`, `ioctl`, `kexec_file_load`, `landlock_add_rule`, `landlock_restrict_self`, `listen`, `lseek`, `mmap`, `mq_getsetattr`, 
`mq_notify`, `mq_timedreceive`, `mq_timedsend`, `newfstat`, `pidfd_getfd`, `pidfd_send_signal`, `pread64`, `preadv`, `preadv2`, `process_madvise`, `process_mrelease`, `pwrite64`, `pwritev`, `pwritev2`, `quotactl_fd`, `read`, `readahead`, `readv`, `recvfrom`, `recvmmsg`, `recvmsg`, `sendfile64`, `sendmmsg`, `sendmsg`, `sendto`, `setns`, `setsockopt`, `shutdown`, `splice`, `sync_file_range`, `syncfs`, `tee`, `timerfd_gettime`, `timerfd_settime`, `vmsplice`, `write`, `writev` - futex: `futex`, `futex_requeue`, `futex_wait`, `futex_waitv`, `futex_wake` - keyctl: `add_key`, `keyctl`, `request_key` - mem: `brk`, `madvise`, `map_shadow_stack`, `mincore`, `mlock`, `mlock2`, `mprotect`, `mremap`, `mseal`, `munlock`, `munmap`, `pkey_mprotect`, `remap_file_pages` - module: `delete_module`, `init_module` - mq-open: `mq_open` - name: `link`, `linkat`, `rename`, `renameat`, `renameat2`, `symlink`, `symlinkat` -- null: `adjtimex`, `alarm`, `arch_prctl`, `capget`, `capset`, `clock_adjtime`, `clock_getres`, `clock_gettime`, `clock_settime`, `exit`, `exit_group`, `get_mempolicy`, `get_robust_list`, `getcpu`, `getcwd`, `getegid`, `geteuid`, `getgid`, `getgroups`, `getitimer`, `getpgid`, `getpgrp`, `getpid`, `getppid`, `getpriority`, `getrandom`, `getresgid`, `getresuid`, `getrlimit`, `getrusage`, `getsid`, `gettid`, `gettimeofday`, `getuid`, `io_cancel`, `io_destroy`, `io_getevents`, `io_pgetevents`, `io_setup`, `io_submit`, `io_uring_setup`, `ioperm`, `iopl`, `ioprio_get`, `ioprio_set`, `kexec_load`, `kill`, `listmount`, `listns`, `lsm_get_self_attr`, `lsm_list_modules`, `lsm_set_self_attr`, `mbind`, `membarrier`, `migrate_pages`, `mlockall`, `modify_ldt`, `move_pages`, `msync`, `munlockall`, `newuname`, `pause`, `personality`, `pkey_alloc`, `pkey_free`, `prlimit64`, `process_vm_readv`, `process_vm_writev`, `reboot`, `restart_syscall`, `rseq`, `rt_sigaction`, `rt_sigpending`, `rt_sigprocmask`, `rt_sigqueueinfo`, `rt_sigreturn`, `rt_sigsuspend`, `rt_sigtimedwait`, 
`rt_tgsigqueueinfo`, `sched_get_priority_max`, `sched_get_priority_min`, `sched_getaffinity`, `sched_getattr`, `sched_getparam`, `sched_getscheduler`, `sched_rr_get_interval`, `sched_setaffinity`, `sched_setattr`, `sched_setparam`, `sched_setscheduler`, `sched_yield`, `set_mempolicy`, `set_mempolicy_home_node`, `set_robust_list`, `set_tid_address`, `setdomainname`, `setfsgid`, `setfsuid`, `setgid`, `setgroups`, `sethostname`, `setitimer`, `setpgid`, `setpriority`, `setregid`, `setresgid`, `setresuid`, `setreuid`, `setrlimit`, `setsid`, `settimeofday`, `setuid`, `sigaltstack`, `splice`, `statmount`, `sync`, `sysfs`, `sysinfo`, `syslog`, `tee`, `tgkill`, `time`, `timerfd_gettime`, `timerfd_settime`, `times`, `tkill`, `umask`, `unshare`, `uprobe`, `uretprobe`, `ustat`, `vhangup` +- null: `adjtimex`, `alarm`, `arch_prctl`, `capget`, `capset`, `clock_adjtime`, `clock_getres`, `clock_gettime`, `clock_settime`, `exit`, `exit_group`, `get_mempolicy`, `get_robust_list`, `getcpu`, `getcwd`, `getegid`, `geteuid`, `getgid`, `getgroups`, `getitimer`, `getpgid`, `getpgrp`, `getpid`, `getppid`, `getpriority`, `getrandom`, `getresgid`, `getresuid`, `getrlimit`, `getrusage`, `getsid`, `gettid`, `gettimeofday`, `getuid`, `io_cancel`, `io_destroy`, `io_getevents`, `io_pgetevents`, `io_setup`, `io_submit`, `io_uring_setup`, `ioperm`, `iopl`, `ioprio_get`, `ioprio_set`, `kexec_load`, `kill`, `listmount`, `listns`, `lsm_get_self_attr`, `lsm_list_modules`, `lsm_set_self_attr`, `mbind`, `membarrier`, `migrate_pages`, `mlockall`, `modify_ldt`, `move_pages`, `msync`, `munlockall`, `newuname`, `pause`, `personality`, `pkey_alloc`, `pkey_free`, `prlimit64`, `process_vm_readv`, `process_vm_writev`, `reboot`, `restart_syscall`, `rseq`, `rt_sigaction`, `rt_sigpending`, `rt_sigprocmask`, `rt_sigqueueinfo`, `rt_sigreturn`, `rt_sigsuspend`, `rt_sigtimedwait`, `rt_tgsigqueueinfo`, `sched_get_priority_max`, `sched_get_priority_min`, `sched_getaffinity`, `sched_getattr`, `sched_getparam`, 
`sched_getscheduler`, `sched_rr_get_interval`, `sched_setaffinity`, `sched_setattr`, `sched_setparam`, `sched_setscheduler`, `sched_yield`, `set_mempolicy`, `set_mempolicy_home_node`, `set_robust_list`, `set_tid_address`, `setdomainname`, `setfsgid`, `setfsuid`, `setgid`, `setgroups`, `sethostname`, `setitimer`, `setpgid`, `setpriority`, `setregid`, `setresgid`, `setresuid`, `setreuid`, `setrlimit`, `setsid`, `settimeofday`, `setuid`, `sigaltstack`, `statmount`, `sync`, `sysfs`, `sysinfo`, `syslog`, `tgkill`, `time`, `times`, `tkill`, `umask`, `unshare`, `uprobe`, `uretprobe`, `ustat`, `vhangup` - open: `open`, `open_tree`, `open_tree_attr`, `openat`, `openat2` - open-by-handle-at: `open_by_handle_at` - pathname: `access`, `acct`, `chdir`, `chmod`, `chown`, `chroot`, `creat`, `faccessat`, `faccessat2`, `fanotify_mark`, `fchmodat`, `fchmodat2`, `fchownat`, `file_getattr`, `file_setattr`, `fspick`, `futimesat`, `getxattr`, `getxattrat`, `lchown`, `lgetxattr`, `listxattr`, `listxattrat`, `llistxattr`, `lremovexattr`, `lsetxattr`, `mkdir`, `mkdirat`, `mknod`, `mknodat`, `mount`, `mount_setattr`, `mq_unlink`, `name_to_handle_at`, `newfstatat`, `newlstat`, `newstat`, `pivot_root`, `quotactl`, `readlink`, `readlinkat`, `removexattr`, `removexattrat`, `rmdir`, `setxattr`, `setxattrat`, `statfs`, `statx`, `swapoff`, `swapon`, `truncate`, `umount`, `unlink`, `unlinkat`, `utime`, `utimensat`, `utimes` diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index 4ec7b86..f2f3d46 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -4169,7 +4169,7 @@ int handle_sys_exit_timerfd_create(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_timerfd_settime is a struct null_event (kind=null) +/// sys_enter_timerfd_settime is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_timerfd_settime") int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
@@ -4179,15 +4179,16 @@ int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_SETTIME)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_TIMERFD_SETTIME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -4219,7 +4220,7 @@ int handle_sys_exit_timerfd_settime(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_timerfd_gettime is a struct null_event (kind=null) +/// sys_enter_timerfd_gettime is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_timerfd_gettime") int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -4229,15 +4230,16 @@ int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_GETTIME)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_TIMERFD_GETTIME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -6039,7 +6041,7 @@ int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_splice is a struct null_event (kind=null) +/// sys_enter_splice is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_splice") int handle_sys_enter_splice(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
@@ -6049,15 +6051,16 @@ int handle_sys_enter_splice(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_SPLICE)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_SPLICE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -6089,7 +6092,7 @@ int handle_sys_exit_splice(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_tee is a struct null_event (kind=null) +/// sys_enter_tee is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_tee") int handle_sys_enter_tee(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -6099,15 +6102,16 @@ int handle_sys_enter_tee(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_TEE)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_TEE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 3804441..3ec20dd 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt 
@@ -318,7 +318,7 @@ sys_enter_signalfd is a struct eventfd_event (kind=eventfd) sys_enter_signalfd4 is a struct eventfd_event (kind=eventfd) sys_enter_socket is a struct socket_event (kind=socket) sys_enter_socketpair is a struct socketpair_event (kind=socketpair) -sys_enter_splice is a struct null_event (kind=null) +sys_enter_splice is a struct fd_event (kind=fd) sys_enter_statfs is a struct path_event (kind=pathname) sys_enter_statmount is a struct null_event (kind=null) sys_enter_statx is a struct path_event (kind=pathname) @@ -332,7 +332,7 @@ sys_enter_syncfs is a struct fd_event (kind=fd) sys_enter_sysfs is a struct null_event (kind=null) sys_enter_sysinfo is a struct null_event (kind=null) sys_enter_syslog is a struct null_event (kind=null) -sys_enter_tee is a struct null_event (kind=null) +sys_enter_tee is a struct fd_event (kind=fd) sys_enter_tgkill is a struct null_event (kind=null) sys_enter_time is a struct null_event (kind=null) sys_enter_timer_create is a struct null_event (kind=timer-obj) @@ -341,8 +341,8 @@ sys_enter_timer_getoverrun is a struct null_event (kind=timer-obj) sys_enter_timer_gettime is a struct null_event (kind=timer-obj) sys_enter_timer_settime is a struct null_event (kind=timer-obj) sys_enter_timerfd_create is a struct eventfd_event (kind=eventfd) -sys_enter_timerfd_gettime is a struct null_event (kind=null) -sys_enter_timerfd_settime is a struct null_event (kind=null) +sys_enter_timerfd_gettime is a struct fd_event (kind=fd) +sys_enter_timerfd_settime is a struct fd_event (kind=fd) sys_enter_times is a struct null_event (kind=null) sys_enter_tkill is a struct null_event (kind=null) sys_enter_truncate is a struct path_event (kind=pathname) diff --git a/internal/generate/classify.go b/internal/generate/classify.go index 3ba0c00..efc9917 100644 --- a/internal/generate/classify.go +++ b/internal/generate/classify.go 
@@ -202,6 +202,16 @@ var nameOnlyKindsTable = map[string]TracepointKind{
 "sys_exit_signalfd4": KindEventfd,
 "sys_enter_timerfd_create": KindEventfd,
 "sys_exit_timerfd_create": KindEventfd,
+ // timerfd_settime/timerfd_gettime operate on an EXISTING timerfd whose
+ // tracepoint arg0 is named "ufd" (int), not literally "fd". The generic
+ // field matcher (classifyByField) only maps fieldName=="fd" -> KindFd, so
+ // without these overrides they fall through to KindNull and capture NO
+ // descriptor — dropping the timerfd they act on. Classify them KindFd so
+ // the enter handler captures the timerfd at args[0], mirroring the
+ // epoll_wait(epfd) and mq_*(mqdes) precedent. timerfd_create above is the
+ // fd CREATOR (KindEventfd) and is intentionally left unchanged.
+ "sys_enter_timerfd_settime": KindFd,
+ "sys_enter_timerfd_gettime": KindFd,
 "sys_enter_epoll_create": KindEventfd,
 "sys_exit_epoll_create": KindEventfd,
@@ -257,6 +267,17 @@ var nameOnlyKindsTable = map[string]TracepointKind{
 // the single-fd KindFd convention used for copy_file_range and the
 // read/write/sendto/recvfrom families.
 "sys_enter_sendfile64": KindFd,
+ // splice(fd_in, off_in, fd_out, off_out, len, flags) and
+ // tee(fdin, fdout, len, flags) are in-kernel transfers between two
+ // EXISTING file descriptors (TransferClassified, see retClassifications),
+ // exactly like copy_file_range/sendfile64. Their arg0 is the source fd
+ // named "fd_in"/"fdin" — not literally "fd" — so the generic field matcher
+ // (classifyByField) leaves them at KindNull, capturing NO descriptor and
+ // dropping the fds they operate on. Classify them KindFd to capture the
+ // source fd at args[0], matching the single-fd KindFd convention already
+ // used for copy_file_range and sendfile64.
+ "sys_enter_splice": KindFd,
+ "sys_enter_tee": KindFd,
 "sys_enter_statmount": KindNull,
 "sys_enter_listmount": KindNull,
 "sys_enter_listns": KindNull,
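Review bot: The overrides added after `sys_exit_timerfd_create` patch `ufd` by tracepoint name, but the comment itself gives the cause as classifyByField matching only a field literally called `fd`, so the next tracepoint whose descriptor argument has another name will again land on KindNull with no signal. For a tracer that loss of the descriptor is silent, so I would add a generator test that fails when a tracepoint left at KindNull has an int first argument whose name contains `fd`, with an explicit allowlist for intended exceptions. classifyByField is outside this hunk, so where that check hooks in is an assumption. The same concern applies to the `sys_enter_splice` and `sys_enter_tee` entries in the next hunk; nameOnlyKindsTable starts and ends outside both hunks.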
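Review bot: The comment above `sys_enter_splice` and `sys_enter_tee` says the KindNull default was "dropping the fds they operate on", but the new entries capture only the source descriptor at args[0]; going by the signatures quoted in that same comment, the destination (`fd_out`, `fdout`) is still not recorded. Anyone reading a trace to find out where data was written will see the transfer attributed to the input descriptor alone. I would state that limit in the comment, for example `// NOTE: only the source fd (args[0]) is captured; fd_out/fdout is not recorded.`, unless an event kind carrying both descriptors is planned.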
diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go index 4993293..7d68e40 100644 --- a/internal/generate/classify_test.go +++ b/internal/generate/classify_test.go @@ -304,8 +304,8 @@ func TestClassifyPhaseAByteSyscallPairsAccepted(t *testing.T) { {"sendto", "struct fd_event", "WRITE_CLASSIFIED"}, {"sendmsg", "struct fd_event", "WRITE_CLASSIFIED"}, {"sendfile64", "struct fd_event", "TRANSFER_CLASSIFIED"}, - {"splice", "struct null_event", "TRANSFER_CLASSIFIED"}, - {"tee", "struct null_event", "TRANSFER_CLASSIFIED"}, + {"splice", "struct fd_event", "TRANSFER_CLASSIFIED"}, + {"tee", "struct fd_event", "TRANSFER_CLASSIFIED"}, {"process_vm_readv", "struct null_event", "READ_CLASSIFIED"}, {"process_vm_writev", "struct null_event", "WRITE_CLASSIFIED"}, } diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go index 58bc617..ed379d4 100644 --- a/internal/tracepoints/generated_tracepoints.go +++ b/internal/tracepoints/generated_tracepoints.go @@ -1426,7 +1426,7 @@ var syscallKinds = map[string]string{ "signalfd4": "eventfd", "socket": "socket", "socketpair": "socketpair", - "splice": "null", + "splice": "fd", "statfs": "pathname", "statmount": "null", "statx": "pathname", @@ -1440,7 +1440,7 @@ var syscallKinds = map[string]string{ "sysfs": "null", "sysinfo": "null", "syslog": "null", - "tee": "null", + "tee": "fd", "tgkill": "null", "time": "null", "timer_create": "timer-obj", @@ -1449,8 +1449,8 @@ var syscallKinds = map[string]string{ "timer_gettime": "timer-obj", "timer_settime": "timer-obj", "timerfd_create": "eventfd", - "timerfd_gettime": "null", - "timerfd_settime": "null", + "timerfd_gettime": "fd", + "timerfd_settime": "fd", "times": "null", "tkill": "null", "truncate": "pathname", |
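Review bot: The updated rows in classify_test.go cover `splice` and `tee`, but nothing in this hunk asserts the new KindFd classification of `timerfd_settime` and `timerfd_gettime`, which the same commit adds to nameOnlyKindsTable. Those two are not byte-transfer syscalls, so they probably do not belong in TestClassifyPhaseAByteSyscallPairsAccepted; a separate case asserting that `sys_enter_timerfd_settime` and `sys_enter_timerfd_gettime` resolve to `KindFd` would pin the override against a later table edit. A test outside this hunk may already cover it, and the test function itself begins outside the hunk.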
