Implement event notifiers for syscalls

Signed-off-by: Francis Deslauriers <francis.deslauriers@efficios.com>
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Change-Id: I31e60d0d758b93ada11d208f583d71f05168c014

diff --git a/include/instrumentation/syscalls/headers/syscalls_unknown.h b/include/instrumentation/syscalls/headers/syscalls_unknown.h
index 64e53792e5b2f1c8a29ac860e64a94593940a240..8645d7144f0e90950d1e24a810a92fe10dda755f 100644 (file)
--- a/include/instrumentation/syscalls/headers/syscalls_unknown.h
+++ b/include/instrumentation/syscalls/headers/syscalls_unknown.h
@@ -9,7 +9,10 @@
 #define UNKNOWN_SYSCALL_NRARGS 6
 
 #undef TP_PROBE_CB
-#define TP_PROBE_CB(_template)          &syscall_entry_event_probe
+#define TP_PROBE_CB(_template)                 &syscall_entry_event_probe
+
+#undef TP_EVENT_NOTIFIER_PROBE_CB
+#define TP_EVENT_NOTIFIER_PROBE_CB(_template)  &syscall_entry_event_notifier_probe
 
 LTTNG_TRACEPOINT_EVENT(syscall_entry_unknown,
        TP_PROTO(int id, unsigned long *args),
@@ -30,6 +33,8 @@ LTTNG_TRACEPOINT_EVENT(compat_syscall_entry_unknown,
 
 #undef TP_PROBE_CB
 #define TP_PROBE_CB(_template)          &syscall_exit_event_probe
+#undef TP_EVENT_NOTIFIER_PROBE_CB
+#define TP_EVENT_NOTIFIER_PROBE_CB(_template)  &syscall_exit_event_notifier_probe
 
 LTTNG_TRACEPOINT_EVENT(syscall_exit_unknown,
        TP_PROTO(int id, long ret, unsigned long *args),

diff --git a/include/lttng/abi.h b/include/lttng/abi.h
index 75c2cb087fdb1ea791413c832b0e6c5c18dfae27..c7c6dc1949b8e2fa237de65f29ede9f7ac0a75d6 100644 (file)
--- a/include/lttng/abi.h
+++ b/include/lttng/abi.h
@@ -98,8 +98,8 @@ enum lttng_kernel_syscall_entryexit {
 
 enum lttng_kernel_syscall_abi {
        LTTNG_KERNEL_SYSCALL_ABI_ALL = 0,
-       LTTNG_KERNEL_SYSCALL_ABI_NATIVE = 1,    /* Not implemented. */
-       LTTNG_KERNEL_SYSCALL_ABI_COMPAT = 2,    /* Not implemented. */
+       LTTNG_KERNEL_SYSCALL_ABI_NATIVE = 1,
+       LTTNG_KERNEL_SYSCALL_ABI_COMPAT = 2,
 };
 
 enum lttng_kernel_syscall_match {

diff --git a/include/lttng/events.h b/include/lttng/events.h
index 05b0f7cf7a9740a1e32ade6753cd91fa763e379b..6125f08bc1d63a90c26cdfe446e7f6470abc7b04 100644 (file)
--- a/include/lttng/events.h
+++ b/include/lttng/events.h
@@ -350,6 +350,13 @@ struct lttng_event_notifier {
        union {
                struct lttng_kprobe kprobe;
                struct lttng_uprobe uprobe;
+               struct {
+                       enum lttng_syscall_entryexit entryexit;
+                       enum lttng_syscall_abi abi;
+                       struct hlist_node node;                 /* chain registered syscall event_notifier */
+                       unsigned int syscall_id;
+               } syscall;
+
        } u;
 
        /* Backward references: list of lttng_enabler_ref (ref to enablers) */
@@ -628,6 +635,28 @@ struct lttng_event_notifier_group {
        struct lib_ring_buffer *buf;    /* Ring buffer for event notifier group. */
        wait_queue_head_t read_wait;
        struct irq_work wakeup_pending; /* Pending wakeup irq work. */
+       struct lttng_event_notifier *sc_unknown;        /* for unknown syscalls */
+       struct lttng_event_notifier *sc_compat_unknown;
+
+       struct lttng_syscall_filter *sc_filter;
+
+       struct hlist_head *event_notifier_syscall_dispatch;
+       struct hlist_head *event_notifier_compat_syscall_dispatch;
+       struct hlist_head *event_notifier_exit_syscall_dispatch;
+       struct hlist_head *event_notifier_exit_compat_syscall_dispatch;
+
+       struct hlist_head event_notifier_unknown_syscall_dispatch;
+       struct hlist_head event_notifier_compat_unknown_syscall_dispatch;
+       struct hlist_head event_notifier_exit_unknown_syscall_dispatch;
+       struct hlist_head event_notifier_exit_compat_unknown_syscall_dispatch;
+
+       int syscall_all_entry;
+       int syscall_all_exit;
+
+       unsigned int sys_enter_registered:1, sys_exit_registered:1;
+
+       struct lttng_counter *error_counter;
+       size_t error_counter_len;
 };
 
 struct lttng_metadata_cache {
@@ -769,6 +798,9 @@ int lttng_session_list_tracker_ids(struct lttng_session *session,
 void lttng_clock_ref(void);
 void lttng_clock_unref(void);
 
+int lttng_desc_match_enabler(const struct lttng_event_desc *desc,
+               struct lttng_enabler *enabler);
+
 #if defined(CONFIG_HAVE_SYSCALL_TRACEPOINTS)
 int lttng_syscalls_register_event(struct lttng_channel *chan, void *filter);
 int lttng_syscalls_unregister_event(struct lttng_channel *chan);
@@ -783,6 +815,14 @@ int lttng_syscall_filter_disable_event(
 long lttng_channel_syscall_mask(struct lttng_channel *channel,
                struct lttng_kernel_syscall_mask __user *usyscall_mask);
 
+int lttng_syscalls_register_event_notifier(
+               struct lttng_event_notifier_enabler *event_notifier_enabler,
+               void *filter);
+int lttng_syscals_create_matching_event_notifiers(
+               struct lttng_event_notifier_enabler *event_notifier_enabler, void *filter);
+int lttng_syscalls_unregister_event_notifier(struct lttng_event_notifier_group *group);
+int lttng_syscall_filter_enable_event_notifier(struct lttng_event_notifier *event_notifier);
+int lttng_syscall_filter_disable_event_notifier(struct lttng_event_notifier *event_notifier);
 #else
 static inline int lttng_syscalls_register_event(
                struct lttng_channel *chan, void *filter)
@@ -818,6 +858,32 @@ static inline long lttng_channel_syscall_mask(struct lttng_channel *channel,
        return -ENOSYS;
 }
 
+static inline int lttng_syscalls_register_event_notifier(
+               struct lttng_event_notifier_group *group, void *filter)
+{
+       return -ENOSYS;
+}
+
+static inline int lttng_syscalls_unregister_event_notifier(
+               struct lttng_event_notifier_group *group)
+{
+       return 0;
+}
+
+static inline int lttng_syscall_filter_enable_event_notifier(
+               struct lttng_event_notifier_group *group,
+               const char *name)
+{
+       return -ENOSYS;
+}
+
+static inline int lttng_syscall_filter_disable_event_notifier(
+               struct lttng_event_notifier_group *group,
+               const char *name)
+{
+       return -ENOSYS;
+}
+
 #endif
 
 void lttng_filter_sync_state(struct lttng_bytecode_runtime *runtime);

diff --git a/src/lttng-abi.c b/src/lttng-abi.c
index fbbdbabf15600bb00c0986022cf6c89db4e00a70..67f5aa87e010b9dafe10cd42d2f27356bbccae39 100644 (file)
--- a/src/lttng-abi.c
+++ b/src/lttng-abi.c
@@ -1826,11 +1826,12 @@ int lttng_abi_create_event_notifier(struct file *event_notifier_group_file,
        case LTTNG_KERNEL_KPROBE:
                event_notifier_param->event.u.kprobe.symbol_name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0';
                break;
+       case LTTNG_KERNEL_SYSCALL:
+               break;
        case LTTNG_KERNEL_KRETPROBE:
                /* Placing an event notifier on kretprobe is not supported. */
        case LTTNG_KERNEL_FUNCTION:
        case LTTNG_KERNEL_NOOP:
-       case LTTNG_KERNEL_SYSCALL:
        default:
                ret = -EINVAL;
                goto inval_instr;

diff --git a/src/lttng-events.c b/src/lttng-events.c
index 91a0810030047d59ea281a8dced6d91dc49f5aca..dff93ce6d93c3fabc838c4a33364a185e8a1c562 100644 (file)
--- a/src/lttng-events.c
+++ b/src/lttng-events.c
@@ -329,6 +329,9 @@ void lttng_event_notifier_group_destroy(
 
        mutex_lock(&sessions_mutex);
 
+       ret = lttng_syscalls_unregister_event_notifier(event_notifier_group);
+       WARN_ON(ret);
+
        list_for_each_entry_safe(event_notifier, tmpevent_notifier,
                        &event_notifier_group->event_notifiers_head, list) {
                ret = _lttng_event_notifier_unregister(event_notifier);
@@ -340,6 +343,8 @@ void lttng_event_notifier_group_destroy(
 
        irq_work_sync(&event_notifier_group->wakeup_pending);
 
+       kfree(event_notifier_group->sc_filter);
+
        list_for_each_entry_safe(event_notifier_enabler, tmp_event_notifier_enabler,
                        &event_notifier_group->enablers_head, node)
                lttng_event_notifier_enabler_destroy(event_notifier_enabler);
@@ -612,13 +617,13 @@ int lttng_event_notifier_enable(struct lttng_event_notifier *event_notifier)
        }
        switch (event_notifier->instrumentation) {
        case LTTNG_KERNEL_TRACEPOINT:
+       case LTTNG_KERNEL_SYSCALL:
                ret = -EINVAL;
                break;
        case LTTNG_KERNEL_KPROBE:
        case LTTNG_KERNEL_UPROBE:
                WRITE_ONCE(event_notifier->enabled, 1);
                break;
-       case LTTNG_KERNEL_SYSCALL:
        case LTTNG_KERNEL_FUNCTION:
        case LTTNG_KERNEL_NOOP:
        case LTTNG_KERNEL_KRETPROBE:
@@ -642,13 +647,13 @@ int lttng_event_notifier_disable(struct lttng_event_notifier *event_notifier)
        }
        switch (event_notifier->instrumentation) {
        case LTTNG_KERNEL_TRACEPOINT:
+       case LTTNG_KERNEL_SYSCALL:
                ret = -EINVAL;
                break;
        case LTTNG_KERNEL_KPROBE:
        case LTTNG_KERNEL_UPROBE:
                WRITE_ONCE(event_notifier->enabled, 0);
                break;
-       case LTTNG_KERNEL_SYSCALL:
        case LTTNG_KERNEL_FUNCTION:
        case LTTNG_KERNEL_NOOP:
        case LTTNG_KERNEL_KRETPROBE:
@@ -1009,12 +1014,12 @@ struct lttng_event_notifier *_lttng_event_notifier_create(
                break;
        case LTTNG_KERNEL_KPROBE:
        case LTTNG_KERNEL_UPROBE:
+       case LTTNG_KERNEL_SYSCALL:
                event_name = event_notifier_param->event.name;
                break;
        case LTTNG_KERNEL_KRETPROBE:
        case LTTNG_KERNEL_FUNCTION:
        case LTTNG_KERNEL_NOOP:
-       case LTTNG_KERNEL_SYSCALL:
        default:
                WARN_ON_ONCE(1);
                ret = -EINVAL;
@@ -1086,6 +1091,43 @@ struct lttng_event_notifier *_lttng_event_notifier_create(
                ret = try_module_get(event_notifier->desc->owner);
                WARN_ON_ONCE(!ret);
                break;
+       case LTTNG_KERNEL_NOOP:
+       case LTTNG_KERNEL_SYSCALL:
+               /*
+                * Needs to be explicitly enabled after creation, since
+                * we may want to apply filters.
+                */
+               event_notifier->enabled = 0;
+               event_notifier->registered = 0;
+               event_notifier->desc = event_desc;
+               switch (event_notifier_param->event.u.syscall.entryexit) {
+               case LTTNG_KERNEL_SYSCALL_ENTRYEXIT:
+                       ret = -EINVAL;
+                       goto register_error;
+               case LTTNG_KERNEL_SYSCALL_ENTRY:
+                       event_notifier->u.syscall.entryexit = LTTNG_SYSCALL_ENTRY;
+                       break;
+               case LTTNG_KERNEL_SYSCALL_EXIT:
+                       event_notifier->u.syscall.entryexit = LTTNG_SYSCALL_EXIT;
+                       break;
+               }
+               switch (event_notifier_param->event.u.syscall.abi) {
+               case LTTNG_KERNEL_SYSCALL_ABI_ALL:
+                       ret = -EINVAL;
+                       goto register_error;
+               case LTTNG_KERNEL_SYSCALL_ABI_NATIVE:
+                       event_notifier->u.syscall.abi = LTTNG_SYSCALL_ABI_NATIVE;
+                       break;
+               case LTTNG_KERNEL_SYSCALL_ABI_COMPAT:
+                       event_notifier->u.syscall.abi = LTTNG_SYSCALL_ABI_COMPAT;
+                       break;
+               }
+
+               if (!event_notifier->desc) {
+                       ret = -EINVAL;
+                       goto register_error;
+               }
+               break;
        case LTTNG_KERNEL_UPROBE:
                /*
                 * Needs to be explicitly enabled after creation, since
@@ -1111,8 +1153,6 @@ struct lttng_event_notifier *_lttng_event_notifier_create(
                break;
        case LTTNG_KERNEL_KRETPROBE:
        case LTTNG_KERNEL_FUNCTION:
-       case LTTNG_KERNEL_NOOP:
-       case LTTNG_KERNEL_SYSCALL:
        default:
                WARN_ON_ONCE(1);
                ret = -EINVAL;
@@ -1257,11 +1297,13 @@ void register_event_notifier(struct lttng_event_notifier *event_notifier)
                                                  desc->event_notifier_callback,
                                                  event_notifier);
                break;
+       case LTTNG_KERNEL_SYSCALL:
+               ret = lttng_syscall_filter_enable_event_notifier(event_notifier);
+               break;
        case LTTNG_KERNEL_KPROBE:
        case LTTNG_KERNEL_UPROBE:
                ret = 0;
                break;
-       case LTTNG_KERNEL_SYSCALL:
        case LTTNG_KERNEL_KRETPROBE:
        case LTTNG_KERNEL_FUNCTION:
        case LTTNG_KERNEL_NOOP:
@@ -1297,9 +1339,11 @@ int _lttng_event_notifier_unregister(
                lttng_uprobes_unregister_event_notifier(event_notifier);
                ret = 0;
                break;
+       case LTTNG_KERNEL_SYSCALL:
+               ret = lttng_syscall_filter_disable_event_notifier(event_notifier);
+               break;
        case LTTNG_KERNEL_KRETPROBE:
        case LTTNG_KERNEL_FUNCTION:
-       case LTTNG_KERNEL_SYSCALL:
        case LTTNG_KERNEL_NOOP:
        default:
                WARN_ON_ONCE(1);
@@ -1357,14 +1401,15 @@ void _lttng_event_notifier_destroy(struct lttng_event_notifier *event_notifier)
                module_put(event_notifier->desc->owner);
                lttng_kprobes_destroy_event_notifier_private(event_notifier);
                break;
+       case LTTNG_KERNEL_NOOP:
+       case LTTNG_KERNEL_SYSCALL:
+               break;
        case LTTNG_KERNEL_UPROBE:
                module_put(event_notifier->desc->owner);
                lttng_uprobes_destroy_event_notifier_private(event_notifier);
                break;
        case LTTNG_KERNEL_KRETPROBE:
        case LTTNG_KERNEL_FUNCTION:
-       case LTTNG_KERNEL_NOOP:
-       case LTTNG_KERNEL_SYSCALL:
        default:
                WARN_ON_ONCE(1);
        }
@@ -1647,7 +1692,6 @@ int lttng_match_enabler_name(const char *desc_name,
        return 1;
 }
 
-static
 int lttng_desc_match_enabler(const struct lttng_event_desc *desc,
                struct lttng_enabler *enabler)
 {
@@ -1901,6 +1945,17 @@ void lttng_create_syscall_event_if_missing(struct lttng_event_enabler *event_ena
        WARN_ON_ONCE(ret);
 }
 
+static
+void lttng_create_syscall_event_notifier_if_missing(struct lttng_event_notifier_enabler *event_notifier_enabler)
+{
+       int ret;
+
+       ret = lttng_syscalls_register_event_notifier(event_notifier_enabler, NULL);
+       WARN_ON_ONCE(ret);
+       ret = lttng_syscals_create_matching_event_notifiers(event_notifier_enabler, NULL);
+       WARN_ON_ONCE(ret);
+}
+
 /*
  * Create struct lttng_event if it is missing and present in the list of
  * tracepoint probes.
@@ -1995,6 +2050,9 @@ void lttng_create_event_notifier_if_missing(struct lttng_event_notifier_enabler
        case LTTNG_KERNEL_TRACEPOINT:
                lttng_create_tracepoint_event_notifier_if_missing(event_notifier_enabler);
                break;
+       case LTTNG_KERNEL_SYSCALL:
+               lttng_create_syscall_event_notifier_if_missing(event_notifier_enabler);
+               break;
        default:
                WARN_ON_ONCE(1);
                break;
@@ -2005,11 +2063,29 @@ void lttng_create_event_notifier_if_missing(struct lttng_event_notifier_enabler
  * Create event_notifiers associated with a event_notifier enabler (if not already present).
  */
 static
-int lttng_event_notifier_enabler_ref_event_notifiers(struct lttng_event_notifier_enabler *event_notifier_enabler)
+int lttng_event_notifier_enabler_ref_event_notifiers(
+               struct lttng_event_notifier_enabler *event_notifier_enabler)
 {
        struct lttng_event_notifier_group *event_notifier_group = event_notifier_enabler->group;
+       struct lttng_enabler *base_enabler = lttng_event_notifier_enabler_as_enabler(event_notifier_enabler);
        struct lttng_event_notifier *event_notifier;
 
+       if (base_enabler->event_param.instrumentation == LTTNG_KERNEL_SYSCALL &&
+                       base_enabler->event_param.u.syscall.abi == LTTNG_KERNEL_SYSCALL_ABI_ALL &&
+                       base_enabler->event_param.u.syscall.match == LTTNG_KERNEL_SYSCALL_MATCH_NAME &&
+                       !strcmp(base_enabler->event_param.name, "*")) {
+
+               int enabled = base_enabler->enabled;
+               enum lttng_kernel_syscall_entryexit entryexit = base_enabler->event_param.u.syscall.entryexit;
+
+               if (entryexit == LTTNG_KERNEL_SYSCALL_ENTRY || entryexit == LTTNG_KERNEL_SYSCALL_ENTRYEXIT)
+                       WRITE_ONCE(event_notifier_group->syscall_all_entry, enabled);
+
+               if (entryexit == LTTNG_KERNEL_SYSCALL_EXIT || entryexit == LTTNG_KERNEL_SYSCALL_ENTRYEXIT)
+                       WRITE_ONCE(event_notifier_group->syscall_all_exit, enabled);
+
+       }
+
        /* First ensure that probe event_notifiers are created for this enabler. */
        lttng_create_event_notifier_if_missing(event_notifier_enabler);
 
@@ -2241,9 +2317,8 @@ struct lttng_event_notifier_enabler *lttng_event_notifier_enabler_create(
        event_notifier_enabler->base.format_type = format_type;
        INIT_LIST_HEAD(&event_notifier_enabler->base.filter_bytecode_head);
 
-       memcpy(&event_notifier_enabler->base.event_param.name, event_notifier_param->event.name,
-               sizeof(event_notifier_enabler->base.event_param.name));
-       event_notifier_enabler->base.event_param.instrumentation = event_notifier_param->event.instrumentation;
+       memcpy(&event_notifier_enabler->base.event_param, &event_notifier_param->event,
+               sizeof(event_notifier_enabler->base.event_param));
        event_notifier_enabler->base.evtype = LTTNG_TYPE_ENABLER;
 
        event_notifier_enabler->base.enabled = 0;

diff --git a/src/lttng-syscalls.c b/src/lttng-syscalls.c
index 06d16ff2e7c2659d9eacbbd403b92ab083f728ca..1465083556c4ca94657deb621cdb95f58b297962 100644 (file)
--- a/src/lttng-syscalls.c
+++ b/src/lttng-syscalls.c
@@ -29,6 +29,7 @@
 #include <wrapper/rcu.h>
 #include <wrapper/syscall.h>
 #include <lttng/events.h>
+#include <lttng/utils.h>
 
 #ifndef CONFIG_COMPAT
 # ifndef is_compat_task
@@ -63,6 +64,13 @@ void syscall_entry_event_probe(void *__data, struct pt_regs *regs, long id);
 static
 void syscall_exit_event_probe(void *__data, struct pt_regs *regs, long ret);
 
+static
+void syscall_entry_event_notifier_probe(void *__data, struct pt_regs *regs,
+               long id);
+static
+void syscall_exit_event_notifier_probe(void *__data, struct pt_regs *regs,
+               long ret);
+
 /*
  * Forward declarations for old kernels.
  */
@@ -285,6 +293,7 @@ typedef __kernel_old_time_t time_t;
 
 struct trace_syscall_entry {
        void *event_func;
+       void *event_notifier_func;
        const struct lttng_event_desc *desc;
        const struct lttng_event_field *fields;
        unsigned int nrargs;
@@ -301,6 +310,7 @@ struct trace_syscall_entry {
 #define TRACE_SYSCALL_TABLE(_template, _name, _nr, _nrargs)    \
        [ _nr ] = {                                             \
                .event_func = __event_probe__syscall_entry_##_template, \
+               .event_notifier_func = __event_notifier_probe__syscall_entry_##_template, \
                .nrargs = (_nrargs),                            \
                .fields = __event_fields___syscall_entry_##_template, \
                .desc = &__event_desc___syscall_entry_##_name,  \
@@ -316,6 +326,7 @@ static const struct trace_syscall_entry sc_table[] = {
 #define TRACE_SYSCALL_TABLE(_template, _name, _nr, _nrargs)    \
        [ _nr ] = {                                             \
                .event_func = __event_probe__compat_syscall_entry_##_template, \
+               .event_notifier_func = __event_notifier_probe__compat_syscall_entry_##_template, \
                .nrargs = (_nrargs),                            \
                .fields = __event_fields___compat_syscall_entry_##_template, \
                .desc = &__event_desc___compat_syscall_entry_##_name, \
@@ -338,6 +349,7 @@ const struct trace_syscall_entry compat_sc_table[] = {
 #define TRACE_SYSCALL_TABLE(_template, _name, _nr, _nrargs)    \
        [ _nr ] = {                                             \
                .event_func = __event_probe__syscall_exit_##_template, \
+               .event_notifier_func = __event_notifier_probe__syscall_exit_##_template, \
                .nrargs = (_nrargs),                            \
                .fields = __event_fields___syscall_exit_##_template, \
                .desc = &__event_desc___syscall_exit_##_name, \
@@ -353,6 +365,7 @@ static const struct trace_syscall_entry sc_exit_table[] = {
 #define TRACE_SYSCALL_TABLE(_template, _name, _nr, _nrargs)    \
        [ _nr ] = {                                             \
                .event_func = __event_probe__compat_syscall_exit_##_template, \
+               .event_notifier_func = __event_notifier_probe__compat_syscall_exit_##_template, \
                .nrargs = (_nrargs),                            \
                .fields = __event_fields___compat_syscall_exit_##_template, \
                .desc = &__event_desc___compat_syscall_exit_##_name, \
@@ -376,7 +389,7 @@ struct lttng_syscall_filter {
 };
 
 static void syscall_entry_event_unknown(struct lttng_event *event,
-       struct pt_regs *regs, unsigned int id)
+       struct pt_regs *regs, long id)
 {
        unsigned long args[LTTNG_SYSCALL_NR_ARGS];
 
@@ -387,6 +400,38 @@ static void syscall_entry_event_unknown(struct lttng_event *event,
                __event_probe__syscall_entry_unknown(event, id, args);
 }
 
+static void syscall_entry_event_notifier_unknown(
+               struct hlist_head *unknown_dispatch_list_head,
+               struct pt_regs *regs, long id)
+{
+       unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+       struct lttng_event_notifier *notifier;
+
+       lttng_syscall_get_arguments(current, regs, args);
+       lttng_hlist_for_each_entry_rcu(notifier, unknown_dispatch_list_head, u.syscall.node) {
+               if (unlikely(in_compat_syscall()))
+                       __event_notifier_probe__compat_syscall_entry_unknown(notifier, id, args);
+               else
+                       __event_notifier_probe__syscall_entry_unknown(notifier, id, args);
+       }
+}
+
+static void syscall_exit_event_notifier_unknown(
+               struct hlist_head *unknown_dispatch_list_head,
+               struct pt_regs *regs, long id, long ret)
+{
+       unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+       struct lttng_event_notifier *notifier;
+
+       lttng_syscall_get_arguments(current, regs, args);
+       lttng_hlist_for_each_entry_rcu(notifier, unknown_dispatch_list_head, u.syscall.node) {
+               if (unlikely(in_compat_syscall()))
+                       __event_notifier_probe__compat_syscall_exit_unknown(notifier, id, ret, args);
+               else
+                       __event_notifier_probe__syscall_exit_unknown(notifier, id, ret, args);
+       }
+}
+
 static __always_inline
 void syscall_entry_call_func(void *func, unsigned int nrargs, void *data,
                struct pt_regs *regs)
@@ -479,6 +524,106 @@ void syscall_entry_call_func(void *func, unsigned int nrargs, void *data,
        }
 }
 
+static __always_inline
+void syscall_entry_event_notifier_call_func(struct hlist_head *dispatch_list,
+               void *func, unsigned int nrargs, struct pt_regs *regs)
+{
+       struct lttng_event_notifier *notifier;
+
+       switch (nrargs) {
+       case 0:
+       {
+               void (*fptr)(void *__data) = func;
+
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier);
+               break;
+       }
+       case 1:
+       {
+               void (*fptr)(void *__data, unsigned long arg0) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, args[0]);
+               break;
+       }
+       case 2:
+       {
+               void (*fptr)(void *__data,
+                       unsigned long arg0,
+                       unsigned long arg1) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, args[0], args[1]);
+               break;
+       }
+       case 3:
+       {
+               void (*fptr)(void *__data,
+                       unsigned long arg0,
+                       unsigned long arg1,
+                       unsigned long arg2) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, args[0], args[1], args[2]);
+               break;
+       }
+       case 4:
+       {
+               void (*fptr)(void *__data,
+                       unsigned long arg0,
+                       unsigned long arg1,
+                       unsigned long arg2,
+                       unsigned long arg3) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, args[0], args[1], args[2], args[3]);
+               break;
+       }
+       case 5:
+       {
+               void (*fptr)(void *__data,
+                       unsigned long arg0,
+                       unsigned long arg1,
+                       unsigned long arg2,
+                       unsigned long arg3,
+                       unsigned long arg4) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, args[0], args[1], args[2], args[3], args[4]);
+               break;
+       }
+       case 6:
+       {
+               void (*fptr)(void *__data,
+                       unsigned long arg0,
+                       unsigned long arg1,
+                       unsigned long arg2,
+                       unsigned long arg3,
+                       unsigned long arg4,
+                       unsigned long arg5) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, args[0], args[1], args[2], args[3], args[4], args[5]);
+               break;
+       }
+       default:
+               break;
+       }
+}
+
 void syscall_entry_event_probe(void *__data, struct pt_regs *regs, long id)
 {
        struct lttng_channel *chan = __data;
@@ -526,8 +671,67 @@ void syscall_entry_event_probe(void *__data, struct pt_regs *regs, long id)
        syscall_entry_call_func(entry->event_func, entry->nrargs, event, regs);
 }
 
+void syscall_entry_event_notifier_probe(void *__data, struct pt_regs *regs,
+               long id)
+{
+       struct lttng_event_notifier_group *group = __data;
+       const struct trace_syscall_entry *table, *entry;
+       struct hlist_head *dispatch_list, *unknown_dispatch_list;
+       size_t table_len;
+
+       if (unlikely(in_compat_syscall())) {
+               struct lttng_syscall_filter *filter = group->sc_filter;
+
+               if (id < 0 || id >= NR_compat_syscalls
+                       || (!READ_ONCE(group->syscall_all_entry) &&
+                               !test_bit(id, filter->sc_compat_entry))) {
+                       /* System call filtered out. */
+                       return;
+               }
+               table = compat_sc_table;
+               table_len = ARRAY_SIZE(compat_sc_table);
+               unknown_dispatch_list = &group->event_notifier_compat_unknown_syscall_dispatch;
+       } else {
+               struct lttng_syscall_filter *filter = group->sc_filter;
+
+               if (id < 0 || id >= NR_syscalls
+                       || (!READ_ONCE(group->syscall_all_entry) &&
+                               !test_bit(id, filter->sc_entry))) {
+                       /* System call filtered out. */
+                       return;
+               }
+               table = sc_table;
+               table_len = ARRAY_SIZE(sc_table);
+               unknown_dispatch_list = &group->event_notifier_unknown_syscall_dispatch;
+       }
+       /* Check if the syscall id is out of bound. */
+       if (unlikely(id < 0 || id >= table_len)) {
+               syscall_entry_event_notifier_unknown(unknown_dispatch_list,
+                               regs, id);
+               return;
+       }
+
+       entry = &table[id];
+       if (!entry->event_notifier_func) {
+               syscall_entry_event_notifier_unknown(unknown_dispatch_list,
+                               regs, id);
+               return;
+       }
+
+       if (unlikely(in_compat_syscall())) {
+               dispatch_list = &group->event_notifier_compat_syscall_dispatch[id];
+       } else {
+               dispatch_list = &group->event_notifier_syscall_dispatch[id];
+       }
+       if (unlikely(hlist_empty(dispatch_list)))
+               return;
+
+       syscall_entry_event_notifier_call_func(dispatch_list,
+                       entry->event_notifier_func, entry->nrargs, regs);
+}
+
 static void syscall_exit_event_unknown(struct lttng_event *event,
-       struct pt_regs *regs, int id, long ret)
+       struct pt_regs *regs, long id, long ret)
 {
        unsigned long args[LTTNG_SYSCALL_NR_ARGS];
 
@@ -681,6 +885,173 @@ void syscall_exit_event_probe(void *__data, struct pt_regs *regs, long ret)
        }
 }
 
+static __always_inline
+void syscall_exit_event_notifier_call_func(struct hlist_head *dispatch_list,
+               void *func, unsigned int nrargs, struct pt_regs *regs, long ret)
+{
+       struct lttng_event_notifier *notifier;
+
+       switch (nrargs) {
+       case 0:
+       {
+               void (*fptr)(void *__data, long ret) = func;
+
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, ret);
+               break;
+       }
+       case 1:
+       {
+               void (*fptr)(void *__data, long ret, unsigned long arg0) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, ret, args[0]);
+               break;
+       }
+       case 2:
+       {
+               void (*fptr)(void *__data,
+                       long ret,
+                       unsigned long arg0,
+                       unsigned long arg1) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, ret, args[0], args[1]);
+               break;
+       }
+       case 3:
+       {
+               void (*fptr)(void *__data,
+                       long ret,
+                       unsigned long arg0,
+                       unsigned long arg1,
+                       unsigned long arg2) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, ret, args[0], args[1], args[2]);
+               break;
+       }
+       case 4:
+       {
+               void (*fptr)(void *__data,
+                       long ret,
+                       unsigned long arg0,
+                       unsigned long arg1,
+                       unsigned long arg2,
+                       unsigned long arg3) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, ret, args[0], args[1], args[2], args[3]);
+               break;
+       }
+       case 5:
+       {
+               void (*fptr)(void *__data,
+                       long ret,
+                       unsigned long arg0,
+                       unsigned long arg1,
+                       unsigned long arg2,
+                       unsigned long arg3,
+                       unsigned long arg4) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, ret, args[0], args[1], args[2], args[3], args[4]);
+               break;
+       }
+       case 6:
+       {
+               void (*fptr)(void *__data,
+                       long ret,
+                       unsigned long arg0,
+                       unsigned long arg1,
+                       unsigned long arg2,
+                       unsigned long arg3,
+                       unsigned long arg4,
+                       unsigned long arg5) = func;
+               unsigned long args[LTTNG_SYSCALL_NR_ARGS];
+
+               lttng_syscall_get_arguments(current, regs, args);
+               lttng_hlist_for_each_entry_rcu(notifier, dispatch_list, u.syscall.node)
+                       fptr(notifier, ret, args[0], args[1], args[2], args[3], args[4], args[5]);
+               break;
+       }
+       default:
+               break;
+       }
+}
+
+static
+void syscall_exit_event_notifier_probe(void *__data, struct pt_regs *regs,
+               long ret)
+{
+       struct lttng_event_notifier_group *group = __data;
+       const struct trace_syscall_entry *table, *entry;
+       struct hlist_head *dispatch_list, *unknown_dispatch_list;
+       size_t table_len;
+       long id;
+
+       id = syscall_get_nr(current, regs);
+
+       if (unlikely(in_compat_syscall())) {
+               struct lttng_syscall_filter *filter = group->sc_filter;
+
+               if (id < 0 || id >= NR_compat_syscalls
+                       || (!READ_ONCE(group->syscall_all_exit) &&
+                               !test_bit(id, filter->sc_compat_exit))) {
+                       /* System call filtered out. */
+                       return;
+               }
+               table = compat_sc_exit_table;
+               table_len = ARRAY_SIZE(compat_sc_exit_table);
+               unknown_dispatch_list = &group->event_notifier_exit_compat_unknown_syscall_dispatch;
+       } else {
+               struct lttng_syscall_filter *filter = group->sc_filter;
+
+               if (id < 0 || id >= NR_syscalls
+                       || (!READ_ONCE(group->syscall_all_exit) &&
+                                       !test_bit(id, filter->sc_exit))) {
+                       /* System call filtered out. */
+                       return;
+               }
+               table = sc_exit_table;
+               table_len = ARRAY_SIZE(sc_exit_table);
+               unknown_dispatch_list = &group->event_notifier_exit_unknown_syscall_dispatch;
+       }
+       /* Check if the syscall id is out of bound. */
+       if (unlikely(id < 0 || id >= table_len)) {
+               syscall_exit_event_notifier_unknown(unknown_dispatch_list,
+                               regs, id, ret);
+               return;
+       }
+
+       entry = &table[id];
+       if (!entry->event_notifier_func) {
+               syscall_entry_event_notifier_unknown(unknown_dispatch_list,
+                               regs, id);
+               return;
+       }
+
+       if (unlikely(in_compat_syscall())) {
+               dispatch_list = &group->event_notifier_exit_compat_syscall_dispatch[id];
+       } else {
+               dispatch_list = &group->event_notifier_exit_syscall_dispatch[id];
+       }
+       if (unlikely(hlist_empty(dispatch_list)))
+               return;
+
+       syscall_exit_event_notifier_call_func(dispatch_list,
+                       entry->event_notifier_func, entry->nrargs, regs, ret);
+}
 /*
  * noinline to diminish caller stack size.
  * Should be called with sessions lock held.
@@ -918,8 +1289,377 @@ int lttng_syscalls_register_event(struct lttng_channel *chan, void *filter)
 }
 
 /*
- * Only called at session destruction.
+ * Should be called with sessions lock held.
+ */
+int lttng_syscalls_register_event_notifier(
+               struct lttng_event_notifier_enabler *event_notifier_enabler,
+               void *filter)
+{
+       struct lttng_event_notifier_group *group = event_notifier_enabler->group;
+       unsigned int i;
+       int ret = 0;
+
+       wrapper_vmalloc_sync_mappings();
+
+       if (!group->event_notifier_syscall_dispatch) {
+               group->event_notifier_syscall_dispatch =
+                               kzalloc(sizeof(struct hlist_head) * ARRAY_SIZE(sc_table),
+                                       GFP_KERNEL);
+               if (!group->event_notifier_syscall_dispatch)
+                       return -ENOMEM;
+
+               /* Initialize all list_head */
+               for (i = 0; i < ARRAY_SIZE(sc_table); i++)
+                       INIT_HLIST_HEAD(&group->event_notifier_syscall_dispatch[i]);
+
+               /* Init the unknown syscall notifier list. */
+               INIT_HLIST_HEAD(&group->event_notifier_unknown_syscall_dispatch);
+       }
+
+       if (!group->event_notifier_exit_syscall_dispatch) {
+               group->event_notifier_exit_syscall_dispatch =
+                               kzalloc(sizeof(struct hlist_head) * ARRAY_SIZE(sc_table),
+                                       GFP_KERNEL);
+               if (!group->event_notifier_exit_syscall_dispatch)
+                       return -ENOMEM;
+
+               /* Initialize all list_head */
+               for (i = 0; i < ARRAY_SIZE(sc_table); i++)
+                       INIT_HLIST_HEAD(&group->event_notifier_exit_syscall_dispatch[i]);
+
+               /* Init the unknown exit syscall notifier list. */
+               INIT_HLIST_HEAD(&group->event_notifier_exit_unknown_syscall_dispatch);
+       }
+
+#ifdef CONFIG_COMPAT
+       if (!group->event_notifier_compat_syscall_dispatch) {
+               group->event_notifier_compat_syscall_dispatch =
+                               kzalloc(sizeof(struct hlist_head) * ARRAY_SIZE(compat_sc_table),
+                                       GFP_KERNEL);
+               if (!group->event_notifier_syscall_dispatch)
+                       return -ENOMEM;
+
+               /* Initialize all list_head */
+               for (i = 0; i < ARRAY_SIZE(compat_sc_table); i++)
+                       INIT_HLIST_HEAD(&group->event_notifier_compat_syscall_dispatch[i]);
+
+               /* Init the unknown syscall notifier list. */
+               INIT_HLIST_HEAD(&group->event_notifier_compat_unknown_syscall_dispatch);
+       }
+
+       if (!group->event_notifier_exit_compat_syscall_dispatch) {
+               group->event_notifier_exit_compat_syscall_dispatch =
+                               kzalloc(sizeof(struct hlist_head) * ARRAY_SIZE(compat_sc_exit_table),
+                                       GFP_KERNEL);
+               if (!group->event_notifier_exit_syscall_dispatch)
+                       return -ENOMEM;
+
+               /* Initialize all list_head */
+               for (i = 0; i < ARRAY_SIZE(compat_sc_exit_table); i++)
+                       INIT_HLIST_HEAD(&group->event_notifier_exit_compat_syscall_dispatch[i]);
+
+               /* Init the unknown exit syscall notifier list. */
+               INIT_HLIST_HEAD(&group->event_notifier_exit_compat_unknown_syscall_dispatch);
+       }
+#endif
+
+       if (!group->sc_filter) {
+               group->sc_filter = kzalloc(sizeof(struct lttng_syscall_filter),
+                               GFP_KERNEL);
+               if (!group->sc_filter)
+                       return -ENOMEM;
+       }
+
+       if (!group->sys_enter_registered) {
+               ret = lttng_wrapper_tracepoint_probe_register("sys_enter",
+                               (void *) syscall_entry_event_notifier_probe, group);
+               if (ret)
+                       return ret;
+               group->sys_enter_registered = 1;
+       }
+
+       if (!group->sys_exit_registered) {
+               ret = lttng_wrapper_tracepoint_probe_register("sys_exit",
+                               (void *) syscall_exit_event_notifier_probe, group);
+               if (ret) {
+                       WARN_ON_ONCE(lttng_wrapper_tracepoint_probe_unregister("sys_enter",
+                               (void *) syscall_entry_event_notifier_probe, group));
+                       return ret;
+               }
+               group->sys_exit_registered = 1;
+       }
+
+       return ret;
+}
+
+static
+int create_unknown_event_notifier(
+               struct lttng_event_notifier_enabler *event_notifier_enabler,
+               enum sc_type type)
+{
+       struct lttng_event_notifier *notifier;
+       const struct lttng_event_desc *desc;
+       struct lttng_event_notifier_group *group = event_notifier_enabler->group;
+       struct lttng_kernel_event_notifier event_notifier_param;
+       uint64_t user_token = event_notifier_enabler->base.user_token;
+       struct lttng_enabler *base_enabler = lttng_event_notifier_enabler_as_enabler(
+               event_notifier_enabler);
+       struct hlist_head *unknown_dispatch_list;
+       int ret = 0;
+       bool found = false;
+       enum lttng_kernel_syscall_abi abi;
+       enum lttng_kernel_syscall_entryexit entryexit;
+       struct hlist_head *head;
+
+       switch (type) {
+       case SC_TYPE_ENTRY:
+               desc = &__event_desc___syscall_entry_unknown;
+               unknown_dispatch_list = &group->event_notifier_unknown_syscall_dispatch;
+               entryexit = LTTNG_KERNEL_SYSCALL_ENTRY;
+               abi = LTTNG_KERNEL_SYSCALL_ABI_NATIVE;
+               break;
+       case SC_TYPE_EXIT:
+               desc = &__event_desc___syscall_exit_unknown;
+               unknown_dispatch_list = &group->event_notifier_exit_unknown_syscall_dispatch;
+               entryexit = LTTNG_KERNEL_SYSCALL_EXIT;
+               abi = LTTNG_KERNEL_SYSCALL_ABI_NATIVE;
+               break;
+       case SC_TYPE_COMPAT_ENTRY:
+               desc = &__event_desc___compat_syscall_entry_unknown;
+               unknown_dispatch_list = &group->event_notifier_compat_unknown_syscall_dispatch;
+               entryexit = LTTNG_KERNEL_SYSCALL_ENTRY;
+               abi = LTTNG_KERNEL_SYSCALL_ABI_COMPAT;
+               break;
+       case SC_TYPE_COMPAT_EXIT:
+               desc = &__event_desc___compat_syscall_exit_unknown;
+               unknown_dispatch_list = &group->event_notifier_exit_compat_unknown_syscall_dispatch;
+               entryexit = LTTNG_KERNEL_SYSCALL_EXIT;
+               abi = LTTNG_KERNEL_SYSCALL_ABI_COMPAT;
+               break;
+       default:
+               BUG_ON(1);
+       }
+
+       /*
+        * Check if already created.
+        */
+       head = utils_borrow_hash_table_bucket(group->event_notifiers_ht.table,
+               LTTNG_EVENT_NOTIFIER_HT_SIZE, desc->name);
+       lttng_hlist_for_each_entry(notifier, head, hlist) {
+               if (notifier->desc == desc &&
+                               notifier->user_token == base_enabler->user_token)
+                       found = true;
+       }
+       if (found)
+               goto end;
+
+       memset(&event_notifier_param, 0, sizeof(event_notifier_param));
+       strncat(event_notifier_param.event.name, desc->name,
+               LTTNG_KERNEL_SYM_NAME_LEN - strlen(event_notifier_param.event.name) - 1);
+
+       event_notifier_param.event.name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0';
+
+       event_notifier_param.event.instrumentation = LTTNG_KERNEL_SYSCALL;
+       event_notifier_param.event.u.syscall.abi = abi;
+       event_notifier_param.event.u.syscall.entryexit = entryexit;
+
+       notifier = _lttng_event_notifier_create(desc, user_token,
+               group, &event_notifier_param, NULL,
+               event_notifier_param.event.instrumentation);
+       if (IS_ERR(notifier)) {
+               printk(KERN_INFO "Unable to create unknown notifier %s\n",
+                       desc->name);
+               ret = -ENOMEM;
+               goto end;
+       }
+
+       hlist_add_head_rcu(&notifier->u.syscall.node, unknown_dispatch_list);
+
+end:
+       return ret;
+}
+
+static int create_matching_event_notifiers(
+               struct lttng_event_notifier_enabler *event_notifier_enabler,
+               void *filter, const struct trace_syscall_entry *table,
+               size_t table_len, enum sc_type type)
+{
+       struct lttng_event_notifier_group *group = event_notifier_enabler->group;
+       const struct lttng_event_desc *desc;
+       uint64_t user_token = event_notifier_enabler->base.user_token;
+       unsigned int i;
+       int ret = 0;
+
+       /* iterate over all syscall and create event_notifier that match */
+       for (i = 0; i < table_len; i++) {
+               struct lttng_event_notifier *event_notifier;
+               struct lttng_kernel_event_notifier event_notifier_param;
+               struct hlist_head *head;
+               int found = 0;
+
+               desc = table[i].desc;
+               if (!desc) {
+                       /* Unknown syscall */
+                       continue;
+               }
+
+               if (!lttng_desc_match_enabler(desc,
+                               lttng_event_notifier_enabler_as_enabler(event_notifier_enabler)))
+                       continue;
+
+               /*
+                * Check if already created.
+                */
+               head = utils_borrow_hash_table_bucket(group->event_notifiers_ht.table,
+                       LTTNG_EVENT_NOTIFIER_HT_SIZE, desc->name);
+               lttng_hlist_for_each_entry(event_notifier, head, hlist) {
+                       if (event_notifier->desc == desc
+                               && event_notifier->user_token == event_notifier_enabler->base.user_token)
+                               found = 1;
+               }
+               if (found)
+                       continue;
+
+               memset(&event_notifier_param, 0, sizeof(event_notifier_param));
+               switch (type) {
+               case SC_TYPE_ENTRY:
+                       event_notifier_param.event.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_ENTRY;
+                       event_notifier_param.event.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_NATIVE;
+                       break;
+               case SC_TYPE_EXIT:
+                       event_notifier_param.event.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_EXIT;
+                       event_notifier_param.event.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_NATIVE;
+                       break;
+               case SC_TYPE_COMPAT_ENTRY:
+                       event_notifier_param.event.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_ENTRY;
+                       event_notifier_param.event.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_COMPAT;
+                       break;
+               case SC_TYPE_COMPAT_EXIT:
+                       event_notifier_param.event.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_EXIT;
+                       event_notifier_param.event.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_COMPAT;
+                       break;
+               }
+               strncat(event_notifier_param.event.name, desc->name,
+                       LTTNG_KERNEL_SYM_NAME_LEN - strlen(event_notifier_param.event.name) - 1);
+               event_notifier_param.event.name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0';
+               event_notifier_param.event.instrumentation = LTTNG_KERNEL_SYSCALL;
+
+               event_notifier = _lttng_event_notifier_create(desc, user_token, group,
+                       &event_notifier_param, filter,
+                       event_notifier_param.event.instrumentation);
+               if (IS_ERR(event_notifier)) {
+                       printk(KERN_INFO "Unable to create event_notifier %s\n",
+                               desc->name);
+                       ret = -ENOMEM;
+                       goto end;
+               }
+
+               event_notifier->u.syscall.syscall_id = i;
+       }
+
+end:
+       return ret;
+
+}
+
+int lttng_syscals_create_matching_event_notifiers(
+               struct lttng_event_notifier_enabler *event_notifier_enabler,
+               void *filter)
+{
+       int ret;
+       struct lttng_enabler *base_enabler =
+                       lttng_event_notifier_enabler_as_enabler(event_notifier_enabler);
+       enum lttng_kernel_syscall_entryexit entryexit =
+                       base_enabler->event_param.u.syscall.entryexit;
+
+       if (entryexit == LTTNG_KERNEL_SYSCALL_ENTRY || entryexit == LTTNG_KERNEL_SYSCALL_ENTRYEXIT) {
+               ret = create_matching_event_notifiers(event_notifier_enabler,
+                       filter, sc_table, ARRAY_SIZE(sc_table), SC_TYPE_ENTRY);
+               if (ret)
+                       goto end;
+
+               ret = create_matching_event_notifiers(event_notifier_enabler,
+                       filter, compat_sc_table, ARRAY_SIZE(compat_sc_table),
+                       SC_TYPE_COMPAT_ENTRY);
+               if (ret)
+                       goto end;
+
+               ret = create_unknown_event_notifier(event_notifier_enabler,
+                               SC_TYPE_ENTRY);
+               if (ret)
+                       goto end;
+
+               ret = create_unknown_event_notifier(event_notifier_enabler,
+                               SC_TYPE_COMPAT_ENTRY);
+               if (ret)
+                       goto end;
+       }
+
+       if (entryexit == LTTNG_KERNEL_SYSCALL_EXIT || entryexit == LTTNG_KERNEL_SYSCALL_ENTRYEXIT) {
+               ret = create_matching_event_notifiers(event_notifier_enabler,
+                       filter, sc_exit_table, ARRAY_SIZE(sc_exit_table),
+                       SC_TYPE_EXIT);
+               if (ret)
+                       goto end;
+
+               ret = create_unknown_event_notifier(event_notifier_enabler,
+                               SC_TYPE_EXIT);
+               if (ret)
+                       goto end;
+
+               ret = create_matching_event_notifiers(event_notifier_enabler,
+                       filter, compat_sc_exit_table, ARRAY_SIZE(compat_sc_exit_table),
+                       SC_TYPE_COMPAT_EXIT);
+               if (ret)
+                       goto end;
+
+               ret = create_unknown_event_notifier(event_notifier_enabler,
+                               SC_TYPE_COMPAT_EXIT);
+               if (ret)
+                       goto end;
+       }
+
+end:
+       return ret;
+}
+
+/*
+ * Unregister the syscall event_notifier probes from the callsites.
  */
+int lttng_syscalls_unregister_event_notifier(
+               struct lttng_event_notifier_group *event_notifier_group)
+{
+       int ret;
+
+       /*
+        * Only register the event_notifier probe on the `sys_enter` callsite for now.
+        * At the moment, we don't think it's desirable to have one fired
+        * event_notifier for the entry and one for the exit of a syscall.
+        */
+       if (event_notifier_group->sys_enter_registered) {
+               ret = lttng_wrapper_tracepoint_probe_unregister("sys_enter",
+                               (void *) syscall_entry_event_notifier_probe, event_notifier_group);
+               if (ret)
+                       return ret;
+               event_notifier_group->sys_enter_registered = 0;
+       }
+       if (event_notifier_group->sys_exit_registered) {
+               ret = lttng_wrapper_tracepoint_probe_unregister("sys_exit",
+                               (void *) syscall_exit_event_notifier_probe, event_notifier_group);
+               if (ret)
+                       return ret;
+               event_notifier_group->sys_enter_registered = 0;
+       }
+
+       kfree(event_notifier_group->event_notifier_syscall_dispatch);
+       kfree(event_notifier_group->event_notifier_exit_syscall_dispatch);
+#ifdef CONFIG_COMPAT
+       kfree(event_notifier_group->event_notifier_compat_syscall_dispatch);
+       kfree(event_notifier_group->event_notifier_exit_compat_syscall_dispatch);
+#endif
+       return 0;
+}
+
 int lttng_syscalls_unregister_event(struct lttng_channel *chan)
 {
        int ret;
@@ -1100,6 +1840,52 @@ int lttng_syscall_filter_enable(
        return 0;
 }
 
+int lttng_syscall_filter_enable_event_notifier(
+               struct lttng_event_notifier *notifier)
+{
+       struct lttng_event_notifier_group *group = notifier->group;
+       unsigned int syscall_id = notifier->u.syscall.syscall_id;
+       struct hlist_head *dispatch_list;
+       int ret = 0;
+
+       WARN_ON_ONCE(notifier->instrumentation != LTTNG_KERNEL_SYSCALL);
+
+       ret = lttng_syscall_filter_enable(group->sc_filter,
+               notifier->desc->name, notifier->u.syscall.abi,
+               notifier->u.syscall.entryexit);
+       if (ret) {
+               goto end;
+       }
+
+       switch (notifier->u.syscall.entryexit) {
+       case LTTNG_SYSCALL_ENTRY:
+               switch (notifier->u.syscall.abi) {
+               case LTTNG_SYSCALL_ABI_NATIVE:
+                       dispatch_list = &group->event_notifier_syscall_dispatch[syscall_id];
+                       break;
+               case LTTNG_SYSCALL_ABI_COMPAT:
+                       dispatch_list = &group->event_notifier_compat_syscall_dispatch[syscall_id];
+                       break;
+               }
+               break;
+       case LTTNG_SYSCALL_EXIT:
+               switch (notifier->u.syscall.abi) {
+               case LTTNG_SYSCALL_ABI_NATIVE:
+                       dispatch_list = &group->event_notifier_exit_syscall_dispatch[syscall_id];
+                       break;
+               case LTTNG_SYSCALL_ABI_COMPAT:
+                       dispatch_list = &group->event_notifier_exit_compat_syscall_dispatch[syscall_id];
+                       break;
+               }
+               break;
+       }
+
+       hlist_add_head_rcu(&notifier->u.syscall.node, dispatch_list);
+
+end:
+       return ret ;
+}
+
 int lttng_syscall_filter_enable_event(
                struct lttng_channel *channel,
                struct lttng_event *event)
@@ -1171,6 +1957,23 @@ int lttng_syscall_filter_disable(
        return 0;
 }
 
+int lttng_syscall_filter_disable_event_notifier(
+               struct lttng_event_notifier *notifier)
+{
+       struct lttng_event_notifier_group *group = notifier->group;
+       int ret;
+
+       WARN_ON_ONCE(notifier->instrumentation != LTTNG_KERNEL_SYSCALL);
+
+       ret = lttng_syscall_filter_disable(group->sc_filter,
+               notifier->desc->name, notifier->u.syscall.abi,
+               notifier->u.syscall.entryexit);
+       WARN_ON_ONCE(ret != 0);
+
+       hlist_del_rcu(&notifier->u.syscall.node);
+       return 0;
+}
+
 int lttng_syscall_filter_disable_event(
                struct lttng_channel *channel,
                struct lttng_event *event)