fallocate

Intro

fallocate - System call to preallocate blocks of a file

Description

The fallocate() system call is used to preallocate blocks for a file. The call guarantees the requested space for the file without allocating physical storage, resulting in faster file access. This system call is not affected by the current size of a file, but rather allows it to extend the size immediately.

This syscall has some edge cases, such as when the file is on a filesystem which doesn't support fallocation, and when the file is located on a cluster filesystem. In such cases, a part of the requested area will be allocated, with the remaining blocks marked as needing allocation.

Arguments

  • fd:int - File descriptor.
  • mode:int - Operation type. A bitwise combination of the flags FALLOC_FL_KEEP_SIZE, FALLOC_FL_PUNCH_HOLE, FALLOC_FL_COLLAPSE_RANGE. FALLOC_FL_ZERO_RANGE is not supported from kernel 4.14 onwards.
  • offset:off_t - Starting offset of requested space past the end of file.
  • len:off_t - Length of requested space.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_fallocate

Type

Kprobe + Kretprobe

Purpose

To gather file descriptor and offset information, as well as the size of the file before and after the fallocation for a process.

Example Use Case

This event can be used to track a process's file write operations to disk. This can be helpful for debugging the performance of an application, as the syscall lets us track how and when the application reserves and uses disk space.

Issues

The fallocate syscall is not supported by some filesystems, so on those the fallocation won't be completely successful.

Related Events

  • pwrite
  • ftruncate

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.