Re: How to get function param in kretprobe bpf program? #pragma #bcc


Andrii Nakryiko
 

On Fri, Aug 7, 2020 at 12:45 AM <forrest0579@gmail.com> wrote:

When using kprobe in bcc, I can get param directly like `int kprobe__tcp_set_state(struct pt_regs *ctx, struct sock *sk, int state)`
But it seems not to work in kretprobe, I've found that I can get first param by using `struct sock *sk = (void*)ctx->bx`
but I can't get the second param through `ctx->cx`.
Am I get the wrong register? I'm in x86-64
You can't do it reliably with kretprobe. kretprobe is executed right
before the function is exiting, by that time all the registers that
contained input parameters could have been used for something else. So
you got lucky with struct sock * here, but as a general rule you
shouldn't rely on this. You either have to pair kprobe with kretprobe
and store input arguments, or take a look at fexit program type, it is
just like kretprobe, but faster and guarantees input arguments are
preserved.

Join iovisor-dev@lists.iovisor.org to automatically receive all group messages.