libbpf-bootstrap

kprobe for mmap

Open kochia3 opened this issue 3 years ago • 2 comments

I'm trying to have a kprobe for mmap:

SEC("kprobe/mmap")
int BPF_KPROBE(kprobe_mmap, void *addr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long fd, unsigned long offset)
{
	return 0;
}

But it fails to compile. It works if I remove the last parameter and reduce the parameter count to five.

My guess is that it's due to the calling convention.

How can I get the sixth parameter?

kochia3, Sep 10 '22 08:09

I have the same question. The calling convention of the System V AMD64 ABI is followed on GNU/Linux. The registers RDI, RSI, RDX, RCX, R8, and R9 are used for integer and memory address arguments and XMM0, XMM1, XMM2, XMM3, XMM4, XMM5, XMM6 and XMM7 are used for floating point arguments. For system calls, R10 is used instead of RCX. Additional arguments are passed on the stack and the return value is stored in RAX.

chenbd, Sep 19 '22 22:09

Libbpf's BPF_KPROBE macro currently doesn't support more than 5 arguments. Please contribute the patch to extend it.

For now to unblock yourself you can add this before BPF_KPROBE macro use:

#define ___bpf_kprobe_args6(x, args...) \
	___bpf_kprobe_args5(args), (void *)(ctx)->r9

**But note that this will eventually be added to libbpf (probably pretty soon) and at that point your code will stop compiling again, most probably.** So it's best to fix this in libbpf properly.

anakryiko, Sep 20 '22 06:09
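A user-space model of the argument-unpacking expansion discussed in this thread, added here as an illustration; it is not libbpf's code and not code from any commenter. `struct fake_regs`, `MODEL_KPROBE` and the `model_*` macros are hypothetical names, the register order assumes x86-64 as described above, and all parameters are `unsigned long` to keep the model free of pointer/integer casts.

```c
/* User-space model of a BPF_KPROBE-style argument unpacker.
 * All names (struct fake_regs, MODEL_KPROBE, model_*) are hypothetical
 * and are not libbpf's definitions. */
#include <stdio.h>

/* Constructed stand-in for x86-64 pt_regs: the six integer-argument
 * registers of the System V AMD64 calling convention, in order. */
struct fake_regs { unsigned long di, si, dx, cx, r8, r9; };

#define model_concat(a, b) a##b
#define model_apply(fn, n) model_concat(fn, n)
/* Count 1..6 arguments by shifting a descending list of numbers. */
#define model_nth(_1, _2, _3, _4, _5, _6, N, ...) N
#define model_narg(...) model_nth(__VA_ARGS__, 6, 5, 4, 3, 2, 1, 0)

/* Each level drops one parameter declaration and appends one register. */
#define model_args1(x)      ctx, (ctx)->di
#define model_args2(x, ...) model_args1(__VA_ARGS__), (ctx)->si
#define model_args3(x, ...) model_args2(__VA_ARGS__), (ctx)->dx
#define model_args4(x, ...) model_args3(__VA_ARGS__), (ctx)->cx
#define model_args5(x, ...) model_args4(__VA_ARGS__), (ctx)->r8
/* Same idea as the workaround in the thread: without this level, a
 * six-parameter probe expands to an undefined name and fails to compile. */
#define model_args6(x, ...) model_args5(__VA_ARGS__), (ctx)->r9
#define model_args(...) model_apply(model_args, model_narg(__VA_ARGS__))(__VA_ARGS__)

/* Emit an entry point taking only ctx, which forwards the unpacked
 * registers to the typed handler whose body follows the macro. */
#define MODEL_KPROBE(name, ...)                                   \
long name(struct fake_regs *ctx);                                 \
static long inner_##name(struct fake_regs *ctx, __VA_ARGS__);     \
long name(struct fake_regs *ctx)                                  \
{ return inner_##name(model_args(__VA_ARGS__)); }                 \
static long inner_##name(struct fake_regs *ctx, __VA_ARGS__)

/* Same shape as the mmap probe in the question; returns the sixth argument. */
MODEL_KPROBE(probe_mmap, unsigned long addr, unsigned long len,
             unsigned long prot, unsigned long flags,
             unsigned long fd, unsigned long offset)
{
    (void)ctx; (void)addr; (void)len; (void)prot; (void)flags; (void)fd;
    return (long)offset;
}

MODEL_KPROBE(probe_two, unsigned long a, unsigned long b)
{ (void)ctx; (void)a; return (long)b; }

int main(void)
{
    struct fake_regs r = { 1, 2, 3, 4, 5, 0x1000 }; /* constructed values */
    printf("sixth arg = %#lx\n", (unsigned long)probe_mmap(&r));
    return 0;
}
```

Deleting the `model_args6` line reproduces the failure mode from the question in this model: the five-parameter form still builds, the six-parameter form does not.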

Should be addressed by https://github.com/libbpf/libbpf/issues/616, once that feature is implemented.

anakryiko, Nov 15 '22 05:11