Re: Need help in bpf exec hook for execsnoop command

> Check what error bpf_probe_read_user() returns. If it's -EFAULT, then
> it's probably the case that user memory is not physically present in
> memory and needs to be paged in, which is not allowed for
> non-sleepable BPF programs. So you'd need to make use of
> bpf_copy_from_user() and use sleepable BPF programs.

Hi Andrii,

We have tried using bpf_probe_read_user and it does not seem to be
returning any error; instead it returns 0. We are using a
non-sleepable BPF program.
This looks like a very special case where it is unable to fetch a few
arguments. This is the same behaviour in opensnoop as well. We have
also run the test on the 6.2 kernel and are seeing the same behaviour.

Do you suggest any alternative method to capture arguments in the eBPF
hooks? Or should we file a bug in the kernel eBPF subsystem?



