On Thu, Jan 20, 2022 at 2:57 PM <Kenta.Tada@xxxxxxxx> wrote: > > >did you check PT_REGS_PARM4_CORE() definition? This should be > > In my local test, this wrong code can pass the correct arg4 because the test just checks the value. The biggest problem is the lack of bpf_probe_read_kernel(). Your definition does direct memory read which won't work if pt_regs is not an input context to the BPF program. Which is exactly the case for syscalls. > Anyway I should attach the test for CORE variants at first. > Sorry. I'll fix the issues and add tests for CORE variants this weekend.
