>> >> >did you check PT_REGS_PARM4_CORE() definition? This should be
>> >> In my local test, this wrong code can pass the correct arg4 because the test just checks the value.
> >The biggest problem is the lack of bpf_probe_read_kernel(). Your definition does direct memory read which won't work if pt_regs is not an input context to the BPF program. Which is exactly the case for syscalls.

Yes. I'll use BPF_CORE_READ() for PT_REGS_PARM4_CORE() not to read direct memory.