>>> >>> >did you check PT_REGS_PARM4_CORE() definition? This should be
>>> >>>
>>> >>> In my local test, this wrong code can pass the correct arg4 because the test just checks the value.
>>
>> The biggest problem is the lack of bpf_probe_read_kernel(). Your definition does direct memory read which won't work if pt_regs is not an input context to the BPF program. Which is exactly the case for syscalls.
>
> Yes.
> I'll use BPF_CORE_READ() for PT_REGS_PARM4_CORE() not to read direct memory.

Sorry, not PT_REGS_PARM4_CORE() but PT_REGS_PARM4_CORE_SYSCALL().
And I confirmed the definition of PT_REGS_PARM4_CORE() and BPF_CORE_READ().
I'll use BPF_CORE_READ() for PT_REGS_PARM4_CORE_SYSCALL().