I am porting some code from an accept4(2) tracepoint to a fexit hook. Previously the tracepoint captured the enter and exit events separately so capturing everything in a single fexit hook is appealing. Inside of the exit tracepoint I was traversing the task struct to retrieve the connecting address. The path being as follows, but through a bunch of bpf_probe_read() calls. ((struct socket *)task->files->fd_array[connfd]->private_data)->sk-> __sk_common.skc_family __sk_common.skc_dport __sk_common.skc_daddr Worked consistently in the tracepoint. In the fexit implementation , testing with `nc -l 127.0.0.1 1234` and `nc 127.0.0.1 1234`, `task->files->fd_array[connfd]` contains 0. However, when running netcat under strace, e.g. `strace nc -l 127.0.0.1 1234`, it returns a valid pointer and finishes the traversal! I am wondering if the fexit hook is being called before the socket is written back to the task (like an XDP?) or what could cause this behavior. I am getting the task struct with `bpf_get_current_task()`. Thank you for the help, Douglas
