Issue
I'm using Linux kernel 4.19.90. Can I get both the parameters and the return values within one BPF program invocation? Or can I only save the parameters into maps and extract them from the maps during "sys_exit_"?
I just want to get both the parameters and the return values in one tracepoint function. Otherwise, is saving the parameters of a process into maps with the key <pid, syscall_num> safe?
Solution
You cannot get both the parameters and the result of a syscall within a single program invocation. In theory you can use a raw tracepoint to have one eBPF program handle both the entry and the return, but this would only make your goal harder.
The technique of using a map is the way to go. Place one program at the entry point to record the arguments. Then have a second program at the return to add the return value, remove the key from the map and "submit" the result, for example via a BPF_MAP_TYPE_PERF_EVENT_ARRAY map.
Since a thread can only ever execute one syscall at a time (it is blocked until the syscall returns), we can use the pid/tgid combo as a unique ID and key to transfer data between the two programs. You can use the bpf_get_current_pid_tgid helper to get it.
While you can use one map for multiple syscalls at the same time, it might be easier to create a map per program set, with the key being a __u64 for the pid-tgid and the value equal to the syscall params + return code, which will be different for each syscall.
Answered By - Dylan Reimerink
Answer Checked By - Candace Johnson (WPSolving Volunteer)
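The entry/exit hand-off from the answer, as an added example that is not part of the original post or the answerer's code. It is a user-space model written in plain C, not a loadable BPF object: the map_* helpers and the event sink are stand-ins for bpf_map_update_elem, bpf_map_lookup_elem, bpf_map_delete_elem and bpf_perf_event_output, and the two ctx structs carry only the payload fields of the syscalls/sys_enter and syscalls/sys_exit tracepoints (the common_* header is omitted). The tgid/tid values and syscall arguments in main are constructed for the demo. What it shows beyond the prose: two threads of one process with interleaved syscalls do not collide when the key is the full pid_tgid (tgid alone would), the key is deleted on exit so a late duplicate exit is dropped, and an exit with no recorded entry (a syscall already in flight when the programs were attached) is dropped rather than submitted.

```c
/* User-space model of the two-program, one-map pattern. Helpers below stand in
 * for the BPF map and perf-event helpers so the pairing logic compiles with cc. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload fields of syscalls/sys_enter and syscalls/sys_exit (common_* omitted). */
struct sys_enter_ctx { long id; unsigned long args[6]; };
struct sys_exit_ctx  { long id; long ret; };

/* Value of the hash map keyed by the __u64 pid_tgid. */
struct inflight { long id; unsigned long args[6]; };

/* Record handed to user space once entry and exit are paired. */
struct syscall_event { uint64_t pid_tgid; long id; unsigned long args[6]; long ret; };

/* --- stand-in for BPF_MAP_TYPE_HASH<__u64, struct inflight> --- */
#define MAP_MAX_ENTRIES 64
static struct { int used; uint64_t key; struct inflight val; } inflight_map[MAP_MAX_ENTRIES];

static struct inflight *map_lookup(uint64_t key)
{
    for (int i = 0; i < MAP_MAX_ENTRIES; i++)
        if (inflight_map[i].used && inflight_map[i].key == key)
            return &inflight_map[i].val;
    return NULL;
}

static int map_update(uint64_t key, const struct inflight *val) /* BPF_ANY semantics */
{
    struct inflight *existing = map_lookup(key);
    if (existing) { *existing = *val; return 0; }
    for (int i = 0; i < MAP_MAX_ENTRIES; i++)
        if (!inflight_map[i].used) {
            inflight_map[i].used = 1;
            inflight_map[i].key = key;
            inflight_map[i].val = *val;
            return 0;
        }
    return -1; /* map full */
}

static int map_delete(uint64_t key)
{
    for (int i = 0; i < MAP_MAX_ENTRIES; i++)
        if (inflight_map[i].used && inflight_map[i].key == key) {
            inflight_map[i].used = 0;
            return 0;
        }
    return -1; /* no such key */
}

/* --- stand-in for the perf event array: last record plus a counter --- */
static struct syscall_event last_event;
static int events_submitted;

/* bpf_get_current_pid_tgid() packs tgid in the upper 32 bits, tid in the lower. */
uint64_t make_pid_tgid(uint32_t tgid, uint32_t tid)
{
    return ((uint64_t)tgid << 32) | tid;
}

/* Program 1 (sys_enter): record id + args under the calling thread's key. */
int handle_sys_enter(uint64_t pid_tgid, const struct sys_enter_ctx *ctx)
{
    struct inflight v;
    v.id = ctx->id;
    memcpy(v.args, ctx->args, sizeof(v.args));
    return map_update(pid_tgid, &v);
}

/* Program 2 (sys_exit): pair ret with the saved args, delete the key, submit.
 * Returns -1 and submits nothing when no entry exists, e.g. for a syscall that
 * was already in progress when the entry program was attached. */
int handle_sys_exit(uint64_t pid_tgid, const struct sys_exit_ctx *ctx)
{
    struct inflight *v = map_lookup(pid_tgid);
    struct syscall_event ev;
    if (!v)
        return -1;
    ev.pid_tgid = pid_tgid;
    ev.id = v->id;
    memcpy(ev.args, v->args, sizeof(ev.args));
    ev.ret = ctx->ret;
    map_delete(pid_tgid);   /* free the slot; the thread is no longer in a syscall */
    last_event = ev;        /* here: bpf_perf_event_output(ctx, &events, ...) */
    events_submitted++;
    return 0;
}

int main(void)
{
    /* Constructed scenario: two threads of tgid 4242 with interleaved syscalls. */
    uint64_t t1 = make_pid_tgid(4242, 4242), t2 = make_pid_tgid(4242, 4243);
    struct sys_enter_ctx w = { .id = 1, .args = { 3, 0x7f00, 512 } };  /* write(3, buf, 512) */
    struct sys_enter_ctx r = { .id = 0, .args = { 5, 0x7f80, 4096 } }; /* read(5, buf, 4096) */
    struct sys_exit_ctx wx = { .id = 1, .ret = 512 }, rx = { .id = 0, .ret = 17 };

    handle_sys_enter(t1, &w);
    handle_sys_enter(t2, &r);
    handle_sys_exit(t2, &rx);   /* thread 4243 finishes first; gets its own args back */
    printf("tid %u syscall %ld fd=%lu ret=%ld\n", (unsigned)last_event.pid_tgid,
           last_event.id, last_event.args[0], last_event.ret);
    handle_sys_exit(t1, &wx);
    printf("tid %u syscall %ld fd=%lu ret=%ld\n", (unsigned)last_event.pid_tgid,
           last_event.id, last_event.args[0], last_event.ret);
    return 0;
}
```

In a real BPF object the two handlers would be separate SEC("tracepoint/syscalls/sys_enter_...") and SEC("tracepoint/syscalls/sys_exit_...") programs sharing the hash map, and the delete-before-submit order matters there too: it keeps the map from filling with stale keys when user space is slow to drain the perf buffer.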