BPF Calling Convention
● R0
  Return value from in-kernel function, and exit value for eBPF program
● R1 – R5
  Arguments from eBPF program to in-kernel function
● R6 – R9
  Callee saved registers that in-kernel function will preserve
● R10
  Read-only frame pointer to access stack
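The register roles above can be checked mechanically. The following is an added example, not code from the original slides or from the kernel: a toy checker over a constructed instruction format (the tuples and the helper names `helper_a` / `helper_b` are assumptions), modelling that R1 – R5 do not survive a call, that R0 must hold a value at exit, and that R10 cannot be written.

```python
# Added illustration: a toy checker for the eBPF register convention.
# Instruction tuples and helper names are constructed for this example.
ARG_REGS = range(1, 6)      # R1-R5: arguments, clobbered by a call
FRAME_PTR = 10              # R10: read-only frame pointer


def check(prog):
    """Return the first convention violation in prog, or None if it is clean."""
    init = {1, FRAME_PTR}   # at entry R1 holds the context, R10 the frame pointer
    for pc, insn in enumerate(prog):
        op = insn[0]
        if op in ("mov_imm", "mov_reg"):
            dst, src = insn[1], insn[2]
            if op == "mov_reg" and src not in init:
                return f"{pc}: R{src} read before it holds a value"
            if dst == FRAME_PTR:
                return f"{pc}: R10 is read-only"
            init.add(dst)
        elif op == "call":
            _, helper, nargs = insn
            for reg in range(1, nargs + 1):
                if reg not in init:
                    return f"{pc}: {helper} needs R{reg} as an argument"
            init -= set(ARG_REGS)   # callee may overwrite R1-R5
            init.add(0)             # R0 now holds the helper's return value
        elif op == "exit":
            return None if 0 in init else f"{pc}: exit with R0 unset"
    return f"{len(prog)}: fell off the end without exit"


# Context saved in callee-saved R6 before the call, so it survives.
GOOD = [("mov_reg", 6, 1), ("call", "helper_a", 1),
        ("mov_reg", 1, 6), ("call", "helper_b", 1), ("exit",)]
# Same idea, but R1 is reused after the first call clobbered it.
BAD_CLOBBER = [("call", "helper_a", 1), ("call", "helper_b", 1), ("exit",)]
BAD_FP = [("mov_imm", FRAME_PTR, 0), ("mov_imm", 0, 0), ("exit",)]
BAD_EXIT = [("mov_imm", 6, 0), ("exit",)]

if __name__ == "__main__":
    for name, prog in [("GOOD", GOOD), ("BAD_CLOBBER", BAD_CLOBBER),
                       ("BAD_FP", BAD_FP), ("BAD_EXIT", BAD_EXIT)]:
        print(name, "->", check(prog) or "ok")
```
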
memleak.py
# Excerpt: bpf_program, pid and kernel_trace are set up earlier in the script.
if not kernel_trace:
    # User-space mode: probe libc's allocator in the target process.
    print("Attaching to malloc and free in pid %d, "
          "Ctrl+C to quit." % pid)
    bpf_program.attach_uprobe(name="c", sym="malloc",
                              fn_name="alloc_enter", pid=pid)
    bpf_program.attach_uretprobe(name="c", sym="malloc",
                                 fn_name="alloc_exit", pid=pid)
    bpf_program.attach_uprobe(name="c", sym="free",
                              fn_name="free_enter", pid=pid)
else:
    # Kernel mode: probe the kernel allocator entry and return points.
    print("Attaching to kmalloc and kfree, Ctrl+C to quit.")
    bpf_program.attach_kprobe(event="__kmalloc",
                              fn_name="alloc_enter")
    bpf_program.attach_kretprobe(event="__kmalloc",
                                 fn_name="alloc_exit")
    bpf_program.attach_kprobe(event="kfree",
                              fn_name="free_enter")