
How to use registers in kprobe?


From kprobe document:

echo 'p:myprobe do_sys_open dfd=%ax filename=%dx flags=%cx mode=+4($stack)' > /sys/kernel/debug/tracing/kprobe_events

Per my understanding, on the X86_64 platform, the arguments should be passed in registers (please refer to X86_64 syscalls). So I think adding the probe should look like this:

echo 'p:myprobe do_sys_open dfd=%rdi filename=%rsi flags=%rdx mode=%rcx' > /sys/kernel/debug/tracing/kprobe_events

But when I execute the above statement, bash complains:

-bash: echo: write error: Invalid argument

So my question is: how to use registers in kprobe? Which registers are valid?


Solution

  • After discussing with the kprobe maintainer, I got the answer:

    The ftrace-kprobe interface does not accept a bit-width prefix like 'rax'; instead, it accepts 'ax'. The bit width is automatically chosen by the architecture. So please remove 'r' from all arguments. If you'd like to access eax or ax, you can use a typecast, such as %ax:u32.
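The rule from the answer, applied to the probe definition in the question. This is an added example, not part of the original post or the kernel documentation; the function names kprobe_fix_regs and kprobe_add are hypothetical, and leaving %r8 to %r15 untouched assumes the kernel's x86_64 register table names them that way.

```shell
#!/bin/sh
# Added example: normalize x86_64 register names in a kprobe_events
# definition into the form the ftrace-kprobe parser accepts.

# kprobe_fix_regs SPEC
#   %rdi      -> %di       drop the 64-bit 'r' prefix
#   %eax      -> %ax:u32   32-bit view expressed as a typecast
#   %ebx:u16  -> %bx:u16   an explicit typecast is kept as written
#   %r8..%r15 unchanged    (assumption: these names are valid as-is)
kprobe_fix_regs() {
    printf '%s\n' "$1" | sed -E \
        -e 's/%r(ax|bx|cx|dx|si|di|bp|sp|ip)([^a-z0-9_]|$)/%\1\2/g' \
        -e 's/%e(ax|bx|cx|dx|si|di|bp|sp):/%\1:/g' \
        -e 's/%e(ax|bx|cx|dx|si|di|bp|sp)([^a-z0-9_:]|$)/%\1:u32\2/g'
}

# kprobe_add SPEC [TRACEFS]
# Appends the normalized definition to kprobe_events (needs root).
# '>>' is used on purpose: a plain '>' clears the probes already defined.
# TRACEFS defaults to the path used in the question.
kprobe_add() {
    tracefs=${2:-/sys/kernel/debug/tracing}
    kprobe_fix_regs "$1" >> "$tracefs/kprobe_events"
}

# The definition from the question that failed with "Invalid argument",
# printed in its accepted form:
#   p:myprobe do_sys_open dfd=%di filename=%si flags=%dx mode=%cx
kprobe_fix_regs 'p:myprobe do_sys_open dfd=%rdi filename=%rsi flags=%rdx mode=%rcx'
```

To load the probe for real, run `kprobe_add 'p:myprobe do_sys_open dfd=%rdi filename=%rsi flags=%rdx mode=%rcx'` as root.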