Signatures of functions for attach_uretprobe

[christian-2]

What is the right signature for a function that is attached through attach_uretprobe()?

From function probe_SSL_read_exit() in tools/sslsniff.py is appears that it comprises only a single argument of type struct pt_regs *.

From function probe_SSL_read_exit() in /user/sbin/sslsniff-bpfcc (the version that comes with Debian package bpfcc-tools=0.18.0+ds-2) it appears that it is the same as for probe_SSL_read_enter(), i.e. that it comprises an argument of type struct pt_regs * plus other arguments corresponding to the signature of SSL_read(). But there is also a comment that says "It looks like SSL_read's arguments aren't available in a return probe" and logic to account for that.

So is it correct to assume that the signature in tools/sslsniff.py is the correct one and that the other one (in /user/sbin/sslsniff-bpfcc) is incorrect or outdated?

[christian-2]

Or can/should one perhaps look up all. arguments with PT_REGS_PARMx(ctx) in both function attached through attach_uprobe() and attach_uretprobe()?

[gipi]

I think that the uretprobe cannot use ctx since at the end of the function you are not sure that the cpu registers are not trashed during the execution.

Source: https://docs.ebpf.io/ebpf-library/libbpf/ebpf/BPF_KRETPROBE/