Description
The problem
Because of the syscall wrapper presented in Linux kernel v4.17 (link) (now I use v5.3 (link)), the function __x64_sys_##name is the syscall wrapper without parameters (the parameters cannot be read from the registers directly), and only the sub-function __sys_##name has the arguments. But if I want to use bpf_override_return to override the return value of a syscall, I can only add a kprobe to __x64_sys_##name, since those functions are in the "whitelist".
Conclusion
So if I add a kprobe to __x64_sys_##name, I can overwrite the return value but I cannot get the parameters. In contrast, if I want to get the parameters of a syscall, I must add a probe to __sys_##name.
The trouble
The method get_syscall_fnname always returns the name of the syscall like __x64_sys_##name, which has been giving me trouble with wrong parameters until now. Now I have found the root cause, and I have two problems:
- The method get_syscall_fnname may trouble some people who are using a new version of the kernel (like me). Maybe I must hard-code the syscall function name without using this function?
- I need to override the return value of a syscall in some cases according to the parameters of the syscall. If I do that, I must add a kprobe to __sys_##name and add a kretprobe to __x64_sys_##name. Ummm, I just feel that is ugly. Is there an elegant way to do that?