On Fri, Jun 13, 2025 at 09:37:11AM +0200, Alexis Lothoré (eBPF Foundation) wrote:
> When the target function receives more arguments than available registers, the additional arguments are passed on the stack, and so the generated trampoline needs to read those to prepare the bpf context, but also to prepare the target function stack when it is in charge of calling it. This works well for scalar types, but if the value is a struct, we cannot know for sure the exact struct location, as it may have been packed or manually aligned to a greater value.
https://refspecs.linuxbase.org/elf/x86_64-abi-0.99.pdf
Has fairly clear rules on how arguments are encoded. Broadly speaking, for the kernel, if the structure exceeds 2 registers in size, it is passed as a reference; otherwise it is passed as two registers.
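An added illustration of the concern in the quoted text (not code from the patch series or from either participant): three structs with the same members but different layout attributes land at different stack offsets, so member types alone do not locate the argument. The helper names are hypothetical, and the placement rule modeled here is an assumption taken from the x86-64 psABI: stack arguments occupy 8-byte-rounded slots, and an argument whose alignment exceeds 8 is placed at that alignment.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample types: same three members, different layout attributes. */
struct plain   { long a; long b; long c; };
struct packed3 { char a; long b; long c; } __attribute__((packed));
struct align16 { long a; long b; long c; } __attribute__((aligned(16)));

/* Round v up to a multiple of a (a must be a power of two). */
static size_t round_up(size_t v, size_t a) { return (v + a - 1) & ~(a - 1); }

/*
 * Hypothetical model: one 8-byte scalar is already on the stack at offset 0
 * (a 16-byte-aligned address at the call site). Return the offset at which
 * a struct with the given alignment is placed after it.
 */
size_t struct_offset_after_scalar(size_t align)
{
    size_t slot_align = align < 8 ? 8 : align;  /* slots are at least 8-aligned */
    return round_up(8, slot_align);
}

/* Offset of the next 8-byte scalar that follows the struct on the stack. */
size_t next_scalar_offset(size_t size, size_t align)
{
    return struct_offset_after_scalar(align) + round_up(size, 8);
}

#define SHOW(t) printf("%-15s size=%2zu align=%2zu at +%2zu, next arg at +%2zu\n", \
                       #t, sizeof(t), (size_t)_Alignof(t),                         \
                       struct_offset_after_scalar(_Alignof(t)),                    \
                       next_scalar_offset(sizeof(t), _Alignof(t)))

int main(void)
{
    SHOW(struct plain);    /* natural layout */
    SHOW(struct packed3);  /* 17 bytes of data, still fills a 24-byte slot */
    SHOW(struct align16);  /* 8 bytes of padding appear before the struct */
    return 0;
}
```

A trampoline that assumes every stack argument starts right after the previous 8-byte slot would read `struct align16` from the padding bytes.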