kprobe vs kretprobe — Code Deep Dive

lyan 2026-02-28

The Linux kernel provides several dynamic tracing mechanisms, among which kprobe and kretprobe are the most fundamental and widely used. Both allow injecting callbacks into kernel functions at runtime, but they serve different purposes and trigger at different points in execution.

kprobe: Can insert breakpoints at any probeable kernel address, providing two callback points — pre_handler (before instruction execution) and post_handler (after instruction execution).

kretprobe: Designed specifically for function-level tracing, providing entry_handler (function entry) and handler (function return) callbacks, with a built-in per-instance private data channel.

eBPF kprobe kretprobe
Read More

Search

Top Posts

Hot Posts

Recent Posts

Tag Cloud

Linux (61) XEN (29) Life (27) Memory (24) Virtualization (23) Diary (21) C/C++ (19) QEMU (17) test (15) CPU (14) Interest (11) Algorithm (11) VisualStudio (11) KVM (10) eBPF (8) MFC (8) AI (7) Debian (7) TorchDynamo (6) PyTorch (6) Kernel (6) OS (6) Jetson (5) OpenClaw (4) GPU (4) Kubernetes (4) Libvirt (4) Worklog (4) UEFI (4) NVIDIA (4) Git (4) Compiler (4)