Reputation: 4517
Both kprobes and kretprobes allow you to put a probe on a particular instruction in the kernel address.
If you register a kprobe, the pre_handler gets executed before the actual function and the post_handler after the actual function.
With kretprobes, you can get the entry_handler to execute before the actual function and the ret_handler to execute after the actual function, and it contains the return value of the function call.
So, what is the advantage of using kprobes over kretprobes, as kretprobes have the feature of kprobes plus the return value of the function?
Upvotes: 3
Views: 2122
Reputation: 6097
A kprobe can be placed on any instruction, not only at the start of a kernel function (if kprobes are allowed in the given kernel code, of course). The handlers of a kprobe run before and after the instruction.
Kretprobes only make sense for probing function entries and exits. The handlers of a kretprobe run on entry to a function and at its exit, rather than before and after some instruction, like kprobe handlers do.
Besides, if you don't need to run your code at the function exit, kprobes might be a better choice than kretprobes for probing functions (although Ftrace might be even better). Kretprobes meddle with the return address of the function on the stack to get the handler executed. If the function crashes or dumps the backtrace for some other reason, the backtrace may include the addresses of kretprobe internals rather than the real return addresses, which may be confusing.
https://www.kernel.org/doc/Documentation/kprobes.txt
Upvotes: 6
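The distinction drawn in the answer above, shown through the tracefs kprobe_events interface instead of the in-kernel register_kprobe()/register_kretprobe() calls (an added example, not part of the original posts): a `p` probe may sit at SYMBOL+OFFSET, while an `r` probe is tied to the function itself and is the only kind that can fetch `$retval`. The event names, the symbol `do_sys_openat2` and the offset `0x4` are assumptions, and the helper functions are hypothetical.

```shell
#!/bin/sh
# Added example: kprobe vs kretprobe definitions for tracefs kprobe_events.
# Event names, the probed symbol and the offset are illustrative assumptions.
TRACEFS=${TRACEFS:-/sys/kernel/tracing}

# probe_spec KIND EVENT SYMBOL OFFSET [FETCHARG...]
#   KIND p = kprobe: any instruction inside the function (SYMBOL+OFFSET)
#   KIND r = kretprobe: function entry/exit only, so OFFSET must be 0
probe_spec() {
    kind=$1; event=$2; sym=$3; off=$4
    shift 4
    case $kind in
    p)  # the return value does not exist yet when a kprobe fires
        for arg in "$@"; do
            case $arg in *'$retval'*)
                echo "kprobe $event: \$retval is only valid in a return probe" >&2
                return 1 ;;
            esac
        done ;;
    r)  # a return probe hooks the return address, not an instruction
        case $off in 0|0x0) ;; *)
            echo "kretprobe $event: offset must be 0, got $off" >&2
            return 1 ;;
        esac ;;
    *)  echo "unknown probe kind: $kind" >&2; return 1 ;;
    esac
    printf '%s:%s %s+%s' "$kind" "$event" "$sym" "$off"
    if [ $# -gt 0 ]; then printf ' %s' "$@"; fi
    printf '\n'
}

# install_probe SPEC: append the definition, then enable the new event.
# Events without an explicit group land in the default "kprobes" group.
install_probe() {
    spec=$1
    event=${spec#*:}; event=${event%% *}
    echo "$spec" >> "$TRACEFS/kprobe_events" || return 1
    echo 1 > "$TRACEFS/events/kprobes/$event/enable"
}

# Run as root with the argument "install" to register both probes.
# 0x4 is a constructed offset; it must be an instruction boundary in your kernel build.
if [ "${1:-}" = install ]; then
    install_probe "$(probe_spec p open_mid do_sys_openat2 0x4)"
    install_probe "$(probe_spec r open_ret do_sys_openat2 0 'ret=$retval')"
fi
```

Hits from both events appear in the `trace` file under the same tracefs mount; the kernel refuses a `p` definition whose offset does not fall on an instruction boundary.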