On Tue, May 07, 2024 at 05:35:54PM +0000, Edgecombe, Rick P wrote: > On Tue, 2024-05-07 at 12:53 +0200, Jiri Olsa wrote: > > diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c > > index 81e6ee95784d..ae6c3458a675 100644 > > --- a/arch/x86/kernel/uprobes.c > > +++ b/arch/x86/kernel/uprobes.c > > @@ -406,6 +406,11 @@ SYSCALL_DEFINE0(uretprobe) > > * trampoline's ret instruction > > */ > > r11_cx_ax[2] = regs->ip; > > + > > + /* make the shadow stack follow that */ > > + if (shstk_push_frame(regs->ip)) > > + goto sigill; > > + > > regs->ip = ip; > > > > Per the earlier discussion, this cannot be reached unless uretprobes are in use, > which cannot happen without something with privileges taking an action. But are > uretprobes ever used for monitoring applications where security is important? Or > is it strictly a debug-time thing? sorry, I don't have that level of detail, but we do have customers that use uprobes in general or want to use it and complain about the speed there are several tools in bcc [1] that use uretprobes in scripts, like: memleak, sslsniff, trace, bashreadline, gethostlatency, argdist, funclatency jirka [1] https://github.com/iovisor/bcc
