On Fri, May 03, 2024 at 01:34:53PM +0200, Peter Zijlstra wrote:
> On Thu, May 02, 2024 at 02:23:08PM +0200, Jiri Olsa wrote:
> > Adding uretprobe syscall instead of trap to speed up return probe.
> >
> > At the moment the uretprobe setup/path is:
> >
> >   - install entry uprobe
> >
> >   - when the uprobe is hit, it overwrites probed function's return address
> >     on stack with address of the trampoline that contains breakpoint
> >     instruction
> >
> >   - the breakpoint trap code handles the uretprobe consumers execution and
> >     jumps back to original return address
> >
> > This patch replaces the above trampoline's breakpoint instruction with new
> > uretprobe syscall call. This syscall does exactly the same job as the trap
> > with some more extra work:
> >
> >   - syscall trampoline must save original value for rax/r11/rcx registers
> >     on stack - rax is set to syscall number and r11/rcx are changed and
> >     used by syscall instruction
> >
> >   - the syscall code reads the original values of those registers and
> >     restores those values in task's pt_regs area
> >
> >   - only caller from trampoline exposed in '[uprobes]' is allowed,
> >     the process will receive SIGILL signal otherwise
> >
>
> Did you consider shadow stacks? IIRC we currently have userspace shadow
> stack support available, and that will utterly break all of this.

nope.. I guess it's the extra ret instruction in the trampoline that
would make it crash?

>
> It would be really nice if the new scheme would consider shadow stacks.

I seem to have the hw with support for user_shstk, let me test that

thanks,
jirka
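The quoted patch description says the trampoline has to save rax, r11 and rcx on the stack because the syscall instruction overwrites them. The C program below is an added illustration written for this page, not code from the thread or from the kernel patch: on x86-64 Linux it issues a raw `syscall` once without any saving and once with the trampoline-style push/pop of rax, r11 and rcx, and reports whether the registers survived. Everything in it is an assumption of the example: getpid stands in for the uretprobe syscall (whose number is not given on the page), the marker values are constructed, and the 128-byte rsp adjustment only exists to step below the SysV red zone before pushing from inline asm. It does not model the shadow-stack concern raised in the reply.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example, not from the thread or the kernel patch.  SYS_getpid stands in
 * for the uretprobe syscall (its number is not given on the page); the marker
 * values are constructed so that a clobber is easy to spot. */
#define MARK_RAX 0x3333333333333333ULL
#define MARK_RCX 0x1111111111111111ULL
#define MARK_R11 0x2222222222222222ULL

/* Raw syscall with no saving.  Returns 1 if rcx or r11 was changed by the
 * syscall instruction, 0 if both survived, -1 on a non-x86-64/Linux build. */
int raw_syscall_clobbers_rcx_r11(void)
{
#if defined(__x86_64__) && defined(__linux__)
	uint64_t rcx_after, r11_after;
	long ret;

	__asm__ volatile(
		"mov %[rcx_in], %%rcx\n\t"
		"mov %[r11_in], %%r11\n\t"
		"syscall\n\t"            /* CPU writes return rip to rcx, rflags to r11 */
		"mov %%rcx, %[rcx_out]\n\t"
		"mov %%r11, %[r11_out]\n\t"
		: "=a"(ret), [rcx_out] "=r"(rcx_after), [r11_out] "=r"(r11_after)
		: "a"((long)SYS_getpid), [rcx_in] "r"((uint64_t)MARK_RCX),
		  [r11_in] "r"((uint64_t)MARK_R11)
		: "rcx", "r11", "memory", "cc");
	(void)ret;
	return (rcx_after != MARK_RCX || r11_after != MARK_R11) ? 1 : 0;
#else
	return -1;
#endif
}

/* Trampoline-style syscall: the original rax/r11/rcx are pushed on the stack
 * before rax is loaded with the syscall number, and restored afterwards.  In
 * the patch the kernel reads the saved copies into pt_regs; here user space
 * pops them back itself, which is enough to show why the saves are needed.
 * Returns 0 if all three registers hold their original values after the call,
 * 1 if any was lost, -1 on a non-x86-64/Linux build. */
int saved_syscall_preserves_regs(void)
{
#if defined(__x86_64__) && defined(__linux__)
	uint64_t rax_after, rcx_after, r11_after;

	__asm__ volatile(
		"sub $128, %%rsp\n\t"    /* step below the SysV red zone before pushing */
		"mov %[rax_in], %%rax\n\t"
		"mov %[rcx_in], %%rcx\n\t"
		"mov %[r11_in], %%r11\n\t"
		"push %%rax\n\t"         /* save originals, as the trampoline does */
		"push %%r11\n\t"
		"push %%rcx\n\t"
		"mov %[nr], %%rax\n\t"   /* rax now carries the syscall number */
		"syscall\n\t"            /* rcx and r11 are overwritten here */
		"pop %%rcx\n\t"          /* restore from the saved copies */
		"pop %%r11\n\t"
		"pop %%rax\n\t"
		"add $128, %%rsp\n\t"
		"mov %%rax, %[rax_out]\n\t"
		"mov %%rcx, %[rcx_out]\n\t"
		"mov %%r11, %[r11_out]\n\t"
		: [rax_out] "=r"(rax_after), [rcx_out] "=r"(rcx_after),
		  [r11_out] "=r"(r11_after)
		: [nr] "i"((long)SYS_getpid), [rax_in] "r"((uint64_t)MARK_RAX),
		  [rcx_in] "r"((uint64_t)MARK_RCX), [r11_in] "r"((uint64_t)MARK_R11)
		: "rax", "rcx", "r11", "memory", "cc");

	return (rax_after == MARK_RAX && rcx_after == MARK_RCX &&
		r11_after == MARK_R11) ? 0 : 1;
#else
	return -1;
#endif
}

int main(void)
{
	printf("raw syscall clobbers rcx/r11: %d\n", raw_syscall_clobbers_rcx_r11());
	printf("saved-register syscall preserves rax/rcx/r11: %d\n",
	       saved_syscall_preserves_regs());
	return 0;
}
```

On an x86-64 Linux host the first function reports 1 (rcx now holds the user return rip and r11 the saved rflags) and the second reports 0; on any other target both return -1 because the asm is compiled out.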