On Tue, 2024-05-07 at 12:53 +0200, Jiri Olsa wrote: > diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c > index 81e6ee95784d..ae6c3458a675 100644 > --- a/arch/x86/kernel/uprobes.c > +++ b/arch/x86/kernel/uprobes.c > @@ -406,6 +406,11 @@ SYSCALL_DEFINE0(uretprobe) > * trampoline's ret instruction > */ > r11_cx_ax[2] = regs->ip; > + > + /* make the shadow stack follow that */ > + if (shstk_push_frame(regs->ip)) > + goto sigill; > + > regs->ip = ip; > Per the earlier discussion, this cannot be reached unless uretprobes are in use, which cannot happen without something with privileges taking an action. But are uretprobes ever used for monitoring applications where security is important? Or is it strictly a debug-time thing?