On 2026/3/25 20:51, Jiri Olsa wrote:
> On Tue, Mar 24, 2026 at 11:04:43PM +0800, Leon Hwang wrote:
>> uprobe programs are allowed to modify struct pt_regs.
>>
>> Since the actual program type of uprobe is KPROBE, it can be abused to
>> modify struct pt_regs via kprobe+freplace when the kprobe attaches to
>> kernel functions.
>>
>> For example,
>>
> SEC("?kprobe")
>> int kprobe(struct pt_regs *regs)
>> {
>> 	return 0;
>> }
>>
>> SEC("?freplace")
>> int freplace_kprobe(struct pt_regs *regs)
>> {
>> 	regs->di = 0;
>> 	return 0;
>> }
>>
>> freplace_kprobe prog will attach to kprobe prog.
>> kprobe prog will attach to a kernel function.
>>
>> Without this patch, when the kernel function runs, its first arg will
>> always be set as 0 via the freplace_kprobe prog.
>>
>> To avoid the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
>> freplace on kprobe programs with mismatched kprobe_write_ctx values.
>>
>> Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
>> Signed-off-by: Leon Hwang <[email protected]>
>
> hi,
> so it's another issue in addition to that one with tail-calls [1]
> do you plan to resend this fix as well?
>
> thanks,
> jirka
>
>
> [1] https://lore.kernel.org/bpf/[email protected]/
>
Kumar will re-post it soon.
Thanks,
Leon
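The attach-time rule the patch description states (an freplace program may only replace a KPROBE-type program whose kprobe_write_ctx setting matches its own) can be modelled in user space to see which combinations it admits and which it rejects. The block below is an added example written for this note; it is not part of the thread and not kernel code. The program type names come from the kernel UAPI and the kprobe_write_ctx field name from the commit message; the Prog record, the check_freplace_attach helper and the three sample programs are assumptions used to replay the scenario from the message.

```python
"""Stand-alone model of the freplace-on-kprobe compatibility check.

Simulation only: the kernel performs the real check at attach time; this
module just replays the policy described in the patch on constructed data.
"""
from dataclasses import dataclass

# Program type names as in the kernel UAPI enum bpf_prog_type.
KPROBE = "BPF_PROG_TYPE_KPROBE"   # used by both kprobe and uprobe programs
EXT = "BPF_PROG_TYPE_EXT"         # the type behind SEC("freplace")


@dataclass(frozen=True)
class Prog:
    """Assumed record of the few program attributes the check needs."""
    name: str
    prog_type: str
    # True when the program was verified with write access to struct pt_regs
    # (the uprobe case the commit message refers to as kprobe_write_ctx=true).
    kprobe_write_ctx: bool = False


def check_freplace_attach(ext: Prog, target: Prog) -> tuple[bool, str]:
    """Return (allowed, reason) for attaching 'ext' as a replacement of 'target'.

    Mirrors the rule from the patch description: an freplace program must not
    gain or lose pt_regs write access by being attached to a KPROBE program
    whose kprobe_write_ctx setting differs from its own.
    """
    if ext.prog_type != EXT:
        return False, f"{ext.name}: only {EXT} programs can freplace a target"
    if target.prog_type == KPROBE and ext.kprobe_write_ctx != target.kprobe_write_ctx:
        return False, (f"{ext.name}: kprobe_write_ctx={ext.kprobe_write_ctx} "
                       f"does not match target {target.name} "
                       f"(kprobe_write_ctx={target.kprobe_write_ctx})")
    return True, "ok"


# Constructed sample programs replaying the scenario in the commit message.
KPROBE_PLAIN = Prog("kprobe", KPROBE, kprobe_write_ctx=False)
UPROBE_WRITE = Prog("uprobe", KPROBE, kprobe_write_ctx=True)
FREPLACE_WRITE = Prog("freplace_kprobe", EXT, kprobe_write_ctx=True)
FREPLACE_PLAIN = Prog("freplace_plain", EXT, kprobe_write_ctx=False)


def replay_scenarios() -> dict[str, bool]:
    """Evaluate each (freplace, target) pair and return name -> allowed."""
    pairs = [
        (FREPLACE_WRITE, KPROBE_PLAIN),   # the abuse from the message: rejected
        (FREPLACE_WRITE, UPROBE_WRITE),   # matching write access: allowed
        (FREPLACE_PLAIN, KPROBE_PLAIN),   # neither side writes ctx: allowed
        (KPROBE_PLAIN, KPROBE_PLAIN),     # not an EXT program: rejected
    ]
    results = {}
    for ext, target in pairs:
        allowed, reason = check_freplace_attach(ext, target)
        results[f"{ext.name}->{target.name}"] = allowed
        print(f"{'ALLOW' if allowed else 'DENY '} {ext.name} -> {target.name}: {reason}")
    return results


if __name__ == "__main__":
    replay_scenarios()
```

Running the module prints one line per pair; the first pair is the kprobe+freplace combination the message warns about and is the only one of the compatible-type pairs that the modelled rule rejects.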