On Wed, Sep 03, 2025 at 10:56:10PM +0200, Jiri Olsa wrote:
> > > +SYSCALL_DEFINE0(uprobe)
> > > +{
> > > + struct pt_regs *regs = task_pt_regs(current);
> > > + struct uprobe_syscall_args args;
> > > + unsigned long ip, sp;
> > > + int err;
> > > +
> > > + /* Allow execution only from uprobe trampolines. */
> > > + if (!in_uprobe_trampoline(regs->ip))
> > > + goto sigill;
> >
> > Hey Jiri,
> >
> > So I've been thinking what's the simplest and most reliable way to
> > feature-detect support for this sys_uprobe (e.g., for libbpf to know
> > whether we should attach at nop5 vs nop1), and clearly that would be
> > to try to call uprobe() syscall not from trampoline, and expect some
> > error code.
> >
> > How bad would it be to change this part to return some unique-enough
> > error code (-ENXIO, -EDOM, whatever).
> >
> > Is there any reason not to do this? Security-wise it will be just fine,
> > right?
>
> good question.. maybe :) the sys_uprobe sigill error path followed the
> uprobe logic when things go bad, seem like good idea to be strict
>
> I understand it'd make the detection code simpler, but it could just
> just fork and check for sigill, right?
Can't you simply uprobe your own nop5 and read back the text to see what
it turns into?
