On Wed, Feb 18, 2026 at 07:18:25AM -0800, Dave Hansen wrote: > ... adding kprobes folks and Kees to cc > > On 2/18/26 06:47, Elly I. Esparza wrote: > > Kprobes can be used by rootkits to find the address of x64_sys_call(), > > x32_sys_call() and ia32_sys_call(). This in turn allows for the rootkits > > to find an specific syscall handler and hook it. > > > > Add x64_sys_call(), x32_sys_call() and ia32_sys_call() to the kprobes > > blacklist. > I'm an occasional, but not super regular kprobes user. Is this going to > hurt folks who are legitimately probing the syscall dispatch functions? > > I'm a bit worried that the rootkits will just move on to something else > and this will become a never ending game of whack-a-mole where half the > kernel needs NOKPROBE_SYMBOL(). ;)
So I really think this should be noinstr; pretty much all the code here is noinstr already, so why not include the syscall dispatch. Better still, noinstr ensures the spectre-v1 mitigation actually works.
