On February 18, 2026 7:32:44 AM PST, Peter Zijlstra <[email protected]> wrote: >On Wed, Feb 18, 2026 at 07:18:25AM -0800, Dave Hansen wrote: >> ... adding kprobes folks and Kees to cc >> >> On 2/18/26 06:47, Elly I. Esparza wrote: >> > Kprobes can be used by rootkits to find the address of x64_sys_call(), >> > x32_sys_call() and ia32_sys_call(). This in turn allows for the rootkits >> > to find an specific syscall handler and hook it. >> > >> > Add x64_sys_call(), x32_sys_call() and ia32_sys_call() to the kprobes >> > blacklist. >> I'm an occasional, but not super regular kprobes user. Is this going to >> hurt folks who are legitimately probing the syscall dispatch functions? >> >> I'm a bit worried that the rootkits will just move on to something else >> and this will become a never ending game of whack-a-mole where half the >> kernel needs NOKPROBE_SYMBOL(). ;) > >So I really think this should be noinstr; pretty much all the code here >is noinstr already, so why not include the syscall dispatch. > >Better still, noinstr ensures the spectre-v1 mitigation actually works.
Yes, and merging the x64 and x32 dispatches into one function actually enables a lot of code sharing.
