On Wed, 29 Apr 2026 17:40:53 +0900 Masami Hiramatsu (Google) <[email protected]> wrote:
> Shijia Hu <[email protected]> wrote:
> 
> > When a kernel module that registered kprobes is unloaded without calling
> > unregister_kprobe(), kprobes_module_callback() calls kill_kprobe() to
> > mark the probe(s) GONE. If the probe is an aggrprobe, kill_kprobe()
> > also marks all child probes GONE, but it does not remove them from
> > the aggrprobe's list.
> 
> That sounds like a bug in the module.

Agreed.

> 
> > 
> > The problem is that child probes whose struct kprobe resides in the
> > unloading module's memory are freed along with the module, yet they
> > remain on the aggrprobe's list. Later, when another caller registers
> > a kprobe at the same address, __get_valid_kprobe() walks that list
> > and dereferences the freed child probe, causing a use-after-free.
> > 
> > Reproduction steps:
> > 
> > 1) Load module A which registers two kprobes on the same kernel
> >    function address (e.g., do_nanosleep), causing them to be
> >    aggregated under one aggrprobe.
> > 
> > 2) Unload module A without calling unregister_kprobe().
> >    Module A's memory is freed, but its two child probes remain
> >    on the aggrprobe's list as dangling pointers.
> 
> Do you mean "load a buggy kernel module and unload it, and the kernel causes
> a use-after-free"? For example:
> 
> ----
> struct kprobe my_probe = {...};
> 
> init_module() {
> 	register_kprobe(&my_probe);
> }
> exit_module() {
> 	/* do nothing */
> }
> ----
> 
> Yes, this causes a UAF because that module has a bug. Please call
> unregister_kprobe().

Yes, this is one of those...

  Patient: Doctor, it hurts me when I do this.
  Doctor: Then don't do that.

... reports.

No, the kernel isn't responsible for fixing buggy modules.

-- Steve
