Re: Crash when attaching uretprobes to processes running in Docker
From: Oleg Nesterov
Date: Tue Jan 14 2025 - 05:58:59 EST
On 01/14, Jiri Olsa wrote:
>
> --- a/arch/x86/kernel/uprobes.c
> +++ b/arch/x86/kernel/uprobes.c
> @@ -315,14 +315,25 @@ asm (
> ".global uretprobe_trampoline_entry\n"
> "uretprobe_trampoline_entry:\n"
> "pushq %rax\n"
> + "pushq %rbx\n"
> "pushq %rcx\n"
> "pushq %r11\n"
> + "movq $1, %rbx\n"
> "movq $" __stringify(__NR_uretprobe) ", %rax\n"
> "syscall\n"
> ".global uretprobe_syscall_check\n"
> "uretprobe_syscall_check:\n"
> + "or %rbx,%rbx\n"
> + "jz uretprobe_syscall_return\n"
> "popq %r11\n"
> "popq %rcx\n"
> + "popq %rbx\n"
> + "popq %rax\n"
> + "int3\n"
> + "uretprobe_syscall_return:\n"
> + "popq %r11\n"
> + "popq %rcx\n"
> + "popq %rbx\n"
But why do we need to abuse %rbx? Can't uretprobe_trampoline_entry do
syscall
// int3_section, in case sys_uretprobe() doesn't work
popq %r11
popq %rcx
popq %rax
int3
uretprobe_syscall_return:
popq %r11
popq %rcx
popq %rbx
retq
and change sys_uretprobe() to do
- regs->ip = ip;
+ regs->ip = ip + sizeof(int3_section);
?
Oleg.