Re: [PATCH 1/2] x86: Prevent syscall hooking

Next message: Chen, Yu C: "Re: [PATCH v3 14/21] sched/cache: Respect LLC preference in task migration and detach"
Previous message: George Abraham P: "Re: [PATCH V2 RESEND] PCI/TPH: Skip Root Port completer check for RC_END devices"
In reply to: Dave Hansen: "Re: [PATCH 1/2] x86: Prevent syscall hooking"
Next in thread: H. Peter Anvin: "Re: [PATCH 1/2] x86: Prevent syscall hooking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Peter Zijlstra

Date: Wed Feb 18 2026 - 10:33:11 EST

On Wed, Feb 18, 2026 at 07:18:25AM -0800, Dave Hansen wrote:
> ... adding kprobes folks and Kees to cc
>
> On 2/18/26 06:47, Elly I. Esparza wrote:
> > Kprobes can be used by rootkits to find the address of x64_sys_call(),
> > x32_sys_call() and ia32_sys_call(). This in turn allows for the rootkits
> > to find an specific syscall handler and hook it.
> >
> > Add x64_sys_call(), x32_sys_call() and ia32_sys_call() to the kprobes
> > blacklist.
> I'm an occasional, but not super regular kprobes user. Is this going to
> hurt folks who are legitimately probing the syscall dispatch functions?
>
> I'm a bit worried that the rootkits will just move on to something else
> and this will become a never ending game of whack-a-mole where half the
> kernel needs NOKPROBE_SYMBOL(). ;)

So I really think this should be noinstr; pretty much all the code here
is noinstr already, so why not include the syscall dispatch.

Better still, noinstr ensures the spectre-v1 mitigation actually works.