Re: [PATCH] kprobes: Remove dead child probes from aggrprobe list on module unload

From: Steven Rostedt

Date: Wed Apr 29 2026 - 11:56:48 EST


On Wed, 29 Apr 2026 17:40:53 +0900
Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx> wrote:

> Shijia Hu <hushijia1@xxxxxxxxxxxxx> wrote:
>
> > When a kernel module that registered kprobes is unloaded without calling
> > unregister_kprobe(), kprobes_module_callback() calls kill_kprobe() to
> > mark the probe(s) GONE. If the probe is an aggrprobe, kill_kprobe()
> > also marks all child probes GONE, but it does not remove them from
> > the aggrprobe's list.
>
> That sounds like a bug in the module.

Agreed.

>
> >
> > The problem is that child probes whose struct kprobe resides in the
> > unloading module's memory are freed along with the module, yet they
> > remain on the aggrprobe's list. Later, when another caller registers
> > a kprobe at the same address, __get_valid_kprobe() walks that list
> > and dereferences the freed child probe, causing a use-after-free.
> >
> > Reproduction steps:
> >
> > 1) Load module A which registers two kprobes on the same kernel
> > function address (e.g., do_nanosleep), causing them to be
> > aggregated under one aggrprobe.
> >
> > 2) Unload module A without calling unregister_kprobe().
> > Module A's memory is freed, but its two child probes remain
> > on the aggrprobe's list as dangling pointers.
>
> Do you mean "load a buggy kernel module and unload it, and the kernel
> causes a use-after-free"? For example:
>
> ----
> #include <linux/module.h>
> #include <linux/kprobes.h>
>
> static struct kprobe my_probe = {...};
>
> static int __init my_init(void)
> {
> 	return register_kprobe(&my_probe);
> }
>
> static void __exit my_exit(void)
> {
> 	/* do nothing: unregister_kprobe(&my_probe) is never called */
> }
>
> module_init(my_init);
> module_exit(my_exit);
> ----
>
> Yes, this causes a UAF because that module has a bug. Please call
> unregister_kprobe().

Yes, this is one of those...

Patient: Doctor it hurts me when I do this
Doctor: Then don't do that

... reports.

No, the kernel isn't responsible for fixing buggy modules.

-- Steve
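For readers who want the correct version of what the thread describes: the reproduction in the patch description (two kprobes on one function, so they are aggregated under an aggrprobe) and the buggy-module sketch in the reply above both come down to the exit path. The module below is an added example, not code from the patch, from the kernel, or from any participant in the thread. It assumes a kernel build tree to compile against and uses do_nanosleep as the probed symbol only because the reproduction steps name it; the probe names, handlers and messages are illustrative. The one line that matters is unregister_kprobes() in the exit function: it unlinks both struct kprobe objects from the aggrprobe's list before the module's own .data section, where those objects live, is freed.

```c
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/kprobes.h>

/* Both probes target the same symbol, so registering the second one turns
 * the first into an aggrprobe and links both of them under it. The handler
 * is called with the child probe as p, not the aggrprobe. */
static int probe_a_pre(struct kprobe *p, struct pt_regs *regs)
{
	pr_info("kprobe A hit %s\n", p->symbol_name);
	return 0;	/* 0: let the probed instruction execute normally */
}

static int probe_b_pre(struct kprobe *p, struct pt_regs *regs)
{
	pr_info("kprobe B hit %s\n", p->symbol_name);
	return 0;
}

/* Symbol taken from the reproduction steps in the thread; any other
 * non-blacklisted kernel function works the same way (assumption). */
static struct kprobe probe_a = {
	.symbol_name = "do_nanosleep",
	.pre_handler = probe_a_pre,
};

static struct kprobe probe_b = {
	.symbol_name = "do_nanosleep",
	.pre_handler = probe_b_pre,
};

static struct kprobe *probes[] = { &probe_a, &probe_b };

static int __init aggr_demo_init(void)
{
	int ret;

	/* register_kprobes() registers the array in order; if a later entry
	 * fails it unregisters the ones already installed before returning. */
	ret = register_kprobes(probes, ARRAY_SIZE(probes));
	if (ret < 0) {
		pr_err("register_kprobes failed: %d\n", ret);
		return ret;
	}
	pr_info("two kprobes installed on %s\n", probe_a.symbol_name);
	return 0;
}

static void __exit aggr_demo_exit(void)
{
	/* This is the call the buggy module omits. Without it, probe_a and
	 * probe_b stay on the aggrprobe's list after this module's memory is
	 * freed, and the next register_kprobe() on the same address walks
	 * those dangling entries. */
	unregister_kprobes(probes, ARRAY_SIZE(probes));
	pr_info("two kprobes removed\n");
}

module_init(aggr_demo_init);
module_exit(aggr_demo_exit);
MODULE_LICENSE("GPL");
```

Build it with the usual out-of-tree Makefile (`obj-m += aggr_demo.o`, then `make -C /lib/modules/$(uname -r)/build M=$PWD modules`), load it, run something that sleeps (for example `sleep 1`) and check dmesg for both handler messages; unload it and register a third kprobe on the same symbol from another module to confirm the list was left clean. The array form register_kprobes()/unregister_kprobes() is used rather than two separate calls so that a partial registration failure cannot leave one probe installed with no matching unregister.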