[1] Add potential debug compilation option to Makefile

[2] Fix 'colors' issue when systemd service installation fails [3] [CI] Fix race condition with *_JUMP_LABEL engine resulting potential deadlock when LKRG is initialized parallel with other heavy kernel module (un)loading events [4] [ED] Rewrite internal logic how LKRG synchronizes with the task's resources - big change [5] [ED] Filter our kernel threads and system-init process when validation is performed bypassing threads iteration [6] [ED] Disable IRQ in most cases when ED's pids DB lock is taken. Otherwise, we might have potential race and deadlock with kprobe engine itself, and SoftIRQs might deadlock with pCFI
2019-04-29 19:36:20 +00:00 · 2019-04-29 19:36:20 +00:00 · fcf720967b
parent 3a9ef66437
commit fcf720967b
55 changed files with 569 additions and 394 deletions
--- a/6
+++ b/6
@ -13,6 +13,12 @@ P_KVER ?= $(shell uname -r)
 P_KERNEL := /lib/modules/$(P_KVER)/build
 P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh

+#
+# Uncomment for debug compilation
+#
+# ccflags-m := -ggdb
+# ccflags-y := ${ccflags-m}
+
 obj-m += p_lkrg.o
 p_lkrg-objs += src/modules/ksyms/p_resolve_ksym.o \
               src/modules/hashing/p_lkrg_fast_hash.o \
--- a/scripts/bootup/systemd/lkrg-systemd.sh
+++ b/scripts/bootup/systemd/lkrg-systemd.sh
@ -19,7 +19,7 @@ echo -e "  ${P_GREEN}[+] ${P_WHITE}Systemd detected${P_NC}"

 if [ "$1" == "install" ]; then
    if [ -f $P_SYSTEMD_DIR/lkrg.service ]; then
-	echo -e "      ${P_RED}ERROR! ${P_YL}lkrg.service${P_RED} file already exists under ${P_YL}$P_SYSTEMD_DIR${P_RED} folder"
+	echo -e "      ${P_RED}ERROR! ${P_YL}lkrg.service${P_RED} file already exists under ${P_YL}$P_SYSTEMD_DIR${P_RED} folder${P_NC}"
 	exit 1
    else
 	echo -e "       ${P_GREEN}Installing ${P_YL}lkrg.service${P_GREEN} file under ${P_YL}$P_SYSTEMD_DIR${P_GREEN} folder${P_NC}"
--- a/src/modules/database/p_database.c
+++ b/src/modules/database/p_database.c
@ -378,13 +378,14 @@ int p_create_database(void) {
   p_db.p_module_kobj_hash = p_lkrg_fast_hash((unsigned char *)p_db.p_module_kobj_array,
                                          (unsigned int)p_db.p_module_kobj_nr * sizeof(p_module_kobj_mem));
 */
-   /* Register module notification routine */
-   p_register_module_notifier();

   /* Release the 'module_mutex' */
   mutex_unlock(&module_mutex);
   p_text_section_unlock();

+   /* Register module notification routine - must be outside p_text_section_(un)lock */
+   p_register_module_notifier();
+
 /*
   if (p_install_arch_jump_label_transform_hook()) {
      p_print_log(P_LKRG_ERR,
--- a/src/modules/exploit_detection/p_exploit_detection.c
+++ b/src/modules/exploit_detection/p_exploit_detection.c
@ -39,6 +39,8 @@ struct kmem_cache *p_ed_pcfi_cache = NULL;
 int (*p_is_kernel_text_address)(unsigned long p_addr) = 0x0;
 int (*p_freeze_processes)(void) = 0x0;
 void (*p_thaw_processes)(void) = 0x0;
+void (*p_get_seccomp_filter)(struct task_struct *p_task) = 0x0;
+void (*p_put_seccomp_filter)(struct task_struct *p_task) = 0x0;

 unsigned long p_pcfi_CPU_flags = 0x0;

@ -169,6 +171,9 @@ void p_ed_wq_valid_cache_delete(void) {

 void p_dump_creds(struct p_cred *p_where, const struct cred *p_from) {

+   /* Get reference to cred */
+   get_cred(p_from);
+
   /* Track process's capabilities */
   memcpy(&p_where->cap_inheritable, &p_from->cap_inheritable, sizeof(kernel_cap_t));
   memcpy(&p_where->cap_permitted, &p_from->cap_permitted, sizeof(kernel_cap_t));
@ -195,10 +200,13 @@ void p_dump_creds(struct p_cred *p_where, const struct cred *p_from) {
   p_where->user     = p_from->user;
   p_where->user_ns  = p_from->user_ns;

+   /* Release reference to cred */
+   put_cred(p_from);
 }

 void p_dump_seccomp(struct p_seccomp *p_sec, struct task_struct *p_task) {

+   p_get_seccomp_filter(p_task);
   p_sec->sec.mode    = p_task->seccomp.mode;   // Mode
   p_sec->sec.filter  = p_task->seccomp.filter; // Filter
   if (test_tsk_thread_flag(p_task,TIF_SECCOMP))
@ -206,19 +214,22 @@ void p_dump_seccomp(struct p_seccomp *p_sec, struct task_struct *p_task) {
   else
      p_sec->flag = 0x0;
   p_sec->flag_sync_thread = 0x0;
+   p_put_seccomp_filter(p_task);

 }

 void p_update_ed_process(struct p_ed_process *p_source, struct task_struct *p_task) {

+   rcu_read_lock();
+   get_task_struct(p_task);
   /* Track process's metadata */
   p_source->p_ed_task.p_pid             = p_task->pid;
-   p_source->p_ed_task.p_cred_ptr        = p_task->cred;
-   p_source->p_ed_task.p_real_cred_ptr   = p_task->real_cred;
+   p_source->p_ed_task.p_cred_ptr        = rcu_dereference(p_task->cred);
+   p_source->p_ed_task.p_real_cred_ptr   = rcu_dereference(p_task->real_cred);
   p_source->p_ed_task.p_stack           = p_task->stack;
   /* Creds */
-   p_dump_creds(&p_source->p_ed_task.p_cred, p_task->cred);
-   p_dump_creds(&p_source->p_ed_task.p_real_cred, p_task->real_cred);
+   p_dump_creds(&p_source->p_ed_task.p_cred, p_source->p_ed_task.p_cred_ptr);
+   p_dump_creds(&p_source->p_ed_task.p_real_cred, p_source->p_ed_task.p_real_cred_ptr);
   /* Seccomp */
   p_dump_seccomp(&p_source->p_ed_task.p_sec, p_task);
   /* Name */
@ -227,6 +238,8 @@ void p_update_ed_process(struct p_ed_process *p_source, struct task_struct *p_ta
   /* Should be last here to propagate potential glitching */
   wmb();
   p_source->p_ed_task.p_task            = p_task;
+   put_task_struct(p_task);
+   rcu_read_unlock();

 }

@ -362,15 +375,15 @@ int p_dump_task_f(void *p_arg) {
   p_tmp->p_ed_task.p_off_count = 0x0;

   p_rb_init_ed_pid_node(&p_tmp->p_rb);
-   if (p_rb_add_ed_pid(&p_global_ed_pids_root, p_task->pid, p_tmp)) {
+   if (p_rb_add_ed_pid(&p_global_ed_pids_root, p_tmp->p_ed_task.p_pid, p_tmp)) {
      p_print_log(P_LKRG_INFO,
-                   "pid => %d is already inserted!\n",p_task->pid);
+                   "pid => %d is already inserted!\n",p_tmp->p_ed_task.p_pid);
      p_free_ed_pids(p_tmp);
      p_ret = 0x1;
      goto p_dump_task_f_out;
   } else {
      p_print_log(P_LKRG_INFO,
-                   "Inserting pid => %d\n", p_task->pid);
+                   "Inserting pid => %d\n", p_tmp->p_ed_task.p_pid);
   }

 p_dump_task_f_out:
@ -413,12 +426,13 @@ void p_iterate_processes(int (*p_func)(void *)) {

   int p_ret;
   struct task_struct *p_ptmp, *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_log(P_LKRG_STRONG_DBG,
          "Entering function <p_iterate_processes>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   rcu_read_lock();
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)
   for_each_process_thread(p_ptmp, p_tmp) {
@ -426,25 +440,21 @@ void p_iterate_processes(int (*p_func)(void *)) {
   // tasklist_lock
   do_each_thread(p_ptmp, p_tmp) {
 #endif
-      /* do not touch kernel threads or the global init */
-      if (p_tmp->flags & PF_KTHREAD || is_global_init(p_tmp))
-         continue;

-      if (p_tmp != current) {
-         task_lock(p_tmp);
-         if ( (p_ret = p_func(p_tmp)) != 0) {
-            p_print_log(P_LKRG_INFO,
-                         "<Exploit Detection> Error[%d] during process[%d |%s] iteration!\n",
-                                                              p_ret, task_pid_nr(p_tmp), p_tmp->comm);
-         }
-         task_unlock(p_tmp);
-      } else {
-         if ( (p_ret = p_func(p_tmp)) != 0) {
-            p_print_log(P_LKRG_INFO,
-                         "<Exploit Detection> Error[%d] during process[%d |%s] iteration!\n",
-                                                              p_ret, task_pid_nr(p_tmp), p_tmp->comm);
-         }
+      get_task_struct(p_tmp);
+      /* do not touch kernel threads or the global init */
+      if (!p_is_ed_task(p_tmp)) {
+         put_task_struct(p_tmp);
+         continue;
      }
+
+      if ( (p_ret = p_func(p_tmp)) != 0) {
+         p_print_log(P_LKRG_INFO,
+                      "<Exploit Detection> Error[%d] during process[%d |%s] iteration!\n",
+                                                           p_ret, task_pid_nr(p_tmp), p_tmp->comm);
+      }
+      put_task_struct(p_tmp);
+
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)
   }
 #else
@ -452,95 +462,95 @@ void p_iterate_processes(int (*p_func)(void *)) {
   } while_each_thread(p_ptmp, p_tmp);
 #endif
   rcu_read_unlock();
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 // STRONG_DEBUG
   p_debug_log(P_LKRG_STRONG_DBG,
          "Leaving function <p_iterate_processes>\n");
 }

-int p_cmp_creds(struct p_ed_process_task *p_task, struct task_struct *p_current, char p_opt) {
+int p_cmp_creds(struct p_cred *p_orig, const struct cred *p_current_cred, struct task_struct *p_current, char p_opt) {

   int p_ret = 0x0;

   /* *UID */
-   if (uid_gt(p_task->p_cred.uid, p_current->cred->uid)) {
+   if (uid_gt(p_orig->uid, p_current_cred->uid)) {
      if (p_opt) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> process[%d | %s] has different UID! %d vs %d\n",
             task_pid_nr(p_current), p_current->comm,
-             p_get_uid(&p_task->p_cred.uid), p_get_uid(&p_current->cred->uid));
+             p_get_uid(&p_orig->uid), p_get_uid(&p_current_cred->uid));
      }
      p_ret++;
   }

-   if (uid_gt(p_task->p_cred.euid, p_current->cred->euid)) {
+   if (uid_gt(p_orig->euid, p_current_cred->euid)) {
      if (p_opt) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> process[%d | %s] has different EUID! %d vs %d\n",
             task_pid_nr(p_current), p_current->comm,
-             p_get_uid(&p_task->p_cred.euid), p_get_uid(&p_current->cred->euid));
+             p_get_uid(&p_orig->euid), p_get_uid(&p_current_cred->euid));
      }
      p_ret++;
   }

-   if (uid_gt(p_task->p_cred.suid, p_current->cred->suid)) {
+   if (uid_gt(p_orig->suid, p_current_cred->suid)) {
      if (p_opt) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> process[%d | %s] has different SUID! %d vs %d\n",
             task_pid_nr(p_current), p_current->comm,
-             p_get_uid(&p_task->p_cred.suid), p_get_uid(&p_current->cred->suid));
+             p_get_uid(&p_orig->suid), p_get_uid(&p_current_cred->suid));
      }
      p_ret++;
   }

-   if (uid_gt(p_task->p_cred.fsuid, p_current->cred->fsuid)) {
+   if (uid_gt(p_orig->fsuid, p_current_cred->fsuid)) {
      if (p_opt) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> process[%d | %s] has different FSUID! %d vs %d\n",
             task_pid_nr(p_current), p_current->comm,
-             p_get_uid(&p_task->p_cred.fsuid), p_get_uid(&p_current->cred->fsuid));
+             p_get_uid(&p_orig->fsuid), p_get_uid(&p_current_cred->fsuid));
      }
      p_ret++;
   }

   /* *GID */
-   if (gid_gt(p_task->p_cred.gid, p_current->cred->gid)) {
+   if (gid_gt(p_orig->gid, p_current_cred->gid)) {
      if (p_opt) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> process[%d | %s] has different GID! %d vs %d\n",
             task_pid_nr(p_current), p_current->comm,
-             p_get_gid(&p_task->p_cred.gid), p_get_gid(&p_current->cred->gid));
+             p_get_gid(&p_orig->gid), p_get_gid(&p_current_cred->gid));
      }
      p_ret++;
   }

-   if (gid_gt(p_task->p_cred.egid, p_current->cred->egid)) {
+   if (gid_gt(p_orig->egid, p_current_cred->egid)) {
      if (p_opt) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> process[%d | %s] has different EGID! %d vs %d\n",
             task_pid_nr(p_current), p_current->comm,
-             p_get_gid(&p_task->p_cred.egid), p_get_gid(&p_current->cred->egid));
+             p_get_gid(&p_orig->egid), p_get_gid(&p_current_cred->egid));
      }
      p_ret++;
   }

-   if (gid_gt(p_task->p_cred.sgid, p_current->cred->sgid)) {
+   if (gid_gt(p_orig->sgid, p_current_cred->sgid)) {
      if (p_opt) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> process[%d | %s] has different SGID! %d vs %d\n",
             task_pid_nr(p_current), p_current->comm,
-             p_get_gid(&p_task->p_cred.sgid), p_get_gid(&p_current->cred->sgid));
+             p_get_gid(&p_orig->sgid), p_get_gid(&p_current_cred->sgid));
      }
      p_ret++;
   }

-   if (gid_gt(p_task->p_cred.fsgid, p_current->cred->fsgid)) {
+   if (gid_gt(p_orig->fsgid, p_current_cred->fsgid)) {
      if (p_opt) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> process[%d | %s] has different FSGID! %d vs %d\n",
             task_pid_nr(p_current), p_current->comm,
-             p_get_gid(&p_task->p_cred.fsgid), p_get_gid(&p_current->cred->fsgid));
+             p_get_gid(&p_orig->fsgid), p_get_gid(&p_current_cred->fsgid));
      }
      p_ret++;
   }
@ -553,7 +563,8 @@ int p_cmp_tasks(struct p_ed_process *p_orig, struct task_struct *p_current) {
   int p_ret = 0x0;
   char *p_sec_strings[3] = { "SECCOMP_MODE_DISABLED", "SECCOMP_MODE_STRICT", "SECCOMP_MODE_FILTER" };
   register long p_off = p_orig->p_ed_task.p_off ^ p_global_off_cookie;
-
+   const struct cred *p_current_cred = NULL;
+   const struct cred *p_current_real_cred = NULL;

   if (p_off - p_global_cnt_cookie) {
      p_validate_off_flag(p_orig,p_off);   // Validate
@ -618,6 +629,16 @@ int p_cmp_tasks(struct p_ed_process *p_orig, struct task_struct *p_current) {
      return 0x0;
   }

+   /*
+    * Fetch pointers first
+    */
+   p_current_cred = rcu_dereference(p_current->cred);
+   /* Get reference to cred */
+   get_cred(p_current_cred);
+   p_current_real_cred = rcu_dereference(p_current->real_cred);
+   /* Get reference to real_cred */
+   get_cred(p_current_real_cred);
+
   /* Validate stack first */
   if (p_ed_pcfi_validate_sp(p_current,p_orig,p_get_thread_sp(p_current))) {
      p_print_log(P_LKRG_CRIT,
@ -628,8 +649,8 @@ int p_cmp_tasks(struct p_ed_process *p_orig, struct task_struct *p_current) {
      p_ret++;
   }

-   if (p_orig->p_ed_task.p_cred_ptr != p_current->cred) {
-      if (p_cmp_creds(&p_orig->p_ed_task, p_current, 0x0)) {
+   if (p_orig->p_ed_task.p_cred_ptr != p_current_cred) {
+      if (p_cmp_creds(&p_orig->p_ed_task.p_cred, p_current_cred, p_current, 0x0)) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> Detected pointer swapping attack!"
                                  "process[%d | %s] has different 'cred' pointer [0x%p vs 0x%p]\n",
@ -639,8 +660,8 @@ int p_cmp_tasks(struct p_ed_process *p_orig, struct task_struct *p_current) {
      }
   }

-   if (p_orig->p_ed_task.p_real_cred_ptr != p_current->real_cred) {
-      if (p_cmp_creds(&p_orig->p_ed_task, p_current, 0x0)) {
+   if (p_orig->p_ed_task.p_real_cred_ptr != p_current_real_cred) {
+      if (p_cmp_creds(&p_orig->p_ed_task.p_real_cred, p_current_real_cred, p_current, 0x0)) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> Detected pointer swapping attack!"
                                  "process[%d | %s] has different 'real_cred' pointer [0x%p vs 0x%p]\n",
@ -650,10 +671,13 @@ int p_cmp_tasks(struct p_ed_process *p_orig, struct task_struct *p_current) {
      }
   }

-   p_ret += p_cmp_creds(&p_orig->p_ed_task, p_current, 0x1);
+   p_ret += p_cmp_creds(&p_orig->p_ed_task.p_cred, p_current_cred, p_current, 0x1);
+   if (p_ret)
+      p_ret += p_cmp_creds(&p_orig->p_ed_task.p_real_cred, p_current_real_cred, p_current, 0x1);

   /* Seccomp */
   if (p_orig->p_ed_task.p_sec.flag) { // SECCOMP was enabled so it make sense to compare...
+      p_get_seccomp_filter(p_current);
      if (test_tsk_thread_flag(p_current,TIF_SECCOMP) != p_orig->p_ed_task.p_sec.flag) {
         p_print_log(P_LKRG_CRIT,
             "<Exploit Detection> Detected SECCOMP corruption!"
@ -690,8 +714,14 @@ int p_cmp_tasks(struct p_ed_process *p_orig, struct task_struct *p_current) {
                                  p_orig->p_ed_task.p_sec.sec.filter, p_current->seccomp.filter);
         p_ret++;
      }
+      p_put_seccomp_filter(p_current);
   }

+   /* Release reference to cred */
+   put_cred(p_current_cred);
+   /* Release reference to real_cred */
+   put_cred(p_current_real_cred);
+
   return p_ret;
 }

@ -705,6 +735,9 @@ int p_validate_task_f(void *p_arg) {
   p_debug_log(P_LKRG_STRONG_DBG,
          "Entering function <p_validate_task_f>\n");

+   rcu_read_lock();
+   get_task_struct(p_task);
+
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(p_task))) == NULL) {
      // This process is not on the list!
      if (p_task->state != TASK_DEAD) {
@ -716,15 +749,16 @@ int p_validate_task_f(void *p_arg) {
      goto p_validate_task_out;
   }

-   rcu_read_lock();
   if (p_cmp_tasks(p_tmp, p_task)) {
      // kill this process!
      p_ed_kill_task_by_task(p_task);
   }
-   rcu_read_unlock();

 p_validate_task_out:

+   put_task_struct(p_task);
+   rcu_read_unlock();
+
 // STRONG_DEBUG
   p_debug_log(P_LKRG_STRONG_DBG,
          "Leaving function <p_validate_task_f> (p_ret => %d)\n",p_ret);
@ -905,7 +939,7 @@ static inline int p_is_obj_on_stack(struct task_struct *p_task, const void *p_ad
 int p_ed_enforce_pcfi(struct task_struct *p_task, struct p_ed_process *p_orig, struct pt_regs *p_regs) {

   unsigned int i;
-   unsigned long p_flags;
+//   unsigned long p_flags;
   struct stack_trace p_trace;
   const void *p_fp = (const void *)p_regs_get_fp(p_regs);
 #ifdef CONFIG_X86
@ -955,7 +989,8 @@ int p_ed_enforce_pcfi(struct task_struct *p_task, struct p_ed_process *p_orig, s

   while ( (p_trace.entries = p_ed_pcfi_alloc()) == NULL); // Should never be NULL

-   local_irq_save(p_flags);
+   /* Current logic always call this function with IRQ disabled */
+//   local_irq_save(p_flags);

   p_trace.max_entries = P_PCFI_STACK_BUF/sizeof(p_trace.entries[0]);
   p_trace.nr_entries = 0;
@ -1064,7 +1099,8 @@ p_ed_enforce_pcfi_unlock_out:

 #endif

-   local_irq_restore(p_flags);
+   /* Current logic always call this function with IRQ disabled */
+//   local_irq_restore(p_flags);

   p_ed_pcfi_free(p_trace.entries);

@ -1225,6 +1261,24 @@ int p_exploit_detection_init(void) {
      goto p_exploit_detection_init_out;
   }

+   p_get_seccomp_filter = (void (*)(struct task_struct *))p_kallsyms_lookup_name("get_seccomp_filter");
+
+   if (!p_get_seccomp_filter) {
+      p_print_log(P_LKRG_ERR,
+             "[ED] ERROR: Can't find 'get_seccomp_filter' function :( Exiting...\n");
+      p_ret = P_LKRG_GENERAL_ERROR;
+      goto p_exploit_detection_init_out;
+   }
+
+   p_put_seccomp_filter = (void (*)(struct task_struct *))p_kallsyms_lookup_name("put_seccomp_filter");
+
+   if (!p_put_seccomp_filter) {
+      p_print_log(P_LKRG_ERR,
+             "[ED] ERROR: Can't find 'put_seccomp_filter' function :( Exiting...\n");
+      p_ret = P_LKRG_GENERAL_ERROR;
+      goto p_exploit_detection_init_out;
+   }
+
 #ifdef CONFIG_SECURITY_SELINUX
   p_selinux_enabled    = (int *)p_kallsyms_lookup_name("selinux_enabled");
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
--- a/src/modules/exploit_detection/p_exploit_detection.h
+++ b/src/modules/exploit_detection/p_exploit_detection.h
@ -311,6 +311,11 @@ static inline unsigned long get_random_long(void) {
 }
 #endif

+static inline unsigned int p_is_ed_task(struct task_struct *p_task) {
+
+   return p_task->mm && !is_global_init(p_task);
+}
+
 static inline int p_ed_kill_task_by_task(struct task_struct *p_task) {

   p_print_log(P_LKRG_CRIT,
--- a/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.c
+++ b/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.c
@ -33,7 +33,7 @@ struct p_ed_process *p_rb_find_ed_pid(struct rb_root *p_root, pid_t p_arg) {
   p_debug_log(P_LKRG_STRONG_DBG,
          "Entering function <p_rb_find_ed_pid>\n");

-//   spin_lock(&p_rb_ed_pids_lock);
+//   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);

   while(p_node) {
      p_struct = rb_entry(p_node, struct p_ed_process, p_rb);
@ -54,7 +54,7 @@ p_rb_find_ed_pid_out:
   p_debug_log(P_LKRG_STRONG_DBG,
          "Leaving function <p_rb_find_ed_pid> (p_ret => 0x%p)\n",p_ret);

-//   spin_unlock(&p_rb_ed_pids_lock);
+//   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   return p_ret;
 }
--- a/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.c
+++ b/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.c
@ -41,18 +41,19 @@ static struct kretprobe p_x32_sys_execve_kretprobe = {
 int p_x32_sys_execve_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_x32_sys_execve_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   p_debug_kprobe_log(
          "Leaving function <p_x32_sys_execve_entry>\n");

@ -64,6 +65,7 @@ int p_x32_sys_execve_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)

 //   struct inode *p_inode;
   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_x32_sys_execve_ret>\n");
@ -77,7 +79,7 @@ int p_x32_sys_execve_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
 */

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - update information!
      p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",task_pid_nr(current));
@ -86,7 +88,7 @@ int p_x32_sys_execve_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
      if (!p_regs_get_ret(p_regs))
         p_reset_ed_flags(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execveat/p_x32_sys_execveat.c
+++ b/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execveat/p_x32_sys_execveat.c
@ -41,18 +41,19 @@ static struct kretprobe p_x32_sys_execveat_kretprobe = {
 int p_x32_sys_execveat_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_x32_sys_execveat_entry>\n");

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_x32_sys_execveat_entry>\n");
@ -65,6 +66,7 @@ int p_x32_sys_execveat_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs

 //   struct inode *p_inode;
   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_x32_sys_execveat_ret>\n");
@ -78,7 +80,7 @@ int p_x32_sys_execveat_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs
 */

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - update information!
      p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",task_pid_nr(current));
@ -87,7 +89,7 @@ int p_x32_sys_execveat_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs
      if (!p_regs_get_ret(p_regs))
         p_reset_ed_flags(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_keyctl/p_x32_sys_keyctl.c
+++ b/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_keyctl/p_x32_sys_keyctl.c
@ -41,18 +41,19 @@ static struct kretprobe p_x32_sys_keyctl_kretprobe = {
 int p_x32_sys_keyctl_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_x32_sys_keyctl_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_x32_sys_keyctl_entry>\n");
@ -64,6 +65,7 @@ int p_x32_sys_keyctl_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_re
 int p_x32_sys_keyctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_x32_sys_keyctl_ret>\n");
@ -72,7 +74,7 @@ int p_x32_sys_keyctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!IS_ERR((void *)p_regs_get_ret(p_regs))) {
         // This process is on the ED list - update information!
@ -81,7 +83,7 @@ int p_x32_sys_keyctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_ptrace/p_x32_sys_ptrace.c
+++ b/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_ptrace/p_x32_sys_ptrace.c
@ -51,17 +51,18 @@ static struct kretprobe p_x32_sys_ptrace_kretprobe = {
 int p_x32_sys_ptrace_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
          "Entering function <p_x32_sys_ptrace_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/caps/p_cap_task_prctl/p_cap_task_prctl.c
+++ b/src/modules/exploit_detection/syscalls/caps/p_cap_task_prctl/p_cap_task_prctl.c
@ -37,18 +37,19 @@ static struct kretprobe p_cap_task_prctl_kretprobe = {
 int p_cap_task_prctl_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_cap_task_prctl_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_cap_task_prctl_entry>\n");
@ -61,6 +62,7 @@ int p_cap_task_prctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)

   struct p_ed_process *p_tmp;
   long p_ret = (long)p_regs_get_ret(p_regs);
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_cap_task_prctl_ret>\n");
@ -69,7 +71,7 @@ int p_cap_task_prctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (p_ret >= 0) {
         // This process is on the ED list - update information!
@ -78,7 +80,7 @@ int p_cap_task_prctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/caps/p_sys_capset/p_sys_capset.c
+++ b/src/modules/exploit_detection/syscalls/caps/p_sys_capset/p_sys_capset.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_capset_kretprobe = {
 int p_sys_capset_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_capset_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_capset_entry>\n");
@ -60,6 +61,7 @@ int p_sys_capset_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs)
 int p_sys_capset_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_capset_ret>\n");
@ -68,7 +70,7 @@ int p_sys_capset_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_capset_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/compat/p_compat_sys_add_key/p_compat_sys_add_key.c
+++ b/src/modules/exploit_detection/syscalls/compat/p_compat_sys_add_key/p_compat_sys_add_key.c
@ -45,18 +45,19 @@ static struct kretprobe p_compat_sys_add_key_kretprobe = {
 int p_compat_sys_add_key_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_add_key_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_compat_sys_add_key_entry>\n");
@ -68,6 +69,7 @@ int p_compat_sys_add_key_entry(struct kretprobe_instance *p_ri, struct pt_regs *
 int p_compat_sys_add_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_add_key_ret>\n");
@ -76,7 +78,7 @@ int p_compat_sys_add_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_re
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!IS_ERR((void *)p_regs_get_ret(p_regs))) {
         // This process is on the ED list - update information!
@ -85,7 +87,7 @@ int p_compat_sys_add_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_re
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/compat/p_compat_sys_capset/p_compat_sys_capset.c
+++ b/src/modules/exploit_detection/syscalls/compat/p_compat_sys_capset/p_compat_sys_capset.c
@ -45,18 +45,19 @@ static struct kretprobe p_compat_sys_capset_kretprobe = {
 int p_compat_sys_capset_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_capset_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_compat_sys_capset_entry>\n");
@ -68,6 +69,7 @@ int p_compat_sys_capset_entry(struct kretprobe_instance *p_ri, struct pt_regs *p
 int p_compat_sys_capset_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_capset_ret>\n");
@ -76,7 +78,7 @@ int p_compat_sys_capset_ret(struct kretprobe_instance *ri, struct pt_regs *p_reg
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -85,7 +87,7 @@ int p_compat_sys_capset_ret(struct kretprobe_instance *ri, struct pt_regs *p_reg
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/compat/p_compat_sys_delete_module/p_compat_sys_delete_module.c
+++ b/src/modules/exploit_detection/syscalls/compat/p_compat_sys_delete_module/p_compat_sys_delete_module.c
@ -44,16 +44,17 @@ static struct kretprobe p_compat_sys_delete_module_kretprobe = {
 int p_compat_sys_delete_module_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_delete_module_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();
   if (!capable(CAP_SYS_MODULE)) {
--- a/src/modules/exploit_detection/syscalls/compat/p_compat_sys_execve/p_compat_sys_execve.c
+++ b/src/modules/exploit_detection/syscalls/compat/p_compat_sys_execve/p_compat_sys_execve.c
@ -39,18 +39,20 @@ static struct kretprobe p_compat_sys_execve_kretprobe = {
 int p_compat_sys_execve_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_execve_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
+
   p_debug_kprobe_log(
          "Leaving function <p_compat_sys_execve_entry>\n");

@ -62,6 +64,7 @@ int p_compat_sys_execve_ret(struct kretprobe_instance *ri, struct pt_regs *p_reg

 //   struct inode *p_inode;
   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_execve_ret>\n");
@ -75,7 +78,7 @@ int p_compat_sys_execve_ret(struct kretprobe_instance *ri, struct pt_regs *p_reg
 */

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - update information!
      p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",task_pid_nr(current));
@ -84,7 +87,7 @@ int p_compat_sys_execve_ret(struct kretprobe_instance *ri, struct pt_regs *p_reg
      if (!p_regs_get_ret(p_regs))
         p_reset_ed_flags(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/compat/p_compat_sys_execveat/p_compat_sys_execveat.c
+++ b/src/modules/exploit_detection/syscalls/compat/p_compat_sys_execveat/p_compat_sys_execveat.c
@ -40,18 +40,19 @@ static struct kretprobe p_compat_sys_execveat_kretprobe = {
 int p_compat_sys_execveat_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_execveat_entry>\n");

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_compat_sys_execveat_entry>\n");
@ -64,6 +65,7 @@ int p_compat_sys_execveat_ret(struct kretprobe_instance *ri, struct pt_regs *p_r

 //   struct inode *p_inode;
   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_execveat_ret>\n");
@ -77,7 +79,7 @@ int p_compat_sys_execveat_ret(struct kretprobe_instance *ri, struct pt_regs *p_r
 */

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - update information!
      p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",task_pid_nr(current));
@ -86,7 +88,7 @@ int p_compat_sys_execveat_ret(struct kretprobe_instance *ri, struct pt_regs *p_r
      if (!p_regs_get_ret(p_regs))
         p_reset_ed_flags(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/compat/p_compat_sys_keyctl/p_compat_sys_keyctl.c
+++ b/src/modules/exploit_detection/syscalls/compat/p_compat_sys_keyctl/p_compat_sys_keyctl.c
@ -39,18 +39,19 @@ static struct kretprobe p_compat_sys_keyctl_kretprobe = {
 int p_compat_sys_keyctl_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_keyctl_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_compat_sys_keyctl_entry>\n");
@ -62,6 +63,7 @@ int p_compat_sys_keyctl_entry(struct kretprobe_instance *p_ri, struct pt_regs *p
 int p_compat_sys_keyctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_keyctl_ret>\n");
@ -70,7 +72,7 @@ int p_compat_sys_keyctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_reg
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!IS_ERR((void *)p_regs_get_ret(p_regs))) {
         // This process is on the ED list - update information!
@ -79,7 +81,7 @@ int p_compat_sys_keyctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_reg
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/compat/p_compat_sys_ptrace/p_compat_sys_ptrace.c
+++ b/src/modules/exploit_detection/syscalls/compat/p_compat_sys_ptrace/p_compat_sys_ptrace.c
@ -49,17 +49,18 @@ static struct kretprobe p_compat_sys_ptrace_kretprobe = {
 int p_compat_sys_ptrace_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
          "Entering function <p_compat_sys_ptrace_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/compat/p_compat_sys_request_key/p_compat_sys_request_key.c
+++ b/src/modules/exploit_detection/syscalls/compat/p_compat_sys_request_key/p_compat_sys_request_key.c
@ -45,18 +45,19 @@ static struct kretprobe p_compat_sys_request_key_kretprobe = {
 int p_compat_sys_request_key_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_request_key_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_compat_sys_request_key_entry>\n");
@ -68,6 +69,7 @@ int p_compat_sys_request_key_entry(struct kretprobe_instance *p_ri, struct pt_re
 int p_compat_sys_request_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_compat_sys_request_key_ret>\n");
@ -76,7 +78,7 @@ int p_compat_sys_request_key_ret(struct kretprobe_instance *ri, struct pt_regs *
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!IS_ERR((void *)p_regs_get_ret(p_regs))) {
         // This process is on the ED list - update information!
@ -85,7 +87,7 @@ int p_compat_sys_request_key_ret(struct kretprobe_instance *ri, struct pt_regs *
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/keyring/p_key_change_session_keyring/p_key_change_session_keyring.c
+++ b/src/modules/exploit_detection/syscalls/keyring/p_key_change_session_keyring/p_key_change_session_keyring.c
@ -37,16 +37,17 @@ static struct kretprobe p_key_change_session_keyring_kretprobe = {
 int p_key_change_session_keyring_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_key_change_session_keyring_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_key_change_session_keyring_entry>\n");
@ -58,6 +59,7 @@ int p_key_change_session_keyring_entry(struct kretprobe_instance *p_ri, struct p
 int p_key_change_session_keyring_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_key_change_session_keyring_ret>\n");
@ -66,7 +68,7 @@ int p_key_change_session_keyring_ret(struct kretprobe_instance *ri, struct pt_re
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // Always update information - intercepted void function
      // This process is on the ED list - update information!
@ -74,7 +76,7 @@ int p_key_change_session_keyring_ret(struct kretprobe_instance *ri, struct pt_re
      p_update_ed_process(p_tmp, current);
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/keyring/p_sys_add_key/p_sys_add_key.c
+++ b/src/modules/exploit_detection/syscalls/keyring/p_sys_add_key/p_sys_add_key.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_add_key_kretprobe = {
 int p_sys_add_key_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_add_key_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_add_key_entry>\n");
@ -60,6 +61,7 @@ int p_sys_add_key_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs)
 int p_sys_add_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_add_key_ret>\n");
@ -68,7 +70,7 @@ int p_sys_add_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!IS_ERR((void *)p_regs_get_ret(p_regs))) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_add_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/keyring/p_sys_keyctl/p_sys_keyctl.c
+++ b/src/modules/exploit_detection/syscalls/keyring/p_sys_keyctl/p_sys_keyctl.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_keyctl_kretprobe = {
 int p_sys_keyctl_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_keyctl_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_keyctl_entry>\n");
@ -60,6 +61,7 @@ int p_sys_keyctl_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs)
 int p_sys_keyctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_keyctl_ret>\n");
@ -68,7 +70,7 @@ int p_sys_keyctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!IS_ERR((void *)p_regs_get_ret(p_regs))) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_keyctl_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/keyring/p_sys_request_key/p_sys_request_key.c
+++ b/src/modules/exploit_detection/syscalls/keyring/p_sys_request_key/p_sys_request_key.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_request_key_kretprobe = {
 int p_sys_request_key_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_request_key_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_request_key_entry>\n");
@ -60,6 +61,7 @@ int p_sys_request_key_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_r
 int p_sys_request_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_request_key_ret>\n");
@ -68,7 +70,7 @@ int p_sys_request_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!IS_ERR((void *)p_regs_get_ret(p_regs))) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_request_key_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/override/overlayfs/p_ovl_create_or_link/p_ovl_create_or_link.c
+++ b/src/modules/exploit_detection/syscalls/override/overlayfs/p_ovl_create_or_link/p_ovl_create_or_link.c
@ -49,24 +49,27 @@ int p_ovl_create_or_link_entry(struct kretprobe_instance *p_ri, struct pt_regs *
 int p_ovl_create_or_link_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_ovl_create_or_link_ret>\n");

-   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
-   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
-      if (p_verify_ovl_create_or_link(p_tmp))
-         p_set_ed_process_override_on(p_tmp);
+   if (p_is_ed_task(current)) {
+      // Update process
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
+         if (p_verify_ovl_create_or_link(p_tmp))
+            p_set_ed_process_override_on(p_tmp);
+      }
+      p_validate_task_f(current);
+      if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         p_ed_kill_task_by_task(current);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   p_validate_task_f(current);
-   if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      p_ed_kill_task_by_task(current);
-   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_debug_kprobe_log(
          "Leaving function <p_ovl_create_or_link_ret>\n");
--- a/src/modules/exploit_detection/syscalls/override/p_override_creds/p_override_creds.c
+++ b/src/modules/exploit_detection/syscalls/override/p_override_creds/p_override_creds.c
@ -37,22 +37,25 @@ static struct kretprobe p_override_creds_kretprobe = {
 int p_override_creds_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_override_creds_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
-   p_validate_task_f(current);
-   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
-      /*
-       * Set temporary 'disable' flag:
-       *  - It is possible that this flag is already set. This is not a problem because in
-       *    normal scenario task that ends up being here must call 'revert_creds' before
-       *    switching to user-mode. This will 'normalize' this flag to the correct state.
-       */
-      p_set_ed_process_override_off(p_tmp);
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_validate_task_f(current);
+      if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
+         /*
+          * Set temporary 'disable' flag:
+          *  - It is possible that this flag is already set. This is not a problem because in
+          *    normal scenario task that ends up being here must call 'revert_creds' before
+          *    switching to user-mode. This will 'normalize' this flag to the correct state.
+          */
+         p_set_ed_process_override_off(p_tmp);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_debug_kprobe_log(
          "Leaving function <p_override_creds_entry>\n");
@ -64,19 +67,22 @@ int p_override_creds_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_re
 int p_override_creds_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_override_creds_ret>\n");

-   spin_lock(&p_rb_ed_pids_lock);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
-   if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      p_ed_kill_task_by_task(current);
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+      if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         p_ed_kill_task_by_task(current);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_debug_kprobe_log(
          "Leaving function <p_override_creds_ret>\n");
--- a/src/modules/exploit_detection/syscalls/override/p_revert_creds/p_revert_creds.c
+++ b/src/modules/exploit_detection/syscalls/override/p_revert_creds/p_revert_creds.c
@ -48,23 +48,26 @@ int p_revert_creds_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs
 int p_revert_creds_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_revert_creds_ret>\n");

-   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
-   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
-      p_set_ed_process_override_on(p_tmp);
+   if (p_is_ed_task(current)) {
+      // Update process
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
+         p_set_ed_process_override_on(p_tmp);
+      }
+      p_validate_task_f(current);
+      if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         p_ed_kill_task_by_task(current);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   p_validate_task_f(current);
-   if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      p_ed_kill_task_by_task(current);
-   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_debug_kprobe_log(
          "Leaving function <p_revert_creds_ret>\n");
--- a/src/modules/exploit_detection/syscalls/pCFI/p_lookup_fast/p_lookup_fast.c
+++ b/src/modules/exploit_detection/syscalls/pCFI/p_lookup_fast/p_lookup_fast.c
@ -47,6 +47,7 @@ static struct kretprobe p_pcfi_lookup_fast_kretprobe = {
 int p_pcfi_lookup_fast_entry_noextra(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -54,16 +55,18 @@ int p_pcfi_lookup_fast_entry_noextra(struct kretprobe_instance *p_ri, struct pt_

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
-   if (p_ed_pcfi_validate_sp(current, p_tmp, p_regs_get_sp(p_regs))) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      // kill this process!
-      p_ed_kill_task_by_task(current);
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+      if (p_ed_pcfi_validate_sp(current, p_tmp, p_regs_get_sp(p_regs))) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         // kill this process!
+         p_ed_kill_task_by_task(current);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_ed_pcfi_validate_cpu(1);

@ -76,6 +79,7 @@ int p_pcfi_lookup_fast_entry_noextra(struct kretprobe_instance *p_ri, struct pt_
 int p_pcfi_lookup_fast_entry_extra(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -83,16 +87,18 @@ int p_pcfi_lookup_fast_entry_extra(struct kretprobe_instance *p_ri, struct pt_re

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
-   if (p_ed_pcfi_validate_sp(current, p_tmp, p_regs_get_sp(p_regs))) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      // kill this process!
-      p_ed_kill_task_by_task(current);
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+      if (p_ed_pcfi_validate_sp(current, p_tmp, p_regs_get_sp(p_regs))) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         // kill this process!
+         p_ed_kill_task_by_task(current);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_ed_pcfi_validate_cpu_extra(1);

--- a/src/modules/exploit_detection/syscalls/pCFI/p_mark_inode_dirty/p_mark_inode_dirty.c
+++ b/src/modules/exploit_detection/syscalls/pCFI/p_mark_inode_dirty/p_mark_inode_dirty.c
@ -47,6 +47,7 @@ static struct kretprobe p_pcfi_mark_inode_dirty_kretprobe = {
 int p_pcfi_mark_inode_dirty_entry_noextra(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -54,47 +55,48 @@ int p_pcfi_mark_inode_dirty_entry_noextra(struct kretprobe_instance *p_ri, struc

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));

-   if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
-      struct inode *p_inode = (struct inode *)p_regs_get_arg1(p_regs);
+      if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
+         struct inode *p_inode = (struct inode *)p_regs_get_arg1(p_regs);
 #if 0
-      struct dentry *p_dentry = NULL;
+         struct dentry *p_dentry = NULL;

-      if ( (p_dentry = d_find_alias(p_inode)) != NULL) {
-         char *p_buf;
-         if ( (p_buf = kmalloc(PAGE_SIZE << 1, GFP_ATOMIC)) != NULL) {
-            char *p_tmp = dentry_path_raw(p_dentry, p_buf, PAGE_SIZE << 1);
-            if (!IS_ERR(p_tmp)) {
-               p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
-                      "CFI failed during access to path [%s]\n",p_tmp);
+         if ( (p_dentry = d_find_alias(p_inode)) != NULL) {
+            char *p_buf;
+            if ( (p_buf = kmalloc(PAGE_SIZE << 1, GFP_ATOMIC)) != NULL) {
+               char *p_tmp = dentry_path_raw(p_dentry, p_buf, PAGE_SIZE << 1);
+               if (!IS_ERR(p_tmp)) {
+                  p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
+                         "CFI failed during access to path [%s]\n",p_tmp);
+               } else {
+                  p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
+                         "CFI failed during access to path which LKRG can't extract :(\n");
+               }
+               kfree(p_buf);
            } else {
               p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
                      "CFI failed during access to path which LKRG can't extract :(\n");
            }
-            kfree(p_buf);
+            dput(p_dentry);
         } else {
            p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
                   "CFI failed during access to path which LKRG can't extract :(\n");
         }
-         dput(p_dentry);
-      } else {
-         p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
-                "CFI failed during access to path which LKRG can't extract :(\n");
-      }
 #endif
-      p_print_log(P_LKRG_CRIT, "<Exploit Detection> Path's inode[%lu] mode[0x%x] will be isolated!\n",
-             p_inode->i_ino,p_inode->i_mode);
+         p_print_log(P_LKRG_CRIT, "<Exploit Detection> Path's inode[%lu] mode[0x%x] will be isolated!\n",
+                p_inode->i_ino,p_inode->i_mode);

-      p_set_uid(&p_inode->i_uid, 65534);
-      p_set_gid(&p_inode->i_gid, 65534);
-//      p_inode->i_mode = 0x0;
-      p_inode->i_mode = 0x0 | S_IFREG;
+         p_set_uid(&p_inode->i_uid, 65534);
+         p_set_gid(&p_inode->i_gid, 65534);
+//         p_inode->i_mode = 0x0;
+         p_inode->i_mode = 0x0 | S_IFREG;
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }

-   spin_unlock(&p_rb_ed_pids_lock);
-
   p_ed_pcfi_validate_cpu(1);

 // STRONG_DEBUG
@ -107,6 +109,7 @@ int p_pcfi_mark_inode_dirty_entry_noextra(struct kretprobe_instance *p_ri, struc
 int p_pcfi_mark_inode_dirty_entry_extra(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -114,47 +117,48 @@ int p_pcfi_mark_inode_dirty_entry_extra(struct kretprobe_instance *p_ri, struct

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));

-   if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
-      struct inode *p_inode = (struct inode *)p_regs_get_arg1(p_regs);
+      if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
+         struct inode *p_inode = (struct inode *)p_regs_get_arg1(p_regs);
 #if 0
-      struct dentry *p_dentry = NULL;
+         struct dentry *p_dentry = NULL;

-      if ( (p_dentry = d_find_alias(p_inode)) != NULL) {
-         char *p_buf;
-         if ( (p_buf = kmalloc(PAGE_SIZE << 1, GFP_ATOMIC)) != NULL) {
-            char *p_tmp = dentry_path_raw(p_dentry, p_buf, PAGE_SIZE << 1);
-            if (!IS_ERR(p_tmp)) {
-               p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
-                      "CFI failed during access to path [%s]\n",p_tmp);
+         if ( (p_dentry = d_find_alias(p_inode)) != NULL) {
+            char *p_buf;
+            if ( (p_buf = kmalloc(PAGE_SIZE << 1, GFP_ATOMIC)) != NULL) {
+               char *p_tmp = dentry_path_raw(p_dentry, p_buf, PAGE_SIZE << 1);
+               if (!IS_ERR(p_tmp)) {
+                  p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
+                         "CFI failed during access to path [%s]\n",p_tmp);
+               } else {
+                  p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
+                         "CFI failed during access to path which LKRG can't extract :(\n");
+               }
+               kfree(p_buf);
            } else {
               p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
                      "CFI failed during access to path which LKRG can't extract :(\n");
            }
-            kfree(p_buf);
+            dput(p_dentry);
         } else {
            p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
                   "CFI failed during access to path which LKRG can't extract :(\n");
         }
-         dput(p_dentry);
-      } else {
-         p_print_log(P_LKRG_CRIT, "<Exploit Detection> "
-                "CFI failed during access to path which LKRG can't extract :(\n");
-      }
 #endif
-      p_print_log(P_LKRG_CRIT, "<Exploit Detection> Path's inode[%lu] mode[0x%x] will be isolated!\n",
-             p_inode->i_ino,p_inode->i_mode);
+         p_print_log(P_LKRG_CRIT, "<Exploit Detection> Path's inode[%lu] mode[0x%x] will be isolated!\n",
+                p_inode->i_ino,p_inode->i_mode);

-      p_set_uid(&p_inode->i_uid, 65534);
-      p_set_gid(&p_inode->i_gid, 65534);
-//      p_inode->i_mode = 0x0;
-      p_inode->i_mode = 0x0 | S_IFREG;
+         p_set_uid(&p_inode->i_uid, 65534);
+         p_set_gid(&p_inode->i_gid, 65534);
+//         p_inode->i_mode = 0x0;
+         p_inode->i_mode = 0x0 | S_IFREG;
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }

-   spin_unlock(&p_rb_ed_pids_lock);
-
   p_ed_pcfi_validate_cpu_extra(1);

 // STRONG_DEBUG
--- a/src/modules/exploit_detection/syscalls/pCFI/p_schedule/p_schedule.c
+++ b/src/modules/exploit_detection/syscalls/pCFI/p_schedule/p_schedule.c
@ -47,6 +47,7 @@ static struct kretprobe p_pcfi_schedule_kretprobe = {
 int p_pcfi_schedule_entry_noextra(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -54,16 +55,18 @@ int p_pcfi_schedule_entry_noextra(struct kretprobe_instance *p_ri, struct pt_reg

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
-   if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      // kill this process!
-      p_ed_kill_task_by_task(current);
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+      if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         // kill this process!
+         p_ed_kill_task_by_task(current);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_ed_pcfi_validate_cpu(0);

@ -77,6 +80,7 @@ int p_pcfi_schedule_entry_noextra(struct kretprobe_instance *p_ri, struct pt_reg
 int p_pcfi_schedule_entry_extra(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -84,16 +88,18 @@ int p_pcfi_schedule_entry_extra(struct kretprobe_instance *p_ri, struct pt_regs

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
-   if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      // kill this process!
-      p_ed_kill_task_by_task(current);
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+      if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         // kill this process!
+         p_ed_kill_task_by_task(current);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_ed_pcfi_validate_cpu_extra(0);

--- a/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
+++ b/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
@ -43,6 +43,7 @@ int p_call_usermodehelper_entry(struct kretprobe_instance *p_ri, struct pt_regs
   struct subprocess_info *p_subproc = (struct subprocess_info *)p_regs_get_arg1(p_regs);
   unsigned int p_cnt, p_umh_cnt;
   unsigned char p_umh_allowed = 0x0;
+   unsigned long p_flags;
   struct p_umh_whitelist p_umh[] = {

      { "/etc/acpi/events/RadioPower.sh", 0x0 },
@ -89,12 +90,12 @@ int p_call_usermodehelper_entry(struct kretprobe_instance *p_ri, struct pt_regs
   if (p_lkrg_global_ctrl.p_umh_lock)
      goto p_call_usermodehelper_entry_not_allowed;

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_umh_cnt = sizeof(p_umh) / sizeof(p_umh[0]);
   for (p_cnt = 0x0; p_cnt < p_umh_cnt; p_cnt++) {
@ -153,19 +154,20 @@ int p_call_usermodehelper_ret(struct kretprobe_instance *ri, struct pt_regs *p_r

 //   struct inode *p_inode;
   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_call_usermodehelper_ret>\n");

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - update information!
      p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",task_pid_nr(current));
      p_update_ed_process(p_tmp, current);
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.c
+++ b/src/modules/exploit_detection/syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.c
@ -36,20 +36,23 @@ static struct kretprobe p_call_usermodehelper_exec_kretprobe = {
 int p_call_usermodehelper_exec_entry_noextra(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_call_usermodehelper_exec_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
-   p_validate_task_f(current);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
-   if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      p_ed_kill_task_by_task(current);
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_validate_task_f(current);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+      if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         p_ed_kill_task_by_task(current);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_ed_pcfi_validate_cpu(1);

@ -62,20 +65,23 @@ int p_call_usermodehelper_exec_entry_noextra(struct kretprobe_instance *p_ri, st
 int p_call_usermodehelper_exec_entry_extra(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_call_usermodehelper_exec_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
-   p_validate_task_f(current);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
-   if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      p_ed_kill_task_by_task(current);
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_validate_task_f(current);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+      if (p_ed_enforce_pcfi(current, p_tmp, p_regs)) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         p_ed_kill_task_by_task(current);
+      }
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   spin_unlock(&p_rb_ed_pids_lock);

   p_ed_pcfi_validate_cpu_extra(1);

--- a/src/modules/exploit_detection/syscalls/p_do_exit/p_do_exit.c
+++ b/src/modules/exploit_detection/syscalls/p_do_exit/p_do_exit.c
@ -37,6 +37,7 @@ static struct kretprobe p_do_exit_kretprobe = {
 int p_do_exit_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_do_exit_entry>\n");
@ -45,7 +46,7 @@ int p_do_exit_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
@ -54,7 +55,7 @@ int p_do_exit_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
   if (p_remove_task_pid_f(task_pid_nr(current))) {
      ;// DEBUG: p_print_log(P_LKRG_CRIT, "Can't remove ED pid (is not on the list) => %d [%s]\n",task_pid_nr(current),current->comm);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_do_exit_entry>\n");
--- a/src/modules/exploit_detection/syscalls/p_do_fork/p_do_fork.c
+++ b/src/modules/exploit_detection/syscalls/p_do_fork/p_do_fork.c
@ -41,13 +41,14 @@ static struct kretprobe p_do_fork_kretprobe = {
 int p_do_fork_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

@ -60,6 +61,7 @@ int p_do_fork_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct task_struct *p_task = p_regs_get_ret(p_regs) ? pid_task(find_vpid(p_regs_get_ret(p_regs)), PIDTYPE_PID) : NULL;
   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_do_fork_ret>\n");
@ -70,9 +72,9 @@ int p_do_fork_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   /* do not touch kernel threads or the global init */
   if (p_task) {
-      spin_lock(&p_rb_ed_pids_lock);
-      task_lock(p_task);
-      if (!(p_task->flags & PF_KTHREAD || is_global_init(p_task))) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+//      if (!(p_task->flags & PF_KTHREAD || is_global_init(p_task))) {
+      if (p_is_ed_task(p_task)) {
         int p_ret;

         if ( (p_ret = p_dump_task_f(p_task)) != 0) {
@ -90,8 +92,7 @@ int p_do_fork_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
            }
         }
      }
-      task_unlock(p_task);
-      spin_unlock(&p_rb_ed_pids_lock);
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }

 //   p_ed_enforce_validation();
--- a/src/modules/exploit_detection/syscalls/p_do_init_module/p_do_init_module.c
+++ b/src/modules/exploit_detection/syscalls/p_do_init_module/p_do_init_module.c
@ -44,16 +44,17 @@ static struct kretprobe p_do_init_module_kretprobe = {
 int p_do_init_module_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_do_init_module_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_generic_permission/p_generic_permission.c
+++ b/src/modules/exploit_detection/syscalls/p_generic_permission/p_generic_permission.c
@ -65,6 +65,7 @@ static struct kretprobe p_generic_permission_kretprobe = {
 int p_generic_permission_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp = NULL;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -72,17 +73,19 @@ int p_generic_permission_entry(struct kretprobe_instance *p_ri, struct pt_regs *

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
-   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
-   if (p_ed_pcfi_validate_sp(current, p_tmp, p_regs_get_sp(p_regs))) {
-      p_print_log(P_LKRG_CRIT,
-             "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
-             current->comm,task_pid_nr(current));
-      // kill this process!
-      p_ed_kill_task_by_task(current);
+   if (p_is_ed_task(current)) {
+      spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
+      p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
+      if (p_ed_pcfi_validate_sp(current, p_tmp, p_regs_get_sp(p_regs))) {
+         p_print_log(P_LKRG_CRIT,
+                "<Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[%s | %d] !!!\n",
+                current->comm,task_pid_nr(current));
+         // kill this process!
+         p_ed_kill_task_by_task(current);
+      }
+      p_validate_task_f(current);
+      spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
   }
-   p_validate_task_f(current);
-   spin_unlock(&p_rb_ed_pids_lock);

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -95,6 +98,7 @@ int p_generic_permission_entry(struct kretprobe_instance *p_ri, struct pt_regs *
 int p_generic_permission_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

 //   struct p_ed_process *p_tmp = NULL;
+//   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -102,7 +106,7 @@ int p_generic_permission_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_

 //   p_ed_enforce_validation();
 /*
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current));
   if (p_ed_pcfi_validate_sp(current, p_regs, p_tmp)) {
      p_print_log(P_LKRG_CRIT,
@ -110,7 +114,7 @@ int p_generic_permission_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_
             current->comm,task_pid_nr(current));
      p_ed_kill_task_by_task(current);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
 */
 // STRONG_DEBUG
   p_debug_kprobe_log(
--- a/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.c
+++ b/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.c
@ -51,6 +51,7 @@ static struct kretprobe p_seccomp_kretprobe = {
 int p_seccomp_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -58,7 +59,7 @@ int p_seccomp_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,17,0)
@ -69,22 +70,17 @@ int p_seccomp_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

         p_tmp->p_ed_task.p_sec.flag_sync_thread = 0x1;

+         rcu_read_lock();
         // Available since 3.14.0
         for_each_thread(p_father, p_threads) {
-            if (p_threads != p_father) {
-               task_lock(p_threads);
-               p_child_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(p_threads));
-               if (p_child_tmp) {
-                  p_set_ed_process_off(p_child_tmp);
-               }
-               task_unlock(p_threads);
-            } else {
-               p_child_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(p_threads));
-               if (p_child_tmp) {
-                  p_set_ed_process_off(p_child_tmp);
-               }
+            get_task_struct(p_threads);
+            p_child_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(p_threads));
+            if (p_child_tmp) {
+               p_set_ed_process_off(p_child_tmp);
            }
+            put_task_struct(p_threads);
         }
+         rcu_read_unlock();
      } else {
 #endif
         p_set_ed_process_off(p_tmp);
@ -92,7 +88,7 @@ int p_seccomp_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
      }
 #endif
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 // STRONG_DEBUG
   p_debug_kprobe_log(
@ -106,12 +102,13 @@ int p_seccomp_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
   char p_update = ((long)p_regs_get_ret(p_regs) >= 0) ? 1 : 0;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
          "Entering function <p_seccomp_ret>\n");
   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - update information!
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,17,0)
@ -120,27 +117,22 @@ int p_seccomp_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
         struct task_struct *p_threads = p_father;
         struct p_ed_process *p_child_tmp;

+         rcu_read_lock();
         // Available since 3.14.0
         for_each_thread(p_father, p_threads) {
+            get_task_struct(p_threads);
            p_child_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(p_threads));
            if (p_child_tmp) {
-               if (p_threads != p_father) {
-                  task_lock(p_threads);
-                  if (p_update) {
-                     p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",p_threads->pid);
-                     p_update_ed_process(p_child_tmp, p_threads);
-                  }
-                  p_set_ed_process_on(p_child_tmp);
-                  task_unlock(p_threads);
-               } else {
-                  if (p_update) {
-                     p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",p_threads->pid);
-                     p_update_ed_process(p_child_tmp, p_threads);
-                  }
-//                  p_set_ed_process_on(p_child_tmp);
+               if (p_update) {
+                  p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",p_threads->pid);
+                  p_update_ed_process(p_child_tmp, p_threads);
               }
+               if (p_threads != p_father)
+                  p_set_ed_process_on(p_child_tmp);
            }
+            put_task_struct(p_threads);
         }
+         rcu_read_unlock();
      } else {
 #endif
         if (p_update) {
@ -154,7 +146,7 @@ int p_seccomp_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
      // In case of seccomp failing with SECCOMP_FILTER_FLAG_TSYNC flag
      p_tmp->p_ed_task.p_sec.flag_sync_thread = 0x0;
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sel_write_enforce/p_sel_write_enforce.c
+++ b/src/modules/exploit_detection/syscalls/p_sel_write_enforce/p_sel_write_enforce.c
@ -49,17 +49,18 @@ static struct kretprobe p_sel_write_enforce_kretprobe = {
 int p_sel_write_enforce_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
          "Entering function <p_sel_write_enforce_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_set_current_groups/p_set_current_groups.c
+++ b/src/modules/exploit_detection/syscalls/p_set_current_groups/p_set_current_groups.c
@ -37,18 +37,19 @@ static struct kretprobe p_set_current_groups_kretprobe = {
 int p_set_current_groups_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_set_current_groups_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_set_current_groups_entry>\n");
@ -60,6 +61,7 @@ int p_set_current_groups_entry(struct kretprobe_instance *p_ri, struct pt_regs *
 int p_set_current_groups_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_set_current_groups_ret>\n");
@ -68,7 +70,7 @@ int p_set_current_groups_ret(struct kretprobe_instance *ri, struct pt_regs *p_re
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_set_current_groups_ret(struct kretprobe_instance *ri, struct pt_regs *p_re
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_delete_module/p_sys_delete_module.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_delete_module/p_sys_delete_module.c
@ -36,16 +36,17 @@ static struct kretprobe p_sys_delete_module_kretprobe = {
 int p_sys_delete_module_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_delete_module_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();
   if (!capable(CAP_SYS_MODULE)) {
--- a/src/modules/exploit_detection/syscalls/p_sys_execve/p_sys_execve.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_execve/p_sys_execve.c
@ -80,18 +80,20 @@ p_get_inode_from_task_out:
 int p_sys_execve_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_execve_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);
+
   p_debug_kprobe_log(
          "Leaving function <p_sys_execve_entry>\n");

@ -103,6 +105,7 @@ int p_sys_execve_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

 //   struct inode *p_inode;
   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_execve_ret>\n");
@ -116,7 +119,7 @@ int p_sys_execve_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
 */

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - update information!
      p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",task_pid_nr(current));
@ -125,7 +128,7 @@ int p_sys_execve_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      if (!p_regs_get_ret(p_regs))
         p_reset_ed_flags(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_execveat/p_sys_execveat.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_execveat/p_sys_execveat.c
@ -38,18 +38,19 @@ static struct kretprobe p_sys_execveat_kretprobe = {
 int p_sys_execveat_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_execveat_entry>\n");

 //   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_execveat_entry>\n");
@ -62,6 +63,7 @@ int p_sys_execveat_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

 //   struct inode *p_inode;
   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_execveat_ret>\n");
@ -75,7 +77,7 @@ int p_sys_execveat_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
 */

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - update information!
      p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",task_pid_nr(current));
@ -84,7 +86,7 @@ int p_sys_execveat_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      if (!p_regs_get_ret(p_regs))
         p_reset_ed_flags(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_finit_module/p_sys_finit_module.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_finit_module/p_sys_finit_module.c
@ -40,16 +40,17 @@ static struct kretprobe p_sys_finit_module_kretprobe = {
 int p_sys_finit_module_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_finit_module_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();
   if (!capable(CAP_SYS_MODULE)) {
--- a/src/modules/exploit_detection/syscalls/p_sys_ptrace/p_sys_ptrace.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_ptrace/p_sys_ptrace.c
@ -47,17 +47,18 @@ static struct kretprobe p_sys_ptrace_kretprobe = {
 int p_sys_ptrace_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

 // STRONG_DEBUG
   p_debug_kprobe_log(
          "Entering function <p_sys_ptrace_entry>\n");

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - validate 'off' flag
      p_ed_is_off_off_wrap(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_setfsgid/p_sys_setfsgid.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_setfsgid/p_sys_setfsgid.c
@ -37,6 +37,7 @@ static struct kretprobe p_sys_setfsgid_kretprobe = {
 int p_sys_setfsgid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setfsgid_entry>\n");
@ -46,12 +47,13 @@ int p_sys_setfsgid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs
    * we must verify process list before and after the syscall
    */
   p_ed_enforce_validation();
-   spin_lock(&p_rb_ed_pids_lock);
+
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_setfsgid_entry>\n");
@ -63,6 +65,7 @@ int p_sys_setfsgid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs
 int p_sys_setfsgid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setfsgid_ret>\n");
@ -72,7 +75,7 @@ int p_sys_setfsgid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   // Update process
 //   if (!p_regs_get_ret(p_regs)) {
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
      if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
         // This process is on the ED list - update information!
         p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",current->pid);
@ -81,7 +84,7 @@ int p_sys_setfsgid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
         p_set_ed_process_on(p_tmp);
      }
 //   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_setfsuid/p_sys_setfsuid.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_setfsuid/p_sys_setfsuid.c
@ -37,6 +37,7 @@ static struct kretprobe p_sys_setfsuid_kretprobe = {
 int p_sys_setfsuid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setfsuid_entry>\n");
@ -46,12 +47,13 @@ int p_sys_setfsuid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs
    * we must verify process list before and after the syscall
    */
   p_ed_enforce_validation();
-   spin_lock(&p_rb_ed_pids_lock);
+
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_setfsuid_entry>\n");
@ -63,6 +65,7 @@ int p_sys_setfsuid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs
 int p_sys_setfsuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setfsuid_ret>\n");
@ -72,7 +75,7 @@ int p_sys_setfsuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   // Update process
 //   if (!p_regs_get_ret(p_regs)) {
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
      if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
         // This process is on the ED list - update information!
         p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",current->pid);
@ -81,7 +84,7 @@ int p_sys_setfsuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
         p_set_ed_process_on(p_tmp);
      }
 //   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_setgid/p_sys_setgid.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_setgid/p_sys_setgid.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_setgid_kretprobe = {
 int p_sys_setgid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setgid_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_setgid_entry>\n");
@ -60,6 +61,7 @@ int p_sys_setgid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs)
 int p_sys_setgid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setgid_ret>\n");
@ -68,7 +70,7 @@ int p_sys_setgid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_setgid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_setregid/p_sys_setregid.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_setregid/p_sys_setregid.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_setregid_kretprobe = {
 int p_sys_setregid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setregid_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_setregid_entry>\n");
@ -60,6 +61,7 @@ int p_sys_setregid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs
 int p_sys_setregid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setregid_ret>\n");
@ -68,7 +70,7 @@ int p_sys_setregid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_setregid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_setresgid/p_sys_setresgid.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_setresgid/p_sys_setresgid.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_setresgid_kretprobe = {
 int p_sys_setresgid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setresgid_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_setresgid_entry>\n");
@ -60,6 +61,7 @@ int p_sys_setresgid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_reg
 int p_sys_setresgid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setresgid_ret>\n");
@ -68,7 +70,7 @@ int p_sys_setresgid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
     if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_setresgid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_setresuid/p_sys_setresuid.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_setresuid/p_sys_setresuid.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_setresuid_kretprobe = {
 int p_sys_setresuid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setresuid_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_setresuid_entry>\n");
@ -60,6 +61,7 @@ int p_sys_setresuid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_reg
 int p_sys_setresuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setresuid_ret>\n");
@ -68,7 +70,7 @@ int p_sys_setresuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_setresuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_setreuid/p_sys_setreuid.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_setreuid/p_sys_setreuid.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_setreuid_kretprobe = {
 int p_sys_setreuid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setreuid_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_setreuid_entry>\n");
@ -60,6 +61,7 @@ int p_sys_setreuid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs
 int p_sys_setreuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setreuid_ret>\n");
@ -68,7 +70,7 @@ int p_sys_setreuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_setreuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_setuid/p_sys_setuid.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_setuid/p_sys_setuid.c
@ -37,18 +37,19 @@ static struct kretprobe p_sys_setuid_kretprobe = {
 int p_sys_setuid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setuid_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_setuid_entry>\n");
@ -60,6 +61,7 @@ int p_sys_setuid_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs)
 int p_sys_setuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_setuid_ret>\n");
@ -68,7 +70,7 @@ int p_sys_setuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_sys_setuid_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_sys_unshare/p_sys_unshare.c
+++ b/src/modules/exploit_detection/syscalls/p_sys_unshare/p_sys_unshare.c
@ -41,18 +41,19 @@ static struct kretprobe p_sys_unshare_kretprobe = {
 int p_sys_unshare_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_unshare_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_sys_unshare_entry>\n");
@ -64,6 +65,7 @@ int p_sys_unshare_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs)
 int p_sys_unshare_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_sys_unshare_ret>\n");
@ -72,7 +74,7 @@ int p_sys_unshare_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -81,7 +83,7 @@ int p_sys_unshare_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/exploit_detection/syscalls/p_userns_install/p_userns_install.c
+++ b/src/modules/exploit_detection/syscalls/p_userns_install/p_userns_install.c
@ -37,18 +37,19 @@ static struct kretprobe p_userns_install_kretprobe = {
 int p_userns_install_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_userns_install_entry>\n");

   p_ed_enforce_validation();

-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      // This process is on the ED list - set temporary 'disable' flag!
      p_set_ed_process_off(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

   p_debug_kprobe_log(
          "Leaving function <p_userns_install_entry>\n");
@ -60,6 +61,7 @@ int p_userns_install_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_re
 int p_userns_install_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {

   struct p_ed_process *p_tmp;
+   unsigned long p_flags;

   p_debug_kprobe_log(
          "Entering function <p_userns_install_ret>\n");
@ -68,7 +70,7 @@ int p_userns_install_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
                       p_regs_get_ret(p_regs),current->comm,current->pid,current->real_parent->pid);

   // Update process
-   spin_lock(&p_rb_ed_pids_lock);
+   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
      if (!p_regs_get_ret(p_regs)) {
         // This process is on the ED list - update information!
@ -77,7 +79,7 @@ int p_userns_install_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs)
      }
      p_set_ed_process_on(p_tmp);
   }
-   spin_unlock(&p_rb_ed_pids_lock);
+   spin_unlock_irqrestore(&p_rb_ed_pids_lock, p_flags);

 //   p_ed_enforce_validation();

--- a/src/modules/kmod/p_kmod.c
+++ b/src/modules/kmod/p_kmod.c
@ -605,8 +605,15 @@ int p_kmod_hash(unsigned int *p_module_list_cnt_arg, p_module_list_mem **p_mlm_t
         memset(*p_mkm_tmp,0x0,sizeof(p_module_kobj_mem) * *p_module_kobj_cnt_arg);
      }
   } else {
-      *p_mlm_tmp = NULL;
-      *p_mkm_tmp = NULL;
+
+      if (*p_mlm_tmp) {
+         kzfree(*p_mlm_tmp);
+         *p_mlm_tmp = NULL;
+      }
+      if (*p_mkm_tmp) {
+         kzfree(*p_mkm_tmp);
+         *p_mkm_tmp = NULL;
+      }
      goto p_kmod_hash_err;
   }