On Wed, Jul 01, 2026 at 01:41:09AM +0530, Shrikanth Hegde wrote:
> Hi Mukesh.
> 
> On 6/29/26 11:59 PM, Mukesh Kumar Chaurasiya (IBM) wrote:
> > After enabling GENERIC_ENTRY on PowerPC, seccomp filters using
> > SCMP_ACT_ERRNO without an explicit errnoRet value return ENOSYS
> > (Function not implemented) instead of the expected EPERM (Operation
> > not permitted).
> > 
> > The issue occurs in system_call_exception() when
> > syscall_enter_from_user_mode() returns -1 to indicate the syscall should
> > be skipped (e.g., blocked by seccomp).
> > The current code treats this -1 as a syscall number and compares it against
> > NR_syscalls. Since -1 is greater than NR_syscalls,
> > the code incorrectly returns -ENOSYS, overwriting the errno that seccomp
> > already set via syscall_set_return_value().
> > 
> > The generic entry code in syscall_trace_enter() calls __secure_computing(),
> > which sets the appropriate errno in regs->gpr[3] and returns -1 to signal
> > that the syscall should be skipped. However, the PowerPC syscall handler
> > was not checking for this -1 return value before validating the syscall
> > number.
> > 
> > Fix this by explicitly checking if syscall_enter_from_user_mode() returns
> > -1 and returning the value already set in regs->gpr[3] (the errno from
> > seccomp) before performing the syscall number validation.
> > 
> > Also move the syscall_enter_from_user_mode() call and the seccomp/ptrace
> > skip check to after the NR_syscalls bounds check.
> > 
> > When syscall -1 was passed, the r0 == -1L check would trigger before
> > the NR_syscalls check, causing syscall_get_error() to return 0 instead
> > of -ENOSYS. This resulted in a silent success (ret=0, errno=0) instead
> > of the expected ENOSYS error.
> > 
> > By moving syscall_enter_from_user_mode() after the bounds check, an
> > initial syscall number of -1 is correctly rejected with -ENOSYS first.
> > The seccomp/ptrace skip path still works correctly for valid syscall
> > numbers that get overridden to -1 by seccomp or ptrace.
> > 
> > This aligns PowerPC's behavior with other architectures using GENERIC_ENTRY
> > and restores correct seccomp errno handling.
> > 
> > Fixes: bee25f97ad24 ("powerpc: Enable GENERIC_ENTRY feature")
> > Reported-by: Michal Suchánek <[email protected]>
> > Closes: https://lore.kernel.org/all/[email protected]/
> > Signed-off-by: Mukesh Kumar Chaurasiya (IBM) <[email protected]>
> > ---
> > 
> > v1 -> v2:
> >   - Fix issues in the previous fix (Michal)
> > v1: https://lore.kernel.org/all/[email protected]
> > 
> >   arch/powerpc/kernel/syscall.c | 7 ++++++-
> >   1 file changed, 6 insertions(+), 1 deletion(-)
> > 
> > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > index a9da2af6efa8..36d73933a311 100644
> > --- a/arch/powerpc/kernel/syscall.c
> > +++ b/arch/powerpc/kernel/syscall.c
> > @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, 
> > unsigned long r0)
> >     syscall_fn f;
> >     add_random_kstack_offset();
> > -   r0 = syscall_enter_from_user_mode(regs, r0);
> >     if (unlikely(r0 >= NR_syscalls)) {
> >             if (unlikely(trap_is_unsupported_scv(regs))) {
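Review bot: with the call removed from above `if (unlikely(r0 >= NR_syscalls))`, that check now runs on the raw r0, and the branch that ends in `return -ENOSYS;` exits without syscall_enter_from_user_mode() ever being called for an out-of-range number. Seccomp and ptrace, which the commit message names as the users of that hook, will therefore not observe such calls. If that is intended, a short comment above the check saying so would help; if not, the early-return path needs to run the entry hook as well.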
> > @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, 
> > unsigned long r0)
> >             return -ENOSYS;
> >     }
> > +   r0 = syscall_enter_from_user_mode(regs, r0);
> > +
> 
> I see many archs first do syscall_enter_from_user_mode and then check the
> return value.
> Take x86 for example:
> 
> __visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
> {
>         nr = syscall_enter_from_user_mode(regs, nr);
> 
>         if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) {
>                 /* Invalid system call, but still a system call. */
>                 regs->ax = __x64_sys_ni_syscall(regs);
>         }
> 
> }
> 
> So seccomp fails silently there if initial nr was -1?
> 
Hey,

No, the -1 syscall ignores the error silently and returns 0.

From the above snippet from x86, our behaviour will also remain the same.
The reasoning for that I have given here:
https://lore.kernel.org/all/[email protected]/

Regards,
Mukesh
> 
> 
> > +   /* Seccomp or ptrace may have set return value, skip syscall */
> > +   if (unlikely(r0 == -1L))
> > +           return syscall_get_error(current, regs);
> > +
> >     /* May be faster to do array_index_nospec? */
> >     barrier_nospec();
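Review bot: the value returned by `r0 = syscall_enter_from_user_mode(regs, r0);` is compared only against -1L, while the NR_syscalls bounds check now sits above the call. In the lines shown, nothing rejects a returned value other than -1 that is >= NR_syscalls, and the commit message states that seccomp or ptrace can override the number. Suggest re-checking `r0 >= NR_syscalls` after the skip check and before the code following barrier_nospec() uses r0, returning -ENOSYS there, or stating in a comment why the returned value cannot be out of range.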
> 
> Code per se, looks okay to me.
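
Added example (not part of the patch or of anyone's reply): a user-space C model of the three check orderings the commit message describes, showing what each returns for a syscall denied by a filter and for an initial syscall number of -1. `mock_enter`, the `dispatch_*` functions, `NR_SYSCALLS`, `BLOCKED_NR` and the zero initial `gpr3` are assumptions made for illustration, not kernel code.

```c
#include <errno.h>
#include <stdio.h>

#define NR_SYSCALLS 450UL   /* constructed table size, not the real NR_syscalls */
#define BLOCKED_NR  39UL    /* constructed: the number the mock filter denies */
struct regs { long gpr3; }; /* stands in for regs->gpr[3] */

/* Mock entry hook: a filter denying BLOCKED_NR stores -EPERM in gpr3 and
 * returns -1 ("skip the syscall"); every other number passes through. */
static unsigned long mock_enter(struct regs *r, unsigned long nr)
{
    if (nr == BLOCKED_NR) { r->gpr3 = -EPERM; return -1UL; }
    return nr;
}

/* Ordering before the fix: hook, then only the bounds check. */
static long dispatch_before(struct regs *r, unsigned long nr)
{
    nr = mock_enter(r, nr);
    if (nr >= NR_SYSCALLS) return -ENOSYS;  /* clobbers the filter's errno */
    return 0;                               /* pretend the handler succeeded */
}

/* Intermediate ordering the commit message describes: hook, skip check, bounds. */
static long dispatch_v1(struct regs *r, unsigned long nr)
{
    nr = mock_enter(r, nr);
    if (nr == -1UL) return r->gpr3;         /* an initial -1 also lands here */
    return nr >= NR_SYSCALLS ? -ENOSYS : 0;
}

/* Ordering in the v2 patch: bounds check, hook, then the skip check. */
static long dispatch_v2(struct regs *r, unsigned long nr)
{
    if (nr >= NR_SYSCALLS) return -ENOSYS;  /* an initial -1 is rejected here */
    nr = mock_enter(r, nr);
    if (nr == -1UL) return r->gpr3;         /* keep what the filter stored */
    return 0;
}

/* Run one ordering from a clean register state (gpr3 = 0 is an assumption). */
static long run(long (*fn)(struct regs *, unsigned long), unsigned long nr)
{
    struct regs r = { .gpr3 = 0 };
    return fn(&r, nr);
}

int main(void)
{
    printf("denied: before=%ld v1=%ld v2=%ld\n", run(dispatch_before, BLOCKED_NR),
           run(dispatch_v1, BLOCKED_NR), run(dispatch_v2, BLOCKED_NR));
    printf("nr=-1:  before=%ld v1=%ld v2=%ld\n", run(dispatch_before, -1UL),
           run(dispatch_v1, -1UL), run(dispatch_v2, -1UL));
    return 0;
}
```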
