On Mon, Jun 29, 2026 at 07:07:21PM +0200, Michal Suchánek wrote:
> On Mon, Jun 29, 2026 at 10:32:47PM +0530, Mukesh Kumar Chaurasiya wrote:
> > On Mon, Jun 29, 2026 at 03:31:36PM +0200, Michal Suchánek wrote:
> > > Hello,
> > >
> > > there is yet another bug identified.
> > >
> > > When the initial syscall number is -1 the new condition bypasses setting
> > > the ENOSYS below in if (unlikely(r0 >= NR_syscalls)) and returns 0.
> > >
> > > perl -MPOSIX -e '$!=0; my $r = syscall(-1, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > >
> > > Normally the result is
> > >
> > > ret=-1 errno=38 (Function not implemented)
> > >
> > > but with this patch the result is
> > >
> > > ret=0 errno=0 ()
> > >
> > > fixup below.
> > >
> > > On Wed, Jun 24, 2026 at 10:45:20PM +0530, Mukesh Kumar Chaurasiya (IBM) wrote:
> > > > After enabling GENERIC_ENTRY on PowerPC, seccomp filters using
> > > > SCMP_ACT_ERRNO without an explicit errnoRet value return ENOSYS
> > > > (Function not implemented) instead of the expected EPERM (Operation
> > > > not permitted).
> > > >
> > > > The issue occurs in system_call_exception() when
> > > > syscall_enter_from_user_mode() returns -1 to indicate the syscall
> > > > should be skipped (e.g., blocked by seccomp). The current code treats
> > > > this -1 as a syscall number and compares it against NR_syscalls.
> > > > Since -1 (when cast to unsigned long) is greater than NR_syscalls,
> > > > the code incorrectly returns -ENOSYS, overwriting the errno that
> > > > seccomp already set via syscall_set_return_value().
> > > >
> > > > The generic entry code in syscall_trace_enter() calls
> > > > __secure_computing(), which sets the appropriate errno in regs->gpr[3]
> > > > and returns -1 to signal that the syscall should be skipped. However,
> > > > the PowerPC syscall handler was not checking for this -1 return value
> > > > before validating the syscall number.
> > > >
> > > > Fix this by explicitly checking if syscall_enter_from_user_mode()
> > > > returns -1 and returning the value already set in regs->gpr[3] (the
> > > > errno from seccomp) before performing the syscall number validation.
> > > >
> > > > This aligns PowerPC's behavior with other architectures using
> > > > GENERIC_ENTRY and restores correct seccomp errno handling.
> > > >
> > > > Fixes: bee25f97ad24 ("powerpc: Enable GENERIC_ENTRY feature")
> > > > Reported-by: Michal Suchánek <[email protected]>
> > > > Signed-off-by: Mukesh Kumar Chaurasiya (IBM) <[email protected]>
> > > > ---
> > > > arch/powerpc/kernel/syscall.c | 4 ++++
> > > > 1 file changed, 4 insertions(+)
> > > >
> > > > diff --git a/arch/powerpc/kernel/syscall.c
> > > > b/arch/powerpc/kernel/syscall.c
> > > > index a9da2af6efa8..5b58c8d396c8 100644
> > > > --- a/arch/powerpc/kernel/syscall.c
> > > > +++ b/arch/powerpc/kernel/syscall.c
> > > > @@ -22,6 +22,10 @@ notrace long system_call_exception(struct pt_regs
> > > > *regs, unsigned long r0)
> > > unsigned long r0_initial = r0;
> > > > add_random_kstack_offset();
> > > > r0 = syscall_enter_from_user_mode(regs, r0);
> > > >
> > > > + /* Seccomp or ptrace may have set return value, skip syscall */
> > > > + if (unlikely(r0 == -1L)
> > > && (r0_initial != -1L))
> > > > + return regs->gpr[3];
> > > > +
> > > > if (unlikely(r0 >= NR_syscalls)) {
> > > > if (unlikely(trap_is_unsupported_scv(regs))) {
> > > > /* Unsupported scv vector */
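Review bot: the `r0_initial != -1L` guard in the fixup leaves the seccomp case broken for a user-supplied syscall number of -1: when `r0_initial` is -1 and a filter rejects the call via `syscall_set_return_value()`, `syscall_enter_from_user_mode()` still returns -1, the new `return regs->gpr[3];` is skipped, and the `r0 >= NR_syscalls` branch returns `-ENOSYS`, overwriting exactly the errno the commit message says must be preserved. Either distinguish "skip requested by the entry hook" from "caller passed -1" by something other than the value of r0, or state in the commit message that a seccomp verdict on syscall -1 is intentionally reported as ENOSYS. The `/* Seccomp or ptrace may have set return value, skip syscall */` comment should also mention the `r0_initial` exception so the next reader does not remove it as redundant.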
> > >
> > > Thanks
> > >
> > > Michal
> >
> > What do you think about this diff?
> > This seems much cleaner.
> >
> > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > index a9da2af6efa8..a6c89052e8c5 100644
> > --- a/arch/powerpc/kernel/syscall.c
> > +++ b/arch/powerpc/kernel/syscall.c
> > @@ -20,8 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs,
> > unsigned long r0)
> > syscall_fn f;
> >
> > add_random_kstack_offset();
> > - r0 = syscall_enter_from_user_mode(regs, r0);
> > -
> > if (unlikely(r0 >= NR_syscalls)) {
> > if (unlikely(trap_is_unsupported_scv(regs))) {
> > /* Unsupported scv vector */
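Review bot: dropping `r0 = syscall_enter_from_user_mode(regs, r0);` from above the `r0 >= NR_syscalls` early return means the entry hook (seccomp via `__secure_computing()`, ptrace, per the commit message) never runs for an out-of-range syscall number: a filter or tracer can no longer observe or rewrite such a call, and the `return -ENOSYS;` path now bypasses the hook entirely. That is a user-visible behaviour change for sandboxes and tracers that expect to see every syscall, so it needs to be called out and justified in the commit message rather than presented only as a cleanup.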
> > @@ -30,6 +28,11 @@ notrace long system_call_exception(struct pt_regs *regs,
> > unsigned long r0)
> > }
> > return -ENOSYS;
> > }
> > + r0 = syscall_enter_from_user_mode(regs, r0);
> > +
> > + /* Seccomp or ptrace may have set return value, skip syscall */
> > + if (unlikely(r0 == -1L))
> > + return syscall_get_error(current, regs);
> >
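Review bot: with the hook now called after the range check, any value it returns other than -1 is dispatched with no `NR_syscalls` check at all, since that check only ever saw the original r0; if the hook can hand back a rewritten syscall number (ptrace can change it), the check has to follow the call or be repeated, otherwise an out-of-range index reaches the table lookup. Separately, the return expression changed from `regs->gpr[3]` in the first version to `syscall_get_error(current, regs)` while the commit message still says "returning the value already set in regs->gpr[3]"; update the message and confirm the accessor yields the same value for a seccomp-set errno so the ENOSYS-vs-EPERM reproduction in this thread still passes.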
>
> This will skip the check for NR_syscalls for whatever is returned from
> syscall_enter_from_user_mode other than -1. To me it is not clear if
> invalid syscall can be generated by one of the modifications done in
> syscall_enter_from_user_mode.
>
> Thanks
>
> Michal
The possible return values for syscall_enter_from_user_mode are either
`gpr[0]` or -1. If we have an invalid syscall it'll be handled by the
`r0 >= NR_syscalls` check. I think functionally there should be no
issues.

Regards,
Mukesh
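To see the two behaviours this thread is about from userspace, here is a constructed C probe, added as an example and not taken from the thread or from the kernel tree. It loads a raw seccomp BPF filter (no libseccomp) that answers getppid(2) with SECCOMP_RET_ERRNO|EPERM, the raw form of the SCMP_ACT_ERRNO case in the commit message, and then reports the errno userspace sees for the filtered call and for the perl one-liner's syscall(-1). The choice of getppid as the blocked syscall, the EPERM value and the audit-arch table are assumptions of the example; on a kernel with the bug the first probe reports ENOSYS instead of EPERM, while the second must report ENOSYS either way.

```c
/*
 * Constructed userspace probe (added example, not code from the thread or
 * the kernel patch). Installs a raw seccomp BPF filter that answers
 * getppid(2) with SECCOMP_RET_ERRNO|EPERM and allows everything else, then
 * reports the errno observed for (a) the filtered syscall and (b) syscall
 * number -1. The blocked syscall and the EPERM value are assumptions.
 */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Pin the filter to the ABI it was written for: a filter matching on the
 * syscall number alone can be confused by another ABI's numbering. */
#if defined(__x86_64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_PPC64LE
#elif defined(__powerpc64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_PPC64
#endif

/* Install the filter. Returns 0 on success, -errno if the kernel refused. */
int install_getppid_eperm_filter(void)
{
	struct sock_filter filt[8];
	unsigned short n = 0;

#ifdef THIS_AUDIT_ARCH
	/* Kill the process if the filter ever sees a foreign ABI. */
	filt[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
						 offsetof(struct seccomp_data, arch));
	filt[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
						 THIS_AUDIT_ARCH, 1, 0);
	filt[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
						 SECCOMP_RET_KILL_PROCESS);
#endif
	/* nr == __NR_getppid -> ERRNO(EPERM); anything else -> ALLOW. */
	filt[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
						 offsetof(struct seccomp_data, nr));
	filt[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
						 __NR_getppid, 0, 1);
	filt[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
						 SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
	filt[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

	struct sock_fprog prog = { .len = n, .filter = filt };

	/* An unprivileged process may only load a filter with no_new_privs set. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
		return -errno;
	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
		return -errno;
	return 0;
}

/* errno seen for the filtered syscall: EPERM when the kernel keeps the value
 * seccomp stored, ENOSYS on the broken PowerPC entry path; 0 if it succeeds. */
int observed_errno_blocked(void)
{
	errno = 0;
	if (syscall(__NR_getppid) == -1)
		return errno;
	return 0;
}

/* The thread's perl one-liner in C: a syscall number of -1 must keep giving
 * ENOSYS and must not be mistaken for the entry hook's "skip" signal. */
int observed_errno_invalid_nr(void)
{
	errno = 0;
	if (syscall(-1L, 0L) == -1)
		return errno;
	return 0;
}

int main(void)
{
	int rc, e;

	e = observed_errno_invalid_nr();
	printf("syscall(-1) before filter: errno=%d (%s)\n", e, strerror(e));
	rc = install_getppid_eperm_filter();
	if (rc != 0) {
		printf("could not install filter: %s\n", strerror(-rc));
		return 1;
	}
	e = observed_errno_blocked();
	printf("getppid under filter:      errno=%d (%s)\n", e, strerror(e));
	e = observed_errno_invalid_nr();
	printf("syscall(-1) under filter:  errno=%d (%s)\n", e, strerror(e));
	return 0;
}
```

Build with `cc -o seccomp_probe seccomp_probe.c` on Linux and run it in a throwaway process: a seccomp filter stays attached for the life of the process, and the arch check terminates the process on an ABI mismatch, which is the behaviour a production filter should have rather than a convenience for this probe.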