From: Will Deacon <will@kernel.org>
To: Yiqi Sun <sunyiqixm@gmail.com>
Cc: catalin.marinas@arm.com, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, rmk+kernel@armlinux.org.uk,
ruanjinjie@huawei.com, kees@kernel.org, mark.rutland@arm.com
Subject: Re: [PATCH v2] arm64: ptrace: use live x0 for seccomp and audit after ptrace
Date: Mon, 29 Jun 2026 14:09:42 +0100
Message-ID: <akJuljttiQoki3sq@willie-the-truck>
In-Reply-To: <2f435bab0d61d0bf8fbaa54203525aae8e8f5371.1782384161.git.sunyiqixm@gmail.com>
Hi Yiqi,
On Thu, Jun 25, 2026 at 06:45:02PM +0800, Yiqi Sun wrote:
> On arm64, seccomp obtains syscall arguments via
> syscall_get_arguments(), where arg0 is currently read from
> regs->orig_x0. audit_syscall_entry() in syscall_trace_enter() also
> takes arg0 from regs->orig_x0. However, the syscall wrapper consumes
> live arguments from regs->regs[0..5].
>
> A ptracer can modify x0 on syscall-enter stop before seccomp and audit
> run, but cannot update orig_x0 through the native syscall-stop
> interface. This can leave seccomp and audit checking stale arg0 while
> the syscall executes with updated live x0.
>
> Make both paths read arg0 from regs->regs[0], matching the actual
> dispatch arguments and keeping seccomp and audit aligned after ptrace
> updates.
>
> Fixes: f27bb139c387 ("arm64: Miscellaneous library functions")
> Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
> ---
> Changes in v2:
> - Also switch the arm64 audit entry path to use live x0
> - Clarify the orig_x0 synchronization comment in syscall_set_arguments()
> ---
> arch/arm64/include/asm/syscall.h | 7 +++----
> arch/arm64/kernel/ptrace.c | 2 +-
> 2 files changed, 4 insertions(+), 5 deletions(-)
Sashiko has pointed out some issues with this patch that look legitimate
to me:
https://sashiko.dev/#/patchset/2f435bab0d61d0bf8fbaa54203525aae8e8f5371.1782384161.git.sunyiqixm@gmail.com
Specifically, we don't appear to handle NO_SYSCALL properly and the
syscall-exit stop is now going to see the return code instead of the
syscall number.
Looking at this more broadly, it looks like orig_x0 is used for three
different cases:
1. syscall restarting:
We restore from orig_x0, which should hold the
original value passed by userspace.
2. syscall_get_arguments():
This must work correctly vs syscall_set_arguments()
(returning the latest set x0) but also
syscall_get_return_value() (so we need to
distinguish the return value and the argument
somehow).
3. syscall_rollback():
Seccomp wants to restore the original values
passed by userspace.
So (1) and (3) look to require the same behaviour, but (2) wants
something different because it needs to reflect changes made via
syscall_set_arguments().
The bodge we have for (2) today is that syscall_set_arguments() updates
orig_x0, but I think that breaks (1) and (2) which is the underlying
problem you're facing here.
I haven't yet figured out the right way to fix this, but I'd be interested
to hear from others. I think the starting point would be removing orig_x0
from syscall_{get,set}_arguments() altogether so that it accurately
represents the initial value passed by userspace.
Will
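The three uses of orig_x0 that Will lists above are easiest to see with concrete values. The following is an added userspace model, not kernel code and not part of this thread: the `model_*` helpers mirror the behaviour the thread attributes to arm64's syscall_get_arguments() (arg0 from orig_x0), syscall_set_arguments() (which also rewrites orig_x0), syscall_rollback() (x0 restored from orig_x0) and the v2 patch's live-x0 getter. The pt_regs layout, the scenario functions and the sample register values are assumptions made for illustration.

```c
/*
 * Userspace model (added example, not kernel code) of the three uses of
 * arm64's pt_regs.orig_x0 discussed in the thread. The helper bodies follow
 * the behaviour described there; the "model_" prefix marks them as stand-ins
 * for the kernel's functions, not the functions themselves.
 */
#include <string.h>

struct pt_regs {
	unsigned long regs[31];
	unsigned long orig_x0;	/* x0 as saved on kernel entry */
};

/* Entry from userspace: x0..x5 hold the arguments, orig_x0 snapshots x0. */
static void model_el0_svc_entry(struct pt_regs *regs, const unsigned long *args)
{
	memset(regs, 0, sizeof(*regs));
	memcpy(regs->regs, args, 6 * sizeof(args[0]));
	regs->orig_x0 = regs->regs[0];
}

/* Current behaviour: arg0 is taken from orig_x0, arg1..5 from regs[1..5]. */
static void model_get_arguments_current(const struct pt_regs *regs, unsigned long *args)
{
	args[0] = regs->orig_x0;
	memcpy(&args[1], &regs->regs[1], 5 * sizeof(args[0]));
}

/* Behaviour after the v2 patch: arg0 is the live x0. */
static void model_get_arguments_v2(const struct pt_regs *regs, unsigned long *args)
{
	memcpy(args, regs->regs, 6 * sizeof(args[0]));
}

/* syscall_set_arguments(): writes regs[0..5] and also "syncs" orig_x0 (the bodge). */
static void model_set_arguments(struct pt_regs *regs, const unsigned long *args)
{
	memcpy(regs->regs, args, 6 * sizeof(args[0]));
	regs->orig_x0 = regs->regs[0];
}

/* syscall_rollback() and signal-driven restart both put orig_x0 back into x0. */
static void model_rollback(struct pt_regs *regs)
{
	regs->regs[0] = regs->orig_x0;
}

/*
 * Case from the commit message: a ptracer rewrites x0 through the general
 * register set at syscall-enter stop. Per the commit message that path cannot
 * touch orig_x0, so orig_x0 keeps the userspace value. Returns the arg0 that a
 * seccomp filter using the current getter would inspect.
 */
unsigned long seccomp_arg0_after_regset_write(unsigned long user_x0, unsigned long tracer_x0)
{
	unsigned long args[6] = { user_x0, 1, 2, 3, 4, 5 }, seen[6];
	struct pt_regs regs;

	model_el0_svc_entry(&regs, args);
	regs.regs[0] = tracer_x0;		/* assumed: regset write touches regs[0] only */
	model_get_arguments_current(&regs, seen);
	return seen[0];				/* user_x0: stale relative to the live x0 */
}

/*
 * Case for Will's point (3): once syscall_set_arguments() has "synced" orig_x0,
 * a seccomp rollback restores the tracer's value, not the one userspace passed.
 * Returns what x0 holds after rollback.
 */
unsigned long x0_after_rollback_following_set(unsigned long user_x0, unsigned long tracer_x0)
{
	unsigned long args[6] = { user_x0, 1, 2, 3, 4, 5 };
	unsigned long new_args[6] = { tracer_x0, 1, 2, 3, 4, 5 };
	struct pt_regs regs;

	model_el0_svc_entry(&regs, args);
	model_set_arguments(&regs, new_args);
	model_rollback(&regs);
	return regs.regs[0];			/* tracer_x0: the userspace value is gone */
}

/*
 * Case from the review of v2: at syscall-exit stop x0 holds the return value,
 * so a getter reading live x0 reports the return value as arg0.
 * Returns arg0 as seen by the v2 getter at exit.
 */
unsigned long v2_arg0_at_syscall_exit(unsigned long user_x0, long retval)
{
	unsigned long args[6] = { user_x0, 1, 2, 3, 4, 5 }, seen[6];
	struct pt_regs regs;

	model_el0_svc_entry(&regs, args);
	regs.regs[0] = (unsigned long)retval;	/* syscall wrapper wrote its result to x0 */
	model_get_arguments_v2(&regs, seen);
	return seen[0];				/* the return value, not user_x0 */
}
```

The first scenario is the stale-arg0 problem the patch targets; the second is why "syncing" orig_x0 in syscall_set_arguments() costs the original userspace value that rollback and restart need; the third is why simply reading live x0 in the getter is not sufficient either, since the same register carries the return value at exit. Any fix has to keep the userspace value and the latest set value distinguishable from the return value, which is the requirement Will sets out.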
Thread overview: 8+ messages
2026-05-29 6:54 [PATCH] fix: arm64: syscall: use live x0 for syscall_get_arguments() arg0 Yiqi Sun
2026-06-01 12:43 ` Will Deacon
2026-06-03 9:07 ` Yiqi Sun
2026-06-19 16:05 ` Will Deacon
2026-06-25 10:45 ` [PATCH v2] arm64: ptrace: use live x0 for seccomp and audit after ptrace Yiqi Sun
2026-06-25 11:11 ` Yiqi Sun
2026-06-25 11:30 ` Yiqi Sun
2026-06-29 13:09 ` Will Deacon [this message]