From: Paul Moore <paul.moore@hp.com>
To: linux-audit@redhat.com
Subject: Audit not recording the correct syscall return value in Fedora 10?
Date: Tue, 7 Apr 2009 11:34:35 -0400
Message-ID: <200904071134.35379.paul.moore@hp.com>
While doing some testing on Fedora 10 using the 2.6.27.5-117.fc10.x86_64
kernel I stumbled across a rather odd problem: somewhere between the end of
sys_sendto() and audit_syscall_exit() the syscall's return value was changing,
resulting in incorrect audit records (similar problems with sys_sendmsg()).
After some head scratching and debugging I determined that the %rax register
was being altered at some point and if we reloaded the syscall's return value
from the stack before calling audit_syscall_exit() we could avoid the problem
(see patch below).

I also tried to reproduce the problem with a vanilla 2.6.29.1 kernel and after
several hours of testing I have yet to see the problem using the newer,
upstream kernel. Taking a look at the entry_64.S files of the two kernels
there appear to be a number of changes, the most significant are the tracing
changes, but I'm not familiar enough with this chunk of code to identify the
definitive root cause (although tracing changes do sound reasonable).

Does anyone have any thoughts?
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index a331ec3..16db517 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -589,8 +589,8 @@ auditsys:
* masked off.
*/
sysret_audit:
- movq %rax,%rsi /* second arg, syscall return value */
- cmpq $0,%rax /* is it < 0? */
+ movq RAX-ARGOFFSET(%rsp),%rsi /* second arg, syscall return value */
+ cmpq $0,%rsi /* is it < 0? */
setl %al /* 1 if so, 0 if not */
movzbl %al,%edi /* zero-extend that into %edi */
inc %edi /* first arg, 0->1(AUDITSC_SUCCESS), 1->2(AUDITSC_FAILURE) */
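Review bot: the two replaced lines at sysret_audit take the return value from the saved RAX-ARGOFFSET(%rsp) slot, but nothing in the hunk records why %rax can no longer be trusted at this label, so the reload reads as a workaround for a clobber that is still unidentified. Please add a short comment above the new movq stating that %rax may have been modified since the syscall returned and that the stack slot is the authoritative copy, and confirm that every path reaching sysret_audit has already stored the return value to that slot. Both audit_syscall_exit() arguments depend on it: %rsi carries the value itself and %edi (AUDITSC_SUCCESS or AUDITSC_FAILURE) is derived from the cmpq/setl on it, so a stale slot would mislabel the record just as the stale register did. Note also that setl %al still overwrites the low byte of %rax, so any code after this block that expects the return value in %rax would need the same reload.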
--
paul moore
linux @ hp