* [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
@ 2026-06-29 18:29 Mukesh Kumar Chaurasiya (IBM)
2026-06-30 17:19 ` Michal Suchánek
2026-06-30 20:11 ` Shrikanth Hegde
0 siblings, 2 replies; 10+ messages in thread
From: Mukesh Kumar Chaurasiya (IBM) @ 2026-06-29 18:29 UTC (permalink / raw)
To: maddy, mpe, npiggin, chleroy, mkchauras, sshegde, ryan.roberts,
ruanjinjie, mkchauras, linuxppc-dev, linux-kernel
Cc: Michal Suchánek
After enabling GENERIC_ENTRY on PowerPC, seccomp filters using
SCMP_ACT_ERRNO without an explicit errnoRet value return ENOSYS
(Function not implemented) instead of the expected EPERM (Operation
not permitted).
The issue occurs in system_call_exception() when syscall_enter_from_user_mode()
returns -1 to indicate the syscall should be skipped (e.g., blocked by seccomp).
The current code treats this -1 as a syscall number and compares it against
NR_syscalls. Since -1 is greater than NR_syscalls,
the code incorrectly returns -ENOSYS, overwriting the errno that seccomp
already set via syscall_set_return_value().
The generic entry code in syscall_trace_enter() calls __secure_computing(),
which sets the appropriate errno in regs->gpr[3] and returns -1 to signal
that the syscall should be skipped. However, the PowerPC syscall handler
was not checking for this -1 return value before validating the syscall
number.
Fix this by explicitly checking if syscall_enter_from_user_mode() returns
-1 and returning the value already set in regs->gpr[3] (the errno from
seccomp) before performing the syscall number validation.
Also Move the syscall_enter_from_user_mode() call and the seccomp/ptrace
skip check to after the NR_syscalls bounds check.
When syscall -1 was passed, the r0 == -1L check would trigger before
the NR_syscalls check, causing syscall_get_error() to return 0 instead
of -ENOSYS. This resulted in a silent success (ret=0, errno=0) instead
of the expected ENOSYS error.
By moving syscall_enter_from_user_mode() after the bounds check, an
initial syscall number of -1 is correctly rejected with -ENOSYS first.
The seccomp/ptrace skip path still works correctly for valid syscall
numbers that get overridden to -1 by seccomp or ptrace.
This aligns PowerPC's behavior with other architectures using GENERIC_ENTRY
and restores correct seccomp errno handling.
Fixes: bee25f97ad24 ("powerpc: Enable GENERIC_ENTRY feature")
Reported-by: Michal Suchánek <msuchanek@suse.de>
Closes: https://lore.kernel.org/all/ajpp-_XnbF3UTM_E@kunlun.suse.cz/
Signed-off-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
---
v1 -> v2:
- Fix issues in the previous fix (Michal)
v1: https://lore.kernel.org/all/20260624171520.772408-1-mkchauras@gmail.com
arch/powerpc/kernel/syscall.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
index a9da2af6efa8..36d73933a311 100644
--- a/arch/powerpc/kernel/syscall.c
+++ b/arch/powerpc/kernel/syscall.c
@@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
syscall_fn f;
add_random_kstack_offset();
- r0 = syscall_enter_from_user_mode(regs, r0);
if (unlikely(r0 >= NR_syscalls)) {
if (unlikely(trap_is_unsupported_scv(regs))) {
@@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
return -ENOSYS;
}
+ r0 = syscall_enter_from_user_mode(regs, r0);
+
+ /* Seccomp or ptrace may have set return value, skip syscall */
+ if (unlikely(r0 == -1L))
+ return syscall_get_error(current, regs);
+
/* May be faster to do array_index_nospec? */
barrier_nospec();
--
2.54.0
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
2026-06-29 18:29 [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY Mukesh Kumar Chaurasiya (IBM)
@ 2026-06-30 17:19 ` Michal Suchánek
2026-06-30 20:11 ` Shrikanth Hegde
1 sibling, 0 replies; 10+ messages in thread
From: Michal Suchánek @ 2026-06-30 17:19 UTC (permalink / raw)
To: Mukesh Kumar Chaurasiya (IBM)
Cc: maddy, mpe, npiggin, chleroy, mkchauras, sshegde, ryan.roberts,
ruanjinjie, linuxppc-dev, linux-kernel
On Mon, Jun 29, 2026 at 11:59:46PM +0530, Mukesh Kumar Chaurasiya (IBM) wrote:
> After enabling GENERIC_ENTRY on PowerPC, seccomp filters using
> SCMP_ACT_ERRNO without an explicit errnoRet value return ENOSYS
> (Function not implemented) instead of the expected EPERM (Operation
> not permitted).
>
> The issue occurs in system_call_exception() when syscall_enter_from_user_mode()
> returns -1 to indicate the syscall should be skipped (e.g., blocked by seccomp).
> The current code treats this -1 as a syscall number and compares it against
> NR_syscalls. Since -1 is greater than NR_syscalls,
> the code incorrectly returns -ENOSYS, overwriting the errno that seccomp
> already set via syscall_set_return_value().
>
> The generic entry code in syscall_trace_enter() calls __secure_computing(),
> which sets the appropriate errno in regs->gpr[3] and returns -1 to signal
> that the syscall should be skipped. However, the PowerPC syscall handler
> was not checking for this -1 return value before validating the syscall
> number.
>
> Fix this by explicitly checking if syscall_enter_from_user_mode() returns
> -1 and returning the value already set in regs->gpr[3] (the errno from
> seccomp) before performing the syscall number validation.
>
> Also Move the syscall_enter_from_user_mode() call and the seccomp/ptrace
> skip check to after the NR_syscalls bounds check.
>
> When syscall -1 was passed, the r0 == -1L check would trigger before
> the NR_syscalls check, causing syscall_get_error() to return 0 instead
> of -ENOSYS. This resulted in a silent success (ret=0, errno=0) instead
> of the expected ENOSYS error.
>
> By moving syscall_enter_from_user_mode() after the bounds check, an
> initial syscall number of -1 is correctly rejected with -ENOSYS first.
> The seccomp/ptrace skip path still works correctly for valid syscall
> numbers that get overridden to -1 by seccomp or ptrace.
>
> This aligns PowerPC's behavior with other architectures using GENERIC_ENTRY
> and restores correct seccomp errno handling.
>
> Fixes: bee25f97ad24 ("powerpc: Enable GENERIC_ENTRY feature")
> Reported-by: Michal Suchánek <msuchanek@suse.de>
Tested-by: Michal Suchánek <msuchanek@suse.de>
Reviewed-by: Michal Suchánek <msuchanek@suse.de>
Thanks
Michal
> Closes: https://lore.kernel.org/all/ajpp-_XnbF3UTM_E@kunlun.suse.cz/
> Signed-off-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
> ---
>
> v1 -> v2:
> - Fix issues in the previous fix (Michal)
> v1: https://lore.kernel.org/all/20260624171520.772408-1-mkchauras@gmail.com
>
> arch/powerpc/kernel/syscall.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> index a9da2af6efa8..36d73933a311 100644
> --- a/arch/powerpc/kernel/syscall.c
> +++ b/arch/powerpc/kernel/syscall.c
> @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> syscall_fn f;
>
> add_random_kstack_offset();
> - r0 = syscall_enter_from_user_mode(regs, r0);
>
> if (unlikely(r0 >= NR_syscalls)) {
> if (unlikely(trap_is_unsupported_scv(regs))) {
> @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> return -ENOSYS;
> }
>
> + r0 = syscall_enter_from_user_mode(regs, r0);
> +
> + /* Seccomp or ptrace may have set return value, skip syscall */
> + if (unlikely(r0 == -1L))
> + return syscall_get_error(current, regs);
> +
> /* May be faster to do array_index_nospec? */
> barrier_nospec();
>
> --
> 2.54.0
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
2026-06-29 18:29 [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY Mukesh Kumar Chaurasiya (IBM)
2026-06-30 17:19 ` Michal Suchánek
@ 2026-06-30 20:11 ` Shrikanth Hegde
2026-07-01 6:27 ` Mukesh Kumar Chaurasiya
1 sibling, 1 reply; 10+ messages in thread
From: Shrikanth Hegde @ 2026-06-30 20:11 UTC (permalink / raw)
To: Mukesh Kumar Chaurasiya (IBM), maddy, mpe, npiggin, chleroy,
mkchauras, ryan.roberts, ruanjinjie, linuxppc-dev, linux-kernel
Cc: Michal Suchánek
Hi Mukesh.
On 6/29/26 11:59 PM, Mukesh Kumar Chaurasiya (IBM) wrote:
> After enabling GENERIC_ENTRY on PowerPC, seccomp filters using
> SCMP_ACT_ERRNO without an explicit errnoRet value return ENOSYS
> (Function not implemented) instead of the expected EPERM (Operation
> not permitted).
>
> The issue occurs in system_call_exception() when syscall_enter_from_user_mode()
> returns -1 to indicate the syscall should be skipped (e.g., blocked by seccomp).
> The current code treats this -1 as a syscall number and compares it against
> NR_syscalls. Since -1 is greater than NR_syscalls,
> the code incorrectly returns -ENOSYS, overwriting the errno that seccomp
> already set via syscall_set_return_value().
>
> The generic entry code in syscall_trace_enter() calls __secure_computing(),
> which sets the appropriate errno in regs->gpr[3] and returns -1 to signal
> that the syscall should be skipped. However, the PowerPC syscall handler
> was not checking for this -1 return value before validating the syscall
> number.
>
> Fix this by explicitly checking if syscall_enter_from_user_mode() returns
> -1 and returning the value already set in regs->gpr[3] (the errno from
> seccomp) before performing the syscall number validation.
>
> Also Move the syscall_enter_from_user_mode() call and the seccomp/ptrace
> skip check to after the NR_syscalls bounds check.
>
> When syscall -1 was passed, the r0 == -1L check would trigger before
> the NR_syscalls check, causing syscall_get_error() to return 0 instead
> of -ENOSYS. This resulted in a silent success (ret=0, errno=0) instead
> of the expected ENOSYS error.
>
> By moving syscall_enter_from_user_mode() after the bounds check, an
> initial syscall number of -1 is correctly rejected with -ENOSYS first.
> The seccomp/ptrace skip path still works correctly for valid syscall
> numbers that get overridden to -1 by seccomp or ptrace.
>
> This aligns PowerPC's behavior with other architectures using GENERIC_ENTRY
> and restores correct seccomp errno handling.
>
> Fixes: bee25f97ad24 ("powerpc: Enable GENERIC_ENTRY feature")
> Reported-by: Michal Suchánek <msuchanek@suse.de>
> Closes: https://lore.kernel.org/all/ajpp-_XnbF3UTM_E@kunlun.suse.cz/
> Signed-off-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
> ---
>
> v1 -> v2:
> - Fix issues in the previous fix (Michal)
> v1: https://lore.kernel.org/all/20260624171520.772408-1-mkchauras@gmail.com
>
> arch/powerpc/kernel/syscall.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> index a9da2af6efa8..36d73933a311 100644
> --- a/arch/powerpc/kernel/syscall.c
> +++ b/arch/powerpc/kernel/syscall.c
> @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> syscall_fn f;
>
> add_random_kstack_offset();
> - r0 = syscall_enter_from_user_mode(regs, r0);
>
> if (unlikely(r0 >= NR_syscalls)) {
> if (unlikely(trap_is_unsupported_scv(regs))) {
> @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> return -ENOSYS;
> }
>
> + r0 = syscall_enter_from_user_mode(regs, r0);
> +
I see many arch first do syscall_enter_from_user_mode and then check for return value.
take x86 for example,
__visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
{
nr = syscall_enter_from_user_mode(regs, nr);
if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) {
/* Invalid system call, but still a system call. */
regs->ax = __x64_sys_ni_syscall(regs);
}
}
So seccomp fails silently there if initial nr was -1?
> + /* Seccomp or ptrace may have set return value, skip syscall */
> + if (unlikely(r0 == -1L))
> + return syscall_get_error(current, regs);
> +
> /* May be faster to do array_index_nospec? */
> barrier_nospec();
>
Code per se, looks okay to me.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
2026-06-30 20:11 ` Shrikanth Hegde
@ 2026-07-01 6:27 ` Mukesh Kumar Chaurasiya
2026-07-01 7:41 ` Michal Suchánek
0 siblings, 1 reply; 10+ messages in thread
From: Mukesh Kumar Chaurasiya @ 2026-07-01 6:27 UTC (permalink / raw)
To: Shrikanth Hegde
Cc: maddy, mpe, npiggin, chleroy, mkchauras, ryan.roberts, ruanjinjie,
linuxppc-dev, linux-kernel, Michal Suchánek
On Wed, Jul 01, 2026 at 01:41:09AM +0530, Shrikanth Hegde wrote:
> Hi Mukesh.
>
> On 6/29/26 11:59 PM, Mukesh Kumar Chaurasiya (IBM) wrote:
> > After enabling GENERIC_ENTRY on PowerPC, seccomp filters using
> > SCMP_ACT_ERRNO without an explicit errnoRet value return ENOSYS
> > (Function not implemented) instead of the expected EPERM (Operation
> > not permitted).
> >
> > The issue occurs in system_call_exception() when syscall_enter_from_user_mode()
> > returns -1 to indicate the syscall should be skipped (e.g., blocked by seccomp).
> > The current code treats this -1 as a syscall number and compares it against
> > NR_syscalls. Since -1 is greater than NR_syscalls,
> > the code incorrectly returns -ENOSYS, overwriting the errno that seccomp
> > already set via syscall_set_return_value().
> >
> > The generic entry code in syscall_trace_enter() calls __secure_computing(),
> > which sets the appropriate errno in regs->gpr[3] and returns -1 to signal
> > that the syscall should be skipped. However, the PowerPC syscall handler
> > was not checking for this -1 return value before validating the syscall
> > number.
> >
> > Fix this by explicitly checking if syscall_enter_from_user_mode() returns
> > -1 and returning the value already set in regs->gpr[3] (the errno from
> > seccomp) before performing the syscall number validation.
> >
> > Also Move the syscall_enter_from_user_mode() call and the seccomp/ptrace
> > skip check to after the NR_syscalls bounds check.
> >
> > When syscall -1 was passed, the r0 == -1L check would trigger before
> > the NR_syscalls check, causing syscall_get_error() to return 0 instead
> > of -ENOSYS. This resulted in a silent success (ret=0, errno=0) instead
> > of the expected ENOSYS error.
> >
> > By moving syscall_enter_from_user_mode() after the bounds check, an
> > initial syscall number of -1 is correctly rejected with -ENOSYS first.
> > The seccomp/ptrace skip path still works correctly for valid syscall
> > numbers that get overridden to -1 by seccomp or ptrace.
> >
> > This aligns PowerPC's behavior with other architectures using GENERIC_ENTRY
> > and restores correct seccomp errno handling.
> >
> > Fixes: bee25f97ad24 ("powerpc: Enable GENERIC_ENTRY feature")
> > Reported-by: Michal Suchánek <msuchanek@suse.de>
> > Closes: https://lore.kernel.org/all/ajpp-_XnbF3UTM_E@kunlun.suse.cz/
> > Signed-off-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
> > ---
> >
> > v1 -> v2:
> > - Fix issues in the previous fix (Michal)
> > v1: https://lore.kernel.org/all/20260624171520.772408-1-mkchauras@gmail.com
> >
> > arch/powerpc/kernel/syscall.c | 7 ++++++-
> > 1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > index a9da2af6efa8..36d73933a311 100644
> > --- a/arch/powerpc/kernel/syscall.c
> > +++ b/arch/powerpc/kernel/syscall.c
> > @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > syscall_fn f;
> > add_random_kstack_offset();
> > - r0 = syscall_enter_from_user_mode(regs, r0);
> > if (unlikely(r0 >= NR_syscalls)) {
> > if (unlikely(trap_is_unsupported_scv(regs))) {
> > @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > return -ENOSYS;
> > }
> > + r0 = syscall_enter_from_user_mode(regs, r0);
> > +
>
> I see many arch first do syscall_enter_from_user_mode and then check for return value.
> take x86 for example,
>
> __visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
> {
> nr = syscall_enter_from_user_mode(regs, nr);
>
> if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) {
> /* Invalid system call, but still a system call. */
> regs->ax = __x64_sys_ni_syscall(regs);
> }
>
> }
>
> So seccomp fails silently there if initial nr was -1?
>
Hey,
No the -1 syscall ignores the error silently and returns 0.
From the above snippet from x86. Out behaviour also will remain same.
The reasoning for that i have given here
https://lore.kernel.org/all/akKnSqGUeFIGOfHb@li-1a3e774c-28e4-11b2-a85c-acc9f2883e29.ibm.com/
Regards,
Mukesh
>
>
> > + /* Seccomp or ptrace may have set return value, skip syscall */
> > + if (unlikely(r0 == -1L))
> > + return syscall_get_error(current, regs);
> > +
> > /* May be faster to do array_index_nospec? */
> > barrier_nospec();
>
> Code per se, looks okay to me.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
2026-07-01 6:27 ` Mukesh Kumar Chaurasiya
@ 2026-07-01 7:41 ` Michal Suchánek
2026-07-01 8:01 ` Michal Suchánek
0 siblings, 1 reply; 10+ messages in thread
From: Michal Suchánek @ 2026-07-01 7:41 UTC (permalink / raw)
To: Mukesh Kumar Chaurasiya
Cc: Shrikanth Hegde, maddy, mpe, npiggin, chleroy, mkchauras,
ryan.roberts, ruanjinjie, linuxppc-dev, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 5028 bytes --]
On Wed, Jul 01, 2026 at 11:57:00AM +0530, Mukesh Kumar Chaurasiya wrote:
> On Wed, Jul 01, 2026 at 01:41:09AM +0530, Shrikanth Hegde wrote:
> > Hi Mukesh.
> >
> > On 6/29/26 11:59 PM, Mukesh Kumar Chaurasiya (IBM) wrote:
> > > After enabling GENERIC_ENTRY on PowerPC, seccomp filters using
> > > SCMP_ACT_ERRNO without an explicit errnoRet value return ENOSYS
> > > (Function not implemented) instead of the expected EPERM (Operation
> > > not permitted).
> > >
> > > The issue occurs in system_call_exception() when syscall_enter_from_user_mode()
> > > returns -1 to indicate the syscall should be skipped (e.g., blocked by seccomp).
> > > The current code treats this -1 as a syscall number and compares it against
> > > NR_syscalls. Since -1 is greater than NR_syscalls,
> > > the code incorrectly returns -ENOSYS, overwriting the errno that seccomp
> > > already set via syscall_set_return_value().
> > >
> > > The generic entry code in syscall_trace_enter() calls __secure_computing(),
> > > which sets the appropriate errno in regs->gpr[3] and returns -1 to signal
> > > that the syscall should be skipped. However, the PowerPC syscall handler
> > > was not checking for this -1 return value before validating the syscall
> > > number.
> > >
> > > Fix this by explicitly checking if syscall_enter_from_user_mode() returns
> > > -1 and returning the value already set in regs->gpr[3] (the errno from
> > > seccomp) before performing the syscall number validation.
> > >
> > > Also Move the syscall_enter_from_user_mode() call and the seccomp/ptrace
> > > skip check to after the NR_syscalls bounds check.
> > >
> > > When syscall -1 was passed, the r0 == -1L check would trigger before
> > > the NR_syscalls check, causing syscall_get_error() to return 0 instead
> > > of -ENOSYS. This resulted in a silent success (ret=0, errno=0) instead
> > > of the expected ENOSYS error.
> > >
> > > By moving syscall_enter_from_user_mode() after the bounds check, an
> > > initial syscall number of -1 is correctly rejected with -ENOSYS first.
> > > The seccomp/ptrace skip path still works correctly for valid syscall
> > > numbers that get overridden to -1 by seccomp or ptrace.
> > >
> > > This aligns PowerPC's behavior with other architectures using GENERIC_ENTRY
> > > and restores correct seccomp errno handling.
> > >
> > > Fixes: bee25f97ad24 ("powerpc: Enable GENERIC_ENTRY feature")
> > > Reported-by: Michal Suchánek <msuchanek@suse.de>
> > > Closes: https://lore.kernel.org/all/ajpp-_XnbF3UTM_E@kunlun.suse.cz/
> > > Signed-off-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
> > > ---
> > >
> > > v1 -> v2:
> > > - Fix issues in the previous fix (Michal)
> > > v1: https://lore.kernel.org/all/20260624171520.772408-1-mkchauras@gmail.com
> > >
> > > arch/powerpc/kernel/syscall.c | 7 ++++++-
> > > 1 file changed, 6 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > > index a9da2af6efa8..36d73933a311 100644
> > > --- a/arch/powerpc/kernel/syscall.c
> > > +++ b/arch/powerpc/kernel/syscall.c
> > > @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > syscall_fn f;
> > > add_random_kstack_offset();
> > > - r0 = syscall_enter_from_user_mode(regs, r0);
> > > if (unlikely(r0 >= NR_syscalls)) {
> > > if (unlikely(trap_is_unsupported_scv(regs))) {
> > > @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > return -ENOSYS;
> > > }
> > > + r0 = syscall_enter_from_user_mode(regs, r0);
> > > +
> >
> > I see many arch first do syscall_enter_from_user_mode and then check for return value.
> > take x86 for example,
> >
> > __visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
> > {
> > nr = syscall_enter_from_user_mode(regs, nr);
> >
> > if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) {
> > /* Invalid system call, but still a system call. */
> > regs->ax = __x64_sys_ni_syscall(regs);
> > }
> >
> > }
> >
> > So seccomp fails silently there if initial nr was -1?
> >
> Hey,
>
> No the -1 syscall ignores the error silently and returns 0.
>
There seems to be some inconsistency with the invalid syscalls.
Adapting the example from seccomp man page to ignore architecture I get
on x86_64 (presumably with GENERIC_ENTRY since long ago):
./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
ret=-1 errno=55 (No anode)
but on ppc64le (with GENEREC_ENTRY):
./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
ret=-1 errno=38 (Function not implemented)
That said, behavior of seccomp on invalid syscalls is not particularly
concerning. The tools that people typically use for constructing those
filters typically require a valid syscall number.
It would be nice to align, though.
Thanks
Michal
[-- Attachment #2: seccomp.c --]
[-- Type: text/x-c, Size: 1757 bytes --]
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
static int
install_filter(int syscall_nr, int f_errno)
{
struct sock_filter filter[] = {
/* [0] Load architecture from 'seccomp_data' buffer into
accumulator. */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, arch))),
/* [1] Load system call number from 'seccomp_data' buffer into
accumulator. */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, nr))),
/* [2] Jump forward 1 instruction if system call number
does not match 'syscall_nr'. */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),
/* [3] Matching system call: don't execute
the system call, and return 'f_errno' in 'errno'. */
BPF_STMT(BPF_RET | BPF_K,
SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),
/* [4] Destination of system call number mismatch: allow other
system calls. */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
struct sock_fprog prog = {
.len = sizeof(filter) / sizeof(*filter),
.filter = filter,
};
if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog)) {
perror("seccomp");
return 1;
}
return 0;
}
int
main(int argc, char *argv[])
{
if (argc < 4) {
fprintf(stderr, "Usage: "
"%s <syscall_nr> <errno> <prog> [<args>]\n"
"\n", argv[0]);
exit(EXIT_FAILURE);
}
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl");
exit(EXIT_FAILURE);
}
if (install_filter(strtol(argv[1], NULL, 0),
strtol(argv[2], NULL, 0)))
exit(EXIT_FAILURE);
execv(argv[3], &argv[3]);
perror("execv");
exit(EXIT_FAILURE);
}
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
2026-07-01 7:41 ` Michal Suchánek
@ 2026-07-01 8:01 ` Michal Suchánek
2026-07-01 8:29 ` Michal Suchánek
0 siblings, 1 reply; 10+ messages in thread
From: Michal Suchánek @ 2026-07-01 8:01 UTC (permalink / raw)
To: Mukesh Kumar Chaurasiya
Cc: Shrikanth Hegde, maddy, mpe, npiggin, chleroy, mkchauras,
ryan.roberts, ruanjinjie, linuxppc-dev, linux-kernel
On Wed, Jul 01, 2026 at 09:41:57AM +0200, Michal Suchánek wrote:
> On Wed, Jul 01, 2026 at 11:57:00AM +0530, Mukesh Kumar Chaurasiya wrote:
> > On Wed, Jul 01, 2026 at 01:41:09AM +0530, Shrikanth Hegde wrote:
> > > Hi Mukesh.
> > >
> > > On 6/29/26 11:59 PM, Mukesh Kumar Chaurasiya (IBM) wrote:
> > > > After enabling GENERIC_ENTRY on PowerPC, seccomp filters using
> > > > SCMP_ACT_ERRNO without an explicit errnoRet value return ENOSYS
> > > > (Function not implemented) instead of the expected EPERM (Operation
> > > > not permitted).
> > > >
> > > > The issue occurs in system_call_exception() when syscall_enter_from_user_mode()
> > > > returns -1 to indicate the syscall should be skipped (e.g., blocked by seccomp).
> > > > The current code treats this -1 as a syscall number and compares it against
> > > > NR_syscalls. Since -1 is greater than NR_syscalls,
> > > > the code incorrectly returns -ENOSYS, overwriting the errno that seccomp
> > > > already set via syscall_set_return_value().
> > > >
> > > > The generic entry code in syscall_trace_enter() calls __secure_computing(),
> > > > which sets the appropriate errno in regs->gpr[3] and returns -1 to signal
> > > > that the syscall should be skipped. However, the PowerPC syscall handler
> > > > was not checking for this -1 return value before validating the syscall
> > > > number.
> > > >
> > > > Fix this by explicitly checking if syscall_enter_from_user_mode() returns
> > > > -1 and returning the value already set in regs->gpr[3] (the errno from
> > > > seccomp) before performing the syscall number validation.
> > > >
> > > > Also Move the syscall_enter_from_user_mode() call and the seccomp/ptrace
> > > > skip check to after the NR_syscalls bounds check.
> > > >
> > > > When syscall -1 was passed, the r0 == -1L check would trigger before
> > > > the NR_syscalls check, causing syscall_get_error() to return 0 instead
> > > > of -ENOSYS. This resulted in a silent success (ret=0, errno=0) instead
> > > > of the expected ENOSYS error.
> > > >
> > > > By moving syscall_enter_from_user_mode() after the bounds check, an
> > > > initial syscall number of -1 is correctly rejected with -ENOSYS first.
> > > > The seccomp/ptrace skip path still works correctly for valid syscall
> > > > numbers that get overridden to -1 by seccomp or ptrace.
> > > >
> > > > This aligns PowerPC's behavior with other architectures using GENERIC_ENTRY
> > > > and restores correct seccomp errno handling.
> > > >
> > > > Fixes: bee25f97ad24 ("powerpc: Enable GENERIC_ENTRY feature")
> > > > Reported-by: Michal Suchánek <msuchanek@suse.de>
> > > > Closes: https://lore.kernel.org/all/ajpp-_XnbF3UTM_E@kunlun.suse.cz/
> > > > Signed-off-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
> > > > ---
> > > >
> > > > v1 -> v2:
> > > > - Fix issues in the previous fix (Michal)
> > > > v1: https://lore.kernel.org/all/20260624171520.772408-1-mkchauras@gmail.com
> > > >
> > > > arch/powerpc/kernel/syscall.c | 7 ++++++-
> > > > 1 file changed, 6 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > > > index a9da2af6efa8..36d73933a311 100644
> > > > --- a/arch/powerpc/kernel/syscall.c
> > > > +++ b/arch/powerpc/kernel/syscall.c
> > > > @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > syscall_fn f;
> > > > add_random_kstack_offset();
> > > > - r0 = syscall_enter_from_user_mode(regs, r0);
> > > > if (unlikely(r0 >= NR_syscalls)) {
> > > > if (unlikely(trap_is_unsupported_scv(regs))) {
> > > > @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > return -ENOSYS;
> > > > }
> > > > + r0 = syscall_enter_from_user_mode(regs, r0);
> > > > +
> > >
> > > I see many arch first do syscall_enter_from_user_mode and then check for return value.
> > > take x86 for example,
> > >
> > > __visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
> > > {
> > > nr = syscall_enter_from_user_mode(regs, nr);
> > >
> > > if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) {
> > > /* Invalid system call, but still a system call. */
> > > regs->ax = __x64_sys_ni_syscall(regs);
> > > }
> > >
> > > }
> > >
> > > So seccomp fails silently there if initial nr was -1?
> > >
> > Hey,
> >
> > No the -1 syscall ignores the error silently and returns 0.
> >
>
> There seems to be some inconsistency with the invalid syscalls.
>
> Adapting the example from seccomp man page to ignore architecture I get
> on x86_64 (presumably with GENERIC_ENTRY since long ago):
>
> ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> ret=-1 errno=55 (No anode)
>
> but on ppc64le (with GENEREC_ENTRY):
>
> ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> ret=-1 errno=38 (Function not implemented)
>
> That said, behavior of seccomp on invalid syscalls is not particularly
> concerning. The tools that people typically use for constructing those
> filters typically require a valid syscall number.
>
> It would be nice to align, though.
It is more concerning for SECCOMP_SET_MODE_STRICT or similar. So it
should be resolved to correctly execute seccomp even on invalid
syscalls. The syscall_enter_from_user_mode API is not particularly
well-suited for that, though.
Thanks
Michal
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
2026-07-01 8:01 ` Michal Suchánek
@ 2026-07-01 8:29 ` Michal Suchánek
2026-07-02 5:50 ` Mukesh Kumar Chaurasiya
0 siblings, 1 reply; 10+ messages in thread
From: Michal Suchánek @ 2026-07-01 8:29 UTC (permalink / raw)
To: Mukesh Kumar Chaurasiya
Cc: Shrikanth Hegde, maddy, mpe, npiggin, chleroy, mkchauras,
ryan.roberts, ruanjinjie, linuxppc-dev, linux-kernel
On Wed, Jul 01, 2026 at 10:01:49AM +0200, Michal Suchánek wrote:
> On Wed, Jul 01, 2026 at 09:41:57AM +0200, Michal Suchánek wrote:
> > On Wed, Jul 01, 2026 at 11:57:00AM +0530, Mukesh Kumar Chaurasiya wrote:
> > > On Wed, Jul 01, 2026 at 01:41:09AM +0530, Shrikanth Hegde wrote:
> > > > Hi Mukesh.
> > > >
> > > > On 6/29/26 11:59 PM, Mukesh Kumar Chaurasiya (IBM) wrote:
> > > > > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > > > > index a9da2af6efa8..36d73933a311 100644
> > > > > --- a/arch/powerpc/kernel/syscall.c
> > > > > +++ b/arch/powerpc/kernel/syscall.c
> > > > > @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > > syscall_fn f;
> > > > > add_random_kstack_offset();
> > > > > - r0 = syscall_enter_from_user_mode(regs, r0);
> > > > > if (unlikely(r0 >= NR_syscalls)) {
> > > > > if (unlikely(trap_is_unsupported_scv(regs))) {
> > > > > @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > > return -ENOSYS;
> > > > > }
> > > > > + r0 = syscall_enter_from_user_mode(regs, r0);
> > > > > +
> > > >
> > > > I see many arch first do syscall_enter_from_user_mode and then check for return value.
> > > > take x86 for example,
> > > >
> > > > __visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
> > > > {
> > > > nr = syscall_enter_from_user_mode(regs, nr);
> > > >
> > > > if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) {
> > > > /* Invalid system call, but still a system call. */
> > > > regs->ax = __x64_sys_ni_syscall(regs);
> > > > }
> > > >
> > > > }
> > > >
> > > > So seccomp fails silently there if initial nr was -1?
> > > >
> > > Hey,
> > >
> > > No the -1 syscall ignores the error silently and returns 0.
> > >
> >
> > There seems to be some inconsistency with the invalid syscalls.
> >
> > Adapting the example from seccomp man page to ignore architecture I get
> > on x86_64 (presumably with GENERIC_ENTRY since long ago):
> >
> > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > ret=-1 errno=55 (No anode)
> >
> > but on ppc64le (with GENEREC_ENTRY):
> >
> > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > ret=-1 errno=38 (Function not implemented)
> >
> > That said, behavior of seccomp on invalid syscalls is not particularly
> > concerning. The tools that people typically use for constructing those
> > filters typically require a valid syscall number.
> >
> > It would be nice to align, though.
>
> It is more concerning for SECCOMP_SET_MODE_STRICT or similar. So it
> should be resolved to correctly execute seccomp even on invalid
> syscalls. The syscall_enter_from_user_mode API is not particularly
> well-suited for that, though.
In particular the fixup per
https://lore.kernel.org/linuxppc-dev/akJzuEJRLniHk4Fi@kunlun.suse.cz/
handles some cases
./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
ret=-1 errno=55 (No anode)
but not -1
./a.out -1 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-1, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
ret=-1 errno=38 (Function not implemented)
which is the direct result of the ambiguous return value of
syscall_enter_from_user_mode
Thanks
Michal
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
2026-07-01 8:29 ` Michal Suchánek
@ 2026-07-02 5:50 ` Mukesh Kumar Chaurasiya
2026-07-02 9:34 ` Michal Suchánek
0 siblings, 1 reply; 10+ messages in thread
From: Mukesh Kumar Chaurasiya @ 2026-07-02 5:50 UTC (permalink / raw)
To: Michal Suchánek
Cc: Shrikanth Hegde, maddy, mpe, npiggin, chleroy, mkchauras,
ryan.roberts, ruanjinjie, linuxppc-dev, linux-kernel
On Wed, Jul 01, 2026 at 10:29:49AM +0200, Michal Suchánek wrote:
> On Wed, Jul 01, 2026 at 10:01:49AM +0200, Michal Suchánek wrote:
> > On Wed, Jul 01, 2026 at 09:41:57AM +0200, Michal Suchánek wrote:
> > > On Wed, Jul 01, 2026 at 11:57:00AM +0530, Mukesh Kumar Chaurasiya wrote:
> > > > On Wed, Jul 01, 2026 at 01:41:09AM +0530, Shrikanth Hegde wrote:
> > > > > Hi Mukesh.
> > > > >
> > > > > On 6/29/26 11:59 PM, Mukesh Kumar Chaurasiya (IBM) wrote:
>
> > > > > > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > > > > > index a9da2af6efa8..36d73933a311 100644
> > > > > > --- a/arch/powerpc/kernel/syscall.c
> > > > > > +++ b/arch/powerpc/kernel/syscall.c
> > > > > > @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > > > syscall_fn f;
> > > > > > add_random_kstack_offset();
> > > > > > - r0 = syscall_enter_from_user_mode(regs, r0);
> > > > > > if (unlikely(r0 >= NR_syscalls)) {
> > > > > > if (unlikely(trap_is_unsupported_scv(regs))) {
> > > > > > @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > > > return -ENOSYS;
> > > > > > }
> > > > > > + r0 = syscall_enter_from_user_mode(regs, r0);
> > > > > > +
> > > > >
> > > > > I see many arch first do syscall_enter_from_user_mode and then check for return value.
> > > > > take x86 for example,
> > > > >
> > > > > __visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
> > > > > {
> > > > > nr = syscall_enter_from_user_mode(regs, nr);
> > > > >
> > > > > if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) {
> > > > > /* Invalid system call, but still a system call. */
> > > > > regs->ax = __x64_sys_ni_syscall(regs);
> > > > > }
> > > > >
> > > > > }
> > > > >
> > > > > So seccomp fails silently there if initial nr was -1?
> > > > >
> > > > Hey,
> > > >
> > > > No the -1 syscall ignores the error silently and returns 0.
> > > >
> > >
> > > There seems to be some inconsistency with the invalid syscalls.
> > >
> > > Adapting the example from seccomp man page to ignore architecture I get
> > > on x86_64 (presumably with GENERIC_ENTRY since long ago):
> > >
> > > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > > ret=-1 errno=55 (No anode)
> > >
> > > but on ppc64le (with GENEREC_ENTRY):
> > >
> > > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > > ret=-1 errno=38 (Function not implemented)
> > >
> > > That said, behavior of seccomp on invalid syscalls is not particularly
> > > concerning. The tools that people typically use for constructing those
> > > filters typically require a valid syscall number.
> > >
> > > It would be nice to align, though.
> >
> > It is more concerning for SECCOMP_SET_MODE_STRICT or similar. So it
> > should be resolved to correctly execute seccomp even on invalid
> > syscalls. The syscall_enter_from_user_mode API is not particularly
> > well-suited for that, though.
>
> In particular the fixup per
> https://lore.kernel.org/linuxppc-dev/akJzuEJRLniHk4Fi@kunlun.suse.cz/
>
> handles some cases
>
> ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> ret=-1 errno=55 (No anode)
>
> but not -1
>
> ./a.out -1 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-1, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> ret=-1 errno=38 (Function not implemented)
>
> which is the direct result of the ambiguous return value of
> syscall_enter_from_user_mode
>
> Thanks
>
> Michal
Hey Michal,
Yeah this seems to be a more complex thing than anticipated.
As per conversation on your another patch here
https://lore.kernel.org/all/BA7CD91D-C0E5-47A1-B49C-BC6AF6604182@zytor.com/
This patch seems to be redundant at this point.
Regards,
Mukesh
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
2026-07-02 5:50 ` Mukesh Kumar Chaurasiya
@ 2026-07-02 9:34 ` Michal Suchánek
2026-07-02 9:39 ` Mukesh Kumar Chaurasiya
0 siblings, 1 reply; 10+ messages in thread
From: Michal Suchánek @ 2026-07-02 9:34 UTC (permalink / raw)
To: Mukesh Kumar Chaurasiya
Cc: Shrikanth Hegde, maddy, mpe, npiggin, chleroy, mkchauras,
ryan.roberts, ruanjinjie, linuxppc-dev, linux-kernel
On Thu, Jul 02, 2026 at 11:20:03AM +0530, Mukesh Kumar Chaurasiya wrote:
> On Wed, Jul 01, 2026 at 10:29:49AM +0200, Michal Suchánek wrote:
> > On Wed, Jul 01, 2026 at 10:01:49AM +0200, Michal Suchánek wrote:
> > > On Wed, Jul 01, 2026 at 09:41:57AM +0200, Michal Suchánek wrote:
> > > > On Wed, Jul 01, 2026 at 11:57:00AM +0530, Mukesh Kumar Chaurasiya wrote:
> > > > > On Wed, Jul 01, 2026 at 01:41:09AM +0530, Shrikanth Hegde wrote:
> > > > > > Hi Mukesh.
> > > > > >
> > > > > > On 6/29/26 11:59 PM, Mukesh Kumar Chaurasiya (IBM) wrote:
> >
> > > > > > > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > > > > > > index a9da2af6efa8..36d73933a311 100644
> > > > > > > --- a/arch/powerpc/kernel/syscall.c
> > > > > > > +++ b/arch/powerpc/kernel/syscall.c
> > > > > > > @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > > > > syscall_fn f;
> > > > > > > add_random_kstack_offset();
> > > > > > > - r0 = syscall_enter_from_user_mode(regs, r0);
> > > > > > > if (unlikely(r0 >= NR_syscalls)) {
> > > > > > > if (unlikely(trap_is_unsupported_scv(regs))) {
> > > > > > > @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > > > > return -ENOSYS;
> > > > > > > }
> > > > > > > + r0 = syscall_enter_from_user_mode(regs, r0);
> > > > > > > +
> > > > > >
> > > > > > I see many arch first do syscall_enter_from_user_mode and then check for return value.
> > > > > > take x86 for example,
> > > > > >
> > > > > > __visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
> > > > > > {
> > > > > > nr = syscall_enter_from_user_mode(regs, nr);
> > > > > >
> > > > > > if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) {
> > > > > > /* Invalid system call, but still a system call. */
> > > > > > regs->ax = __x64_sys_ni_syscall(regs);
> > > > > > }
> > > > > >
> > > > > > }
> > > > > >
> > > > > > So seccomp fails silently there if initial nr was -1?
> > > > > >
> > > > > Hey,
> > > > >
> > > > > No the -1 syscall ignores the error silently and returns 0.
> > > > >
> > > >
> > > > There seems to be some inconsistency with the invalid syscalls.
> > > >
> > > > Adapting the example from seccomp man page to ignore architecture I get
> > > > on x86_64 (presumably with GENERIC_ENTRY since long ago):
> > > >
> > > > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > > > ret=-1 errno=55 (No anode)
> > > >
> > > > but on ppc64le (with GENEREC_ENTRY):
> > > >
> > > > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > > > ret=-1 errno=38 (Function not implemented)
> > > >
> > > > That said, behavior of seccomp on invalid syscalls is not particularly
> > > > concerning. The tools that people typically use for constructing those
> > > > filters typically require a valid syscall number.
> > > >
> > > > It would be nice to align, though.
> > >
> > > It is more concerning for SECCOMP_SET_MODE_STRICT or similar. So it
> > > should be resolved to correctly execute seccomp even on invalid
> > > syscalls. The syscall_enter_from_user_mode API is not particularly
> > > well-suited for that, though.
> >
> > In particular the fixup per
> > https://lore.kernel.org/linuxppc-dev/akJzuEJRLniHk4Fi@kunlun.suse.cz/
> >
> > handles some cases
> >
> > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > ret=-1 errno=55 (No anode)
> >
> > but not -1
> >
> > ./a.out -1 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-1, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > ret=-1 errno=38 (Function not implemented)
> >
> > which is the direct result of the ambiguous return value of
> > syscall_enter_from_user_mode
> >
> > Thanks
> >
> > Michal
> Hey Michal,
>
> Yeah this seems to be a more complex thing than anticipated.
> As per conversation on your another patch here
> https://lore.kernel.org/all/BA7CD91D-C0E5-47A1-B49C-BC6AF6604182@zytor.com/
>
> This patch seems to be redundant at this point.
Hello,
while improving the entry API is a fine goal it will take time if
something can be even agreed on.
In the mantime we should provide a fix using the current API.
Inability to run container workloads is a significant regression.
Thanks
Michal
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
2026-07-02 9:34 ` Michal Suchánek
@ 2026-07-02 9:39 ` Mukesh Kumar Chaurasiya
0 siblings, 0 replies; 10+ messages in thread
From: Mukesh Kumar Chaurasiya @ 2026-07-02 9:39 UTC (permalink / raw)
To: Michal Suchánek
Cc: Shrikanth Hegde, maddy, mpe, npiggin, chleroy, mkchauras,
ryan.roberts, ruanjinjie, linuxppc-dev, linux-kernel
On Thu, Jul 02, 2026 at 11:34:55AM +0200, Michal Suchánek wrote:
> On Thu, Jul 02, 2026 at 11:20:03AM +0530, Mukesh Kumar Chaurasiya wrote:
> > On Wed, Jul 01, 2026 at 10:29:49AM +0200, Michal Suchánek wrote:
> > > On Wed, Jul 01, 2026 at 10:01:49AM +0200, Michal Suchánek wrote:
> > > > On Wed, Jul 01, 2026 at 09:41:57AM +0200, Michal Suchánek wrote:
> > > > > On Wed, Jul 01, 2026 at 11:57:00AM +0530, Mukesh Kumar Chaurasiya wrote:
> > > > > > On Wed, Jul 01, 2026 at 01:41:09AM +0530, Shrikanth Hegde wrote:
> > > > > > > Hi Mukesh.
> > > > > > >
> > > > > > > On 6/29/26 11:59 PM, Mukesh Kumar Chaurasiya (IBM) wrote:
> > >
> > > > > > > > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > > > > > > > index a9da2af6efa8..36d73933a311 100644
> > > > > > > > --- a/arch/powerpc/kernel/syscall.c
> > > > > > > > +++ b/arch/powerpc/kernel/syscall.c
> > > > > > > > @@ -20,7 +20,6 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > > > > > syscall_fn f;
> > > > > > > > add_random_kstack_offset();
> > > > > > > > - r0 = syscall_enter_from_user_mode(regs, r0);
> > > > > > > > if (unlikely(r0 >= NR_syscalls)) {
> > > > > > > > if (unlikely(trap_is_unsupported_scv(regs))) {
> > > > > > > > @@ -31,6 +30,12 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > > > > > return -ENOSYS;
> > > > > > > > }
> > > > > > > > + r0 = syscall_enter_from_user_mode(regs, r0);
> > > > > > > > +
> > > > > > >
> > > > > > > I see many arch first do syscall_enter_from_user_mode and then check for return value.
> > > > > > > take x86 for example,
> > > > > > >
> > > > > > > __visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
> > > > > > > {
> > > > > > > nr = syscall_enter_from_user_mode(regs, nr);
> > > > > > >
> > > > > > > if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) {
> > > > > > > /* Invalid system call, but still a system call. */
> > > > > > > regs->ax = __x64_sys_ni_syscall(regs);
> > > > > > > }
> > > > > > >
> > > > > > > }
> > > > > > >
> > > > > > > So seccomp fails silently there if initial nr was -1?
> > > > > > >
> > > > > > Hey,
> > > > > >
> > > > > > No the -1 syscall ignores the error silently and returns 0.
> > > > > >
> > > > >
> > > > > There seems to be some inconsistency with the invalid syscalls.
> > > > >
> > > > > Adapting the example from seccomp man page to ignore architecture I get
> > > > > on x86_64 (presumably with GENERIC_ENTRY since long ago):
> > > > >
> > > > > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > > > > ret=-1 errno=55 (No anode)
> > > > >
> > > > > but on ppc64le (with GENEREC_ENTRY):
> > > > >
> > > > > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > > > > ret=-1 errno=38 (Function not implemented)
> > > > >
> > > > > That said, behavior of seccomp on invalid syscalls is not particularly
> > > > > concerning. The tools that people typically use for constructing those
> > > > > filters typically require a valid syscall number.
> > > > >
> > > > > It would be nice to align, though.
> > > >
> > > > It is more concerning for SECCOMP_SET_MODE_STRICT or similar. So it
> > > > should be resolved to correctly execute seccomp even on invalid
> > > > syscalls. The syscall_enter_from_user_mode API is not particularly
> > > > well-suited for that, though.
> > >
> > > In particular the fixup per
> > > https://lore.kernel.org/linuxppc-dev/akJzuEJRLniHk4Fi@kunlun.suse.cz/
> > >
> > > handles some cases
> > >
> > > ./a.out -2 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-2, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > > ret=-1 errno=55 (No anode)
> > >
> > > but not -1
> > >
> > > ./a.out -1 55 /usr/bin/perl -MPOSIX -e '$!=0; my $r = syscall(-1, 0); print "ret=$r errno=".($!+0)." ($!)\n"'
> > > ret=-1 errno=38 (Function not implemented)
> > >
> > > which is the direct result of the ambiguous return value of
> > > syscall_enter_from_user_mode
> > >
> > > Thanks
> > >
> > > Michal
> > Hey Michal,
> >
> > Yeah this seems to be a more complex thing than anticipated.
> > As per conversation on your another patch here
> > https://lore.kernel.org/all/BA7CD91D-C0E5-47A1-B49C-BC6AF6604182@zytor.com/
> >
> > This patch seems to be redundant at this point.
>
> Hello,
>
> while improving the entry API is a fine goal it will take time if
> something can be even agreed on.
>
> In the mantime we should provide a fix using the current API.
>
> Inability to run container workloads is a significant regression.
>
> Thanks
>
> Michal
Yeah, i am working on a fix for now. Will post out a new version.
Regards,
Mukesh
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2026-07-02 9:39 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-29 18:29 [PATCH V2] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY Mukesh Kumar Chaurasiya (IBM)
2026-06-30 17:19 ` Michal Suchánek
2026-06-30 20:11 ` Shrikanth Hegde
2026-07-01 6:27 ` Mukesh Kumar Chaurasiya
2026-07-01 7:41 ` Michal Suchánek
2026-07-01 8:01 ` Michal Suchánek
2026-07-01 8:29 ` Michal Suchánek
2026-07-02 5:50 ` Mukesh Kumar Chaurasiya
2026-07-02 9:34 ` Michal Suchánek
2026-07-02 9:39 ` Mukesh Kumar Chaurasiya
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox