Re: [PATCH] powerpc/syscall: Fix seccomp errno handling with GENERIC_ENTRY
From: "Christophe Leroy (CS GROUP)" <chleroy@kernel.org>
Date: 2026-06-26 14:31:56
Also in:
lkml
Le 24/06/2026 à 19:15, Mukesh Kumar Chaurasiya (IBM) a écrit :
After enabling GENERIC_ENTRY on PowerPC, seccomp filters using
SCMP_ACT_ERRNO without an explicit errnoRet value return ENOSYS
(Function not implemented) instead of the expected EPERM (Operation
not permitted).
The issue occurs in system_call_exception() when syscall_enter_from_user_mode()
returns -1 to indicate the syscall should be skipped (e.g., blocked by seccomp).
The current code treats this -1 as a syscall number and compares it against
NR_syscalls. Since -1 (when cast to unsigned long) is greater than NR_syscalls,
the code incorrectly returns -ENOSYS, overwriting the errno that seccomp
already set via syscall_set_return_value().
The generic entry code in syscall_trace_enter() calls __secure_computing(),
which sets the appropriate errno in regs->gpr[3] and returns -1 to signal
that the syscall should be skipped. However, the PowerPC syscall handler
was not checking for this -1 return value before validating the syscall
number.
Fix this by explicitly checking if syscall_enter_from_user_mode() returns
-1 and returning the value already set in regs->gpr[3] (the errno from
seccomp) before performing the syscall number validation.
This aligns PowerPC's behavior with other architectures using GENERIC_ENTRY
and restores correct seccomp errno handling.
Fixes: bee25f97ad24 ("powerpc: Enable GENERIC_ENTRY feature")
Reported-by: Michal Suchánek <redacted>Closes: https://lore.kernel.org/all/ajpp-_XnbF3UTM_E@kunlun.suse.cz/ (local)
quoted hunk ↗ jump to hunk
Signed-off-by: Mukesh Kumar Chaurasiya (IBM) <redacted> --- arch/powerpc/kernel/syscall.c | 4 ++++ 1 file changed, 4 insertions(+)diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c index a9da2af6efa8..5b58c8d396c8 100644 --- a/arch/powerpc/kernel/syscall.c +++ b/arch/powerpc/kernel/syscall.c@@ -22,6 +22,10 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0) add_random_kstack_offset(); r0 = syscall_enter_from_user_mode(regs, r0); + /* Seccomp or ptrace may have set return value, skip syscall */ + if (unlikely(r0 == -1L))
Is it really needed to add the L after 1 ?
+ return regs->gpr[3];
+
if (unlikely(r0 >= NR_syscalls)) {
if (unlikely(trap_is_unsupported_scv(regs))) {
/* Unsupported scv vector */