From nobody Sun Feb  8 04:34:29 2026
Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com
 [209.85.210.182])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 46516280A3B
	for <linux-kernel@vger.kernel.org>; Thu, 18 Dec 2025 14:59:15 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.182
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1766069956; cv=none;
 b=AUG89FzVN0do97iOImZ9w/f8U8L5rXwywPU7nsXzpbTxbczwjU7taTR9aUrFg52KEFh9Cn6iuJfXaeR6j5RnW744YEgkrcPEbwIdh3xdhAtdSZE+FqSRouY0I3TytTgV1iZDzmjRpm1a80cu+uefvvi1Mz2YplLqZAy5cin365I=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1766069956; c=relaxed/simple;
	bh=ZL/UkwTv3QgoWJUNQvLSl/OFPjuScGHx0TpMe3OcWNo=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=WkOgAHshbOmtqHBpCJCH1dVcT/d3i0TlMsoVDVVsjC2B9j5bboh14zmP85GVbNLvxbngQenCls+Gax0HcDRtzMkCa2v5r0wwq0UcEUNsXzmZJpUOk8wT+q4kKGsGPCxmVWvdZYmf9tvasRVTGJ8lynELImWlgylNUuWmFzbO0Nk=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=eOmt00aN; arc=none smtp.client-ip=209.85.210.182
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="eOmt00aN"
Received: by mail-pf1-f182.google.com with SMTP id
 d2e1a72fcca58-7d26a7e5639so897858b3a.1
        for <linux-kernel@vger.kernel.org>;
 Thu, 18 Dec 2025 06:59:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1766069954; x=1766674754;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=0XbHdBKayUYoFLM3mVQJ1HmGu9AM/cpu5nlkq6UYpks=;
        b=eOmt00aNjUVQbslLTh4NFpczgq0GU+VIWEh9+42/RG2+T5DrPjvk5V74Fp7CoCpgpi
         jZj/WbkyGYhIJJOuuhv/FwaQCsgtAnPCsz+q4p9SW5YHUBnAZuv+duKyo5Dmmr7y0uni
         6QhLLti7yj/Y24nTinZrZzT1kK2oXLkOIeaLWLYIrg6izDRRdErlp5iISyw2essuED0K
         xnkXAvRXieSwHKkzd3en0XpYylgtL97rO9C/TVaui9Dt7MsUXeahIbmDOBH01jMQrkXM
         jIOKIwECKgoMTposB5GaQ3/VP4aDLc+7Dv6PTU6PdN3gZmXGIdI5xZeSg2BqoOMX5Hvh
         m7EA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1766069954; x=1766674754;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=0XbHdBKayUYoFLM3mVQJ1HmGu9AM/cpu5nlkq6UYpks=;
        b=vywSmPEH4+rPZbK1QjZZqWiQM4WLpmyPI74cah+c+kQv1/CNfGr+zyXeQ1TuMRa+ee
         dtKAeECrWOwUggGfnxfgyUr411gnGD9SazgxIziWDhUnPN2E/Q0jdrJtHgQj6tuuIz+s
         UixK+AlXcFP7JEGFsUFgFRchKL5rv8SyhxPPj7m5djLSDcvNDHbbZTKp83tdqzSJ9CbV
         HcKJ4XG2wg/V4f9+O/XnMZPKT4ZMc3eaL/UCV1/pRAtVENjOMmi8spU/8tofnscwTrde
         clVVHifP8GjmhtIbnQF3IbwdD6eCX4qjEVFNvGn6ShripTDdJRgCN4UE66ZqgrUmRcGT
         Aykw==
X-Gm-Message-State: AOJu0YyLEDNg7rCPCQ/cfs2y+kow3Mg5sPmEhTGXV023S5yS4cnZIShU
	sP6neG4DlJcTOxrl2q7sLgUxIQbe+9WMi/SwizJx61VkIcR9GUAMJ49/qyitPA==
X-Gm-Gg: AY/fxX75MAIN7fZ/hHPIm07WT3qTrXkBthMxXdyJDWXiqS9GDUjA6EherOz4YV8jE8H
	8J5IaSOCNl9+AvLrZVjRI0CE6rxuEBBkPNudJNGzgjB77S/YV+T8sUxcJvsXm4Ejh/j08Sp9r+t
	KQdyJmrLafCT20BEb2GsB5V69CJUX3KgWlHm+BbqSn9gd3dj17OH2IiYj0xWu/puRRqtcap+xlW
	8HYAVeY92PBejEVNJZi7zp+IQaub5/3DvoKgUKH+mo44bTkOn1bV119gdRWdfcC9UYEap+0yoZW
	siGXkDmXUZCMagGA9Dtvem4zSj2GGLcbPuabABHVvln3Q+AeDs+zl2Eqsl7iiafza9g2YqXoGiH
	IGCjGD9ZtNwsn4NpXIPTcYXvqBZ4ZzmBiwgDxdepaRYiiWO+L48jwhcU56PBRp+kFImwK4hsyk2
	uD+p3DbbPt36PRpXciP7tdFvQwFY3o0PoIf1MWyg==
X-Google-Smtp-Source: 
 AGHT+IFisv/XYnDR4quZL+oGe+P8XAAOA+wkYTNKdVZTcbQb7l393ueZgLn/THUdFyBzYY65fQDPsg==
X-Received: by 2002:a05:6a00:600d:b0:776:1c49:82f8 with SMTP id
 d2e1a72fcca58-7f66f9f12fbmr23868368b3a.8.1766069953857;
        Thu, 18 Dec 2025 06:59:13 -0800 (PST)
Received: from eclypsium-Latitude-5490..
 ([2803:9800:9881:bd6c:edb8:f863:94b4:e7fc])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-7fe117623fasm2918659b3a.2.2025.12.18.06.59.09
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 18 Dec 2025 06:59:13 -0800 (PST)
From: ellyndra <ellyesparza8@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: luto@kernel.org,
	tglx@linutronix.de,
	mingo@redhat.com,
	bp@alien8.de,
	dave.hansen@linux.intel.com,
	x86@kernel.org,
	hpa@zytor.com,
	ellyndra <ellyesparza8@gmail.com>,
	Peter Zijlstra <peterz@infradead.org>
Subject: [PATCH v2] x86/syscall: make sys_call helpers static
Date: Thu, 18 Dec 2025 11:57:14 -0300
Message-ID: <20251218145714.70220-1-ellyesparza8@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Make 'x64_sys_call()' 'x32_sys_call()' and 'ia32_sys_call()' static to
prevent them from being resolved via kallsyms and by extension kprobes.

These functions contain the final calls to the syscall handlers, having
access to their address can be used to hook this calls altering their
behavior. Preventing symbol visibility limits the area of such attacks.

Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Elly I Esparza <ellyesparza8@gmail.com>
---
 arch/x86/entry/syscall_32.c    |  6 ++++--
 arch/x86/entry/syscall_64.c    | 12 ++++++++----
 arch/x86/include/asm/syscall.h |  8 --------
 3 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c
index 2b15ea17bb7c..28c9a99fb2de 100644
--- a/arch/x86/entry/syscall_32.c
+++ b/arch/x86/entry/syscall_32.c
@@ -41,7 +41,7 @@ const sys_call_ptr_t sys_call_table[] =3D {
 #endif
=20
 #define __SYSCALL(nr, sym) case nr: return __ia32_##sym(regs);
-long ia32_sys_call(const struct pt_regs *regs, unsigned int nr)
+static __always_inline long ia32_sys_call(const struct pt_regs *regs, unsi=
gned int nr)
 {
 	switch (nr) {
 	#include <asm/syscalls_32.h>
@@ -70,7 +70,7 @@ early_param("ia32_emulation", ia32_emulation_override_cmd=
line);
 /*
  * Invoke a 32-bit syscall.  Called with IRQs on in CT_STATE_KERNEL.
  */
-static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs, in=
t nr)
+static noinstr void do_syscall_32_irqs_on(struct pt_regs *regs, int nr)
 {
 	/*
 	 * Convert negative numbers to very high and thus out of range
@@ -78,12 +78,14 @@ static __always_inline void do_syscall_32_irqs_on(struc=
t pt_regs *regs, int nr)
 	 */
 	unsigned int unr =3D nr;
=20
+	instrumentation_begin();
 	if (likely(unr < IA32_NR_syscalls)) {
 		unr =3D array_index_nospec(unr, IA32_NR_syscalls);
 		regs->ax =3D ia32_sys_call(regs, unr);
 	} else if (nr !=3D -1) {
 		regs->ax =3D __ia32_sys_ni_syscall(regs);
 	}
+	instrumentation_end();
 }
=20
 #ifdef CONFIG_IA32_EMULATION
diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c
index b6e68ea98b83..55ad274f57f5 100644
--- a/arch/x86/entry/syscall_64.c
+++ b/arch/x86/entry/syscall_64.c
@@ -32,7 +32,7 @@ const sys_call_ptr_t sys_call_table[] =3D {
 #undef  __SYSCALL
=20
 #define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs);
-long x64_sys_call(const struct pt_regs *regs, unsigned int nr)
+static __always_inline long x64_sys_call(const struct pt_regs *regs, unsig=
ned int nr)
 {
 	switch (nr) {
 	#include <asm/syscalls_64.h>
@@ -40,15 +40,17 @@ long x64_sys_call(const struct pt_regs *regs, unsigned =
int nr)
 	}
 }
=20
-#ifdef CONFIG_X86_X32_ABI
-long x32_sys_call(const struct pt_regs *regs, unsigned int nr)
+static __always_inline long x32_sys_call(const struct pt_regs *regs, unsig=
ned int nr)
 {
+#ifdef CONFIG_X86_X32_ABI
 	switch (nr) {
 	#include <asm/syscalls_x32.h>
 	default: return __x64_sys_ni_syscall(regs);
 	}
-}
+#else
+	return __x64_sys_ni_syscall(regs);
 #endif
+}
=20
 static __always_inline bool do_syscall_x64(struct pt_regs *regs, int nr)
 {
@@ -58,11 +60,13 @@ static __always_inline bool do_syscall_x64(struct pt_re=
gs *regs, int nr)
 	 */
 	unsigned int unr =3D nr;
=20
+	instrumentation_begin();
 	if (likely(unr < NR_syscalls)) {
 		unr =3D array_index_nospec(unr, NR_syscalls);
 		regs->ax =3D x64_sys_call(regs, unr);
 		return true;
 	}
+	instrumentation_end();
 	return false;
 }
=20
diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h
index c10dbb74cd00..59a406074dc0 100644
--- a/arch/x86/include/asm/syscall.h
+++ b/arch/x86/include/asm/syscall.h
@@ -20,14 +20,6 @@
 typedef long (*sys_call_ptr_t)(const struct pt_regs *);
 extern const sys_call_ptr_t sys_call_table[];
=20
-/*
- * These may not exist, but still put the prototypes in so we
- * can use IS_ENABLED().
- */
-extern long ia32_sys_call(const struct pt_regs *, unsigned int nr);
-extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
-extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
-
 /*
  * Only the low 32 bits of orig_ax are meaningful, so we return int.
  * This importantly ignores the high bits on 64-bit, so comparisons
--=20
2.43.0