From nobody Mon Jun 15 23:14:32 2026
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D6DF313E30
	for <linux-kernel@vger.kernel.org>; Tue, 14 Apr 2026 16:48:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.129.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776185311; cv=none;
 b=atyASS7WTUX9GZf/xT5jvbXb2stLaOhe1MZ3PCCDp9XAC/wAllB/h7N5WJR24xHB+R6YtJ/niVb/YDYHTIJXbOER/3lz2NOf9ZcaOl0lkB+UvgqbJ8daCYan/R/cyE2PWYdy8AiM27SmIJ0AZSHR8VAPD5a6uNHkfLNN2FDvW5A=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776185311; c=relaxed/simple;
	bh=p8tf9brEw6sXzyN8rPTtq7oW1mfos8yma8dbTbRUqsA=;
	h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:
	 Content-Disposition:In-Reply-To;
 b=RGcsO+fN+C0+1snDCVMC4o1JFYZgFCG2TkgRLNHS4q3ifgVYstwAwV7KjsiBzvMTwViSQE67IDiF8olhBKyg07V2mAAakd88HZPxwc0m+0KgjizTN3sK1OdOOeenEp3zKRWanoHiTLOr0B97CSQ7wVAMnfdQILxwuAY63GjFdrg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=fyIqprLt; arc=none smtp.client-ip=170.10.129.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="fyIqprLt"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1776185309;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to; bh=R9Oid93PnVrQy+LikjbR5Hy3F0zFMiTTmcgd9FAZbfo=;
	b=fyIqprLtAtH6N3Z3Dhvx7tUJ6g1LRQYRz9KzmnhGRqg8sdRavHgGEpC90ziEtR9ArJr3aw
	hQggzp+FBcc9D8OmuJ2/OogsJAT3uxYh1ncEfbWRjIbOgYmzfqSv6N5KUOSpO8kHgNginZ
	D6nalAJkYu7fX5RLACdGPeV0tvnKBJk=
Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-25-4QmOzkR-MmKr82rzVltBwQ-1; Tue,
 14 Apr 2026 12:48:23 -0400
X-MC-Unique: 4QmOzkR-MmKr82rzVltBwQ-1
X-Mimecast-MFC-AGG-ID: 4QmOzkR-MmKr82rzVltBwQ_1776185300
Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 8F8481956095;
	Tue, 14 Apr 2026 16:48:19 +0000 (UTC)
Received: from fedora (unknown [10.44.48.62])
	by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with SMTP
 id 5D88B3000C1F;
	Tue, 14 Apr 2026 16:48:16 +0000 (UTC)
Received: by fedora (nbSMTP-1.00) for uid 1000
	oleg@redhat.com; Tue, 14 Apr 2026 18:48:19 +0200 (CEST)
Date: Tue, 14 Apr 2026 18:48:14 +0200
From: Oleg Nesterov <oleg@redhat.com>
To: Andy Lutomirski <luto@kernel.org>, Kees Cook <kees@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@kernel.org>, Will Drewry <wad@chromium.org>
Cc: Kusaram Devineni <kusaram@devineni.in>,
	Max Ver <dudududumaxver@gmail.com>, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 1/2] seccomp: introduce seccomp_nack_syscall() helper
Message-ID: <ad5vztrjvqD0wOCf@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <ad5voOrbqayQBgNk@redhat.com>
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

To factor out the code and simplify the next change

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 kernel/seccomp.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 066909393c38..cb8dd78791cd 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1256,6 +1256,14 @@ static int seccomp_do_user_notification(int this_sys=
call,
 	return -1;
 }
=20
+static void seccomp_nack_syscall(int this_syscall, int data, bool force_co=
redump)
+{
+	/* Show the handler or coredump the original registers. */
+	syscall_rollback(current, current_pt_regs());
+	/* Let the filter pass back 16 bits of data. */
+	force_sig_seccomp(this_syscall, data, force_coredump);
+}
+
 static int __seccomp_filter(int this_syscall, const bool recheck_after_tra=
ce)
 {
 	u32 filter_ret, action;
@@ -1285,10 +1293,7 @@ static int __seccomp_filter(int this_syscall, const =
bool recheck_after_trace)
 		goto skip;
=20
 	case SECCOMP_RET_TRAP:
-		/* Show the handler the original registers. */
-		syscall_rollback(current, current_pt_regs());
-		/* Let the filter pass back 16 bits of data. */
-		force_sig_seccomp(this_syscall, data, false);
+		seccomp_nack_syscall(this_syscall, data, false);
 		goto skip;
=20
 	case SECCOMP_RET_TRACE:
@@ -1360,10 +1365,7 @@ static int __seccomp_filter(int this_syscall, const =
bool recheck_after_trace)
 		/* Dump core only if this is the last remaining thread. */
 		if (action !=3D SECCOMP_RET_KILL_THREAD ||
 		    (atomic_read(&current->signal->live) =3D=3D 1)) {
-			/* Show the original registers in the dump. */
-			syscall_rollback(current, current_pt_regs());
-			/* Trigger a coredump with SIGSYS */
-			force_sig_seccomp(this_syscall, data, true);
+			seccomp_nack_syscall(this_syscall, data, true);
 		} else {
 			do_exit(SIGSYS);
 		}
--=20
2.52.0
From nobody Mon Jun 15 23:14:32 2026
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5B0C527FB18
	for <linux-kernel@vger.kernel.org>; Tue, 14 Apr 2026 16:48:31 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776185312; cv=none;
 b=uLOhrb/OIPu4r7sT/gRlJCo14nHd1DFdChHDDmYucgpS+TMO7RN7sMZZQovEKEtu6UzXaVFjoB/0Gw2+/a073rJwFJldeQtQTxQd0W9DQ3R7fZYRi7mU11PyZWhZKT3bwFE/wj+9X1NRnRYnMv6GB2KPGQ3GF8MT9Y4UBj8Z9eI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776185312; c=relaxed/simple;
	bh=3hR2njnT7RscECO/allhu911VlYJMrXNfxudKFEtiOU=;
	h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:
	 Content-Disposition:In-Reply-To;
 b=p+93ZGNDc3zEcuuP9PaaHFVqr7H2t/jrifda+G/k5rd77U/NrQJ63wDC0R+eoURDEKHN6L3eIJgBPotefYT2+XqRyfneDjb3cKPyiGw7/cZ0ctvgp76Yq20esvDX5+tbo0ET6DSzOkXOyiR9z8qC+R6pQB9qdWW52HUbznVEpZc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=a9DU8Y3g; arc=none smtp.client-ip=170.10.133.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="a9DU8Y3g"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1776185310;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to; bh=U7zZbgDsmpcD5l43TqPUEsDDeTmo8/Ubh8efFwjMxsg=;
	b=a9DU8Y3gDmIKXK30BPxy6KX/Plk16vA5T+9nIcPyKRlSnF491tnyVAAN3CGqJTDzptrE/+
	rdOuZK3Bk8WIGHfu2kSyBIOs4E7cGknTfPALIb7iY7PSWT1ygvUW67Y4KEPG4cEO4llVM5
	c/hPsi7H9l5R/sJ7tQUfdwcZlkvFMPo=
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-20-d9aGQxjKPOqmoHhKc9ALEQ-1; Tue,
 14 Apr 2026 12:48:26 -0400
X-MC-Unique: d9aGQxjKPOqmoHhKc9ALEQ-1
X-Mimecast-MFC-AGG-ID: d9aGQxjKPOqmoHhKc9ALEQ_1776185305
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id DDB20180049F;
	Tue, 14 Apr 2026 16:48:24 +0000 (UTC)
Received: from fedora (unknown [10.44.48.62])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with SMTP
 id 93D25195608E;
	Tue, 14 Apr 2026 16:48:21 +0000 (UTC)
Received: by fedora (nbSMTP-1.00) for uid 1000
	oleg@redhat.com; Tue, 14 Apr 2026 18:48:24 +0200 (CEST)
Date: Tue, 14 Apr 2026 18:48:20 +0200
From: Oleg Nesterov <oleg@redhat.com>
To: Andy Lutomirski <luto@kernel.org>, Kees Cook <kees@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@kernel.org>, Will Drewry <wad@chromium.org>
Cc: Kusaram Devineni <kusaram@devineni.in>,
	Max Ver <dudududumaxver@gmail.com>, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 2/2] seccomp: defer syscall_rollback() to get_signal()
Message-ID: <ad5v1J7bosR88z7b@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <ad5voOrbqayQBgNk@redhat.com>
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Currently, seccomp_nack_syscall() calls syscall_rollback() immediately.
Because this restores the original registers, the syscall exit path sees
the original syscall number as the return value.

This confuses audit_syscall_exit(), trace_syscall_exit(), and ptrace.

Change seccomp_nack_syscall() to call syscall_set_return_value(-EINTR),
and add the new check_force_sig_seccomp() helper called by get_signal()
which does syscall_rollback() if the signal was sent by seccomp.

Note that the si_code =3D=3D SYS_SECCOMP check in check_force_sig_seccomp()
is not 100% reliable, see the comment in check_force_sig_seccomp(), but
I hope we don't really care.

Reported-by: Max Ver <dudududumaxver@gmail.com>
Closes: https://lore.kernel.org/all/CABjJbFJO+p3jA1r0gjUZrCepQb1Fab3kqxYhc_=
PSfoqo21ypeQ@mail.gmail.com/
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 kernel/seccomp.c |  4 ++--
 kernel/signal.c  | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index cb8dd78791cd..a8d103054212 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1258,8 +1258,8 @@ static int seccomp_do_user_notification(int this_sysc=
all,
=20
 static void seccomp_nack_syscall(int this_syscall, int data, bool force_co=
redump)
 {
-	/* Show the handler or coredump the original registers. */
-	syscall_rollback(current, current_pt_regs());
+	/* check_force_sig_seccomp() will restore the original registers */
+	syscall_set_return_value(current, current_pt_regs(), -EINTR, 0);
 	/* Let the filter pass back 16 bits of data. */
 	force_sig_seccomp(this_syscall, data, force_coredump);
 }
diff --git a/kernel/signal.c b/kernel/signal.c
index d65d0fe24bfb..b93e37517d6d 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2796,6 +2796,24 @@ static void hide_si_addr_tag_bits(struct ksignal *ks=
ig)
 	}
 }
=20
+static inline void check_force_sig_seccomp(kernel_siginfo_t *info)
+{
+	/*
+	 * See seccomp_nack_syscall(). Show the original registers to
+	 * the handler or coredump.
+	 *
+	 * Note: a task can send a .si_code =3D=3D SYS_SECCOMP signal to
+	 * itself, but syscall_rollback() is harmless in this case.
+	 * SYS_SECCOMP can also be missed if a prior SIGSYS was pending
+	 * and blocked before force_sig_seccomp(), but in that case the
+	 * seccomp siginfo is already lost anyway.
+	 */
+	if (IS_ENABLED(CONFIG_SECCOMP_FILTER)) {
+		if (info->si_code =3D=3D SYS_SECCOMP)
+			syscall_rollback(current, current_pt_regs());
+	}
+}
+
 bool get_signal(struct ksignal *ksig)
 {
 	struct sighand_struct *sighand =3D current->sighand;
@@ -2916,6 +2934,8 @@ bool get_signal(struct ksignal *ksig)
 		if (!signr)
 			break; /* will return 0 */
=20
+		check_force_sig_seccomp(&ksig->info);
+
 		if (unlikely(current->ptrace) && (signr !=3D SIGKILL) &&
 		    !(sighand->action[signr -1].sa.sa_flags & SA_IMMUTABLE)) {
 			signr =3D ptrace_signal(signr, &ksig->info, type);
--=20
2.52.0