Re: [RFC PATCH 2/2] seccomp: defer syscall_rollback() to get_signal()

Next message: Guangshuo Li: "[PATCH] media: visl: fix reference leak on failed device registration"
Previous message: Dan Carpenter: "Re: [PATCH v3 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()"
In reply to: Kees Cook: "Re: [RFC PATCH 2/2] seccomp: defer syscall_rollback() to get_signal()"
Next in thread: Oleg Nesterov: "Re: [RFC PATCH 0/2] seccomp: defer syscall_rollback() to get_signal()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Oleg Nesterov

Date: Wed Apr 15 2026 - 12:11:20 EST

On 04/15, Kees Cook wrote:
>
> On Tue, Apr 14, 2026 at 07:41:39PM +0200, Oleg Nesterov wrote:
> > Yes sure. but do you agree with this RFC approach?
>
> I like it so far; I'm going to run the rr regression tests to
> double-check.

Thanks!

But see my reply to 0/2 ... I'll write another email later.

And I just noticed that I forgot to check info->si_signo == SIGSYS
in check_force_sig_seccomp().

So if you are going to run the test, please apply the fix below...

Oleg.

diff --git a/kernel/signal.c b/kernel/signal.c
index b93e37517d6d..49d73e4991b2 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2809,7 +2816,7 @@ static inline void check_force_sig_seccomp(kernel_siginfo_t *info)
* seccomp siginfo is already lost anyway.
*/
if (IS_ENABLED(CONFIG_SECCOMP_FILTER)) {
- if (info->si_code == SYS_SECCOMP)
+ if (info->si_signo == SIGSYS && info->si_code == SYS_SECCOMP)
syscall_rollback(current, current_pt_regs());
}
}