diff mbox

[v2] arm: prevent BUG_ON in audit_syscall_entry()

Message ID 1412160357-11324-1-git-send-email-takahiro.akashi@linaro.org
State New
Headers show

Commit Message

AKASHI Takahiro Oct. 1, 2014, 10:45 a.m. UTC
BUG_ON() in audit_syscall_entry() is hit under the following conditions:
  1) syscall auditing is enabled (that is, by running auditd).
  2) user process issues syscall(-1)
In fact, syscall(-1) just fails (not raising SIGILL, that is an expected
behavior if not audited), and the succeeding syscall will hit this BUG_ON.

------------[ cut here ]------------
kernel BUG at (...)/kernel/auditsc.c:1534!
Internal error: Oops - BUG: 0 [#1] SMP ARM
Modules linked in:
CPU: 0 PID: 61 Comm: syscall_arm Not tainted 3.17.0-rc4 #60
task: ea0c4380 ti: ea48e000 task.ti: ea48e000
PC is at __audit_syscall_entry+0xe4/0x110
LR is at 0xea0c4380
pc : [<c02b2ae8>]    lr : [<ea0c4380>]    psr: 20000013
sp : ea48ff68  ip : 00000001  fp : 0000869c
r10: 00000200  r9 : ea48e000  r8 : c020f4e4
r7 : 000000c5  r6 : ea48e000  r5 : ea48ffb0  r4 : ea490800
r3 : bef1e718  r2 : 00000001  r1 : 000000c5  r0 : 40000028
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5387d  Table: 8a4ac059  DAC: 00000015
Process syscall_arm (pid: 61, stack limit = 0xea48e250)
Stack: (0xea48ff68 to 0xea490000)
ff60:                   540e7a69 3ab5e840 00000200 000000c5 ea48ffb0 ea48e000
ff80: 000000c5 c02114bc bef1e718 00000001 b6efdb58 ffffffff 08400000 000000c5
ffa0: c020f4e4 c020f49c b6efdb58 ffffffff 00000001 bef1e718 bef1e718 00000001
ffc0: b6efdb58 ffffffff 08400000 000000c5 00000000 b6f22850 00000008 0000869c
ffe0: 000000c5 bef1e704 b6ea315f b6e318e6 20000030 00000001 00000000 00000000
[<c02b2ae8>] (__audit_syscall_entry) from [<c02114bc>] (syscall_trace_enter+0xf0/0x120)
[<c02114bc>] (syscall_trace_enter) from [<c020f49c>] (__sys_trace+0xc/0x38)
Code: e584500c e5842004 e28dd00c e8bd80f0 (e7f001f2)
---[ end trace 0c4441660aba5692 ]---

Under the current implementation, audit_syscall_entry() is called even
against syscall(-1), but audit_syscall_exit() is not. Because 'in_syscall'
flag in a current thread's audit context is kept on, next called
audit_syscall_entry() will see BUG_ON(in_syscall).

This patch fixes this bug by
  1) preventing syscall enter/exit tracing, ftrace tracepoint and audit,
     from being executed if an invalid (including -1) or pseudo syscall
     number (starting from __NR_ARM_BASE + 1).
     Please note that tracehook_report_syscall(PTRACE_SYSCALL_EXIT) is
     still executed as it should be paired with
     tracehook_report_syscall(PTRACE_SYSCALL_ENTER).

  2) handling user-issued syscall(-1) with arm_syscall() for compatibility
     if tracing is on.
     Since UL(-1) > __NR_ARM_BASE - __NR_SYSCALL_BASE, arm_syscall() is
     called at local_restart in entry-common.S if tracing is off.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm/include/asm/traps.h   |    1 +
 arch/arm/kernel/entry-common.S |    3 ++-
 arch/arm/kernel/ptrace.c       |   49 +++++++++++++++++++++++++---------------
 3 files changed, 34 insertions(+), 19 deletions(-)

Comments

Kees Cook Oct. 1, 2014, 7:02 p.m. UTC | #1
On Wed, Oct 1, 2014 at 3:45 AM, AKASHI Takahiro
<takahiro.akashi@linaro.org> wrote:
> BUG_ON() in audit_syscall_entry() is hit under the following conditions:
>   1) syscall auditing is enabled (that is, by running auditd).
>   2) user process issues syscall(-1)
> In fact, syscall(-1) just fails (not raising SIGILL, that is an expected
> behavior if not audited), and the succeeding syscall will hit this BUG_ON.

Thanks for digging in to this!

>
> ------------[ cut here ]------------
> kernel BUG at (...)/kernel/auditsc.c:1534!
> Internal error: Oops - BUG: 0 [#1] SMP ARM
> Modules linked in:
> CPU: 0 PID: 61 Comm: syscall_arm Not tainted 3.17.0-rc4 #60
> task: ea0c4380 ti: ea48e000 task.ti: ea48e000
> PC is at __audit_syscall_entry+0xe4/0x110
> LR is at 0xea0c4380
> pc : [<c02b2ae8>]    lr : [<ea0c4380>]    psr: 20000013
> sp : ea48ff68  ip : 00000001  fp : 0000869c
> r10: 00000200  r9 : ea48e000  r8 : c020f4e4
> r7 : 000000c5  r6 : ea48e000  r5 : ea48ffb0  r4 : ea490800
> r3 : bef1e718  r2 : 00000001  r1 : 000000c5  r0 : 40000028
> Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
> Control: 10c5387d  Table: 8a4ac059  DAC: 00000015
> Process syscall_arm (pid: 61, stack limit = 0xea48e250)
> Stack: (0xea48ff68 to 0xea490000)
> ff60:                   540e7a69 3ab5e840 00000200 000000c5 ea48ffb0 ea48e000
> ff80: 000000c5 c02114bc bef1e718 00000001 b6efdb58 ffffffff 08400000 000000c5
> ffa0: c020f4e4 c020f49c b6efdb58 ffffffff 00000001 bef1e718 bef1e718 00000001
> ffc0: b6efdb58 ffffffff 08400000 000000c5 00000000 b6f22850 00000008 0000869c
> ffe0: 000000c5 bef1e704 b6ea315f b6e318e6 20000030 00000001 00000000 00000000
> [<c02b2ae8>] (__audit_syscall_entry) from [<c02114bc>] (syscall_trace_enter+0xf0/0x120)
> [<c02114bc>] (syscall_trace_enter) from [<c020f49c>] (__sys_trace+0xc/0x38)
> Code: e584500c e5842004 e28dd00c e8bd80f0 (e7f001f2)
> ---[ end trace 0c4441660aba5692 ]---
>
> Under the current implementation, audit_syscall_entry() is called even
> against syscall(-1), but audit_syscall_exit() is not. Because 'in_syscall'
> flag in a current thread's audit context is kept on, next called
> audit_syscall_entry() will see BUG_ON(in_syscall).
>
> This patch fixes this bug by
>   1) preventing syscall enter/exit tracing, ftrace tracepoint and audit,
>      from being executed if an invalid (including -1) or pseudo syscall
>      number (starting from __NR_ARM_BASE + 1).
>      Please note that tracehook_report_syscall(PTRACE_SYSCALL_EXIT) is
>      still executed as it should be paired with
>      tracehook_report_syscall(PTRACE_SYSCALL_ENTER).
>
>   2) handling user-issued syscall(-1) with arm_syscall() for compatibility
>      if tracing is on.
>      Since UL(-1) > __NR_ARM_BASE - __NR_SYSCALL_BASE, arm_syscall() is
>      called at local_restart in entry-common.S if tracing is off.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm/include/asm/traps.h   |    1 +
>  arch/arm/kernel/entry-common.S |    3 ++-
>  arch/arm/kernel/ptrace.c       |   49 +++++++++++++++++++++++++---------------
>  3 files changed, 34 insertions(+), 19 deletions(-)
>
> diff --git a/arch/arm/include/asm/traps.h b/arch/arm/include/asm/traps.h
> index f555bb3..de01145 100644
> --- a/arch/arm/include/asm/traps.h
> +++ b/arch/arm/include/asm/traps.h
> @@ -49,6 +49,7 @@ static inline int in_exception_text(unsigned long ptr)
>  extern void __init early_trap_init(void *);
>  extern void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame);
>  extern void ptrace_break(struct task_struct *tsk, struct pt_regs *regs);
> +extern int arm_syscall(int no, struct pt_regs *regs);
>
>  extern void *vectors_page;
>
> diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
> index e52fe5a..4c62324 100644
> --- a/arch/arm/kernel/entry-common.S
> +++ b/arch/arm/kernel/entry-common.S
> @@ -476,10 +476,11 @@ __sys_trace:
>         cmp     scno, #-1                       @ skip the syscall?
>         bne     2b
>         add     sp, sp, #S_OFF                  @ restore stack
> -       b       ret_slow_syscall
> +       b       __sys_trace_return_skipped
>
>  __sys_trace_return:
>         str     r0, [sp, #S_R0 + S_OFF]!        @ save returned r0
> +__sys_trace_return_skipped:
>         mov     r0, sp
>         bl      syscall_trace_exit
>         b       ret_slow_syscall
> diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
> index 0c27ed6..d458367 100644
> --- a/arch/arm/kernel/ptrace.c
> +++ b/arch/arm/kernel/ptrace.c
> @@ -930,7 +930,9 @@ static void tracehook_report_syscall(struct pt_regs *regs,
>
>  asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
>  {
> -       current_thread_info()->syscall = scno;
> +       int orig_scno;
> +
> +       current_thread_info()->syscall = orig_scno = scno;
>
>         /* Do the secure computing check first; failures should be fast. */
>         if (secure_computing(scno) == -1)
> @@ -941,31 +943,42 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
>
>         scno = current_thread_info()->syscall;
>
> -       if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
> -               trace_sys_enter(regs, scno);
> +       if (scno >= 0 && scno < NR_syscalls) {
> +               if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
> +                       trace_sys_enter(regs, scno);
>
> -       audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0, regs->ARM_r1,
> -                           regs->ARM_r2, regs->ARM_r3);
> +               audit_syscall_entry(AUDIT_ARCH_ARM, scno,
> +                                   regs->ARM_r0, regs->ARM_r1,
> +                                   regs->ARM_r2, regs->ARM_r3);
> +       } else if (scno == -1 && orig_scno == -1) {
> +               /*
> +                * For compatibility, we handles user-issued syscall(-1)
> +                * here with arm_syscall().
> +                */
> +               arm_syscall(scno, regs);

Won't this always land in bad_syscall(-1, regs) during arm_syscall?
Should syscall_trace-enter just call bad_syscall directly instead, or
are you using arm_syscall since it's the common entry point for this
kind of logic on "non-standard" syscalls?

Either way, this look good! Thanks!

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

> +       }
>
>         return scno;
>  }
>
>  asmlinkage void syscall_trace_exit(struct pt_regs *regs)
>  {
> -       /*
> -        * Audit the syscall before anything else, as a debugger may
> -        * come in and change the current registers.
> -        */
> -       audit_syscall_exit(regs);
> +       if (current_thread_info()->syscall < NR_syscalls) {
> +               /*
> +                * Audit the syscall before anything else, as a debugger may
> +                * come in and change the current registers.
> +                */
> +               audit_syscall_exit(regs);
>
> -       /*
> -        * Note that we haven't updated the ->syscall field for the
> -        * current thread. This isn't a problem because it will have
> -        * been set on syscall entry and there hasn't been an opportunity
> -        * for a PTRACE_SET_SYSCALL since then.
> -        */
> -       if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
> -               trace_sys_exit(regs, regs_return_value(regs));
> +               /*
> +                * Note that we haven't updated the ->syscall field for the
> +                * current thread. This isn't a problem because it will have
> +                * been set on syscall entry and there hasn't been
> +                * an opportunity for a PTRACE_SET_SYSCALL since then.
> +                */
> +               if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
> +                       trace_sys_exit(regs, regs_return_value(regs));
> +       }
>
>         if (test_thread_flag(TIF_SYSCALL_TRACE))
>                 tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
> --
> 1.7.9.5
>
Richard Guy Briggs Oct. 1, 2014, 9:42 p.m. UTC | #2
On 14/10/01, AKASHI Takahiro wrote:
> BUG_ON() in audit_syscall_entry() is hit under the following conditions:
>   1) syscall auditing is enabled (that is, by running auditd).
>   2) user process issues syscall(-1)
> In fact, syscall(-1) just fails (not raising SIGILL, that is an expected
> behavior if not audited), and the succeeding syscall will hit this BUG_ON.

Ok, this looks related to:
	https://lkml.org/lkml/2014/6/16/682

Andy has another plan for upstream:
	https://lkml.org/lkml/2014/6/16/730

Which finally got posted here:
	https://lkml.org/lkml/2014/9/5/736
		v5 0/5 x86: two-phase syscall tracing and seccomp fastpath

This is all x86 stuff, but sounds like it may be a problem across other
architectures as well.

Thanks for testing this!

> ------------[ cut here ]------------
> kernel BUG at (...)/kernel/auditsc.c:1534!
> Internal error: Oops - BUG: 0 [#1] SMP ARM
> Modules linked in:
> CPU: 0 PID: 61 Comm: syscall_arm Not tainted 3.17.0-rc4 #60
> task: ea0c4380 ti: ea48e000 task.ti: ea48e000
> PC is at __audit_syscall_entry+0xe4/0x110
> LR is at 0xea0c4380
> pc : [<c02b2ae8>]    lr : [<ea0c4380>]    psr: 20000013
> sp : ea48ff68  ip : 00000001  fp : 0000869c
> r10: 00000200  r9 : ea48e000  r8 : c020f4e4
> r7 : 000000c5  r6 : ea48e000  r5 : ea48ffb0  r4 : ea490800
> r3 : bef1e718  r2 : 00000001  r1 : 000000c5  r0 : 40000028
> Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
> Control: 10c5387d  Table: 8a4ac059  DAC: 00000015
> Process syscall_arm (pid: 61, stack limit = 0xea48e250)
> Stack: (0xea48ff68 to 0xea490000)
> ff60:                   540e7a69 3ab5e840 00000200 000000c5 ea48ffb0 ea48e000
> ff80: 000000c5 c02114bc bef1e718 00000001 b6efdb58 ffffffff 08400000 000000c5
> ffa0: c020f4e4 c020f49c b6efdb58 ffffffff 00000001 bef1e718 bef1e718 00000001
> ffc0: b6efdb58 ffffffff 08400000 000000c5 00000000 b6f22850 00000008 0000869c
> ffe0: 000000c5 bef1e704 b6ea315f b6e318e6 20000030 00000001 00000000 00000000
> [<c02b2ae8>] (__audit_syscall_entry) from [<c02114bc>] (syscall_trace_enter+0xf0/0x120)
> [<c02114bc>] (syscall_trace_enter) from [<c020f49c>] (__sys_trace+0xc/0x38)
> Code: e584500c e5842004 e28dd00c e8bd80f0 (e7f001f2)
> ---[ end trace 0c4441660aba5692 ]---
> 
> Under the current implementation, audit_syscall_entry() is called even
> against syscall(-1), but audit_syscall_exit() is not. Because 'in_syscall'
> flag in a current thread's audit context is kept on, next called
> audit_syscall_entry() will see BUG_ON(in_syscall).
> 
> This patch fixes this bug by
>   1) preventing syscall enter/exit tracing, ftrace tracepoint and audit,
>      from being executed if an invalid (including -1) or pseudo syscall
>      number (starting from __NR_ARM_BASE + 1).
>      Please note that tracehook_report_syscall(PTRACE_SYSCALL_EXIT) is
>      still executed as it should be paired with
>      tracehook_report_syscall(PTRACE_SYSCALL_ENTER).
> 
>   2) handling user-issued syscall(-1) with arm_syscall() for compatibility
>      if tracing is on.
>      Since UL(-1) > __NR_ARM_BASE - __NR_SYSCALL_BASE, arm_syscall() is
>      called at local_restart in entry-common.S if tracing is off.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm/include/asm/traps.h   |    1 +
>  arch/arm/kernel/entry-common.S |    3 ++-
>  arch/arm/kernel/ptrace.c       |   49 +++++++++++++++++++++++++---------------
>  3 files changed, 34 insertions(+), 19 deletions(-)
> 
> diff --git a/arch/arm/include/asm/traps.h b/arch/arm/include/asm/traps.h
> index f555bb3..de01145 100644
> --- a/arch/arm/include/asm/traps.h
> +++ b/arch/arm/include/asm/traps.h
> @@ -49,6 +49,7 @@ static inline int in_exception_text(unsigned long ptr)
>  extern void __init early_trap_init(void *);
>  extern void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame);
>  extern void ptrace_break(struct task_struct *tsk, struct pt_regs *regs);
> +extern int arm_syscall(int no, struct pt_regs *regs);
>  
>  extern void *vectors_page;
>  
> diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
> index e52fe5a..4c62324 100644
> --- a/arch/arm/kernel/entry-common.S
> +++ b/arch/arm/kernel/entry-common.S
> @@ -476,10 +476,11 @@ __sys_trace:
>  	cmp	scno, #-1			@ skip the syscall?
>  	bne	2b
>  	add	sp, sp, #S_OFF			@ restore stack
> -	b	ret_slow_syscall
> +	b	__sys_trace_return_skipped
>  
>  __sys_trace_return:
>  	str	r0, [sp, #S_R0 + S_OFF]!	@ save returned r0
> +__sys_trace_return_skipped:
>  	mov	r0, sp
>  	bl	syscall_trace_exit
>  	b	ret_slow_syscall
> diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
> index 0c27ed6..d458367 100644
> --- a/arch/arm/kernel/ptrace.c
> +++ b/arch/arm/kernel/ptrace.c
> @@ -930,7 +930,9 @@ static void tracehook_report_syscall(struct pt_regs *regs,
>  
>  asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
>  {
> -	current_thread_info()->syscall = scno;
> +	int orig_scno;
> +
> +	current_thread_info()->syscall = orig_scno = scno;
>  
>  	/* Do the secure computing check first; failures should be fast. */
>  	if (secure_computing(scno) == -1)
> @@ -941,31 +943,42 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
>  
>  	scno = current_thread_info()->syscall;
>  
> -	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
> -		trace_sys_enter(regs, scno);
> +	if (scno >= 0 && scno < NR_syscalls) {
> +		if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
> +			trace_sys_enter(regs, scno);
>  
> -	audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0, regs->ARM_r1,
> -			    regs->ARM_r2, regs->ARM_r3);
> +		audit_syscall_entry(AUDIT_ARCH_ARM, scno,
> +				    regs->ARM_r0, regs->ARM_r1,
> +				    regs->ARM_r2, regs->ARM_r3);
> +	} else if (scno == -1 && orig_scno == -1) {
> +		/*
> +		 * For compatibility, we handles user-issued syscall(-1)
> +		 * here with arm_syscall().
> +		 */
> +		arm_syscall(scno, regs);
> +	}
>  
>  	return scno;
>  }
>  
>  asmlinkage void syscall_trace_exit(struct pt_regs *regs)
>  {
> -	/*
> -	 * Audit the syscall before anything else, as a debugger may
> -	 * come in and change the current registers.
> -	 */
> -	audit_syscall_exit(regs);
> +	if (current_thread_info()->syscall < NR_syscalls) {
> +		/*
> +		 * Audit the syscall before anything else, as a debugger may
> +		 * come in and change the current registers.
> +		 */
> +		audit_syscall_exit(regs);
>  
> -	/*
> -	 * Note that we haven't updated the ->syscall field for the
> -	 * current thread. This isn't a problem because it will have
> -	 * been set on syscall entry and there hasn't been an opportunity
> -	 * for a PTRACE_SET_SYSCALL since then.
> -	 */
> -	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
> -		trace_sys_exit(regs, regs_return_value(regs));
> +		/*
> +		 * Note that we haven't updated the ->syscall field for the
> +		 * current thread. This isn't a problem because it will have
> +		 * been set on syscall entry and there hasn't been
> +		 * an opportunity for a PTRACE_SET_SYSCALL since then.
> +		 */
> +		if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
> +			trace_sys_exit(regs, regs_return_value(regs));
> +	}
>  
>  	if (test_thread_flag(TIF_SYSCALL_TRACE))
>  		tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
> -- 
> 1.7.9.5
> 

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
diff mbox

Patch

diff --git a/arch/arm/include/asm/traps.h b/arch/arm/include/asm/traps.h
index f555bb3..de01145 100644
--- a/arch/arm/include/asm/traps.h
+++ b/arch/arm/include/asm/traps.h
@@ -49,6 +49,7 @@  static inline int in_exception_text(unsigned long ptr)
 extern void __init early_trap_init(void *);
 extern void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame);
 extern void ptrace_break(struct task_struct *tsk, struct pt_regs *regs);
+extern int arm_syscall(int no, struct pt_regs *regs);
 
 extern void *vectors_page;
 
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index e52fe5a..4c62324 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -476,10 +476,11 @@  __sys_trace:
 	cmp	scno, #-1			@ skip the syscall?
 	bne	2b
 	add	sp, sp, #S_OFF			@ restore stack
-	b	ret_slow_syscall
+	b	__sys_trace_return_skipped
 
 __sys_trace_return:
 	str	r0, [sp, #S_R0 + S_OFF]!	@ save returned r0
+__sys_trace_return_skipped:
 	mov	r0, sp
 	bl	syscall_trace_exit
 	b	ret_slow_syscall
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index 0c27ed6..d458367 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -930,7 +930,9 @@  static void tracehook_report_syscall(struct pt_regs *regs,
 
 asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
 {
-	current_thread_info()->syscall = scno;
+	int orig_scno;
+
+	current_thread_info()->syscall = orig_scno = scno;
 
 	/* Do the secure computing check first; failures should be fast. */
 	if (secure_computing(scno) == -1)
@@ -941,31 +943,42 @@  asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
 
 	scno = current_thread_info()->syscall;
 
-	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
-		trace_sys_enter(regs, scno);
+	if (scno >= 0 && scno < NR_syscalls) {
+		if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
+			trace_sys_enter(regs, scno);
 
-	audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0, regs->ARM_r1,
-			    regs->ARM_r2, regs->ARM_r3);
+		audit_syscall_entry(AUDIT_ARCH_ARM, scno,
+				    regs->ARM_r0, regs->ARM_r1,
+				    regs->ARM_r2, regs->ARM_r3);
+	} else if (scno == -1 && orig_scno == -1) {
+		/*
+		 * For compatibility, we handles user-issued syscall(-1)
+		 * here with arm_syscall().
+		 */
+		arm_syscall(scno, regs);
+	}
 
 	return scno;
 }
 
 asmlinkage void syscall_trace_exit(struct pt_regs *regs)
 {
-	/*
-	 * Audit the syscall before anything else, as a debugger may
-	 * come in and change the current registers.
-	 */
-	audit_syscall_exit(regs);
+	if (current_thread_info()->syscall < NR_syscalls) {
+		/*
+		 * Audit the syscall before anything else, as a debugger may
+		 * come in and change the current registers.
+		 */
+		audit_syscall_exit(regs);
 
-	/*
-	 * Note that we haven't updated the ->syscall field for the
-	 * current thread. This isn't a problem because it will have
-	 * been set on syscall entry and there hasn't been an opportunity
-	 * for a PTRACE_SET_SYSCALL since then.
-	 */
-	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
-		trace_sys_exit(regs, regs_return_value(regs));
+		/*
+		 * Note that we haven't updated the ->syscall field for the
+		 * current thread. This isn't a problem because it will have
+		 * been set on syscall entry and there hasn't been
+		 * an opportunity for a PTRACE_SET_SYSCALL since then.
+		 */
+		if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
+			trace_sys_exit(regs, regs_return_value(regs));
+	}
 
 	if (test_thread_flag(TIF_SYSCALL_TRACE))
 		tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);