Why does a syscall clobber rcx and r11? [duplicate]

Question

In the book Low-Level Programming: C, Assembly, and Program Execution on Intel® 64 Architecture it says,

On system call arguments The arguments for system calls are stored in a different set of registers than those for functions. The fourth argument is stored in r10 , while a function accepts the fourth argument in rcx!

The reason is that syscall instruction implicitly uses rcx. System calls cannot accept more than six arguments.

You can see this also mentioned in this Stack Overflow post,

A system-call is done via the syscall instruction. This clobbers %rcx and %r11, as well as %rax, but other registers are preserved.

I understand clobbering rax to store the return code, but why is rcx, and r11 clobbered in syscall? Is there a list of the specific syscalls that clobber rcx/r11? Is there a convention for the clobbering? Are they assumed safe in any syscalls?

Answer 1

The syscall instruction uses rcx to store the address of the next instruction to return to, and r11 to save the value of the rflags register. These values will then be restored by the sysret instruction.

This is done by the CPU when executing the CPU instruction, so any OS-specific calling conventions need to avoid using these registers to pass arguments to syscalls.