Re: [PATCH -mm v2] do_notify_parent: sanitize the valid_signal() checks
From: Oleg Nesterov
Date: Sun May 17 2026 - 03:06:43 EST
On 05/17, Tetsuo Handa wrote:
>
> On 2026/03/18 4:08, Oleg Nesterov wrote:
> > On 03/17, Andrew Morton wrote:
> >>
> >> On Tue, 17 Mar 2026 14:58:18 +0100 Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
> >>
> >>> Now that kernel_clone() checks valid_signal(args->exit_signal), the "sig"
> >>> argument of do_notify_parent() must always be valid or we have a bug.
>
> No activity for two months. When is the fix expected to land upstream?
> This bug allows a local unprivileged user to crash panic_on_warn=1 systems
> by running the program below, and therefore should be fixed before Linux 7.1 is
> released.

This patch depends on

	[PATCH v3] kernel/fork: validate exit_signal in kernel_clone()
	https://lore.kernel.org/all/20260316151956.563558-1-kartikey406@xxxxxxxxx/

but it was merged without the patch above.

Andrew, that patch is still in mm tree,

	kernel-fork-validate-exit_signal-in-kernel_clone.patch

could you merge it as well?

Oleg.

> ----------
> #define _GNU_SOURCE
> #include <sched.h>
>
> static int proc(void* arg) { return 0; }
>
> int main(void) {
> static char stack[8192];
> return clone(proc, &stack[sizeof(stack) - 64], 127, 0) == -1;
> }
> ----------
>
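
Added example, not code from this thread or from the kernel tree: a userspace C model of the exit_signal validation discussed above, showing why the flags value 127 in the quoted program yields an exit signal that a valid_signal() check rejects. The `model_*` names, `_NSIG` = 64 (the x86 value) and the `-EINVAL` return code are assumptions.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>

#define MODEL_CSIGNAL  0x000000ffUL /* low byte of clone() flags carries the exit signal */
#define MODEL_NSIG     64           /* assumption: _NSIG as on x86; some arches differ */
#define MODEL_CLONE_VM 0x00000100UL /* one ordinary flag bit above the signal byte */

/* Same shape as the kernel's valid_signal(): 0 (no signal) through _NSIG passes. */
static int model_valid_signal(unsigned long sig)
{
    return sig <= MODEL_NSIG;
}

/* Legacy clone(): the exit signal is whatever sits in the low byte of flags. */
static unsigned long model_exit_signal(unsigned long clone_flags)
{
    return clone_flags & MODEL_CSIGNAL;
}

/*
 * Hypothetical early check in the spirit of "validate exit_signal in
 * kernel_clone()": refuse the request before a task exists, so the signal
 * later handed to do_notify_parent() is always valid.
 * The -EINVAL return value is an assumption, not taken from the patch.
 */
static int model_check_clone_flags(unsigned long clone_flags)
{
    if (!model_valid_signal(model_exit_signal(clone_flags)))
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed inputs; 127 is the flags value used in the quoted program. */
    unsigned long samples[] = { SIGCHLD, MODEL_CLONE_VM | SIGCHLD, 0, 64, 65, 127 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("flags=0x%lx exit_signal=%lu -> %s\n", samples[i],
               model_exit_signal(samples[i]),
               model_check_clone_flags(samples[i]) ? "rejected" : "accepted");
    return 0;
}
```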