[PATCH] signal: avoid shared siginfo namespace rewrites

Next message: Conor Dooley: "Re: [PATCH 1/2] dt-bindings: iommu: Fix interrupt type in example"
Previous message: Maoyi Xie: "lpfc: unbounded QFPA response length in lpfc_cmpl_els_qfpa()"
Next in thread: Oleg Nesterov: "Re: [PATCH] signal: avoid shared siginfo namespace rewrites"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bradley Morgan

Date: Mon Jun 22 2026 - 12:40:56 EST

send_signal_locked() rewrites sender ids for the target namespace.
Group sends reuse the same siginfo, so one recipient can affect the
next.

Copy the siginfo before changing it.

Fixes: 7a0cf094944e ("signal: Correct namespace fixups of si_pid and si_uid")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Bradley Morgan <include@xxxxxxxxx>
---
kernel/signal.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/kernel/signal.c b/kernel/signal.c
index b9fc7be1a169..d72d9be3a992 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1181,6 +1181,7 @@ static inline bool has_si_pid_and_uid(struct kernel_siginfo *info)
int send_signal_locked(int sig, struct kernel_siginfo *info,
struct task_struct *t, enum pid_type type)
{
+ struct kernel_siginfo rewritten;
/* Should SIGKILL or SIGSTOP be received by a pid namespace init? */
bool force = false;

@@ -1194,6 +1195,9 @@ int send_signal_locked(int sig, struct kernel_siginfo *info,
/* SIGKILL and SIGSTOP is special or has ids */
struct user_namespace *t_user_ns;

+ rewritten = *info;
+ info = &rewritten;
+
rcu_read_lock();
t_user_ns = task_cred_xxx(t, user_ns);
if (current_user_ns() != t_user_ns) {
--
2.53.0