[PATCH v2 1/2] signal: avoid shared siginfo namespace rewrites

From: Bradley Morgan

Date: Mon Jun 22 2026 - 16:29:25 EST


send_signal_locked() rewrites sender ids for the target namespace.
Group sends reuse the same siginfo, so one recipient can affect the
next.

Copy the siginfo before changing it.

Fixes: 7a0cf094944e ("signal: Correct namespace fixups of si_pid and si_uid")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Bradley Morgan <include@xxxxxxxxx>
---
Changes since v1:
- No code changes in this patch.
- Add patch 2 for Oleg's const suggestion.
- Link to v1:
https://lore.kernel.org/all/0873AC4A-3CB2-4F7B-BFE6-75D855AD22DC@xxxxxxxxx/T/#m89955d13f10807c316d34cc76680d690a2d95b31

kernel/signal.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/kernel/signal.c b/kernel/signal.c
index b9fc7be1a169..d72d9be3a992 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1181,6 +1181,7 @@ static inline bool has_si_pid_and_uid(struct kernel_siginfo *info)
int send_signal_locked(int sig, struct kernel_siginfo *info,
struct task_struct *t, enum pid_type type)
{
+ struct kernel_siginfo rewritten;
/* Should SIGKILL or SIGSTOP be received by a pid namespace init? */
bool force = false;

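Review bot: The new `struct kernel_siginfo rewritten;` has no comment and is placed between the opening brace of send_signal_locked() and the comment that documents `force`, so that comment now reads as if it described the wrong variable. Because `info` is later pointed at this local, it has to stay at function scope. I would move the declaration below `bool force = false;` and add a short comment saying it is the per-recipient copy that `info` may point to for the rest of the function, so a later cleanup does not narrow its scope and leave `info` dangling.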
@@ -1194,6 +1195,9 @@ int send_signal_locked(int sig, struct kernel_siginfo *info,
/* SIGKILL and SIGSTOP is special or has ids */
struct user_namespace *t_user_ns;

+ rewritten = *info;
+ info = &rewritten;
+
rcu_read_lock();
t_user_ns = task_cred_xxx(t, user_ns);
if (current_user_ns() != t_user_ns) {
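Review bot: `rewritten = *info;` is taken before the `current_user_ns() != t_user_ns` comparison, so every send that reaches this block pays for the struct copy even when the namespaces match. If that is deliberate because the block writes to the siginfo elsewhere too, a comment above the copy should say so and state the reason from the changelog (group sends pass the same siginfo to each recipient, so it must not be rewritten in place). Silently reassigning the `info` parameter is also easy to miss when reading the rest of the function. Until the const change from patch 2 is applied, nothing here stops a future in-place write through the caller's pointer ahead of the copy, so the two patches are best kept together when backporting to stable.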
--
2.53.0