user/sven/linux.git/kernel/fork.c, branch next/HEADLinux Kernel
https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=next%2FHEAD2026-04-09T14:10:39ZMerge branch 'for-next/kspp' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git2026-04-09T14:10:39ZMark Brownbroonie@kernel.org2026-04-09T14:10:39Zurn:sha1:0164919a7ef7fe242e6cfc367e28f3da3c613c21Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext.git2026-04-09T13:55:43ZMark Brownbroonie@kernel.org2026-04-09T13:55:43Zurn:sha1:d7ef843ec4d1199c731754c46defe9b94cc0df24Merge branch 'master' of https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git2026-04-09T13:29:03ZMark Brownbroonie@kernel.org2026-04-09T13:29:02Zurn:sha1:b9a032f6e43b3f04fa76856831e36154d0fb6418Merge branch 'fs-next' of linux-next2026-04-09T13:09:24ZMark Brownbroonie@kernel.org2026-04-09T13:09:23Zurn:sha1:85315ec393d8fe7bd0e9543d18cbc3f4ae61b01dkernel/fork: validate exit_signal in kernel_clone()2026-04-08T23:26:43ZDeepanshu Kartikeykartikey406@gmail.com2026-03-16T15:19:56Zurn:sha1:60c46736c703551d8d47ba35d92698de1546ca96
When a child process exits, it sends exit_signal to its parent via
do_notify_parent(). The clone() syscall constructs exit_signal as:
(lower_32_bits(clone_flags) & CSIGNAL)
CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
valid_signal() only accepts signals up to _NSIG (64 on x86_64). A
non-zero non-valid exit_signal acts the same as exit_signal == 0: the
parent process is not signaled when the child terminates.
The syzkaller reproducer triggers this by calling clone() with flags=0x80,
resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
is not a valid signal.
The v1 of this patch added the check only in the clone() syscall handler,
which is incomplete. kernel_clone() has other callers such as
sys_ia32_clone() which would remain unprotected. Move the check to
kernel_clone() to cover all callers.
Since the valid_signal() check is now in kernel_clone() and covers all
callers including clone3(), the same check in copy_clone_args_from_user()
becomes redundant and is removed. The higher 32bits check for clone3() is
kept as it is clone3() specific.
Note that this is a user-visible change: previously, passing an invalid
exit_signal to clone() was silently accepted. The man page for clone()
does not document any defined behavior for invalid exit_signal values, so
rejecting them with -EINVAL is the correct behavior. It is unlikely that
any sane application relies on passing an invalid exit_signal.
[oleg@redhat.com: the comment above kernel_clone() should be updated]
Link: https://lkml.kernel.org/r/abwvgU17W8wuW2-J@redhat.com
Link: https://lkml.kernel.org/r/20260316151956.563558-1-kartikey406@gmail.com
Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
Acked-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Ben Segall <bsegall@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
locking: Add task::blocked_lock to serialize blocked_on state2026-04-03T12:23:39ZJohn Stultzjstultz@google.com2026-03-24T19:13:19Zurn:sha1:fa4a1ff8ab235a308d8c983827657a69649185fd
So far, we have been able to utilize the mutex::wait_lock
for serializing the blocked_on state, but when we move to
proxying across runqueues, we will need to add more state
and a way to serialize changes to this state in contexts
where we don't hold the mutex::wait_lock.
So introduce the task::blocked_lock, which nests under the
mutex::wait_lock in the locking order, and rework the locking
to use it.
Signed-off-by: John Stultz <jstultz@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: K Prateek Nayak <kprateek.nayak@amd.com>
Link: https://patch.msgid.link/20260324191337.1841376-5-jstultz@google.com
Merge branch 'namespaces-7.1.misc' into vfs.all2026-04-01T13:15:28ZChristian Braunerbrauner@kernel.org2026-04-01T13:15:28Zurn:sha1:8370d1a0baa48b0da0821837a1e4643b5440733c
Signed-off-by: Christian Brauner <brauner@kernel.org>
# Conflicts:
# kernel/fork.c
# kernel/nsproxy.c
Merge branch 'kernel-7.1.misc' into vfs.all2026-04-01T11:25:11ZChristian Braunerbrauner@kernel.org2026-04-01T11:25:11Zurn:sha1:6d37e82c880f7ea8ccefa14a80c75a2ca8536bd2
Signed-off-by: Christian Brauner <brauner@kernel.org>
Merge branch 'vfs-7.1.mount' into vfs.all2026-03-31T11:59:04ZChristian Braunerbrauner@kernel.org2026-03-31T11:59:04Zurn:sha1:2bd0092c694fb8a7f9f1e0a98a31e23e4e5b0139
Signed-off-by: Christian Brauner <brauner@kernel.org>
# Conflicts:
# include/uapi/linux/sched.h
# kernel/fork.c
Merge branch 'vfs-7.1.pidfs' into vfs.all2026-03-31T11:59:03ZChristian Braunerbrauner@kernel.org2026-03-31T11:59:03Zurn:sha1:94c699e2db2b12e6a90e78e9303e4ae2403bde3b
Signed-off-by: Christian Brauner <brauner@kernel.org>