From: syzbot <syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] kernel/fork: validate exit_signal in kernel_clone()
Date: Mon, 16 Mar 2026 01:21:08 -0700
Message-ID: <69b7bd74.050a0220.248e02.010f.GAE@google.com>
In-Reply-To: <69a313aa.050a0220.3a55be.0042.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] kernel/fork: validate exit_signal in kernel_clone()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master


When a child process exits, it sends exit_signal to its parent via
do_notify_parent(). The clone() syscall constructs exit_signal as:

  (lower_32_bits(clone_flags) & CSIGNAL)

CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
valid_signal() only accepts signals up to _NSIG (64 on x86_64), causing
a WARN_ON in do_notify_parent() when the process exits:

  WARNING: kernel/signal.c:2174 do_notify_parent+0xc7e/0xd70

The syzkaller reproducer triggers this by calling clone() with
flags=0x80, resulting in exit_signal = (0x80 & CSIGNAL) = 128, which
exceeds _NSIG and is not a valid signal.

v1 of this patch added the check only in the clone() syscall
handler, which is incomplete. kernel_clone() has other callers such
as sys_ia32_clone() which would remain unprotected. Move the check
to kernel_clone() to cover all callers.

clone3() already validates exit_signal in copy_clone_args_from_user().
The comment above kernel_clone() states that callers are expected to
validate exit_signal, but several callers never did. Adding the check
to kernel_clone() enforces this for all callers centrally.

Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 kernel/fork.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/fork.c b/kernel/fork.c
index 947a8dbce06a..89d7eb67baf5 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2687,6 +2687,8 @@ pid_t kernel_clone(struct kernel_clone_args *args)
 	    (args->pidfd == args->parent_tid))
 		return -EINVAL;
 
+	if (!valid_signal(args->exit_signal))
+		return -EINVAL;
 	/*
 	 * Determine whether and which event to report to ptracer.  When
 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
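Review bot: the new `if (!valid_signal(args->exit_signal))` / `return -EINVAL;` pair runs straight into the `/* Determine whether and which event to report to ptracer` comment; put a blank line between them, as the `(args->pidfd == args->parent_tid)` check above it has. The commit message also says the comment above kernel_clone() still tells callers to validate exit_signal themselves; with the check now inside kernel_clone() that comment is stale and should be updated in the same patch so the two do not contradict each other. Two things worth a sentence in the log as well: for legacy clone(), flag words whose CSIGNAL byte is 65..255 used to succeed and only warn when the child exited, and now fail with -EINVAL, which is a user-visible change; and exit_signal == 0 (no signal, the CLONE_THREAD case) must keep passing, so confirm valid_signal()'s lower bound does not exclude it.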
-- 
2.43.0


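The exit_signal derivation the commit message describes (exit_signal = lower_32_bits(clone_flags) & CSIGNAL, rejected once it exceeds _NSIG), modelled in userspace as an added example; this is not code from the patch, the kernel tree or the reporter. It assumes _NSIG = 64 and a 64-bit x86_64 Linux host: the optional `--probe` mode issues the reporter's raw clone(flags=0x80) against the running kernel using the x86_64 argument order, and reports whether clone() now fails with EINVAL. The sample flag words in main() are constructed for illustration. On an unpatched kernel the probe reproduces the WARN in do_notify_parent() when the child exits, so run it only where that is acceptable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#ifdef __linux__
#include <sys/syscall.h>
extern long syscall(long number, ...);   /* compatible with the libc prototype */
#endif

/* Constants mirrored from the kernel: CSIGNAL is the low byte of the clone
 * flags; _NSIG is assumed to be 64, the x86_64 value the commit message cites. */
#define CSIGNAL      0xffUL
#define KERNEL_NSIG  64UL
#ifndef __WALL
#define __WALL       0x40000000   /* kernel ABI value: wait for non-SIGCHLD children too */
#endif

/* Legacy clone(): exit_signal = lower_32_bits(clone_flags) & CSIGNAL.
 * Bits above 32 in a 64-bit flags word are dropped before masking. */
static int exit_signal_from_flags(unsigned long flags)
{
    return (int)((uint32_t)flags & CSIGNAL);
}

/* Userspace copy of the kernel's valid_signal(): accepts 0 (no signal)
 * through _NSIG inclusive, rejects everything above. */
static int signal_is_valid(unsigned long sig)
{
    return sig <= KERNEL_NSIG;
}

/* kernel_clone() with the patch applied: the exit_signal it would use,
 * or -EINVAL where the added check rejects the request. */
static int checked_exit_signal(unsigned long flags)
{
    int sig = exit_signal_from_flags(flags);

    if (!signal_is_valid((unsigned long)sig))
        return -EINVAL;
    return sig;
}

/* Probe the running kernel with the reporter's trigger, clone(flags=0x80).
 * Returns 1 if clone() fails with EINVAL (the check is present), 0 if the
 * child is created (no check: an unpatched kernel hits the WARN in
 * do_notify_parent() when that child exits), -1 on any other error.
 * Raw clone argument order (flags, stack, parent_tid, child_tid, tls) is
 * the x86_64 one; non-Linux builds return -1. */
static int probe_kernel_check(void)
{
#ifdef __linux__
    long r = syscall(SYS_clone, 0x80UL, NULL, NULL, NULL, 0UL);

    if (r == 0)
        _exit(0);                        /* child: nothing to do but exit */
    if (r < 0)
        return errno == EINVAL ? 1 : -1;
    waitpid((pid_t)r, NULL, __WALL);     /* exit_signal 128 is not SIGCHLD */
    return 0;
#else
    return -1;
#endif
}

int main(int argc, char **argv)
{
    /* Constructed sample flag words: fork-style, the reproducer, thread-style,
     * the highest valid number, the lowest invalid one, and a 64-bit word
     * with junk above bit 32. */
    const unsigned long samples[] = {
        SIGCHLD, 0x80UL, 0x100UL /* CLONE_VM */ | SIGCHLD, 0x40UL, 0x41UL, 0x100000080UL
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = checked_exit_signal(samples[i]);
        printf("flags=%#lx -> exit_signal=%d -> %s\n", samples[i],
               exit_signal_from_flags(samples[i]),
               rc == -EINVAL ? "-EINVAL" : "accepted");
    }
    if (argc > 1 && strcmp(argv[1], "--probe") == 0)
        printf("kernel check present: %d\n", probe_kernel_check());
    return 0;
}
```

Build with `cc -O2 -o clone_exit_signal clone_exit_signal.c`; run without arguments for the table, or with `--probe` on a test machine to see whether the kernel rejects the reporter's flag word.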

Thread overview: 4+ messages
2026-02-28 16:11 [syzbot] [kernel?] WARNING in do_notify_parent syzbot
2026-03-03  6:21 ` syzbot
2026-03-07  5:28 ` Forwarded: [PATCH] kernel/fork: validate exit_signal in clone() syscall syzbot
2026-03-16  8:21 ` syzbot [this message]
