* [PATCH] signal: change sys_kill() to use SEND_SIG_NOINFO
@ 2026-06-26 15:33 Oleg Nesterov
  2026-06-26 16:36 ` Andrew Morton
  0 siblings, 1 reply; 3+ messages in thread
From: Oleg Nesterov @ 2026-06-26 15:33 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Bradley Morgan, Eric W. Biederman, linux-kernel

prepare_kill_siginfo(PIDTYPE_TGID) fills si_code = SI_USER and sets
si_pid/si_uid in the sender's namespace. Then send_signal_locked()
translates si_pid/si_uid to the target's namespace.

SEND_SIG_NOINFO produces the same result: si_code = SI_USER, and
__send_signal_locked() computes si_pid/si_uid directly in the target's
namespace. The force computation is also the same: both check if the
sender is visible in the target's pid namespace.

Note: this also fixes the kill(-1, sig) case where send_signal_locked()
rewrites si_pid/si_uid in the shared siginfo, corrupting it for subsequent
recipients. But for other group senders like __kill_pgrp_info() we still
need the fix from Bradley Morgan [1] who found this problem.

TODO: kill prepare_kill_siginfo() and change other users to use
SEND_SIG_NOINFO too. This needs trivial changes in __send_signal_locked()
and TP_STORE_SIGINFO().

Link: https://lore.kernel.org/all/20260622164029.11474-1-include@grrlz.net/ [1]
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 kernel/signal.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/kernel/signal.c b/kernel/signal.c
index 077effd21582..12edbf43d678 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -3966,11 +3966,7 @@ static void prepare_kill_siginfo(int sig, struct kernel_siginfo *info,
  */
 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
 {
-	struct kernel_siginfo info;
-
-	prepare_kill_siginfo(sig, &info, PIDTYPE_TGID);
-
-	return kill_something_info(sig, &info, pid);
+	return kill_something_info(sig, SEND_SIG_NOINFO, pid);
 }
 
 /*
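Review bot: the added line, return kill_something_info(sig, SEND_SIG_NOINFO, pid);, hands a sentinel to code that previously received a pointer to a filled-in on-stack struct kernel_siginfo, so every path reached from kill_something_info() has to test for the special value before touching info. Those callees are not visible in this hunk, so the changelog should state that they were checked for each pid form kill(2) accepts. The comment block ending just above SYSCALL_DEFINE2(kill, ...) is also left unchanged; one line there saying that si_pid/si_uid are now computed per recipient in the target's namespace, instead of being taken from one siginfo shared across recipients, would record why the sentinel is used and keep the kill(-1, sig) fix from being undone by a later cleanup.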
-- 
2.52.0




* Re: [PATCH] signal: change sys_kill() to use SEND_SIG_NOINFO
  2026-06-26 15:33 [PATCH] signal: change sys_kill() to use SEND_SIG_NOINFO Oleg Nesterov
@ 2026-06-26 16:36 ` Andrew Morton
  2026-06-26 16:49   ` Bradley Morgan
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Morton @ 2026-06-26 16:36 UTC (permalink / raw)
  To: Oleg Nesterov; +Cc: Bradley Morgan, Eric W. Biederman, linux-kernel

On Fri, 26 Jun 2026 17:33:08 +0200 Oleg Nesterov <oleg@redhat.com> wrote:

> prepare_kill_siginfo(PIDTYPE_TGID) fills si_code = SI_USER and sets
> si_pid/si_uid in the sender's namespace. Then send_signal_locked()
> translates si_pid/si_uid to the target's namespace.
> 
> SEND_SIG_NOINFO produces the same result: si_code = SI_USER, and
> __send_signal_locked() computes si_pid/si_uid directly in the target's
> namespace. The force computation is also the same: both check if the
> sender is visible in the target's pid namespace.

The above paragraphs contain no description of any flaw.  What's wrong
here?

> Note: this also fixes the kill(-1, sig) case where send_signal_locked()
> rewrites si_pid/si_uid in the shared siginfo, corrupting it for subsequent
> recipients. But for other group senders like __kill_pgrp_info() we still
> need the fix from Bradley Morgan [1] who found this problem.

"also fixes".  Again, what was the first fix?

> TODO: kill prepare_kill_siginfo() and change other users to use
> SEND_SIG_NOINFO too. This needs trivial changes in __send_signal_locked()
> and TP_STORE_SIGINFO().
> 
> ...
>
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -3966,11 +3966,7 @@ static void prepare_kill_siginfo(int sig, struct kernel_siginfo *info,
>   */
>  SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
>  {
> -	struct kernel_siginfo info;
> -
> -	prepare_kill_siginfo(sig, &info, PIDTYPE_TGID);
> -
> -	return kill_something_info(sig, &info, pid);
> +	return kill_something_info(sig, SEND_SIG_NOINFO, pid);
>  }

Thanks, I'll queue this for testing.  Please send along some changelog
edits sometime?



* Re: [PATCH] signal: change sys_kill() to use SEND_SIG_NOINFO
  2026-06-26 16:36 ` Andrew Morton
@ 2026-06-26 16:49   ` Bradley Morgan
  0 siblings, 0 replies; 3+ messages in thread
From: Bradley Morgan @ 2026-06-26 16:49 UTC (permalink / raw)
  To: Andrew Morton, Oleg Nesterov; +Cc: Eric W. Biederman, linux-kernel

On June 26, 2026 5:36:03 PM GMT+01:00, Andrew Morton
<akpm@linux-foundation.org> wrote:
>On Fri, 26 Jun 2026 17:33:08 +0200 Oleg Nesterov <oleg@redhat.com> wrote:
>
>> prepare_kill_siginfo(PIDTYPE_TGID) fills si_code = SI_USER and sets
>> si_pid/si_uid in the sender's namespace. Then send_signal_locked()
>> translates si_pid/si_uid to the target's namespace.
>> 
>> SEND_SIG_NOINFO produces the same result: si_code = SI_USER, and
>> __send_signal_locked() computes si_pid/si_uid directly in the target's
>> namespace. The force computation is also the same: both check if the
>> sender is visible in the target's pid namespace.
>
>The above paragraphs contain no description of any flaw.  What's wrong
>here?
>
>> Note: this also fixes the kill(-1, sig) case where send_signal_locked()
>> rewrites si_pid/si_uid in the shared siginfo, corrupting it for subsequent
>> recipients. But for other group senders like __kill_pgrp_info() we still
>> need the fix from Bradley Morgan [1] who found this problem.
>
>"also fixes".  Again, what was the first fix?
>
>> TODO: kill prepare_kill_siginfo() and change other users to use
>> SEND_SIG_NOINFO too. This needs trivial changes in __send_signal_locked()
>> and TP_STORE_SIGINFO().
>> 
>> ...
>>
>> --- a/kernel/signal.c
>> +++ b/kernel/signal.c
>> @@ -3966,11 +3966,7 @@ static void prepare_kill_siginfo(int sig, struct
>kernel_siginfo *info,
>>   */
>>  SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
>>  {
>> -	struct kernel_siginfo info;
>> -
>> -	prepare_kill_siginfo(sig, &info, PIDTYPE_TGID);
>> -
>> -	return kill_something_info(sig, &info, pid);
>> +	return kill_something_info(sig, SEND_SIG_NOINFO, pid);
>>  }
>
>Thanks, I'll queue this for testing.  Please send along some changelog
>edits sometime?
>
>
Fair enough.

If you want, please add


Reviewed-by: Bradley Morgan <include@grrlz.net>

:)
Thanks!
