* [PATCH] signal: prevent evasion of SA_IMMUTABLE signals
From: Oleg Nesterov @ 2026-04-29  8:29 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Andy Lutomirski, Kees Cook, Kusaram Devineni, Peter Zijlstra,
	Thomas Gleixner, Will Drewry, linux-kernel

force_sig_info_to_task(HANDLER_EXIT) sets SA_IMMUTABLE to ensure a forced
fatal signal cannot be ignored or caught by userspace; it must always
terminate the target. However, if get_signal() dequeues another synchronous
signal first, and that signal has a handler and its sa_mask includes the
fatal SA_IMMUTABLE signal, the task can return to userspace and survive.

So dequeue_synchronous_signal() must always dequeue an SA_IMMUTABLE signal
first. But it relies on the SI_FROMKERNEL() check and picks the first one
it sees in pending->list, and thus we have the following problems:

- If the same signal was already pending and blocked, the new siginfo
  with .si_code > 0 will be lost.

  Change __send_signal_locked() to bypass the legacy_queue() check in
  this case.

- If force_sig_info_to_task() races with another synchronous/SI_FROMKERNEL
  signal, that signal can be picked first.

  Change __send_signal_locked() to add an SA_IMMUTABLE at the start
  of pending->list.

- SA_IMMUTABLE implies override_rlimit == true, but GFP_ATOMIC can fail
  anyway.

  Change __send_signal_locked() to escalate to SIGKILL in this (very
  unlikely) case.

  Not perfect and perhaps deserves WARN() or pr_warn_ratelimited(), but
  better than nothing.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 kernel/signal.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/kernel/signal.c b/kernel/signal.c
index 9924489c43a5..e4605daa8d04 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1034,6 +1034,11 @@ static void complete_signal(int sig, struct task_struct *p, enum pid_type type)
 	return;
 }
 
+static inline bool sa_immutable(struct sighand_struct *sighand, int sig)
+{
+	return sighand->action[sig - 1].sa.sa_flags & SA_IMMUTABLE;
+}
+
 static inline bool legacy_queue(struct sigpending *signals, int sig)
 {
 	return (sig < SIGRTMIN) && sigismember(&signals->signal, sig);
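Review bot: sa_immutable() reads sighand->action[sig - 1].sa.sa_flags, which is only stable while sighand->siglock is held, but neither the helper nor a comment says so; please document the locking requirement (or add a lockdep_assert_held(&sighand->siglock) like the one already at the top of __send_signal_locked()) so the helper is not picked up from unlocked paths later. The parameter is also a plain `struct sighand_struct *` while task_struct's sighand member is `__rcu`-annotated, so passing `t->sighand` straight in draws a sparse address-space warning; the kernel test robot reports exactly that later in this thread.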
@@ -1042,6 +1047,7 @@ static inline bool legacy_queue(struct sigpending *signals, int sig)
 static int __send_signal_locked(int sig, struct kernel_siginfo *info,
 				struct task_struct *t, enum pid_type type, bool force)
 {
+	bool immutable = sa_immutable(t->sighand, sig);
 	struct sigpending *pending;
 	struct sigqueue *q;
 	int override_rlimit;
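Review bot: `immutable` is derived only from the action's SA_IMMUTABLE flag, not from whether this particular send is the forced one, so every later sender of that signal number (including plain kill() from userspace, where si_code is SI_USER) gets the same special handling as the force_sig_info_to_task() path; that is broader than the commit message's intent and is the concern raised in the follow-up on this thread. Consider qualifying it with the siginfo's si_code, as dequeue_synchronous_signal() itself does (the commit message's `.si_code > 0` / SI_FROMKERNEL), or with the `force` argument if that reliably distinguishes the forced path here, so only the kernel-generated entry is treated specially. It also evaluates before prepare_signal(), which is harmless under siglock but worth a comment.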
@@ -1055,12 +1061,12 @@ static int __send_signal_locked(int sig, struct kernel_siginfo *info,
 
 	pending = (type != PIDTYPE_PID) ? &t->signal->shared_pending : &t->pending;
 	/*
-	 * Short-circuit ignored signals and support queuing
-	 * exactly one non-rt signal, so that we can get more
-	 * detailed information about the cause of the signal.
+	 * Queue exactly one non-rt signal so that we can get more
+	 * detailed information about the cause. But we must never
+	 * lose the siginfo for an SA_IMMUTABLE signal.
 	 */
 	result = TRACE_SIGNAL_ALREADY_PENDING;
-	if (legacy_queue(pending, sig))
+	if (legacy_queue(pending, sig) && !immutable)
 		goto ret;
 
 	result = TRACE_SIGNAL_DELIVERED;
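Review bot: with `&& !immutable` the legacy_queue() short-circuit no longer bounds the number of sigqueue entries for an SA_IMMUTABLE signal number: every send allocates a new entry, and because override_rlimit is true for non-rt signals with si_code >= 0 (the assignment a few lines below this hunk), those allocations are not limited by RLIMIT_SIGPENDING either. Combined with the previous hunk deriving `immutable` from the action alone, repeated kill() of the same signal grows pending->list until the action is reset. The bypass should apply only to the forced, kernel-generated entry (si_code > 0); for a SI_USER duplicate the existing ALREADY_PENDING path is the right answer. The new comment reads as if every SA_IMMUTABLE send must be queued; wording it as "the forced siginfo must not be dropped" would match the narrower rule.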
@@ -1087,7 +1093,12 @@ static int __send_signal_locked(int sig, struct kernel_siginfo *info,
 	q = sigqueue_alloc(sig, t, GFP_ATOMIC, override_rlimit);
 
 	if (q) {
-		list_add_tail(&q->list, &pending->list);
+		/* Ensure dequeue_synchronous_signal() sees SA_IMMUTABLE first */
+		if (immutable)
+			list_add(&q->list, &pending->list);
+		else
+			list_add_tail(&q->list, &pending->list);
+
 		switch ((unsigned long) info) {
 		case (unsigned long) SEND_SIG_NOINFO:
 			clear_siginfo(&q->info);
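Review bot: head insertion only helps if dequeue_synchronous_signal() would select the entry; it only considers entries whose si_code marks them SI_FROMKERNEL (the commit message's `.si_code > 0`), so a userspace-sent copy of the signal (si_code SI_USER) placed at the head by this branch is skipped and merely pushes the forced entry further back. Gating the list_add() on the forced/kernel-generated send rather than on the action flag alone avoids that. The comment should also say that this deliberately breaks FIFO order in pending->list and that two forced entries end up in LIFO order, which is acceptable since both are fatal but is otherwise surprising to a reader of this function.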
@@ -1130,6 +1141,9 @@ static int __send_signal_locked(int sig, struct kernel_siginfo *info,
 		 * send the signal, but the *info bits are lost.
 		 */
 		result = TRACE_SIGNAL_LOSE_INFO;
+		/* The task must not escape SA_IMMUTABLE; escalate to SIGKILL */
+		if (immutable)
+			sig = SIGKILL;
 	}
 
 out_set:
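Review bot: escalating to SIGKILL on allocation failure changes which signal the task dies with: after `sig = SIGKILL` the out_set path adds SIGKILL, not the forced signal, to pending->signal, so the exit status the parent sees and any core-dump behaviour differ from what the forcing code intended. Since this is a silent policy change, the WARN() or pr_warn_ratelimited() that the commit message itself suggests belongs right here, so the rare GFP_ATOMIC failure is at least visible. Also note that trace_signal_generate() at the end of the function is then called with sig == SIGKILL while result is still TRACE_SIGNAL_LOSE_INFO, so tracing consumers cannot tell that the original signal number was replaced; a comment or a distinct result value would help.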
-- 
2.52.0




* Re: [PATCH] signal: prevent evasion of SA_IMMUTABLE signals
From: Oleg Nesterov @ 2026-04-29 10:27 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Andy Lutomirski, Kees Cook, Kusaram Devineni, Peter Zijlstra,
	Thomas Gleixner, Will Drewry, linux-kernel

On 04/29, Oleg Nesterov wrote:
>
>  static int __send_signal_locked(int sig, struct kernel_siginfo *info,
>  				struct task_struct *t, enum pid_type type, bool force)
>  {
> +	bool immutable = sa_immutable(t->sighand, sig);

OK, sashiko.dev raised the valid concern,
https://sashiko.dev/#/patchset/afHBYTUA5XexTj-Q%40redhat.com

	If a signal action is marked SA_IMMUTABLE (for example, by forcing a fatal
	SIGSEGV), and another thread repeatedly sends the same signal via kill(),
	the legacy_queue() check is bypassed.

This check should be more strict. I'll send V2.

Oleg.
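The two orderings the commit message argues about (which entry dequeue_synchronous_signal() picks, and the siginfo lost to legacy_queue()) and the repeated-kill() concern raised in this reply, modelled as an added userspace example. This is constructed for this thread, not kernel code or the author's code: the pending list is an array, the synchronous mask is an assumed subset, and the "first SI_FROMKERNEL synchronous entry wins" rule is a simplification of the real function.

```c
/* Constructed userspace model of the pending-list rules the patch changes; NOT
 * kernel code. legacy_queue(), head/tail insertion, the "first SI_FROMKERNEL
 * synchronous entry wins" rule and the synchronous mask are simplifications. */
#include <stdbool.h>
#include <string.h>

enum { SIGTRAP = 5, SIGSEGV = 11, SIGSYS = 31, SIGRTMIN = 32, MAXQ = 64 };
enum { SI_USER = 0 /* kill() */, SI_KERNEL = 0x80 /* si_code > 0: SI_FROMKERNEL */ };
#define SYNCHRONOUS(s) ((s) == SIGTRAP || (s) == SIGSEGV || (s) == SIGSYS)

struct sigqueue { int signo; int si_code; };
struct sigpending {
	unsigned long long signal;  /* pending bitmask, like sigset_t */
	struct sigqueue list[MAXQ]; /* list[0] is the head of pending->list */
	int n;
};

static bool legacy_queue(const struct sigpending *p, int sig)
{
	return sig < SIGRTMIN && ((p->signal >> (sig - 1)) & 1ULL);
}

/* Model of __send_signal_locked(): 'immutable' is the action's SA_IMMUTABLE
 * flag at send time, 'patched' selects the post-patch rules. */
static bool send_signal(struct sigpending *p, int sig, int si_code,
			bool immutable, bool patched)
{
	bool special = patched && immutable;
	if (p->n == MAXQ || (legacy_queue(p, sig) && !special))
		return false;          /* ALREADY_PENDING: new siginfo is dropped */
	if (special) {                 /* list_add(): head */
		memmove(&p->list[1], &p->list[0], p->n * sizeof(p->list[0]));
		p->list[0] = (struct sigqueue){ sig, si_code };
	} else {                       /* list_add_tail() */
		p->list[p->n] = (struct sigqueue){ sig, si_code };
	}
	p->n++;
	p->signal |= 1ULL << (sig - 1);
	return true;
}

/* Model of dequeue_synchronous_signal(): first kernel-generated synchronous
 * entry in list order, or 0 if none. */
static int dequeue_synchronous(const struct sigpending *p)
{
	for (int i = 0; i < p->n; i++)
		if (p->list[i].si_code > SI_USER && SYNCHRONOUS(p->list[i].signo))
			return p->list[i].signo;
	return 0;
}

/* Race from the commit message: a kernel SIGTRAP is queued just before the
 * forced SA_IMMUTABLE SIGSEGV; which one does get_signal() see first? */
static int race_scenario(bool patched)
{
	struct sigpending p = { 0 };
	send_signal(&p, SIGTRAP, SI_KERNEL, false, patched);
	send_signal(&p, SIGSEGV, SI_KERNEL, true, patched);
	return dequeue_synchronous(&p);
}

/* Lost-siginfo case: a kill()-sent SIGSEGV is pending and blocked when the
 * action turns SA_IMMUTABLE and the forced SIGSEGV arrives. */
static int blocked_scenario(bool patched)
{
	struct sigpending p = { 0 };
	send_signal(&p, SIGSEGV, SI_USER, false, patched);
	send_signal(&p, SIGSEGV, SI_KERNEL, true, patched);
	return dequeue_synchronous(&p);
}

/* Follow-up concern in the thread: with the action already SA_IMMUTABLE,
 * how many entries do 'count' plain kill() sends leave queued? */
static int repeated_kill_entries(bool patched, int count)
{
	struct sigpending p = { 0 };
	for (int i = 0; i < count; i++)
		send_signal(&p, SIGSEGV, SI_USER, true, patched);
	return p.n;
}
```

Pre-patch the race hands get_signal() the SIGTRAP and the blocked case loses the forced siginfo entirely; post-patch both pick the forced SIGSEGV, but the last function shows why keying the bypass on the action flag alone lets every kill() add an entry.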



* Re: [PATCH] signal: prevent evasion of SA_IMMUTABLE signals
From: kernel test robot @ 2026-05-02 18:28 UTC (permalink / raw)
  To: Oleg Nesterov, Andrew Morton
  Cc: oe-kbuild-all, Linux Memory Management List, Andy Lutomirski,
	Kees Cook, Kusaram Devineni, Peter Zijlstra, Thomas Gleixner,
	Will Drewry, linux-kernel

Hi Oleg,

kernel test robot noticed the following build warnings:

[auto build test WARNING on akpm-mm/mm-everything]
[also build test WARNING on linus/master v7.1-rc1 next-20260430]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Oleg-Nesterov/signal-prevent-evasion-of-SA_IMMUTABLE-signals/20260430-182827
base:   https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-everything
patch link:    https://lore.kernel.org/r/afHBYTUA5XexTj-Q%40redhat.com
patch subject: [PATCH] signal: prevent evasion of SA_IMMUTABLE signals
config: nios2-randconfig-r132-20260502 (https://download.01.org/0day-ci/archive/20260503/202605030218.3dGIaLF1-lkp@intel.com/config)
compiler: nios2-linux-gcc (GCC) 8.5.0
sparse: v0.6.5-rc1
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260503/202605030218.3dGIaLF1-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605030218.3dGIaLF1-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> kernel/signal.c:1048:40: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected struct sighand_struct *sighand @@     got struct sighand_struct [noderef] __rcu *sighand @@
   kernel/signal.c:1048:40: sparse:     expected struct sighand_struct *sighand
   kernel/signal.c:1048:40: sparse:     got struct sighand_struct [noderef] __rcu *sighand

vim +1048 kernel/signal.c

  1044	
  1045	static int __send_signal_locked(int sig, struct kernel_siginfo *info,
  1046					struct task_struct *t, enum pid_type type, bool force)
  1047	{
> 1048		bool immutable = sa_immutable(t->sighand, sig);
  1049		struct sigpending *pending;
  1050		struct sigqueue *q;
  1051		int override_rlimit;
  1052		int ret = 0, result;
  1053	
  1054		lockdep_assert_held(&t->sighand->siglock);
  1055	
  1056		result = TRACE_SIGNAL_IGNORED;
  1057		if (!prepare_signal(sig, t, force))
  1058			goto ret;
  1059	
  1060		pending = (type != PIDTYPE_PID) ? &t->signal->shared_pending : &t->pending;
  1061		/*
  1062		 * Queue exactly one non-rt signal so that we can get more
  1063		 * detailed information about the cause. But we must never
  1064		 * lose the siginfo for an SA_IMMUTABLE signal.
  1065		 */
  1066		result = TRACE_SIGNAL_ALREADY_PENDING;
  1067		if (legacy_queue(pending, sig) && !immutable)
  1068			goto ret;
  1069	
  1070		result = TRACE_SIGNAL_DELIVERED;
  1071		/*
  1072		 * Skip useless siginfo allocation for SIGKILL and kernel threads.
  1073		 */
  1074		if ((sig == SIGKILL) || (t->flags & PF_KTHREAD))
  1075			goto out_set;
  1076	
  1077		/*
  1078		 * Real-time signals must be queued if sent by sigqueue, or
  1079		 * some other real-time mechanism.  It is implementation
  1080		 * defined whether kill() does so.  We attempt to do so, on
  1081		 * the principle of least surprise, but since kill is not
  1082		 * allowed to fail with EAGAIN when low on memory we just
  1083		 * make sure at least one signal gets delivered and don't
  1084		 * pass on the info struct.
  1085		 */
  1086		if (sig < SIGRTMIN)
  1087			override_rlimit = (is_si_special(info) || info->si_code >= 0);
  1088		else
  1089			override_rlimit = 0;
  1090	
  1091		q = sigqueue_alloc(sig, t, GFP_ATOMIC, override_rlimit);
  1092	
  1093		if (q) {
  1094			/* Ensure dequeue_synchronous_signal() sees SA_IMMUTABLE first */
  1095			if (immutable)
  1096				list_add(&q->list, &pending->list);
  1097			else
  1098				list_add_tail(&q->list, &pending->list);
  1099	
  1100			switch ((unsigned long) info) {
  1101			case (unsigned long) SEND_SIG_NOINFO:
  1102				clear_siginfo(&q->info);
  1103				q->info.si_signo = sig;
  1104				q->info.si_errno = 0;
  1105				q->info.si_code = SI_USER;
  1106				q->info.si_pid = task_tgid_nr_ns(current,
  1107								task_active_pid_ns(t));
  1108				rcu_read_lock();
  1109				q->info.si_uid =
  1110					from_kuid_munged(task_cred_xxx(t, user_ns),
  1111							 current_uid());
  1112				rcu_read_unlock();
  1113				break;
  1114			case (unsigned long) SEND_SIG_PRIV:
  1115				clear_siginfo(&q->info);
  1116				q->info.si_signo = sig;
  1117				q->info.si_errno = 0;
  1118				q->info.si_code = SI_KERNEL;
  1119				q->info.si_pid = 0;
  1120				q->info.si_uid = 0;
  1121				break;
  1122			default:
  1123				copy_siginfo(&q->info, info);
  1124				break;
  1125			}
  1126		} else if (!is_si_special(info) &&
  1127			   sig >= SIGRTMIN && info->si_code != SI_USER) {
  1128			/*
  1129			 * Queue overflow, abort.  We may abort if the
  1130			 * signal was rt and sent by user using something
  1131			 * other than kill().
  1132			 */
  1133			result = TRACE_SIGNAL_OVERFLOW_FAIL;
  1134			ret = -EAGAIN;
  1135			goto ret;
  1136		} else {
  1137			/*
  1138			 * This is a silent loss of information.  We still
  1139			 * send the signal, but the *info bits are lost.
  1140			 */
  1141			result = TRACE_SIGNAL_LOSE_INFO;
  1142			/* The task must not escape SA_IMMUTABLE; escalate to SIGKILL */
  1143			if (immutable)
  1144				sig = SIGKILL;
  1145		}
  1146	
  1147	out_set:
  1148		signalfd_notify(t, sig);
  1149		sigaddset(&pending->signal, sig);
  1150	
  1151		/* Let multiprocess signals appear after on-going forks */
  1152		if (type > PIDTYPE_TGID) {
  1153			struct multiprocess_signals *delayed;
  1154			hlist_for_each_entry(delayed, &t->signal->multiprocess, node) {
  1155				sigset_t *signal = &delayed->signal;
  1156				/* Can't queue both a stop and a continue signal */
  1157				if (sig == SIGCONT)
  1158					sigdelsetmask(signal, SIG_KERNEL_STOP_MASK);
  1159				else if (sig_kernel_stop(sig))
  1160					sigdelset(signal, SIGCONT);
  1161				sigaddset(signal, sig);
  1162			}
  1163		}
  1164	
  1165		complete_signal(sig, t, type);
  1166	ret:
  1167		trace_signal_generate(sig, info, t, type != PIDTYPE_PID, result);
  1168		return ret;
  1169	}
  1170	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

