From: Qing Wang
To: mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, akpm@linux-foundation.org, david@kernel.org
Cc: dietmar.eggemann@arm.com, rostedt@goodmis.org, bsegall@google.com, lorenzo.stoakes@oracle.com, Liam.Howlett@oracle.com, vbabka@suse.cz, rppt@kernel.org, brauner@kernel.org, oleg@redhat.com, mjguzik@gmail.com, jack@suse.cz, joel.granados@kernel.org, linux-kernel@vger.kernel.org, Qing Wang, syzbot+e0378d4f4fe57aa2bdd0@syzkaller.appspotmail.com
Subject: [PATCH] fork/pid: Fix use-after-free in __task_pid_nr_ns
Date: Mon, 5 Jan 2026 12:36:27 +0800
Message-Id: <20260105043627.1758935-1-wangqing7171@gmail.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot reported a slab-use-after-free issue in __task_pid_nr_ns:

BUG: KASAN: slab-use-after-free in __task_pid_nr_ns+0x1e4/0x490...
Read of size 8 at addr ffff88807f8058a8 by task syz.1.574/8108

The race condition occurs between the failure path of copy_process()
and getting the PIDTYPE_TGID via __task_pid_nr_ns().

Bug timeline:

Task A                                  Task B
                                        perf_event_open()
        <---------------------------
clone()
  copy_process()
    perf_event_init_task()
    ...
    one copy failed
    free_signal_struct()
                                        close(event_fd)
                                          perf_child_detach()
                                            __task_pid_nr_ns()
                                              access child task->signal

This is fixed by:
1. Setting task->signal = NULL in the failure cleanup path of copy_process.
2. Adding a null check for task->signal before accessing PIDTYPE_TGID from
   task->signal.

Note: This bug was reported by syzbot without a reproducer. The fix is
based on code inspection and race condition analysis.

Reported-by: syzbot+e0378d4f4fe57aa2bdd0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e0378d4f4fe57aa2bdd0
Signed-off-by: Qing Wang --- kernel/fork.c | 8 ++++++-- kernel/pid.c | 6 +++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index b1f3915d5f8e..72b9b37a96c8 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1975,6 +1975,7 @@ __latent_entropy struct task_struct *copy_process( struct file *pidfile =3D NULL; const u64 clone_flags =3D args->flags; struct nsproxy *nsp =3D current->nsproxy; + struct signal_struct *free_sig =3D NULL; =20 /* * Don't allow sharing the root directory with processes in a different @@ -2501,8 +2502,11 @@ __latent_entropy struct task_struct *copy_process( mmput(p->mm); } bad_fork_cleanup_signal: - if (!(clone_flags & CLONE_THREAD)) - free_signal_struct(p->signal); + if (!(clone_flags & CLONE_THREAD)) { + free_sig =3D p->signal; + p->signal =3D NULL; + free_signal_struct(free_sig); + } bad_fork_cleanup_sighand: __cleanup_sighand(p->sighand); bad_fork_cleanup_fs: diff --git a/kernel/pid.c b/kernel/pid.c index a31771bc89c1..1a012e033552 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -329,9 +329,9 @@ EXPORT_SYMBOL_GPL(find_vpid); =20 static struct pid **task_pid_ptr(struct task_struct *task, enum pid_type t= ype) { - return (type =3D=3D PIDTYPE_PID) ? - &task->thread_pid : - &task->signal->pids[type]; + if (type =3D=3D PIDTYPE_PID) + return &task->thread_pid; + return task->signal ? &task->signal->pids[type] : NULL; } =20 /* --=20 2.34.1
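Review bot: the new function-scope local `struct signal_struct *free_sig = NULL;` added to the copy_process() declarations is only used inside the bad_fork_cleanup_signal block of the next hunk; declaring it there (`struct signal_struct *free_sig = p->signal;`) keeps the temporary next to its single use instead of adding another always-NULL local to an already very long function.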
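Review bot: in the bad_fork_cleanup_signal hunk, the store `p->signal = NULL;` before `free_signal_struct(free_sig);` shrinks the window but does not by itself exclude a reader that loaded task->signal just before the store; unless free_signal_struct() defers the actual free past a grace period (the hunk does not show it doing so), such a reader inside rcu_read_lock() still dereferences freed memory, and the commit message's "race condition analysis" should say why the window is closed rather than narrowed. The store is also a plain write racing with a plain read on the pid.c side; use WRITE_ONCE() here and a matching READ_ONCE() in the reader so the compiler cannot reorder or tear the access.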
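Review bot: the kernel/pid.c hunk changes task_pid_ptr() so it can return NULL for non-PIDTYPE_PID types, but neither this hunk nor the diffstat (kernel/pid.c, 3 insertions and 3 deletions) shows any caller being taught to handle NULL; if a caller such as __task_pid_nr_ns(), the crash site in the subject, dereferences the result unconditionally, the use-after-free becomes a NULL pointer dereference. The expression `task->signal ? &task->signal->pids[type] : NULL` also reads task->signal twice, so with a concurrent store of NULL the second load can see a different value from the one that passed the test; load it once into a local with READ_ONCE() and test that local.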