From: Deepanshu Kartikey
To: mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com,
    vincent.guittot@linaro.org, dietmar.eggemann@arm.com, rostedt@goodmis.org,
    bsegall@google.com, mgorman@suse.de, vschneid@redhat.com, kees@kernel.org,
    akpm@linux-foundation.org, david@kernel.org, lorenzo.stoakes@oracle.com,
    Liam.Howlett@oracle.com, rppt@kernel.org, surenb@google.com,
    mhocko@suse.com, brauner@kernel.org
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, Deepanshu Kartikey,
    syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com, Deepanshu Kartikey
Subject: [PATCH] kernel/fork: validate exit_signal in clone() syscall
Date: Sat, 7 Mar 2026 12:12:02 +0530
Message-ID: <20260307064202.353405-1-kartikey406@gmail.com>

When a child process exits, it sends exit_signal to its parent via
do_notify_parent().

The clone() syscall constructs exit_signal as:

    (lower_32_bits(clone_flags) & CSIGNAL)

CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
valid_signal() only accepts signals up to _NSIG (64 on x86_64), causing a
WARN_ON in do_notify_parent() when the process exits:

    WARNING: kernel/signal.c:2174 do_notify_parent+0xc7e/0xd70

The syzkaller reproducer triggers this by calling clone() with flags=0x80,
resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
is not a valid signal.

The comment above kernel_clone() states that callers are expected to
validate exit_signal. clone3() correctly does this:

    if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
                 !valid_signal(args.exit_signal)))
        return -EINVAL;

The clone() syscall has no such check. Add the missing valid_signal() check
to clone(), consistent with the existing validation in clone3().

Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey
--- kernel/fork.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/fork.c b/kernel/fork.c index 947a8dbce06a..dbe26ac6ca10 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -2845,7 +2845,8 @@ SYSCALL_DEFINE5(clone, unsigned long, clone_flags, un= signed long, newsp, .stack =3D newsp, .tls =3D tls, }; - + if (!valid_signal(args.exit_signal)) + return -EINVAL; return kernel_clone(&args); } #endif --=20 2.43.0
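
Review bot: returning -EINVAL from SYSCALL_DEFINE5(clone) is a user-visible change for any caller whose CSIGNAL bits decode to a value above _NSIG; going by the changelog, such calls were accepted until now and only tripped the WARN_ON in do_notify_parent() when the child exited. Please say in the changelog that the new failure is intended and whether any existing userspace is known to pass such flag values, since the Fixes: target is a commit that was itself about not breaking clone() users. On style, the hunk replaces the blank line after the args initializer with the check, so the declaration block now runs straight into code: keep an empty line between "};" and "if (!valid_signal(args.exit_signal))", and another before "return kernel_clone(&args);".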