Re: [syzbot] [perf?] KASAN: slab-use-after-free Read in __task_pid_nr_ns
From: syzbot <hidden>
Date: 2026-01-05 02:38:51
Also in:
linux-perf-users, lkml
#syz test
This crash does not have a reproducer. I cannot test it.
diff --git a/kernel/fork.c b/kernel/fork.c
index b1f3915d5f8e..72b9b37a96c8 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1975,6 +1975,7 @@ __latent_entropy struct task_struct *copy_process(
 struct file *pidfile = NULL;
 const u64 clone_flags = args->flags;
 struct nsproxy *nsp = current->nsproxy;
+ struct signal_struct *free_sig = NULL;
 
 /*
 * Don't allow sharing the root directory with processes in a different
@@ -2501,8 +2502,11 @@ __latent_entropy struct task_struct *copy_process(
 mmput(p->mm);
 }
 bad_fork_cleanup_signal:
- if (!(clone_flags & CLONE_THREAD))
- free_signal_struct(p->signal);
+ if (!(clone_flags & CLONE_THREAD)) {
+ free_sig = p->signal;
+ p->signal = NULL;
+ free_signal_struct(free_sig);
+ }
 bad_fork_cleanup_sighand:
 __cleanup_sighand(p->sighand);
 bad_fork_cleanup_fs:
diff --git a/kernel/pid.c b/kernel/pid.c
index a31771bc89c1..1a012e033552 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -329,9 +329,9 @@ EXPORT_SYMBOL_GPL(find_vpid);
 
 static struct pid **task_pid_ptr(struct task_struct *task, enum pid_type type)
 {
- return (type == PIDTYPE_PID) ?
- &task->thread_pid :
- &task->signal->pids[type];
+ if (type == PIDTYPE_PID)
+ return &task->thread_pid;
+ return task->signal ? &task->signal->pids[type] : NULL;
 }
 
 /*
-- 
2.34.1
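Review bot: Clearing `p->signal` with a plain store under `bad_fork_cleanup_signal:` does not close the window the report describes for a reader that already loaded the old pointer on another CPU, because that reader still dereferences the struct that `free_signal_struct(free_sig)` releases on the very next line, and nothing in this hunk defers that release past an RCU grace period. If the lookup side reads `task->signal` under RCU, the store here should at least be `WRITE_ONCE(p->signal, NULL);` so it pairs with a `READ_ONCE` on the reader, and the free itself presumably needs to be delayed (or the task made unreachable to pid lookups before this cleanup runs) rather than only hidden behind a NULL check. A short comment would also justify the temporary, which otherwise reads as gratuitous: `/* Clear p->signal before freeing so a concurrent pid lookup sees NULL, not freed memory. */`. copy_process() begins and ends outside this hunk.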
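Review bot: Returning NULL from `task_pid_ptr()` changes the helper's contract, and the callers in kernel/pid.c that are not in this hunk (`__task_pid_nr_ns()`, `attach_pid()`, `detach_pid()`, `change_pid()`) appear to dereference its result unconditionally, so as far as this patch shows the use-after-free is converted into a NULL-pointer dereference rather than fixed; every caller needs a NULL check, or the helper must keep returning a valid pointer. The read of `task->signal` also races with the new store in copy_process() and is evaluated twice in the ternary, so it should be a single annotated load: `struct signal_struct *sig = READ_ONCE(task->signal);` followed by `return sig ? &sig->pids[type] : NULL;`. A one-line comment stating when the field can be NULL would help the next reader: `/* task->signal is NULL while copy_process() tears down a failed fork. */`.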