Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2227577/?format=api
{ "id": 2227577, "url": "http://patchwork.ozlabs.org/api/patches/2227577/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260424-master-v2-2-8b50b5c063ed@gmail.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260424-master-v2-2-8b50b5c063ed@gmail.com>", "list_archive_url": null, "date": "2026-04-23T21:36:39", "name": "[v2,2/3] linux-user: Validate tkill/tgkill targets are guest threads", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "d8c5306512df48100597de042d31e176394083de", "submitter": { "id": 93154, "url": "http://patchwork.ozlabs.org/api/people/93154/?format=api", "name": "Ali Raza", "email": "elirazamumtaz@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260424-master-v2-2-8b50b5c063ed@gmail.com/mbox/", "series": [ { "id": 501265, "url": "http://patchwork.ozlabs.org/api/series/501265/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=501265", "date": "2026-04-23T21:36:37", "name": "linux-user: Filter /proc/*/task/ and validate tkill targets", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/501265/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2227577/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2227577/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=gEQWWbK8;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g1vNY3tCcz1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 24 Apr 2026 10:44:13 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wG4cw-0004U7-49; Thu, 23 Apr 2026 20:42:38 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <elirazamumtaz@gmail.com>)\n id 1wG1jo-0002Zz-JS\n for qemu-devel@nongnu.org; Thu, 23 Apr 2026 17:37:32 -0400", "from mail-wr1-x42e.google.com ([2a00:1450:4864:20::42e])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <elirazamumtaz@gmail.com>)\n id 1wG1jm-000188-V0\n for qemu-devel@nongnu.org; Thu, 23 Apr 2026 17:37:32 -0400", "by mail-wr1-x42e.google.com with SMTP id\n ffacd0b85a97d-43d7b879691so949512f8f.1\n for <qemu-devel@nongnu.org>; Thu, 23 Apr 2026 14:37:30 -0700 (PDT)", "from [10.94.10.196] ([223.123.19.204])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48919f54572sm138755225e9.26.2026.04.23.14.37.25\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 23 Apr 2026 14:37:27 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776980249; x=1777585049; darn=nongnu.org;\n h=cc:to:in-reply-to:references:message-id:content-transfer-encoding\n :mime-version:subject:date:from:from:to:cc:subject:date:message-id\n :reply-to; bh=U7LovPah/QE6KW73zZhcUInjXBKP1mVggfWfskBESs4=;\n b=gEQWWbK8+P3TiWRgMBVl+hKy+CG8W5NmbwXB6Ph6cebqPIREarfkrEcsulsO4CJGlu\n Fud+OJteYc2OaWua2KZHPcHv/jhI9TnQ1kjk0b7gGDtYNBouIrQUPzbByoqumAvU1VDd\n tAQ2vb8LxHog83rcBBmWWLhn90i+CJG6qargJLRFOqTlWkbZt8h0bf4SNayh/eYJzbK3\n vVJY5U57j6PakLHZSgRKUoSfzvD15Us1p44Rr8LVoqg6pzFZ5Se8ty/vwEDmFdjCLPbh\n VXA1yZNAPG6767WGuLtwbsWjrnGkL/AiQxX8z9ldgS+KKrJth1Bh/7/yM1qKTllPRcj6\n GSSA==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776980249; x=1777585049;\n h=cc:to:in-reply-to:references:message-id:content-transfer-encoding\n :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=U7LovPah/QE6KW73zZhcUInjXBKP1mVggfWfskBESs4=;\n b=OmOdaXBh/oQES9dpVJ5Pk6rSNO9TNUbsByLkIwacfiuPBadD3dT4TfP4Y0cYWT9pk+\n RK6JU4RyXbwNEhtjQDrjlkWF5vQGUgDC79ZWFD+7nmMD/wtd8gkqlgZdB/LqimAq8DTo\n oKffIpbGKPJ//z4xcq1E+gI/EdSxDtwLEzWy/3j4f6uWf2tm6XvWjVix7LYIbuDxw9EM\n PXp7q98XMUIm3L/TZd8imP3lHNmQ8LIMETP61PYV/NjRP7g8I3UC3/DlXHN+49nqRCuN\n HmaB6WuaEdpw5AcZwB7WxENrNnZz2X8IXFUHMdrobdi5FqkOcmMEKC0Mrk+XwSvNrLTK\n Rbsw==", "X-Gm-Message-State": "AOJu0YycAmJwsY/mcsEeK40kYNQsEGm/4BKl3OR5M00b+NBmjCu6e4ST\n qSxGrVIBJk4WHkjTgr0o71eDfs6sqbc+fQp0FQuaspxAm9hjSQSArnysOqw1CsDw", "X-Gm-Gg": "AeBDieum6XVnaYaDVVtYOKTuGJeAC3/Pxs9fYxydmC3f5/cVaIE5wEG4jDSbWM9WFut\n ka6KJVvg9j9JMnYIC/p8fZwgT4msInmVc1CIJoo4vD2ILSuo9qIQel2D/aHhkNY8nug6rpvMKTD\n GLEiJNp2ERJHoUVb+D2JzBqu1TLjQuNauck+RF2PYI2epog3wnAJOKzeoOYgp1fbhU+AExDIpDl\n zS/a5+apFevpNNSBSoMKn8KahZOoGikJs1wWAPtu9EuRhFQ4j0f6czhUISm1df6iBsbxFkeiTz9\n QMwY7iVudAix//gcaRENplcBu+CttrkxnFTLgU5pYDlgsWANnarvZNvUTaI9s9WjcnoBjStkMJQ\n NVl8moVi0lhJDEtnduuNonSfJ4Nf1Ra/PpnwIBbZHM/wo4Lhy4XkZ6SI4uWKqBSvsV4LWKqHKq7\n pFWAg/y8ftHPtcyppwY/55Iz4APVwJUD+T/dp8/Q14Nw==", "X-Received": "by 2002:a05:600c:1389:b0:487:1826:e138 with SMTP id\n 5b1f17b1804b1-488fb739780mr210684635e9.1.1776980249086;\n Thu, 23 Apr 2026 14:37:29 -0700 (PDT)", "From": "Ali Raza <elirazamumtaz@gmail.com>", "Date": "Fri, 24 Apr 2026 02:36:39 +0500", "Subject": "[PATCH v2 2/3] linux-user: Validate tkill/tgkill targets are guest\n threads", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "7bit", "Message-Id": "<20260424-master-v2-2-8b50b5c063ed@gmail.com>", "References": "<20260424-master-v2-0-8b50b5c063ed@gmail.com>", "In-Reply-To": "<20260424-master-v2-0-8b50b5c063ed@gmail.com>", "To": "qemu-devel@nongnu.org", "Cc": "Ali Raza <elirazamumtaz@gmail.com>, Laurent Vivier <laurent@vivier.eu>,\n Pierrick Bouvier <pierrick.bouvier@linaro.org>,\n =?utf-8?q?Alex_Benn=C3=A9e?= <alex.bennee@linaro.org>, deller@gmx.de", "X-Mailer": "b4 0.15.2", "Received-SPF": "pass client-ip=2a00:1450:4864:20::42e;\n envelope-from=elirazamumtaz@gmail.com; helo=mail-wr1-x42e.google.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-Mailman-Approved-At": "Thu, 23 Apr 2026 20:42:33 -0400", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "The tkill and tgkill syscall handlers pass the guest-supplied TID\ndirectly to the host kernel without checking whether it belongs to a\nguest thread. This allows a guest to send signals to QEMU-internal\nhost threads (RCU, TCG workers) that have no CPUState and no guest\nsignal handlers, which can cause hangs or disrupt QEMU operation.\n\nAdd validation that checks the target TID against the guest CPU list\nbefore forwarding the signal to the host. For tgkill, also verify\nthat the tgid matches the current process. Return -ESRCH for TIDs\nthat do not correspond to any guest thread, matching the behavior a\nreal kernel would return for a nonexistent thread.\n\nThis complements the /proc/*/task/ filtering in the previous commit\nto provide defense-in-depth: even if a guest discovers or guesses a\nQEMU-internal thread TID, it cannot send signals to it.\n\nSigned-off-by: Ali Raza (@locus-x64)\n\n---\nChanges in v2:\n- Range-check tid/tgid before narrowing from abi_long to pid_t.\n- do_tkill: only reject signals whose target lives in our own host\n process and is not a guest thread; cross-process tkill is passed\n through to the kernel unchanged.\n- do_tgkill: drop the previous tgid==getpid() blanket rejection and\n apply the same in-our-process-only filter, so legitimate\n cross-process tgkill keeps working.\n- New tid_is_qemu_internal() helper based on the CPU list and\n /proc/self/task/<tid> presence.\n---\n linux-user/syscall.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++--\n 1 file changed, 53 insertions(+), 2 deletions(-)", "diff": "diff --git a/linux-user/syscall.c b/linux-user/syscall.c\nindex 44f2cd851f..c7dea1086c 100644\n--- a/linux-user/syscall.c\n+++ b/linux-user/syscall.c\n@@ -9161,6 +9161,27 @@ static bool is_guest_tid(pid_t tid)\n return false;\n }\n \n+/*\n+ * Return true iff @tid identifies a thread inside our own host process\n+ * that is not one of the guest threads -- i.e. a QEMU-internal helper\n+ * thread (RCU, TCG worker, ...). Cross-process tids and unknown tids\n+ * are not classified here and the caller should pass the syscall\n+ * through to the kernel unchanged.\n+ */\n+static bool tid_is_qemu_internal(pid_t tid)\n+{\n+ char path[64];\n+\n+ WITH_RCU_READ_LOCK_GUARD() {\n+ if (is_guest_tid(tid)) {\n+ return false;\n+ }\n+ }\n+\n+ snprintf(path, sizeof(path), \"/proc/self/task/%d\", (int)tid);\n+ return access(path, F_OK) == 0;\n+}\n+\n #ifdef TARGET_NR_getdents\n static int do_getdents(abi_long dirfd, abi_long arg2, abi_long count)\n {\n@@ -13511,11 +13532,41 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,\n #endif\n \n case TARGET_NR_tkill:\n- return get_errno(safe_tkill((int)arg1, target_to_host_signal(arg2)));\n+ {\n+ pid_t tid = (pid_t)arg1;\n+ if ((abi_long)tid != arg1) {\n+ return -TARGET_ESRCH;\n+ }\n+ /*\n+ * Reject signals that target one of our own QEMU-internal\n+ * helper threads (RCU, TCG worker, ...) which share our\n+ * host PID but have no guest CPUState. Cross-process tids\n+ * are passed through unchanged.\n+ */\n+ if (tid_is_qemu_internal(tid)) {\n+ return -TARGET_ESRCH;\n+ }\n+ return get_errno(safe_tkill(tid, target_to_host_signal(arg2)));\n+ }\n \n case TARGET_NR_tgkill:\n- return get_errno(safe_tgkill((int)arg1, (int)arg2,\n+ {\n+ pid_t tgid = (pid_t)arg1;\n+ pid_t tid = (pid_t)arg2;\n+ if ((abi_long)tgid != arg1 || (abi_long)tid != arg2) {\n+ return -TARGET_ESRCH;\n+ }\n+ /*\n+ * Only screen targets in our own process; for cross-process\n+ * tgkill we have no way to know which TIDs are guest threads\n+ * in another QEMU instance, so the call is passed through.\n+ */\n+ if (tgid == getpid() && tid_is_qemu_internal(tid)) {\n+ return -TARGET_ESRCH;\n+ }\n+ return get_errno(safe_tgkill(tgid, tid,\n target_to_host_signal(arg3)));\n+ }\n \n #ifdef TARGET_NR_set_robust_list\n case TARGET_NR_set_robust_list:\n", "prefixes": [ "v2", "2/3" ] }