WARNING in do_notify_parent (kernel/signal.c:2174)

WARNING in do_notify_parent (kernel/signal.c:2174)

[y2k]

Hello,

I am reporting a kernel bug found with syzkaller fuzzer.


KERNEL VERSION
--------------
7.1.0-rc2-00099-gadc1e5c6203c
arch: x86_64
preemption: PREEMPT(lazy)


REPRODUCER (syzkaller program)
------------------------------
# {Threaded:false Repeat:false Procs:1 Sandbox: SandboxArg:0 Sysctl:true HandleSegv:true}
syz_clone(0x200080, &(0x7f00000003c0)="9562597ade4c359303b4585229dfcf8a12e5a172b6bfeb0d6d973e21df1c19605d9eb45142bd770cb6310057f646adcbde17681e392e8c11af0836a4ffff47c8c083fd4da4af3fdaa71e8a42df556d90bfb7e2511aac2628e271cddf224733c2881a422684cd3c7033fd24e00b205efdd94ece24e22040e80a310fb8cfaafecb00e067c5c2dfc13181c8773d3a37aa7635b8da5dbf2c9b25a7192f3861c442929542a4a564920eb870a06b383e781fe0d54d05275c7e2cd2f901c72c8270308a5db0adbed89176bac1122b21cb2e2d202569ae8d5a97cbce75aff3444207cb68bfcf", 0xe2, 0x0, 0x0, 0x0)


KERNEL CONFIG (relevant options)
---------------------------------
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KASAN_SHADOW_OFFSET=0xdffffc0000000000
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_DWARF4=y
CONFIG_DEBUG_BUGVERBOSE=y


CRASH REPORT
------------
------------[ cut here ]------------
WARNING: kernel/signal.c:2174 at do_notify_parent+0xfef/0x11c0 kernel/signal.c:2174
CPU: 1 UID: 0 PID: 1245 Comm: syz.3.17 Not tainted 7.1.0-rc2-00099-gadc1e5c6203c #1 PREEMPT(lazy)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996)
RIP: 0010:do_notify_parent+0xfef/0x11c0 kernel/signal.c:2174
Code: 06 00 00 e8 23 b8 ff ff e9 81 f8 ff ff 41 bf 01 00 00 00 e9 76 f8 ff ff 4c 8d bb d0 08 00 00 e9 e7 f1 ff ff e8 82 88 39 00 90 <0f> 0b 90 45 31 ff e9 95 f8 ff ff e8 71 88 39 00 90 0f 0b 90 e9 d8
RSP: 0018:ffff8880057ffd38 EFLAGS: 00010093
RAX: 0000000000000000 RBX: ffff88800c158000 RCX: ffffffff8287ce7e
RDX: ffff88800c158000 RSI: 0000000000000040 RDI: 0000000000000007
RBP: ffff88800c015e50 R08: 0000000000000001 R09: ffffed1000afffb7
R10: 0000000000000080 R11: ffff88800c158000 R12: 1ffff11000afffaa
R13: dffffc0000000000 R14: 0000000000000080 R15: 0000000000000001
FS:  000055556c108500(0000) GS:ffff8881121b5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff9749c2480 CR3: 00000000afea6000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 exit_notify kernel/exit.c:757 [inline]
 do_exit+0x1a84/0x2960 kernel/exit.c:987
 __do_sys_exit kernel/exit.c:1084 [inline]
 __se_sys_exit kernel/exit.c:1082 [inline]
 __x64_sys_exit+0x42/0x50 kernel/exit.c:1082
 x64_sys_call+0x1880/0x1880 arch/x86/include/generated/asm/syscalls_64.h:61
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x115/0x6a0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>


REPRODUCTION NOTES
------------------
The bug was reproduced consistently. Syzkaller minimized the reproducer
to a single syz_clone() call. The WARNING fires in do_notify_parent()
during process exit when notifying the parent, called from exit_notify()
via do_exit() -> sys_exit().

Reproducing took 38 minutes across 87 programs. The crash is confirmed
not corrupted and reproducible.

This bug was found with syzkaller. The full .config is available on request.

Thanks,
y2k
y2k@desarrollaria.com

Re: WARNING in do_notify_parent (kernel/signal.c:2174)

[y2k]

Follow-up: I found that commit 0f8e38eeb995 by Oleg Nesterov
("do_notify_parent: sanitize the valid_signal() checks") appears to be
related to this WARNING.

The syzkaller reproducer confirms the WARN_ON_ONCE fires in real
conditions via syz_clone() with specific arguments.

Kernel tested: 7.1.0-rc2-00099-gadc1e5c6203c

Thanks,
y2k
y2k@desarrollaria.com

Re: WARNING in do_notify_parent (kernel/signal.c:2174)

[y2k]

I noticed that commit 0f8e38eeb995 adds WARN_ON_ONCE for invalid signals
in do_notify_parent(). The syzkaller reproducer triggers this via
syz_clone() with CLONE_THREAD flags.

Could this be related to the ptrace path in exit.c:749 where
exit_signal=-1 (set for CLONE_THREAD processes) could reach
do_notify_parent() without a valid_signal() check?

Thanks,
y2k
y2k@desarrollaria.com

Re: WARNING in do_notify_parent (kernel/signal.c:2174)

[Oleg Nesterov]

On 05/07, y2k wrote:
>
> 7.1.0-rc2-00099-gadc1e5c6203c
> arch: x86_64
> preemption: PREEMPT(lazy)
>
>
> REPRODUCER (syzkaller program)
> ------------------------------
> # {Threaded:false Repeat:false Procs:1 Sandbox: SandboxArg:0 Sysctl:true HandleSegv:true}
> syz_clone(0x200080, &(0x7f00000003c0)="9562597ade4c359303b4585229dfcf8a12e5a172b6bfeb0d6d973e21df1c19605d9eb45142bd770cb6310057f646adcbde17681e392e8c11af0836a4ffff47c8c083fd4da4af3fdaa71e8a42df556d90bfb7e2511aac2628e271cddf224733c2881a422684cd3c7033fd24e00b205efdd94ece24e22040e80a310fb8cfaafecb00e067c5c2dfc13181c8773d3a37aa7635b8da5dbf2c9b25a7192f3861c442929542a4a564920eb870a06b383e781fe0d54d05275c7e2cd2f901c72c8270308a5db0adbed89176bac1122b21cb2e2d202569ae8d5a97cbce75aff3444207cb68bfcf", 0xe2, 0x0, 0x0, 0x0)
...

> WARNING: kernel/signal.c:2174 at do_notify_parent+0xfef/0x11c0 kernel/signal.c:2174

...

> Follow-up: I found that commit 0f8e38eeb995 by Oleg Nesterov
> ("do_notify_parent: sanitize the valid_signal() checks") appears to be
> related to this WARNING.

From the changelog:

	Now that kernel_clone() checks valid_signal(args->exit_signal), the "sig"
	argument of do_notify_parent() must always be valid or we have a bug.

This patch depends on

	[PATCH v3] kernel/fork: validate exit_signal in kernel_clone()
	https://lore.kernel.org/all/20260316151956.563558-1-kartikey406@gmail.com/

Was kernel-fork-validate-exit_signal-in-kernel_clone.patch in mm-tree

So it seems that my patch is already merged, but the patch from Deepanshu is not...

Oleg.