[syzbot] WARNING in mntput_no_expire (3)


syzbot

Nov 15, 2021, 5:27:27 PM
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot found the following issue on:

HEAD commit: fceb07950a7a Merge https://git.kernel.org/pub/scm/linux/ke..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=16f9e61ab00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5d447cdc3ae81d9
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5b1e53...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 13724 at fs/namespace.c:1187 mntput_no_expire+0xada/0xcd0 fs/namespace.c:1187
Modules linked in:
CPU: 0 PID: 13724 Comm: syz-executor.0 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xada/0xcd0 fs/namespace.c:1187
Code: 30 84 c0 0f 84 b9 fe ff ff 3c 03 0f 8f b1 fe ff ff 4c 89 44 24 10 e8 45 3e ec ff 4c 8b 44 24 10 e9 9d fe ff ff e8 d6 d1 a5 ff <0f> 0b e9 19 fd ff ff e8 ca d1 a5 ff e8 b5 e1 65 07 31 ff 89 c5 89
RSP: 0018:ffffc90003fffc18 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff920007fff89 RCX: 0000000000000000
RDX: ffff8880746c3a00 RSI: ffffffff81d1a0ba RDI: 0000000000000003
RBP: ffff88807324ad80 R08: 0000000000000000 R09: ffffffff8fd39a0f
R10: ffffffff81d19dd1 R11: 0000000000000000 R12: 0000000000000008
R13: ffffc90003fffc68 R14: 00000000ffffffff R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fee49cd9c18 CR3: 0000000030b77000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
<TASK>
mntput fs/namespace.c:1233 [inline]
namespace_unlock+0x26b/0x410 fs/namespace.c:1452
drop_collected_mounts fs/namespace.c:1935 [inline]
put_mnt_ns fs/namespace.c:4344 [inline]
put_mnt_ns+0x106/0x140 fs/namespace.c:4340
free_nsproxy+0x43/0x4c0 kernel/nsproxy.c:191
put_nsproxy include/linux/nsproxy.h:105 [inline]
switch_task_namespaces+0xad/0xc0 kernel/nsproxy.c:249
do_exit+0xba5/0x2a20 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:923
__do_sys_exit_group kernel/exit.c:934 [inline]
__se_sys_exit_group kernel/exit.c:932 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:932
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fee49bf8ae9
Code: Unable to access opcode bytes at RIP 0x7fee49bf8abf.
RSP: 002b:00007ffe70646608 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000029 RCX: 00007fee49bf8ae9
RDX: 00007fee49bfa13a RSI: 0000000000000000 RDI: 0000000000000007
RBP: 0000000000000007 R08: ffffffffffff0000 R09: 0000000000000029
R10: 00000000000003b8 R11: 0000000000000246 R12: 00007ffe70646c70
R13: 0000000000000003 R14: 00007ffe70646c0c R15: 00007fee49cd9b60
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 11, 2022, 1:34:25 AM
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
syzbot has found a reproducer for the following issue on:

HEAD commit: feb9c5e19e91 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10ea9d8ef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125039fef00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a27b71f00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5b1e53...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3608 at fs/namespace.c:1236 mntput_no_expire+0xada/0xcd0 fs/namespace.c:1236
Modules linked in:
CPU: 0 PID: 3608 Comm: syz-executor314 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xada/0xcd0 fs/namespace.c:1236
Code: 30 84 c0 0f 84 b9 fe ff ff 3c 03 0f 8f b1 fe ff ff 4c 89 44 24 10 e8 45 50 e9 ff 4c 8b 44 24 10 e9 9d fe ff ff e8 56 bf 9d ff <0f> 0b e9 19 fd ff ff e8 4a bf 9d ff e8 b5 cf 91 07 31 ff 89 c5 89
RSP: 0018:ffffc900030ffcf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff9200061ffa4 RCX: 0000000000000000
RDX: ffff88807c859d80 RSI: ffffffff81db815a RDI: 0000000000000003
RBP: ffff88801bcbca80 R08: 0000000000000000 R09: ffffffff9006d90f
R10: ffffffff81db7e71 R11: 0000000000000001 R12: 0000000000000008
R13: ffffc900030ffd40 R14: 00000000ffffffff R15: 0000000000000002
FS: 0000555556a0e300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555556a17628 CR3: 0000000071c9d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
path_umount+0x7d4/0x1260 fs/namespace.c:1806
ksys_umount fs/namespace.c:1825 [inline]
__do_sys_umount fs/namespace.c:1830 [inline]
__se_sys_umount fs/namespace.c:1828 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1828
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fcc5b9cc2c7
Code: 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcb4fdf1a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcc5b9cc2c7
RDX: 00007ffcb4fdf269 RSI: 000000000000000a RDI: 00007ffcb4fdf260
RBP: 00007ffcb4fdf260 R08: 00000000ffffffff R09: 00007ffcb4fdf040
R10: 0000555556a0f693 R11: 0000000000000202 R12: 00007ffcb4fe02e0
R13: 0000555556a0f5f0 R14: 00007ffcb4fdf1d0 R15: 0000000000000002
</TASK>

Hillf Danton

May 11, 2022, 9:51:38 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 10 May 2022 22:34:24 -0700
See if it is due to race.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ feb9c5e19e91

--- y/fs/namespace.c
+++ x/fs/namespace.c
@@ -1801,6 +1801,9 @@ int path_umount(struct path *path, int f
if (!ret)
ret = do_umount(mnt, flags);

+ if (ret)
+ return ret;
+
/* we mustn't call path_put() as that would clear mnt_expiry_mark */
dput(path->dentry);
mntput_no_expire(mnt);
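Review bot: the early `return ret;` leaks the references path_umount() is responsible for dropping. The trailing context shows the function ends with `dput(path->dentry);` and `mntput_no_expire(mnt);`, and its own comment says path_put() is avoided only to preserve mnt_expiry_mark, so those two puts are meant to run whether or not do_umount() succeeded; returning before them on error leaves the dentry and the mount pinned. If the question is whether the extra put follows a failed do_umount(), a WARN_ON(ret) placed before the puts answers it without leaking.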
--

syzbot

May 11, 2022, 10:03:16 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in __init_work

------------[ cut here ]------------
ODEBUG: init active (active state 0) object type: work_struct hint: css_killed_work_fn+0x0/0x5e0 kernel/cgroup/cgroup.c:3947
WARNING: CPU: 1 PID: 4107 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Modules linked in:
CPU: 1 PID: 4107 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 40 40 27 8a 4c 89 ee 48 c7 c7 40 34 27 8a e8 7a cc 2c 05 <0f> 0b 83 05 25 a2 bd 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffc900001e0cb8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff88807348bb00 RSI: ffffffff81601ae8 RDI: fffff5200003c189
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff815fc4be R11: 0000000000000000 R12: ffffffff89cb9000
R13: ffffffff8a2739c0 R14: ffffffff814c80d0 R15: ffffffff90840968
FS: 0000555555872400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f22b216c058 CR3: 000000006b894000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__debug_object_init+0x524/0xd10 lib/debugobjects.c:593
__init_work+0x48/0x50 kernel/workqueue.c:523
css_release+0x1a/0x110 kernel/cgroup/cgroup.c:5213
percpu_ref_put_many.constprop.0+0x22b/0x260 include/linux/percpu-refcount.h:335
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:__syscall_enter_from_user_work kernel/entry/common.c:89 [inline]
RIP: 0010:syscall_enter_from_user_mode+0x2b/0x70 kernel/entry/common.c:110
Code: 54 49 89 f4 55 48 89 fd 48 8b 7c 24 10 e8 ed f5 ff ff eb 27 eb 2b e8 04 35 12 f8 e8 7f 31 12 f8 fb 65 48 8b 04 25 00 70 02 00 <48> 8b 70 08 40 f6 c6 3f 75 19 4c 89 e0 5d 41 5c c3 eb 1b 0f 0b eb
RSP: 0018:ffffc9000352ff28 EFLAGS: 00000206
RAX: ffff88807348bb00 RBX: 0000000000000000 RCX: 1ffffffff1b71e79
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000352ff58 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817f8958 R11: 0000000000000000 R12: 000000000000003d
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
do_syscall_64+0x16/0xb0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f307ec87587
Code: 89 7c 24 10 48 89 4c 24 18 e8 35 50 02 00 4c 8b 54 24 18 8b 54 24 14 41 89 c0 48 8b 74 24 08 8b 7c 24 10 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 89 44 24 10 e8 65 50 02 00 8b 44
RSP: 002b:00007ffcba6fb200 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 0000000000000018 RCX: 00007f307ec87587
RDX: 0000000040000001 RSI: 00007ffcba6fb28c RDI: 00000000ffffffff
RBP: 00007ffcba6fb28c R08: 0000000000000000 R09: 00007ffcba74f080
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
R13: 0000000000016531 R14: 0000000000000004 R15: 00007ffcba6fb2f0
</TASK>
----------------
Code disassembly (best guess):
0: 54 push %rsp
1: 49 89 f4 mov %rsi,%r12
4: 55 push %rbp
5: 48 89 fd mov %rdi,%rbp
8: 48 8b 7c 24 10 mov 0x10(%rsp),%rdi
d: e8 ed f5 ff ff callq 0xfffff5ff
12: eb 27 jmp 0x3b
14: eb 2b jmp 0x41
16: e8 04 35 12 f8 callq 0xf812351f
1b: e8 7f 31 12 f8 callq 0xf812319f
20: fb sti
21: 65 48 8b 04 25 00 70 mov %gs:0x27000,%rax
28: 02 00
* 2a: 48 8b 70 08 mov 0x8(%rax),%rsi <-- trapping instruction
2e: 40 f6 c6 3f test $0x3f,%sil
32: 75 19 jne 0x4d
34: 4c 89 e0 mov %r12,%rax
37: 5d pop %rbp
38: 41 5c pop %r12
3a: c3 retq
3b: eb 1b jmp 0x58
3d: 0f 0b ud2
3f: eb .byte 0xeb


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1193d43af00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1681e821f00000

Hillf Danton

May 12, 2022, 8:06:46 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Wed, 11 May 2022 07:03:14 -0700
v1, See if it is due to race.
v2, quiesce the warning by adding a dedicated release work in parallel to
the destroy work.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ feb9c5e19e91

--- y/fs/namespace.c
+++ x/fs/namespace.c
@@ -1801,6 +1801,9 @@ int path_umount(struct path *path, int f
if (!ret)
ret = do_umount(mnt, flags);

+ if (ret)
+ return ret;
+
/* we mustn't call path_put() as that would clear mnt_expiry_mark */
dput(path->dentry);
mntput_no_expire(mnt);
--- y/include/linux/cgroup-defs.h
+++ x/include/linux/cgroup-defs.h
@@ -179,7 +179,7 @@ struct cgroup_subsys_state {
atomic_t online_cnt;

/* percpu_ref killing and RCU release */
- struct work_struct destroy_work;
+ struct work_struct destroy_work, release_work;
struct rcu_work destroy_rwork;

/*
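Review bot: the comment `/* percpu_ref killing and RCU release */` directly above these fields should be updated to say which item serves which phase now: destroy_work for the kill side (css_killed_work_fn) and release_work for css_release(), as the v2 description states. Note also that this adds a work_struct to every cgroup_subsys_state; if that size cost matters, the alternative is to guarantee destroy_work is never re-initialised while css_killed_work_fn() is still executing on it, which is the condition the ODEBUG report describes.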
--- y/kernel/cgroup/cgroup.c
+++ x/kernel/cgroup/cgroup.c
@@ -5154,7 +5154,7 @@ static void css_free_rwork_fn(struct wor
static void css_release_work_fn(struct work_struct *work)
{
struct cgroup_subsys_state *css =
- container_of(work, struct cgroup_subsys_state, destroy_work);
+ container_of(work, struct cgroup_subsys_state, release_work);
struct cgroup_subsys *ss = css->ss;
struct cgroup *cgrp = css->cgroup;

@@ -5210,8 +5210,8 @@ static void css_release(struct percpu_re
struct cgroup_subsys_state *css =
container_of(ref, struct cgroup_subsys_state, refcnt);

- INIT_WORK(&css->destroy_work, css_release_work_fn);
- queue_work(cgroup_destroy_wq, &css->destroy_work);
+ INIT_WORK(&css->release_work, css_release_work_fn);
+ queue_work(cgroup_destroy_wq, &css->release_work);
}

static void init_and_link_css(struct cgroup_subsys_state *css,
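Review bot: release_work is initialised on every release, inside the percpu_ref release callback, which the ODEBUG trace above shows running from rcu_do_batch() in softirq context. Since release_work now belongs to this one path, it can be set up once in init_and_link_css() (whose definition starts in the trailing context) and css_release() reduced to the queue_work() call, keeping INIT_WORK out of the RCU callback altogether. As written, the hunk is consistent with the container_of() change in css_release_work_fn() above, so both sides agree on the field.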
--

syzbot

May 12, 2022, 8:20:09 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 1 PID: 4071 at fs/namespace.c:1236 mntput_no_expire+0xada/0xcd0 fs/namespace.c:1236
Modules linked in:
CPU: 1 PID: 4071 Comm: syz-executor.4 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xada/0xcd0 fs/namespace.c:1236
Code: 30 84 c0 0f 84 b9 fe ff ff 3c 03 0f 8f b1 fe ff ff 4c 89 44 24 10 e8 45 50 e9 ff 4c 8b 44 24 10 e9 9d fe ff ff e8 46 bf 9d ff <0f> 0b e9 19 fd ff ff e8 3a bf 9d ff e8 75 cf 91 07 31 ff 89 c5 89
RSP: 0018:ffffc9000324fcf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff92000649fa4 RCX: 0000000000000000
RDX: ffff88807ccd0000 RSI: ffffffff81db819a RDI: 0000000000000003
RBP: ffff888022660c00 R08: 0000000000000000 R09: ffffffff9006d94f
R10: ffffffff81db7eb1 R11: 0000000000000001 R12: 0000000000000008
R13: ffffc9000324fd40 R14: 00000000ffffffff R15: 0000000000000002
FS: 0000555556484400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005567c4d8d680 CR3: 0000000022908000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
path_umount+0x925/0x10d0 fs/namespace.c:1809
ksys_umount fs/namespace.c:1828 [inline]
__do_sys_umount fs/namespace.c:1833 [inline]
__se_sys_umount fs/namespace.c:1831 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1831
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f0dfe48a557
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffef4140618 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0dfe48a557
RDX: 00007ffef41406ea RSI: 000000000000000a RDI: 00007ffef41406e0
RBP: 00007ffef41406e0 R08: 00000000ffffffff R09: 00007ffef41404b0
R10: 00005555564858b3 R11: 0000000000000246 R12: 00007f0dfe4e21f8
R13: 00007ffef41417a0 R14: 0000555556485810 R15: 00007ffef41417e0
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=159cbc4ef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1449df71f00000

Hillf Danton

May 12, 2022, 8:43:53 AM
to syzbot, Tadeusz Struk, Michal Koutny, Tejun Heo, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Wed, 11 May 2022 07:03:14 -0700
JFYI the warning above is due to the double roles of the destroy_work in
css_killed_work_fn() and css_release(),

css_killed_work_fn                        css_release
===                                       ===
css_put(css);
                                          INIT_WORK(&css->destroy_work,
                                                    css_release_work_fn);

and a quick fix is to add a dedicated release_work to css_release().

Hillf
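The two-role hazard described in that post, as an added userspace model that is not kernel code and not part of the patches in this thread: a work item's `active` flag stands in for the debugobjects state tracking, the css_put() at the end of css_killed_work_fn() drops the last reference, and css_release() either re-initialises destroy_work (baseline, which the check flags) or uses the dedicated release_work that v2 adds (clean). The struct and function names mirror the thread; the refcount, the worker loop and the debug check are simplified stand-ins and are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-ins for the kernel types involved (model, not kernel code). */
struct work_struct;
typedef void (*work_func_t)(struct work_struct *);

struct work_struct {
	work_func_t func;
	int active;		/* set while a worker is executing this item */
};

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Number of "init active" complaints; lib/debugobjects.c would print these as
 * "ODEBUG: init active ... object type: work_struct". */
static int odebug_init_active;

/* Model of INIT_WORK(): re-initialising an item that is still running on a
 * worker is exactly the condition debugobjects reports. */
static void init_work(struct work_struct *w, work_func_t func)
{
	if (w->active)
		odebug_init_active++;
	w->func = func;
}

/* Model of a cgroup_destroy_wq worker executing one item. */
static void run_work(struct work_struct *w)
{
	w->active = 1;
	w->func(w);
	w->active = 0;
}

struct cgroup_subsys_state {
	int refcnt;				/* stands in for the percpu_ref */
	struct work_struct destroy_work;	/* used by the kill side */
	struct work_struct release_work;	/* the field v2 of the patch adds */
	int use_release_work;			/* 0: baseline, 1: v2 behaviour */
	struct work_struct *queued;		/* what css_release() queued */
};

static void css_release_work_fn(struct work_struct *work)
{
	(void)work;	/* final teardown; nothing to model here */
}

/* percpu_ref release callback. Baseline re-uses destroy_work, which may still
 * be executing css_killed_work_fn(); v2 uses the dedicated release_work. */
static void css_release(struct cgroup_subsys_state *css)
{
	struct work_struct *w = css->use_release_work ? &css->release_work
						      : &css->destroy_work;

	init_work(w, css_release_work_fn);
	css->queued = w;	/* queue_work(cgroup_destroy_wq, w) */
}

static void css_put(struct cgroup_subsys_state *css)
{
	if (--css->refcnt == 0)
		css_release(css);
}

/* Runs on destroy_work; its css_put() can drop the last reference. */
static void css_killed_work_fn(struct work_struct *work)
{
	struct cgroup_subsys_state *css =
		container_of(work, struct cgroup_subsys_state, destroy_work);

	css_put(css);
}

/* Drive the kill path with the kill reference as the only one left.
 * Returns how many init-active complaints the run produced. */
int simulate_css_kill(int use_release_work)
{
	struct cgroup_subsys_state css;

	memset(&css, 0, sizeof(css));
	css.refcnt = 1;
	css.use_release_work = use_release_work;
	odebug_init_active = 0;

	init_work(&css.destroy_work, css_killed_work_fn);	/* kill side */
	run_work(&css.destroy_work);				/* worker runs it */
	if (css.queued)
		run_work(css.queued);				/* release runs later */
	return odebug_init_active;
}

int main(void)
{
	printf("baseline (destroy_work reused): %d complaint(s)\n",
	       simulate_css_kill(0));
	printf("v2 (dedicated release_work):    %d complaint(s)\n",
	       simulate_css_kill(1));
	return 0;
}
```

The baseline run reports one complaint because css_release() is reached from inside the worker that is still executing destroy_work, so init_work() sees the item active; routing the release through its own work item removes the overlap, which is the whole effect of the v2 hunks.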

Hillf Danton

May 12, 2022, 9:54:50 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 12 May 2022 05:20:08 -0700
v1, See if it is due to race.
v2, Quiesce the warning by adding a dedicated release work in parallel to
the destroy work.
v3, See if it is due to race the second time.
--- y/fs/namespace.c
+++ x/fs/namespace.c
@@ -1221,10 +1221,15 @@ static void mntput_no_expire(struct moun
* we are dropping is not the final one.
*/
mnt_add_count(mnt, -1);
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
rcu_read_unlock();
return;
}
lock_mount_hash();
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
/*
* make sure that if __legitimize_mnt() has not seen us grab
* mount_lock, we'll see their refcount increment here.
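Review bot: mnt_get_count() sums the per-CPU mnt_count fields, and the first added block reads it under rcu_read_lock() only, right after the lockless mnt_add_count(mnt, -1). The comment directly above says the reference being dropped is known not to be the final one, but the summed value is not a stable snapshot: gets and puts on other CPUs can land between the per-CPU reads, so WARN_ON(count == 0) and WARN_ON(count < 0) here can fire on a perfectly healthy mount. The second added read sits after lock_mount_hash() but before the smp_mb() that the following comment says is required to observe __legitimize_mnt()'s increment, so it can also see a stale value. Take the diagnostic reading after that barrier if the goal is to distinguish a genuine underflow from a transient one.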
--

syzbot

May 12, 2022, 10:05:09 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 1 PID: 4303 at fs/namespace.c:1225 mntput_no_expire+0x965/0xfc0 fs/namespace.c:1225
Modules linked in:
CPU: 1 PID: 4303 Comm: syz-executor.2 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x965/0xfc0 fs/namespace.c:1225
Code: 05 00 00 48 8b 35 93 a4 dd 0b b9 01 00 00 00 bf 08 00 00 00 48 c7 c2 e0 fd f0 8b e8 c5 0e 72 ff e9 15 f9 ff ff e8 bb c0 9d ff <0f> 0b e9 ca f8 ff ff e8 af c0 9d ff 0f 0b e9 be f8 ff ff e8 a3 c0
RSP: 0018:ffffc900039dfd78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888018771d80 RSI: ffffffff81db8025 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81db78d8 R11: 0000000000000000 R12: 0000000000000002
R13: ffff88807d666600 R14: dffffc0000000000 R15: ffffed100facccca
FS: 00005555560e5400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555556a84848 CR3: 000000001a7cd000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1287
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f215003bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffc71fd75e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f215003bd2b
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007f215019d960 R08: 0000000000000000 R09: 00007ffc71fe1080
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000016e46
R13: 00007ffc71fd76e0 R14: 00007ffc71fd7700 R15: 0000000000000032
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=10502459f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1786c8c6f00000

Hillf Danton

May 13, 2022, 8:36:53 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 12 May 2022 07:05:08 -0700
v1, See if it is due to race.
v2, Quiesce the warning by adding a dedicated release work in parallel to
the destroy work.
v3, See if it is due to race the second time.
v4, See if it is due to race the third time.
@@ -632,6 +632,8 @@ int __legitimize_mnt(struct vfsmount *ba
smp_mb(); // see mntput_no_expire()
if (likely(!read_seqretry(&mount_lock, seq)))
return 0;
+ else
+ return -1;
if (bastard->mnt_flags & MNT_SYNC_UMOUNT) {
mnt_add_count(mnt, -1);
return 1;
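Review bot: the added `else return -1;` makes everything after it unreachable, including the MNT_SYNC_UMOUNT branch visible in the trailing context (`mnt_add_count(mnt, -1); return 1;`) and whatever follows it, so the compiler will flag dead code and, more importantly, the seqcount-retry behaviour changes for every mount, not only for the racing case under investigation. If the point is to learn whether the retry path is involved at all, a WARN_ON or a counter at that spot keeps the existing handling intact.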
@@ -1221,10 +1223,16 @@ static void mntput_no_expire(struct moun
* we are dropping is not the final one.
*/
mnt_add_count(mnt, -1);
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
rcu_read_unlock();
return;
}
lock_mount_hash();
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);

syzbot

May 13, 2022, 8:48:17 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 1 PID: 4387 at fs/namespace.c:1228 mntput_no_expire+0x985/0xfe0 fs/namespace.c:1228
Modules linked in:
CPU: 1 PID: 4387 Comm: syz-executor.4 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x985/0xfe0 fs/namespace.c:1228
Code: 00 00 00 bf 08 00 00 00 48 c7 c2 e0 fd f0 8b e8 b1 0e 72 ff e9 01 f9 ff ff e8 a7 c0 9d ff 0f 0b e9 b6 f8 ff ff e8 9b c0 9d ff <0f> 0b e9 aa f8 ff ff e8 8f c0 9d ff e8 ca d0 91 07 31 ff 89 c3 89
RSP: 0018:ffffc90003fb7d78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 0000000000000000
RDX: ffff88806bd9d880 RSI: ffffffff81db8045 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81db78ee R11: 0000000000000000 R12: 0000000000000002
R13: ffff88801f142600 R14: dffffc0000000000 R15: ffffed1003e284ca
FS: 00005555562ef400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f71d6e99ff8 CR3: 000000006b3ca000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1290
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f043643bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffecc2e9cc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f043643bd2b
RDX: 0000001b31320000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f043659d960 R08: 0000000000000000 R09: 00007ffecc37f080
R10: 00007ffecc37f090 R11: 0000000000000293 R12: 0000000000016ea4
R13: 00007ffecc2e9dc0 R14: 00007ffecc2e9de0 R15: 0000000000000032
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=103e78aef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14aafa9ef00000

Hillf Danton

May 13, 2022, 9:49:05 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 13 May 2022 05:48:17 -0700
v1, See if it is due to race.
v2, Quiesce the warning by adding a dedicated release work in parallel to
the destroy work.
v3, See if it is due to race the second time.
v4, See if it is due to race the third time.
v5, See if it is due to race once more.
@@ -623,11 +623,15 @@ static void delayed_free_vfsmnt(struct r
int __legitimize_mnt(struct vfsmount *bastard, unsigned seq)
{
struct mount *mnt;
+ int count;
if (read_seqretry(&mount_lock, seq))
return 1;
if (bastard == NULL)
return 0;
mnt = real_mount(bastard);
+ count = mnt_get_count(mnt);
+ if (count < 1)
+ return 1;
mnt_add_count(mnt, 1);
smp_mb(); // see mntput_no_expire()
if (likely(!read_seqretry(&mount_lock, seq)))
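Review bot: the new `if (count < 1) return 1;` reads mnt_get_count() before taking the reference, under rcu_read_lock() only, so it is a lockless check-then-act: the count can reach zero between this read and the mnt_add_count(mnt, 1) that follows, and because mnt_get_count() sums per-CPU counters it can also read low while the mount is healthy, turning a legitimate lookup into a spurious retry. The sequence already in the context (increment, smp_mb(), read_seqretry()) is the mechanism that closes this race against mntput_no_expire(); a pre-read in front of it adds noise rather than safety.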
@@ -1221,10 +1225,16 @@ static void mntput_no_expire(struct moun

syzbot

May 13, 2022, 10:12:13 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4363 at fs/namespace.c:1229 mntput_no_expire+0x979/0xfe0 fs/namespace.c:1229
Modules linked in:
CPU: 0 PID: 4363 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x979/0xfe0 fs/namespace.c:1229
Code: 04 00 00 48 8b 35 ff a4 dd 0b b9 01 00 00 00 bf 08 00 00 00 48 c7 c2 20 fe f0 8b e8 b1 0e 72 ff e9 01 f9 ff ff e8 a7 c0 9d ff <0f> 0b e9 b6 f8 ff ff e8 9b c0 9d ff 0f 0b e9 aa f8 ff ff e8 8f c0
RSP: 0018:ffffc90003c2fd78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880243f9d80 RSI: ffffffff81db8039 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81db78d8 R11: 0000000000000000 R12: 0000000000000002
R13: ffff888022f03800 R14: dffffc0000000000 R15: ffffed10045e070a
FS: 0000555556ec8400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555662a848 CR3: 000000006e4e0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1292
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f5ac9e3bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffd32b26f80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f5ac9e3bd2b
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007f5ac9f9d960 R08: 0000000000000000 R09: 00007ffd32bcf080
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000001705f
R13: 00007ffd32b27080 R14: 00007ffd32b270a0 R15: 0000000000000032
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=126c6aa5f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10935b21f00000

Hillf Danton

May 13, 2022, 10:45:53 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 13 May 2022 07:12:12 -0700
v1, See if it is due to race.
v2, Quiesce the warning by adding a dedicated release work in parallel to
the destroy work.
v3, See if it is due to race the second time.
v4, See if it is due to race the third time.
v5, See if it is due to race once more.
v6, See if it is due to imbalance in count.
@@ -215,7 +215,7 @@ static struct mount *alloc_vfsmnt(const
if (!mnt->mnt_pcp)
goto out_free_devname;

- this_cpu_add(mnt->mnt_pcp->mnt_count, 1);
+ this_cpu_add(mnt->mnt_pcp->mnt_count, 2);
#else
mnt->mnt_count = 1;
mnt->mnt_writers = 0;
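Review bot: starting every mount at a count of 2 on the per-CPU path hands each mount a reference that nothing ever drops, so no mount can reach zero and be freed; acceptable as a one-off probe, but it must not travel beyond the test. It also leaves the `#else` branch in the context at `mnt->mnt_count = 1;`, so the two configurations now disagree. The result is still useful: the test run that follows reports the mntput_no_expire warning even with the extra reference in place, which argues against a simple off-by-one at allocation and for an extra put somewhere on the umount path.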
@@ -1221,10 +1221,16 @@ static void mntput_no_expire(struct moun

syzbot

May 13, 2022, 11:14:10 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4063 at fs/namespace.c:1232 mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1232
Modules linked in:
CPU: 0 PID: 4063 Comm: syz-executor.4 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1232
Call Trace:
<TASK>
mntput fs/namespace.c:1288 [inline]
namespace_unlock+0x3ee/0x410 fs/namespace.c:1507
do_umount fs/namespace.c:1726 [inline]
path_umount+0x797/0x1260 fs/namespace.c:1808
ksys_umount fs/namespace.c:1831 [inline]
__do_sys_umount fs/namespace.c:1836 [inline]
__se_sys_umount fs/namespace.c:1834 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1834
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=14be78aef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10db8f71f00000

Hillf Danton

May 13, 2022, 8:50:44 PM5/13/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 13 May 2022 08:14:09 -0700
v1, See if it is due to race.
v2, Quiesce the warning by adding a dedicated release work in parallel to
the destroy work.
v3, See if it is due to race the second time.
v4, See if it is due to race the third time.
v5, See if it is due to race once more.
v6, See if it is due to imbalance in count.
v7, See if it is due to imbalance in count.
@@ -1595,8 +1601,10 @@ static void umount_tree(struct mount *mn
}
}
change_mnt_propagation(p, MS_PRIVATE);
- if (disconnect)
+ if (disconnect) {
hlist_add_head(&p->mnt_umount, &unmounted);
+ WARN_ON(mnt_get_count(p) == 0);
+ }
}
}

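Review bot: WARN_ON(mnt_get_count(p) == 0) after queueing p on the unmounted list only records that the count reached zero, not what the value was or which drop got it there. Since the series is chasing a count imbalance, a WARN(count <= 0, "... count=%d", count) that also catches a negative value, applied in the !disconnect branch as well, would give the next report more to work with. The summed per-CPU count is only meaningful here because umount_tree runs under mount_lock; that assumption is worth a comment next to the check.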
@@ -1748,6 +1756,7 @@ void __detach_mounts(struct dentry *dent
if (mnt->mnt.mnt_flags & MNT_UMOUNT) {
umount_mnt(mnt);
hlist_add_head(&mnt->mnt_umount, &unmounted);
+ WARN_ON(mnt_get_count(mnt) == 0);
}
else umount_tree(mnt, UMOUNT_CONNECTED);
}
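Review bot: this is the same check as in umount_tree, duplicated inline in __detach_mounts; a small helper taking the struct mount and reporting the value with WARN(count == 0, "...") would keep both sites consistent and make the report show the actual count rather than only that the condition held.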
--

syzbot

May 13, 2022, 9:30:09 PM5/13/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in dst_dev_put

BUG: unable to handle page fault for address: ffffffffffffffff
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD ba8f067
P4D ba8f067
PUD ba91067
PMD 0

Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_dev_put+0x30/0x320 net/core/dst.c:154
Call Trace:
<TASK>
fib6_nh_release_dsts.part.0+0xf8/0x160 net/ipv6/route.c:3672
fib6_nh_release_dsts net/ipv6/route.c:3663 [inline]
fib6_nh_release+0x11a/0x240 net/ipv6/route.c:3653
fib6_info_destroy_rcu+0x187/0x210 net/ipv6/ip6_fib.c:176
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
run_ksoftirqd kernel/softirq.c:921 [inline]
run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Modules linked in:
CR2: ffffffffffffffff
---[ end trace 0000000000000000 ]---


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13f8f0f1f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1233a91af00000

Hillf Danton

May 14, 2022, 2:28:05 AM5/14/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 13 May 2022 18:30:09 -0700
v1, See if it is due to race.
v2, Quiesce the warning by adding a dedicated release work in parallel to
the destroy work.
v3, See if it is due to race the second time.
v4, See if it is due to race the third time.
v5, See if it is due to race once more.
v6, See if it is due to imbalance in count.
v7, See if it is due to imbalance in count.
v8, Try to handle PF.
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5926,6 +5926,7 @@ void tcp_rcv_established(struct sock *sk
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPHPHITS);

/* Bulk data transfer: receiver */
+ skb_dst_drop(skb);
__skb_pull(skb, tcp_header_len);
eaten = tcp_queue_rcv(sk, skb, &fragstolen);

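Review bot: the fault this revision is meant to handle was hit in dst_dev_put called from fib6_nh_release_dsts inside an RCU callback on ksoftirqd, that is, while an IPv6 nexthop's cached dsts were being released and a read of address ffffffffffffffff was attempted; dropping the skb's dst reference on the TCP established fast path changes when one reference goes away but not the lifetime of the cached dst, and the changelog gives no reason why the receive path is involved. The hunk also touches a different subsystem from the mount count checks, so a test of it cannot confirm or rule out the mntput imbalance; the two experiments are better kept separate.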
syzbot

May 14, 2022, 2:38:10 AM5/14/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 1 PID: 4281 at fs/namespace.c:1225 mntput_no_expire+0x979/0xfe0 fs/namespace.c:1225
Modules linked in:
CPU: 1 PID: 4281 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x979/0xfe0 fs/namespace.c:1225
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1288
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=11d1bd99f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14c96d96f00000

Hillf Danton

May 14, 2022, 3:31:30 AM5/14/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 13 May 2022 23:38:08 -0700
v1, See if it is due to race.
v2, Quiesce the warning by adding a dedicated release work in parallel to
the destroy work.
v3, See if it is due to race the second time.
v4, See if it is due to race the third time.
v5, See if it is due to race once more.
v6, See if it is due to imbalance in count.
v7, See if it is due to imbalance in count.
v8, Try to handle PF.
v9, See if it is due to imbalance in count.
@@ -1498,7 +1504,6 @@ static void namespace_unlock(void)

hlist_for_each_entry_safe(m, p, &head, mnt_umount) {
hlist_del(&m->mnt_umount);
- mntput(&m->mnt);
}
}

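Review bot: deleting the mntput(&m->mnt) for each entry taken off the unmounted list leaves the reference that kept that mount alive in its namespace undropped, so every unmounted mount and its superblock stay pinned forever. With that in place a warning that still fires cannot be attributed to the original imbalance, and one that goes quiet proves nothing either. If the question is whether this particular drop is the one going to zero, a WARN on the count just before the mntput answers it while keeping the accounting intact.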
@@ -1595,8 +1600,10 @@ static void umount_tree(struct mount *mn
}
}
change_mnt_propagation(p, MS_PRIVATE);
- if (disconnect)
+ if (disconnect) {
hlist_add_head(&p->mnt_umount, &unmounted);
+ WARN_ON(mnt_get_count(p) == 0);
+ }
}
}

@@ -1748,6 +1755,7 @@ void __detach_mounts(struct dentry *dent

syzbot

May 14, 2022, 3:42:09 AM5/14/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4055 at fs/namespace.c:1232 mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1232
Modules linked in:
CPU: 0 PID: 4055 Comm: syz-executor.4 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1232
Call Trace:
<TASK>
path_umount+0x7d4/0x1260 fs/namespace.c:1814
ksys_umount fs/namespace.c:1833 [inline]
__do_sys_umount fs/namespace.c:1838 [inline]
__se_sys_umount fs/namespace.c:1836 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1836
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=132990c6f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17ff8456f00000

Hillf Danton

May 14, 2022, 5:01:44 AM5/14/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 13 May 2022 23:38:08 -0700
v1, See if it is due to race.
v2, Quiesce the warning by adding a dedicated release work in parallel to
the destroy work.
v3, See if it is due to race the second time.
v4, See if it is due to race the third time.
v5, See if it is due to race once more.
v6, See if it is due to imbalance in count.
v7, See if it is due to imbalance in count.
v8, Try to handle PF.
v9, See if it is due to imbalance in count.
v10, See if it is due to imbalance in count.
@@ -1595,8 +1601,10 @@ static void umount_tree(struct mount *mn
}
}
change_mnt_propagation(p, MS_PRIVATE);
- if (disconnect)
+ if (disconnect) {
hlist_add_head(&p->mnt_umount, &unmounted);
+ WARN_ON(mnt_get_count(p) == 0);
+ }
}
}

@@ -1748,6 +1756,7 @@ void __detach_mounts(struct dentry *dent
if (mnt->mnt.mnt_flags & MNT_UMOUNT) {
umount_mnt(mnt);
hlist_add_head(&mnt->mnt_umount, &unmounted);
+ WARN_ON(mnt_get_count(mnt) == 0);
}
else umount_tree(mnt, UMOUNT_CONNECTED);
}
--- y/fs/namei.c
+++ x/fs/namei.c
@@ -2510,6 +2510,7 @@ static int path_lookupat(struct nameidat
err = -ENOTDIR;
if (!err) {
*path = nd->path;
+ mntget(path->mnt);
nd->path.mnt = NULL;
nd->path.dentry = NULL;
}
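Review bot: path_lookupat hands nd->path over to *path (the two lines that follow clear nd->path.mnt and nd->path.dentry precisely because ownership moves rather than being copied), so the added mntget(path->mnt) takes a reference that nothing releases and every successful lookup through this function leaks a mount reference. That can only mask the zero-count warning, not locate the missing increment, and stacking it on top of the umount_tree and __detach_mounts checks in the same patch makes it unclear which change a test result speaks to.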
--

syzbot

May 14, 2022, 5:20:09 AM5/14/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

cgroup: cgroup_addrm_files: failed to add max, err=-12
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4705 at fs/namespace.c:1225 mntput_no_expire+0x979/0xfe0 fs/namespace.c:1225
Modules linked in:
CPU: 1 PID: 4705 Comm: syz-executor.1 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x979/0xfe0 fs/namespace.c:1225
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1288
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
get_signal+0x1c5/0x24c0 kernel/signal.c:2641
arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13f70966f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1668ee31f00000

Hillf Danton

May 14, 2022, 7:47:34 AM5/14/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 14 May 2022 02:20:08 -0700
v11, See if it is due to imbalance in count.
--- y/fs/namei.c
+++ x/fs/namei.c
@@ -2510,6 +2510,7 @@ static int path_lookupat(struct nameidat
err = -ENOTDIR;
if (!err) {
*path = nd->path;
+ mntget(path->mnt);
nd->path.mnt = NULL;
nd->path.dentry = NULL;
}
@@ -1498,7 +1504,7 @@ static void namespace_unlock(void)

hlist_for_each_entry_safe(m, p, &head, mnt_umount) {
hlist_del(&m->mnt_umount);
- mntput(&m->mnt);
+ // mntput(&m->mnt);
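Review bot: commenting out the mntput(&m->mnt) has the same effect as deleting it: the reference that kept the mount alive in its namespace is never released, so each umount leaks the mount and its superblock, and the warning can only go quiet for the wrong reason. Commented-out code with // is also not kernel style; if the drop is to be disabled for an experiment, say so in the changelog and wrap it in #if 0 so the hunk cannot be mistaken for a candidate fix.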

syzbot

May 14, 2022, 7:59:10 AM5/14/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4445 at fs/namespace.c:1226 mntput_no_expire+0x985/0xfe0 fs/namespace.c:1226
Modules linked in:

CPU: 0 PID: 4445 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x985/0xfe0 fs/namespace.c:1226
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1288
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1794b83af00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10404456f00000

Hillf Danton

May 14, 2022, 9:37:56 AM5/14/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 14 May 2022 04:59:09 -0700
v12, See if it is due to imbalance in count.
@@ -910,6 +910,7 @@ void mnt_set_mountpoint(struct mount *mn
child_mnt->mnt_mountpoint = mp->m_dentry;
child_mnt->mnt_parent = mnt;
child_mnt->mnt_mp = mp;
+ mnt_add_count(child_mnt, 1);
hlist_add_head(&child_mnt->mnt_mp_list, &mp->m_list);
}

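Review bot: mnt_add_count(child_mnt, 1) in mnt_set_mountpoint takes a reference every time a mount is attached to a mountpoint, but the patch adds no matching drop where the mount is detached (umount_mnt / unhash_mnt), so this leaks on every mount instead of fixing a missing increment. If the hypothesis is that attach and detach are unbalanced, the thing to verify is that the existing drop on detach pairs with a get on attach, not to add a get without a put.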
@@ -1221,10 +1222,16 @@ static void mntput_no_expire(struct moun
* we are dropping is not the final one.
*/
mnt_add_count(mnt, -1);
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
rcu_read_unlock();
return;
}
lock_mount_hash();
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
/*
* make sure that if __legitimize_mnt() has not seen us grab
* mount_lock, we'll see their refcount increment here.
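Review bot: the first pair of checks sits in the fast path that holds only rcu_read_lock, and the comment right above it explains that this path is taken precisely when another reference is known to exist; mnt_get_count sums per-CPU counters without mount_lock, so a concurrent get on one CPU and put on another can make that sum read 0 or negative for a moment, and WARN_ON(count == 0) there will fire spuriously. The second pair runs under lock_mount_hash but is placed before the point the comment below it describes, where __legitimize_mnt's increment is guaranteed to be visible, so it can read a stale count too; move it after that point, where the function evaluates the final count anyway.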
@@ -1498,7 +1505,7 @@ static void namespace_unlock(void)

hlist_for_each_entry_safe(m, p, &head, mnt_umount) {
hlist_del(&m->mnt_umount);
- mntput(&m->mnt);
+ // mntput(&m->mnt);
}
}

@@ -1595,8 +1602,10 @@ static void umount_tree(struct mount *mn
}
}
change_mnt_propagation(p, MS_PRIVATE);
- if (disconnect)
+ if (disconnect) {
hlist_add_head(&p->mnt_umount, &unmounted);
+ WARN_ON(mnt_get_count(p) == 0);
+ }
}
}

@@ -1748,6 +1757,7 @@ void __detach_mounts(struct dentry *dent

syzbot

May 14, 2022, 9:40:09 AM5/14/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 1 PID: 4205 at fs/namespace.c:1226 mntput_no_expire+0x979/0xfe0 fs/namespace.c:1226
Modules linked in:
CPU: 1 PID: 4205 Comm: syz-executor.2 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x979/0xfe0 fs/namespace.c:1226
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1289
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=124eef66f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=123ae715f00000

Hillf Danton

May 14, 2022, 7:35:06 PM5/14/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 14 May 2022 06:40:07 -0700
v13, See if it is due to imbalance in count.
--- y/fs/namespace.c
+++ x/fs/namespace.c
@@ -1221,10 +1221,16 @@ static void mntput_no_expire(struct moun
* we are dropping is not the final one.
*/
mnt_add_count(mnt, -1);
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
rcu_read_unlock();
return;
}
lock_mount_hash();
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
/*
* make sure that if __legitimize_mnt() has not seen us grab
* mount_lock, we'll see their refcount increment here.
--- y/fs/file_table.c
+++ x/fs/file_table.c
@@ -372,6 +372,13 @@ void fput_many(struct file *file, unsign
{
if (atomic_long_sub_and_test(refs, &file->f_count)) {
struct task_struct *task = current;
+ struct vfsmount *mnt = file->f_path.mnt;
+ if (mnt) {
+ struct mount *m = real_mount(mnt);
+ int count = mnt_get_count(m);
+ WARN_ON(count == 0);
+ WARN_ON(m->mnt_ns && count < 2);
+ }

if (likely(!in_interrupt() && !(task->flags & PF_KTHREAD))) {
init_task_work(&file->f_u.fu_rcuhead, ____fput);
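Review bot: real_mount(), struct mount and mnt_get_count() are all declared in the private header fs/mount.h, which fs/file_table.c does not include, so this hunk will not build as posted; either include fs/mount.h here or put the check behind a helper declared in include/linux/mount.h. The check also runs without mount_lock and possibly from interrupt context (the in_interrupt() test just below is there for that reason), so the summed per-CPU count it reads is a racy snapshot and a warning from this site is not by itself evidence of an imbalance.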
--

syzbot

May 14, 2022, 8:22:09 PM5/14/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/file_table.c:377:22: error: implicit declaration of function 'real_mount'; did you mean 'kern_mount'? [-Werror=implicit-function-declaration]
fs/file_table.c:378:16: error: implicit declaration of function 'mnt_get_count'; did you mean 'init_page_count'? [-Werror=implicit-function-declaration]
fs/file_table.c:380:13: error: invalid use of undefined type 'struct mount'


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16788769f00000

Hillf Danton

May 14, 2022, 9:27:44 PM5/14/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 14 May 2022 04:59:09 -0700
@@ -1292,6 +1298,18 @@ struct vfsmount *mntget(struct vfsmount
}
EXPORT_SYMBOL(mntget);

+void mnt_check_count(struct vfsmount *mnt);
+{
+ if (mnt) {
+ struct mount *m = real_mount(mnt);
+ int count = mnt_get_count(m);
+
+ WARN_ON(count == 0);
+ WARN_ON(count < 2 && m->mnt_ns);
+ }
+}
+EXPORT_SYMBOL(mnt_check_count);
+
/**
* path_is_mountpoint() - Check if path is a mount in the current namespace.
* @path: path to check
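Review bot: the definition line "+void mnt_check_count(struct vfsmount *mnt);" carries a trailing semicolon before the opening brace, so what follows is a declaration plus a stray compound statement at file scope and the file will not compile; drop the semicolon. Separately, WARN_ON(count < 2 && m->mnt_ns) reads m->mnt_ns and sums the per-CPU counters without mount_lock, so on a mount shared across CPUs the snapshot can be stale and the warning can fire on a correct count; at minimum the helper's comment should say it is a best-effort diagnostic.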
--- y/include/linux/mount.h
+++ x/include/linux/mount.h
@@ -89,6 +89,7 @@ extern int mnt_want_write_file(struct fi
extern void mnt_drop_write(struct vfsmount *mnt);
extern void mnt_drop_write_file(struct file *file);
extern void mntput(struct vfsmount *mnt);
+extern void mnt_check_count(struct vfsmount *mnt);
extern struct vfsmount *mntget(struct vfsmount *mnt);
extern struct vfsmount *mnt_clone_internal(const struct path *path);
extern bool __mnt_is_readonly(struct vfsmount *mnt);
--- y/fs/file_table.c
+++ x/fs/file_table.c
@@ -372,6 +372,7 @@ void fput_many(struct file *file, unsign
{
if (atomic_long_sub_and_test(refs, &file->f_count)) {
struct task_struct *task = current;
+ mnt_check_count(file->f_path.mnt);
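Review bot: the check runs where `f_count` reaches zero, but the file's mount reference is only dropped later in `__fput()`, normally from task_work, so what is sampled here is the count at close() time while the file's own reference is still included in it; `count == 0` at this point can only mean some other path already underflowed the mount. If the aim is to catch the imbalance where it happens, the check belongs next to the `mntput(mnt)` in `__fput()`, and it should be taken under mount_lock since `mnt_get_count()` is a per-CPU sum.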

Hillf Danton

May 15, 2022, 1:06:09 AM5/15/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 14 May 2022 04:59:09 -0700

syzbot

May 15, 2022, 3:23:15 AM5/15/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/namespace.c:1302:1: error: expected identifier or '(' before '{' token


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13dff259f00000

syzbot

May 15, 2022, 3:52:10 AM5/15/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mnt_check_count

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4324 at fs/namespace.c:1307 mnt_check_count fs/namespace.c:1307 [inline]
WARNING: CPU: 0 PID: 4324 at fs/namespace.c:1307 mnt_check_count+0x14a/0x210 fs/namespace.c:1301
Modules linked in:
CPU: 1 PID: 4324 Comm: syz-executor.0 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mnt_check_count fs/namespace.c:1307 [inline]
RIP: 0010:mnt_check_count+0x14a/0x210 fs/namespace.c:1301
Code: ff 89 de bf 01 00 00 00 e8 c3 ed 9d ff 83 fb 01 7e 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f e9 8b eb 9d ff e8 86 eb 9d ff <0f> 0b e8 7f eb 9d ff 49 8d be c8 00 00 00 48 b8 00 00 00 00 00 fc
RSP: 0018:ffffc90003adfe60 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801613bb00 RSI: ffffffff81db555a RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81db5528 R11: 0000000000000000 R12: 0000000000000002
R13: dffffc0000000000 R14: ffff88814013cda0 R15: ffffed10280279ba
FS: 000055555725a400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb39859d090 CR3: 000000001a0ad000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
fput_many.part.0+0x3d/0x1a0 fs/file_table.c:375
fput_many fs/file_table.c:396 [inline]
fput+0x42/0x50 fs/file_table.c:395
filp_close+0x124/0x160 fs/open.c:1329
close_fd+0x6f/0xa0 fs/file.c:671
__do_sys_close fs/open.c:1342 [inline]
__se_sys_close fs/open.c:1340 [inline]
__x64_sys_close+0x2f/0xa0 fs/open.c:1340
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f4ef943bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffc2b1ebbc0 EFLAGS: 00000293
ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f4ef943bd2b
RDX: 0000001b31d20000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f4ef959d960 R08: 0000000000000000 R09: 00007ffc2b1fa080
R10: 00007ffc2b1fa090 R11: 0000000000000293 R12: 0000000000015538
R13: 00007ffc2b1ebcc0 R14: 00007ffc2b1ebce0 R15: 0000000000000032
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1488f396f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12375f31f00000

Hillf Danton

May 15, 2022, 5:47:33 AM5/15/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sun, 15 May 2022 00:52:09 -0700
v14, see if it is due to an imbalance in count.
+ //WARN_ON(count == 0);
+ //WARN_ON(count < 2 && m->mnt_ns);
+ }
+}
+EXPORT_SYMBOL(mnt_check_count);
+
/**
* path_is_mountpoint() - Check if path is a mount in the current namespace.
* @path: path to check
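Review bot: with both WARN_ONs commented out, `mnt_check_count()` is now an empty function that is still exported; if the helper is being kept for later revisions, an `#if 0` block or a `static` function with an `#ifdef` is cleaner than commented-out statements, and the `EXPORT_SYMBOL` can go.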
--- y/include/linux/mount.h
+++ x/include/linux/mount.h
@@ -89,6 +89,7 @@ extern int mnt_want_write_file(struct fi
extern void mnt_drop_write(struct vfsmount *mnt);
extern void mnt_drop_write_file(struct file *file);
extern void mntput(struct vfsmount *mnt);
+extern void mnt_check_count(struct vfsmount *mnt);
extern struct vfsmount *mntget(struct vfsmount *mnt);
extern struct vfsmount *mnt_clone_internal(const struct path *path);
extern bool __mnt_is_readonly(struct vfsmount *mnt);
--- y/fs/file_table.c
+++ x/fs/file_table.c
@@ -330,7 +330,7 @@ static void __fput(struct file *file)
dput(dentry);
if (unlikely(mode & FMODE_NEED_UNMOUNT))
dissolve_on_fput(mnt);
- mntput(mnt);
+ //mntput(mnt);
out:
file_free(file);
}
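Review bot: commenting out `mntput(mnt)` in `__fput()` removes the release of the file's mount reference for every close on the system, so from this revision on every mount that ever had a file open keeps one extra reference per close. That is a deliberate leak, and it is acceptable for a single diagnostic run, but any refcount warning or fault syzbot reports on top of it has to be read against that leak rather than as a result about the original bug. Prefer `#if 0` with a comment saying why over `//mntput(mnt);`, which reads like dead code to anyone skimming the diff.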
@@ -373,6 +373,8 @@ void fput_many(struct file *file, unsign
if (atomic_long_sub_and_test(refs, &file->f_count)) {
struct task_struct *task = current;

+ //mnt_check_count(file->f_path.mnt);
+
if (likely(!in_interrupt() && !(task->flags & PF_KTHREAD))) {
init_task_work(&file->f_u.fu_rcuhead, ____fput);
if (!task_work_add(task, &file->f_u.fu_rcuhead, TWA_RESUME))
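Review bot: with the `mnt_check_count()` call commented out here and the WARN_ONs inside the helper also disabled, the only behavioural change left in this revision is the dropped `mntput()` in `__fput()`; that is worth saying in the cover note so the test result can be attributed to it, and the dead call and its blank line can simply be removed rather than left commented.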
--

syzbot

May 15, 2022, 5:59:09 AM5/15/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in dst_dev_put

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_dev_put+0x22/0x320 net/core/dst.c:154
Code: 00 00 00 00 00 0f 1f 00 41 57 41 56 49 89 fe 41 55 41 54 55 e8 5f 7b 2b fa 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 dc 02 00 00 49 8d 7e 3a 4d 8b 26 48 b8 00 00 00
RSP: 0018:ffffc90000147c88 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000100
RDX: 0000000000000000 RSI: ffffffff874dc581 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: ffffe8ffffd801e7
R10: fffff91ffffb003c R11: 0000000000000000 R12: 0000000000000003
R13: ffff888069c1a8a8 R14: 0000000000000001 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f729a014ff8 CR3: 0000000023035000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
fib6_nh_release_dsts.part.0+0xf8/0x160 net/ipv6/route.c:3672
fib6_nh_release_dsts net/ipv6/route.c:3663 [inline]
fib6_nh_release+0x11a/0x240 net/ipv6/route.c:3653
fib6_info_destroy_rcu+0x187/0x210 net/ipv6/ip6_fib.c:176
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
run_ksoftirqd kernel/softirq.c:921 [inline]
run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:dst_dev_put+0x22/0x320 net/core/dst.c:154
Code: 00 00 00 00 00 0f 1f 00 41 57 41 56 49 89 fe 41 55 41 54 55 e8 5f 7b 2b fa 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 dc 02 00 00 49 8d 7e 3a 4d 8b 26 48 b8 00 00 00
RSP: 0018:ffffc90000147c88 EFLAGS: 00010246

RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000100
RDX: 0000000000000000 RSI: ffffffff874dc581 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: ffffe8ffffd801e7
R10: fffff91ffffb003c R11: 0000000000000000 R12: 0000000000000003
R13: ffff888069c1a8a8 R14: 0000000000000001 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f729a014ff8 CR3: 0000000023035000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 0f 1f 00 nopl (%rax)
7: 41 57 push %r15
9: 41 56 push %r14
b: 49 89 fe mov %rdi,%r14
e: 41 55 push %r13
10: 41 54 push %r12
12: 55 push %rbp
13: e8 5f 7b 2b fa callq 0xfa2b7b77
18: 4c 89 f2 mov %r14,%rdx
1b: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
22: fc ff df
25: 48 c1 ea 03 shr $0x3,%rdx
* 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2d: 0f 85 dc 02 00 00 jne 0x30f
33: 49 8d 7e 3a lea 0x3a(%r14),%rdi
37: 4d 8b 26 mov (%r14),%r12
3a: 48 rex.W
3b: b8 .byte 0xb8
3c: 00 00 add %al,(%rax)


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=16848769f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15cc4e85f00000

Hillf Danton

May 15, 2022, 9:31:25 AM5/15/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sun, 15 May 2022 02:59:07 -0700
v15, see if the PF can be reproduced.

syzbot

May 15, 2022, 9:42:10 AM5/15/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in cleanup_mnt

------------[ cut here ]------------
WARNING: CPU: 1 PID: 4044 at fs/namespace.c:1177 cleanup_mnt+0x416/0x540 fs/namespace.c:1177
Modules linked in:

CPU: 1 PID: 4044 Comm: syz-executor.0 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:cleanup_mnt+0x416/0x540 fs/namespace.c:1177
Code: 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f e9 f1 9f 89 ff e8 5c b3 9d ff 48 89 df e8 84 52 06 00 e9 40 fd ff ff e8 4a b3 9d ff <0f> 0b e9 ff fc ff ff e8 2e 44 e9 ff eb ab 48 c7 c7 a0 26 b9 8d e8
RSP: 0018:ffffc900031efe78 EFLAGS: 00010293

RAX: 0000000000000000 RBX: ffff88814013dc80 RCX: 0000000000000000
RDX: ffff888073a85880 RSI: ffffffff81db8d96 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81db8a93 R11: 0000000000000001 R12: 00000000ffffffff
R13: 0000000000000002 R14: dffffc0000000000 R15: ffffed1028027b9a
FS: 0000555556e94400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4df11a0000 CR3: 000000007054d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f832748a557
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc0b9d39f8 EFLAGS: 00000246
ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f832748a557
RDX: 00007ffc0b9d3ac9 RSI: 000000000000000a RDI: 00007ffc0b9d3ac0
RBP: 00007ffc0b9d3ac0 R08: 00000000ffffffff R09: 00007ffc0b9d3890
R10: 0000555556e958b3 R11: 0000000000000246 R12: 00007f83274e21f8
R13: 00007ffc0b9d4b80 R14: 0000555556e95810 R15: 00007ffc0b9d4bc0
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=17d119aef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12ab09a5f00000

Hillf Danton

May 16, 2022, 8:22:39 AM5/16/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sun, 15 May 2022 06:42:09 -0700
v16, try to quiesce the warning by waiting for writers to go home.
diff -pur a/fs/file_table.c b/fs/file_table.c
--- a/fs/file_table.c 2022-05-16 19:54:05.244159900 +0800
+++ b/fs/file_table.c 2022-05-16 19:55:14.706577300 +0800
@@ -330,7 +330,7 @@ static void __fput(struct file *file)
dput(dentry);
if (unlikely(mode & FMODE_NEED_UNMOUNT))
dissolve_on_fput(mnt);
- mntput(mnt);
+ //mntput(mnt);
out:
file_free(file);
}
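Review bot: this revision still carries the `//mntput(mnt);` leak from v14, so mount counts in the v16 run are not those of an unpatched kernel; the writer wait introduced further down in the same patch is being exercised on top of a deliberate reference leak, which makes any count-related warning it produces hard to interpret. Restore the `mntput()` before testing the wait.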
diff -pur a/fs/mount.h b/fs/mount.h
--- a/fs/mount.h 2022-05-16 19:33:29.792582900 +0800
+++ b/fs/mount.h 2022-05-16 19:38:05.627715000 +0800
@@ -77,6 +77,7 @@ struct mount {
int mnt_expiry_mark; /* true if marked for expiry */
struct hlist_head mnt_pins;
struct hlist_head mnt_stuck_children;
+ struct wait_queue_head wwq; /* writer wq */
} __randomize_layout;

#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
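Review bot: `wwq` is an opaque name and "writer wq" is the only documentation the new field gets; for a debug-only waiter a single `static DECLARE_WAIT_QUEUE_HEAD()` in fs/namespace.c would do the job without growing every `struct mount` and without the extra `init_waitqueue_head()` in `alloc_vfsmnt()`. If the field stays, name it for what it waits on (e.g. `mnt_writers_wq`) and say in the comment which side sleeps and which side wakes.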
diff -pur a/fs/namespace.c b/fs/namespace.c
--- a/fs/namespace.c 2022-05-16 19:34:10.676163000 +0800
+++ b/fs/namespace.c 2022-05-16 19:51:59.915219000 +0800
@@ -233,6 +233,7 @@ static struct mount *alloc_vfsmnt(const
INIT_LIST_HEAD(&mnt->mnt_umounting);
INIT_HLIST_HEAD(&mnt->mnt_stuck_children);
mnt->mnt.mnt_userns = &init_user_ns;
+ init_waitqueue_head(&mnt->wwq);
}
return mnt;

@@ -469,6 +470,12 @@ void mnt_drop_write(struct vfsmount *mnt
{
__mnt_drop_write(mnt);
sb_end_write(mnt->mnt_sb);
+ if (mnt->mnt_flags & MNT_DOOMED) {
+ struct mount *m = real_mount(mnt);
+
+ if (!m->mnt_ns && !mnt_get_writers(m))
+ wake_up(&m->wwq);
+ }
}
EXPORT_SYMBOL_GPL(mnt_drop_write);

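Review bot: the wake-up only lives in `mnt_drop_write()`, but `__mnt_drop_write()` is also reached through `mnt_drop_write_file()`, so a writer released by that path never wakes the `wait_event()` this patch adds in `cleanup_mnt()` and the task doing the cleanup sleeps until some unrelated writer happens to pass through here. The condition `!m->mnt_ns && !mnt_get_writers(m)` also reads the per-CPU writer sum with no lock held, so it can miss the transition it is looking for. Waking unconditionally from `__mnt_drop_write()` (a wake_up on an empty queue is cheap) would cover both callers.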
@@ -1174,7 +1181,7 @@ static void cleanup_mnt(struct mount *mn
* The locking used to deal with mnt_count decrement provides barriers,
* so mnt_get_writers() below is safe.
*/
- WARN_ON(mnt_get_writers(mnt));
+ wait_event(mnt->wwq, !mnt_get_writers(mnt));
if (unlikely(mnt->mnt_pins.first))
mnt_pin_kill(mnt);
hlist_for_each_entry_safe(m, p, &mnt->mnt_stuck_children, mnt_umount) {
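Review bot: replacing `WARN_ON(mnt_get_writers(mnt))` with an unbounded `wait_event()` turns a loud refcount bug into a silent hang. A writer that outlives the last mount reference is exactly the condition the WARN exists to catch; if that writer is never dropped, the cleanup task waits forever, and for MNT_INTERNAL mounts `cleanup_mnt()` is called synchronously from `mntput_no_expire()`, so the sleep happens in whatever context did the final put. The comment kept just above ("The locking used to deal with mnt_count decrement provides barriers, so mnt_get_writers() below is safe") describes the single read it used to guard and no longer matches a polling wait. If a wait is wanted for the experiment, use `wait_event_timeout()` and keep the WARN when it times out.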
@@ -1221,10 +1228,16 @@ static void mntput_no_expire(struct moun
* we are dropping is not the final one.
*/
mnt_add_count(mnt, -1);
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
rcu_read_unlock();
return;
}
lock_mount_hash();
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
/*
* make sure that if __legitimize_mnt() has not seen us grab
* mount_lock, we'll see their refcount increment here.
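Review bot: the first `count = mnt_get_count(mnt)` after `mnt_add_count(mnt, -1)` runs in the `mnt_ns` fast path under rcu_read_lock only, without mount_lock; since `mnt_get_count()` sums per-CPU counters, concurrent mntget()/mntput() on other CPUs can make that sum transiently 0 or negative and both WARN_ONs can fire on a healthy mount. The second pair sits after `lock_mount_hash()` but before the `smp_mb()` and `mnt_add_count(mnt, -1)` that the original code performs under the lock, so there `count == 0` would mean the caller's own reference is already gone; by this hunk's numbering that `WARN_ON(count == 0)` is new line 1239, which is the line the later mntput_no_expire report points at if v18 keeps this hunk unchanged. Keep only the locked checks, or take mount_lock around the first read.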
diff -pur a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
--- a/include/linux/cgroup-defs.h 2022-05-16 20:01:41.873691800 +0800
+++ b/include/linux/cgroup-defs.h 2022-05-16 20:05:57.239210800 +0800
@@ -179,7 +179,7 @@ struct cgroup_subsys_state {
atomic_t online_cnt;

/* percpu_ref killing and RCU release */
- struct work_struct destroy_work;
+ struct work_struct destroy_work, release_work;
struct rcu_work destroy_rwork;

/*
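Review bot: the cgroup-defs.h and cgroup.c changes have nothing to do with the mount warning in the subject, and the cover text ("try to quiesce the warning by waiting for writers to go home") describes only the fs/namespace.c part. Split the cgroup change into its own patch with a changelog that says what overlap between the two users of `destroy_work` it is meant to avoid, and give `release_work` its own comment instead of sharing "percpu_ref killing and RCU release" with `destroy_work`.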
diff -pur a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
--- a/kernel/cgroup/cgroup.c 2022-05-16 20:03:31.595702700 +0800
+++ b/kernel/cgroup/cgroup.c 2022-05-16 20:05:57.255709200 +0800
@@ -5154,7 +5154,7 @@ static void css_free_rwork_fn(struct wor
static void css_release_work_fn(struct work_struct *work)
{
struct cgroup_subsys_state *css =
- container_of(work, struct cgroup_subsys_state, destroy_work);
+ container_of(work, struct cgroup_subsys_state, release_work);
struct cgroup_subsys *ss = css->ss;
struct cgroup *cgrp = css->cgroup;

@@ -5210,8 +5210,8 @@ static void css_release(struct percpu_re
struct cgroup_subsys_state *css =
container_of(ref, struct cgroup_subsys_state, refcnt);

- INIT_WORK(&css->destroy_work, css_release_work_fn);
- queue_work(cgroup_destroy_wq, &css->destroy_work);
+ INIT_WORK(&css->release_work, css_release_work_fn);
+ queue_work(cgroup_destroy_wq, &css->release_work);
}

static void init_and_link_css(struct cgroup_subsys_state *css,
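Review bot: upstream, `css_killed_ref_fn()` and `css_release()` both queue on `destroy_work`, but they run at different points of the css lifecycle (kill confirmation first, final release after the last reference is dropped), so a second work item only helps if those two can actually overlap for one css. If that overlap is the hypothesis behind this change, state it in the changelog together with the trace that suggests it; otherwise the hunk adds a field to every css for no observable effect.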
diff -pur a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
--- a/net/ipv4/tcp_input.c 2022-05-16 19:59:50.885069300 +0800
+++ b/net/ipv4/tcp_input.c 2022-05-16 20:05:57.183788500 +0800

syzbot

May 16, 2022, 8:33:10 AM5/16/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in percpu_ref_switch_to_atomic_rcu

------------[ cut here ]------------
percpu ref (css_release) <= 0 (-4294967295) after switching to atomic
WARNING: CPU: 1 PID: 4059 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196
Modules linked in:
CPU: 1 PID: 4059 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196
Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c0 00 00 00 49 8b 77 e8 4c 89 e2 48 c7 c7 60 e3 26 8a e8 bc a7 31 05 <0f> 0b e9 34 ff ff ff 48 89 c6 48 c7 c7 80 39 69 8c 48 89 44 24 08
RSP: 0018:ffffc900001e0e20 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801d1bbb00 RSI: ffffffff81601ae8 RDI: fffff5200003c1b6
RBP: ffff88802009bf00 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815fc4be R11: 0000000000000000 R12: ffffffff00000001
R13: dffffc0000000000 R14: 0000607f46080068 R15: ffff88802009bf20
FS: 0000555556ed0400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f729536db58 CR3: 000000006f54c000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 ba 60 ed f7 48 89 ef e8 02 e0 ed f7 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 23 ff e0 f7 65 8b 05 2c 24 92 76 85 c0 74 0a 5b 5d c3 e8 b0 3d
RSP: 0018:ffffc9000331f668 EFLAGS: 00000206
RAX: 0000000000000006 RBX: 0000000000000200 RCX: 1ffffffff1b71ef9
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff8be8f980 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817f8988 R11: 0000000000000000 R12: 0000000000000000
R13: 0000607f4607e000 R14: ffff8881457e8448 R15: ffff8881457e8471
spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
free_percpu mm/percpu.c:2305 [inline]
free_percpu+0x7eb/0x10c0 mm/percpu.c:2261
xt_percpu_counter_free+0x96/0xc0 net/netfilter/x_tables.c:1950
cleanup_entry+0x24f/0x300 net/ipv4/netfilter/ip_tables.c:656
__do_replace+0x628/0x870 net/ipv4/netfilter/ip_tables.c:1085
do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline]
do_ipt_set_ctl+0x901/0xb80 net/ipv4/netfilter/ip_tables.c:1630
nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
ip_setsockopt+0x3c3/0x3ab0 net/ipv4/ip_sockglue.c:1444
tcp_setsockopt+0x136/0x2520 net/ipv4/tcp.c:3696
__sys_setsockopt+0x2db/0x6a0 net/socket.c:2180
__do_sys_setsockopt net/socket.c:2191 [inline]
__se_sys_setsockopt net/socket.c:2188 [inline]
__x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f729528a73a
Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdea7f0d38 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f729528a73a
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffdea7f0d60 R08: 0000000000000408 R09: fefefefeff646b66
R10: 00007f729536db00 R11: 0000000000000202 R12: 00007ffdea7f0dc0
R13: 0000000000000003 R14: 00007ffdea7f0d5c R15: 00007f729536daa0
</TASK>
----------------
Code disassembly (best guess):
0: 74 24 je 0x26
2: 10 e8 adc %ch,%al
4: ba 60 ed f7 48 mov $0x48f7ed60,%edx
9: 89 ef mov %ebp,%edi
b: e8 02 e0 ed f7 callq 0xf7ede012
10: 81 e3 00 02 00 00 and $0x200,%ebx
16: 75 25 jne 0x3d
18: 9c pushfq
19: 58 pop %rax
1a: f6 c4 02 test $0x2,%ah
1d: 75 2d jne 0x4c
1f: 48 85 db test %rbx,%rbx
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 23 ff e0 f7 callq 0xf7e0ff52 <-- trapping instruction
2f: 65 8b 05 2c 24 92 76 mov %gs:0x7692242c(%rip),%eax # 0x76922462
36: 85 c0 test %eax,%eax
38: 74 0a je 0x44
3a: 5b pop %rbx
3b: 5d pop %rbp
3c: c3 retq
3d: e8 .byte 0xe8
3e: b0 3d mov $0x3d,%al


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1626d569f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1266a479f00000

Hillf Danton

May 16, 2022, 7:39:34 PM5/16/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sun, 15 May 2022 06:42:09 -0700
percpu ref (css_release) <= 0 (-4294967295) after switching to atomic
WARNING: CPU: 1 PID: 4059 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196

v17, see if the percpu-refcount warning can be reproduced.

syzbot

May 16, 2022, 10:57:14 PM5/16/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in percpu_ref_switch_to_atomic_rcu

------------[ cut here ]------------
percpu ref (css_release) <= 0 (-4294967295) after switching to atomic
WARNING: CPU: 1 PID: 0 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196
Modules linked in:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196
Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c0 00 00 00 49 8b 77 e8 4c 89 e2 48 c7 c7 60 e3 26 8a e8 bc a7 31 05 <0f> 0b e9 34 ff ff ff 48 89 c6 48 c7 c7 80 39 69 8c 48 89 44 24 08
RSP: 0018:ffffc900001e0e20 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888010e71d80 RSI: ffffffff81601ae8 RDI: fffff5200003c1b6
RBP: ffff88801c8e2380 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815fc4be R11: 0000000000000000 R12: ffffffff00000001
R13: dffffc0000000000 R14: 0000607f4607c018 R15: ffff88801c8e23a0
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555556503848 CR3: 0000000023275000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c6/0x250 drivers/acpi/processor_idle.c:551
Code: 89 de e8 1d 00 09 f8 84 db 75 ac e8 34 fc 08 f8 e8 9f 44 0f f8 eb 0c e8 28 fc 08 f8 0f 00 2d c1 93 c2 00 e8 1c fc 08 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 97 fe 08 f8 48 85 db
RSP: 0018:ffffc90000177d20 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888010e71d80 RSI: ffffffff897044c4 RDI: 0000000000000000
RBP: ffff88801640a864 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817f8988 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88801640a800 R14: ffff88801640a864 R15: ffff888147cb0004
acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:686
cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x3e8/0x590 kernel/sched/idle.c:303
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:400
start_secondary+0x224/0x2c0 arch/x86/kernel/smpboot.c:266
secondary_startup_64_no_verify+0xc3/0xcb
</TASK>
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: e8 1d 00 09 f8 callq 0xf8090024
7: 84 db test %bl,%bl
9: 75 ac jne 0xffffffb7
b: e8 34 fc 08 f8 callq 0xf808fc44
10: e8 9f 44 0f f8 callq 0xf80f44b4
15: eb 0c jmp 0x23
17: e8 28 fc 08 f8 callq 0xf808fc44
1c: 0f 00 2d c1 93 c2 00 verw 0xc293c1(%rip) # 0xc293e4
23: e8 1c fc 08 f8 callq 0xf808fc44
28: fb sti
29: f4 hlt
* 2a: 9c pushfq <-- trapping instruction
2b: 5b pop %rbx
2c: 81 e3 00 02 00 00 and $0x200,%ebx
32: fa cli
33: 31 ff xor %edi,%edi
35: 48 89 de mov %rbx,%rsi
38: e8 97 fe 08 f8 callq 0xf808fed4
3d: 48 85 db test %rbx,%rbx


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=110e4759f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1545e62df00000

Hillf Danton

May 17, 2022, 7:14:19 AM5/17/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sun, 15 May 2022 06:42:09 -0700
percpu ref (css_release) <= 0 (-4294967295) after switching to atomic
WARNING: CPU: 1 PID: 4059 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196

v17, see if the percpu-refcount warning can be reproduced.
v18, try to quiesce the warning by avoiding a ref leak in css.
+++ b/kernel/cgroup/cgroup.c 2022-05-17 19:05:10.484641700 +0800
@@ -5154,7 +5154,7 @@ static void css_free_rwork_fn(struct wor
static void css_release_work_fn(struct work_struct *work)
{
struct cgroup_subsys_state *css =
- container_of(work, struct cgroup_subsys_state, destroy_work);
+ container_of(work, struct cgroup_subsys_state, release_work);
struct cgroup_subsys *ss = css->ss;
struct cgroup *cgrp = css->cgroup;

@@ -5210,8 +5210,8 @@ static void css_release(struct percpu_re
struct cgroup_subsys_state *css =
container_of(ref, struct cgroup_subsys_state, refcnt);

- INIT_WORK(&css->destroy_work, css_release_work_fn);
- queue_work(cgroup_destroy_wq, &css->destroy_work);
+ INIT_WORK(&css->release_work, css_release_work_fn);
+ queue_work(cgroup_destroy_wq, &css->release_work);
}

static void init_and_link_css(struct cgroup_subsys_state *css,
@@ -5547,14 +5547,19 @@ static void css_killed_work_fn(struct wo
{
struct cgroup_subsys_state *css =
container_of(work, struct cgroup_subsys_state, destroy_work);
+ int put = 1;

mutex_lock(&cgroup_mutex);

do {
+ struct cgroup_subsys_state *parent = css->parent;
+
offline_css(css);
- css_put(css);
- /* @css can't go away while we're holding cgroup_mutex */
- css = css->parent;
+ if (put) {
+ css_put(css);
+ put = 0;
+ }
+ css = parent;
} while (css && atomic_dec_and_test(&css->online_cnt));

mutex_unlock(&cgroup_mutex);

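Review bot: the `css_put()` in this loop balances the `css_get()` that `kill_css()` takes before `percpu_ref_kill_and_confirm()`, and it does so for every css offlined through this walk, parents included: a parent whose `online_cnt` only drops to zero here is offlined here, not from its own work item. Putting only the first css therefore leaks one reference for each parent offlined from a child's work, so the `css_release` percpu-ref underflow would be hidden behind a leak rather than explained. The deleted comment "@css can't go away while we're holding cgroup_mutex" documented why reading `css->parent` after the put was safe; if `parent` is snapshotted first for another reason, keep the comment and say why the snapshot is needed.
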
syzbot

May 17, 2022, 7:35:11 AM5/17/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4042 at fs/namespace.c:1239 mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1239
Modules linked in:
CPU: 0 PID: 4042 Comm: syz-executor.2 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1239
Code: 00 48 c7 c7 c0 16 db 89 c6 05 33 c9 c8 0b 01 e8 c9 55 4d 07 e9 57 ff ff ff e8 2a bd 9d ff 0f 0b e9 df f9 ff ff e8 1e bd 9d ff <0f> 0b e9 d3 f9 ff ff e8 12 bd 9d ff e8 4d b7 88 ff 31 ff 89 c3 89
RSP: 0018:ffffc9000313fcf0 EFLAGS: 00010293

RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801ba15880 RSI: ffffffff81db8412 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: ffffffff9006e94f
R10: ffffffff81db7dce R11: 0000000000000001 R12: ffffc9000313fd40
R13: ffff88801f6ea800 R14: 0000000000000002 R15: dffffc0000000000
FS: 000055555676b400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff05411c78 CR3: 000000007a034000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
path_umount+0x7d4/0x1260 fs/namespace.c:1819
ksys_umount fs/namespace.c:1838 [inline]
__do_sys_umount fs/namespace.c:1843 [inline]
__se_sys_umount fs/namespace.c:1841 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1841
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f67c148a557
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7f7ec938 EFLAGS: 00000246
ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67c148a557
RDX: 00007ffc7f7eca0a RSI: 000000000000000a RDI: 00007ffc7f7eca00
RBP: 00007ffc7f7eca00 R08: 00000000ffffffff R09: 00007ffc7f7ec7d0
R10: 000055555676c8b3 R11: 0000000000000246 R12: 00007f67c14e21f8
R13: 00007ffc7f7edac0 R14: 000055555676c810 R15: 00007ffc7f7edb00
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=10df1295f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16f621b9f00000

Hillf Danton

May 17, 2022, 6:38:20 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Date: Tue, 17 May 2022 04:35:09 -0700
v19, try to quiesce the warning by legitimizing __lookup_mnt.
diff -pur a/fs/mount.h b/fs/mount.h
--- a/fs/mount.h 2022-05-16 19:33:29.792582900 +0800
+++ b/fs/mount.h 2022-05-17 21:09:35.549527700 +0800
@@ -77,6 +77,8 @@ struct mount {
int mnt_expiry_mark; /* true if marked for expiry */
struct hlist_head mnt_pins;
struct hlist_head mnt_stuck_children;
+ struct wait_queue_head wwq; /* writer wq */
+ struct list_head leg_list;
} __randomize_layout;

#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
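Review bot: the two new fields need locking comments: leg_list is tested with list_empty() and spliced under a lock introduced later in this patch, and wwq is only woken from mnt_drop_write() once MNT_DOOMED is set; say that here, and pick a less cryptic name than wwq. Both also grow struct mount for every mount on the system to handle a condition the existing WARN_ON in cleanup_mnt() treats as impossible.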
@@ -98,6 +100,7 @@ static inline int is_mounted(struct vfsm
}

extern struct mount *__lookup_mnt(struct vfsmount *, struct dentry *);
+extern struct mount *__lookup_mnt_leg(struct vfsmount *, struct dentry *);

extern int __legitimize_mnt(struct vfsmount *, unsigned);
extern bool legitimize_mnt(struct vfsmount *, unsigned);
diff -pur a/fs/namei.c b/fs/namei.c
--- a/fs/namei.c 2022-05-17 20:03:40.760743200 +0800
+++ b/fs/namei.c 2022-05-17 20:31:13.396868700 +0800
@@ -1497,7 +1497,7 @@ static bool __follow_mount_rcu(struct na
}

if (flags & DCACHE_MOUNTED) {
- struct mount *mounted = __lookup_mnt(path->mnt, dentry);
+ struct mount *mounted = __lookup_mnt_leg(path->mnt, dentry);
if (mounted) {
path->mnt = &mounted->mnt;
dentry = path->dentry = mounted->mnt.mnt_root;
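Review bot: __follow_mount_rcu() runs in RCU-walk mode and treats path->mnt as a borrowed pointer that is legitimized later when the walk leaves RCU mode, but __lookup_mnt_leg() returns child_mnt only after __legitimize_mnt() has succeeded, i.e. with mnt_count already bumped (the failure branch's mnt_add_count(child_mnt, -1) shows as much). Nothing here drops that reference, so every traversal of a mountpoint leaks one count on the child mount, which would leave it unmountable rather than fix the warning.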
diff -pur a/fs/namespace.c b/fs/namespace.c
--- a/fs/namespace.c 2022-05-16 19:34:10.676163000 +0800
+++ b/fs/namespace.c 2022-05-18 06:33:54.713376200 +0800
@@ -233,6 +233,8 @@ static struct mount *alloc_vfsmnt(const
INIT_LIST_HEAD(&mnt->mnt_umounting);
INIT_HLIST_HEAD(&mnt->mnt_stuck_children);
mnt->mnt.mnt_userns = &init_user_ns;
+ init_waitqueue_head(&mnt->wwq);
+ INIT_LIST_HEAD(&mnt->leg_list);
}
return mnt;

@@ -469,6 +471,12 @@ void mnt_drop_write(struct vfsmount *mnt
{
__mnt_drop_write(mnt);
sb_end_write(mnt->mnt_sb);
+ if (mnt->mnt_flags & MNT_DOOMED) {
+ struct mount *m = real_mount(mnt);
+
+ if (!m->mnt_ns && !mnt_get_writers(m))
+ wake_up(&m->wwq);
+ }
}
EXPORT_SYMBOL_GPL(mnt_drop_write);
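Review bot: the `!mnt_get_writers(m)` test before wake_up() is an unlocked sum of per-cpu counters; nothing orders this CPU's __mnt_drop_write() decrement against another CPU's read, so two writers finishing concurrently can in principle both see a non-zero sum and neither wakes the waiter. wait_event() re-evaluates its condition anyway, so an unconditional wake_up() when MNT_DOOMED is set is both simpler and cannot miss a wakeup.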

@@ -676,6 +684,57 @@ struct mount *__lookup_mnt(struct vfsmou
return NULL;
}

+static LIST_HEAD(leg_put_list);
+static DEFINE_SPINLOCK(leg_put_lock);
+
+static void leg_put_workfn(struct work_struct *w)
+{
+ struct mount *mnt;
+again:
+ spin_lock_irq(&leg_put_lock);
+
+ if (!list_empty(&leg_put_list)) {
+ mnt = list_first_entry(&leg_put_list, struct mount, leg_list);
+ list_del_init(&mnt->leg_list);
+ spin_unlock_irq(&leg_put_lock);
+
+ mntput(&mnt->mnt);
+ goto again;
+ }
+ spin_unlock_irq(&leg_put_lock);
+}
+static DECLARE_WORK(leg_put_work, leg_put_workfn);
+
+struct mount *__lookup_mnt_leg(struct vfsmount *mnt, struct dentry *dentry)
+{
+ struct mount *child_mnt;
+ struct vfsmount *m;
+ unsigned seq;
+ int res;
+again:
+ seq = read_seqbegin(&mount_lock);
+ child_mnt = __lookup_mnt(mnt, dentry);
+ m = child_mnt ? &child_mnt->mnt : NULL;
+ res = __legitimize_mnt(m, seq);
+
+ if (res == 0)
+ return child_mnt;
+ if (res > 0)
+ if (read_seqretry(&mount_lock, seq))
+ goto again;
+ else
+ return NULL;
+
+ spin_lock_irq(&leg_put_lock);
+ if (list_empty(&child_mnt->leg_list)) {
+ list_add(&child_mnt->leg_list, &leg_put_list);
+ queue_work(system_unbound_wq, &leg_put_work);
+ } else
+ mnt_add_count(child_mnt, -1);
+ spin_unlock_irq(&leg_put_lock);
+ return NULL;
+}
+
/*
* lookup_mnt - Return the first child mount mounted at path
*
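Review bot: the `if (res > 0) if (...) goto again; else return NULL;` at the top of __lookup_mnt_leg() is a dangling else; it binds to the inner if, but reads as though it belonged to `res > 0`, so put braces around it. More substantively, res < 0 means __legitimize_mnt() took a reference on a mount that has since been unmounted; the `else mnt_add_count(child_mnt, -1)` branch then drops a count on that doomed mount outside lock_mount_hash(), which is exactly the unlocked decrement the comment in cleanup_mnt() says must be covered by mount_lock barriers. Finally, nothing takes leg_put_lock from interrupt context, so spin_lock_irq() can be plain spin_lock().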
@@ -1174,7 +1233,7 @@ static void cleanup_mnt(struct mount *mn
* The locking used to deal with mnt_count decrement provides barriers,
* so mnt_get_writers() below is safe.
*/
- WARN_ON(mnt_get_writers(mnt));
+ wait_event(mnt->wwq, !mnt_get_writers(mnt));
if (unlikely(mnt->mnt_pins.first))
mnt_pin_kill(mnt);
hlist_for_each_entry_safe(m, p, &mnt->mnt_stuck_children, mnt_umount) {
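Review bot: replacing WARN_ON(mnt_get_writers(mnt)) with wait_event() turns an invariant violation into a sleep. cleanup_mnt() is reached only once the last reference is gone, and every writer holds a reference, so a non-zero writers count here means the refcounting is already corrupt; waiting for it to reach zero hides that, and if the count is negative (which is what Al reports later in this thread) the condition never becomes true and the task sleeps forever.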
@@ -1221,10 +1280,16 @@ static void mntput_no_expire(struct moun

syzbot

May 17, 2022, 6:49:08 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire

------------[ cut here ]------------
WARNING: CPU: 1 PID: 4486 at fs/namespace.c:1285 mntput_no_expire+0x985/0xfe0 fs/namespace.c:1285
Modules linked in:

CPU: 1 PID: 4486 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x985/0xfe0 fs/namespace.c:1285
Code: 00 00 00 bf 08 00 00 00 48 c7 c2 60 fe f0 8b e8 91 0b 72 ff e9 01 f9 ff ff e8 d7 bd 9d ff 0f 0b e9 b6 f8 ff ff e8 cb bd 9d ff <0f> 0b e9 aa f8 ff ff e8 bf bd 9d ff e8 aa dd 91 07 31 ff 89 c3 89
RSP: 0018:ffffc90004857d78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 0000000000000000
RDX: ffff888018b80000 RSI: ffffffff81db8365 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81db7c0e R11: 0000000000000000 R12: 0000000000000002
R13: ffff88801d671e00 R14: dffffc0000000000 R15: ffffed1003ace3ca
FS: 0000555555fbb400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555556f3e848 CR3: 000000001f615000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1347
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f3b7a03bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffe9eb268b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3b7a03bd2b
RDX: 0000001b2ff20000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f3b7a19d960 R08: 0000000000000000 R09: 00007ffe9ebbf080
R10: 00007ffe9ebbf090 R11: 0000000000000293 R12: 00000000000181f5
R13: 00007ffe9eb269b0 R14: 00007ffe9eb269d0 R15: 0000000000000032
</TASK>


Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=15ee4759f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1108ae3af00000

Al Viro

May 17, 2022, 6:58:24 PM
to syzbot, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, May 17, 2022 at 03:49:07PM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in mntput_no_expire

Obvious question: which filesystem it is?

Al Viro

May 17, 2022, 8:59:53 PM
to syzbot, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, May 17, 2022 at 10:58:15PM +0000, Al Viro wrote:
> On Tue, May 17, 2022 at 03:49:07PM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > WARNING in mntput_no_expire
>
> Obvious question: which filesystem it is?

FWIW, can't reproduce here - at least not with C reproducer +
-rc7^ kernel + .config from report + debian kvm image (bullseye,
with systemd shite replaced with sysvinit, which might be relevant).

In case systemd-specific braindamage is needed to reproduce it...
Hell knows; at least mount --make-rshared / doesn't seem to suffice.

Al Viro

May 17, 2022, 9:10:27 PM
to syzbot, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
... doesn't reproduce with genuine systemd either. FWIW, 4-way SMP
setup here.

Al Viro

May 17, 2022, 9:58:47 PM
to syzbot, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
OK, reproduced...

Al Viro

May 18, 2022, 12:39:01 AM
to syzbot, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
FWIW, it smells like something (cgroup?) fucking up percpu allocation/freeing.
Note that struct mount has both refcount and writers count held in percpu;
replacing the refcount with atomic_t gets rid of seeing negative refcount
in mntput_no_expire(), but leaves negative writers count caught in
cleanup_mnt(); turn that from WARN_ON into printk and we get past that,
only to see
percpu ref (css_release) <= 0 (-4294967294)
immediately afterwards.

IOW, it looks like we are getting not messed refcounting on either side,
but same refcount physically shared by unrelated objects.

Al Viro

May 18, 2022, 12:57:54 AM
to syzbot, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Gotcha.
percpu_ref_init():
    ref->percpu_count_ptr = (unsigned long)
        __alloc_percpu_gfp(sizeof(unsigned long), align, gfp);
    if (!ref->percpu_count_ptr)
        return -ENOMEM;
    data = kzalloc(sizeof(*ref->data), gfp);
    if (!data) {
        free_percpu((void __percpu *)ref->percpu_count_ptr);
        return -ENOMEM;
    }

cgroup_create():
    err = percpu_ref_init(&css->refcnt, css_release, 0, GFP_KERNEL);
    if (err)
        goto err_free_css;

    err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_KERNEL);
    if (err < 0)
        goto err_free_css;

Now note that we end up hitting the same path in case of successful and
failed percpu_ref_init(). With no way to tell if css->refcnt.percpu_count_ptr
is an already freed object or needs to be freed. And sure enough, we have

err_free_css:
    list_del_rcu(&css->rstat_css_node);
    INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn);
    queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork);

with css_free_rwork_fn() starting with
percpu_ref_exit(&css->refcnt);

which will give that double free. That might be not the only cause of
trouble, but this looks like a bug and a plausible source of the
symptoms observed here. Let's see if this helps:

diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
index af9302141bcf..e5c5315da274 100644
--- a/lib/percpu-refcount.c
+++ b/lib/percpu-refcount.c
@@ -76,6 +76,7 @@ int percpu_ref_init(struct percpu_ref *ref, percpu_ref_func_t *release,
data = kzalloc(sizeof(*ref->data), gfp);
if (!data) {
free_percpu((void __percpu *)ref->percpu_count_ptr);
+ ref->percpu_count_ptr = 0;
return -ENOMEM;
}
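Review bot: the fix works because percpu_ref_exit() skips free_percpu() when ->percpu_count_ptr is zero and returns early when ->data is NULL (which it still is here, since the kzalloc() that would have set it failed). The resulting contract, that percpu_ref_exit() is safe on a ref whose percpu_ref_init() failed, is what cgroup_create()'s shared err_free_css path relies on, so it is worth stating in the commit message and in the percpu_ref_init() kerneldoc so other callers can depend on it too.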

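A userspace replay of the sequence Al describes, which also reproduces the "same refcount physically shared by unrelated objects" symptom from his earlier message: a per-CPU counter is freed once in the failed init, handed to a second object, then freed again by the cleanup path, so a third object is given the slot the second one still uses. This is an added example, not code from the thread or from the kernel; toy_alloc/toy_free stand in for the per-CPU allocator, toy_ref_init/toy_ref_exit are modelled on the percpu_ref_init()/percpu_ref_exit() quoted above, and the inject_data_alloc_failure switch is a constructed fault injection.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the per-CPU allocator: fixed counter slots
 * handed out first-fit, so a freed slot is reused by the next caller. */
#define NSLOTS 4
static long slot_val[NSLOTS];
static int  slot_used[NSLOTS];

static void toy_allocator_reset(void)
{
    memset(slot_val, 0, sizeof(slot_val));
    memset(slot_used, 0, sizeof(slot_used));
}

static long *toy_alloc(void)
{
    for (int i = 0; i < NSLOTS; i++) {
        if (!slot_used[i]) {
            slot_used[i] = 1;
            slot_val[i] = 0;
            return &slot_val[i];
        }
    }
    return NULL;
}

/* Like a real allocator, this cannot tell a double free from a valid one. */
static void toy_free(long *p)
{
    slot_used[p - slot_val] = 0;
}

/* Stand-in for struct percpu_ref: the counter pointer plus ->data. */
struct toy_ref {
    long *count_ptr;
    void *data;
};

/* Constructed fault injection: when set, the ->data allocation fails. */
static int inject_data_alloc_failure;

/* Modelled on percpu_ref_init(). clear_on_failure selects the one-line fix:
 * whether the freed counter pointer is cleared before returning -ENOMEM. */
static int toy_ref_init(struct toy_ref *ref, int clear_on_failure)
{
    ref->count_ptr = toy_alloc();
    if (!ref->count_ptr)
        return -ENOMEM;
    if (inject_data_alloc_failure) {
        toy_free(ref->count_ptr);
        if (clear_on_failure)
            ref->count_ptr = NULL;      /* the fix from the thread */
        return -ENOMEM;
    }
    ref->data = calloc(1, sizeof(long));
    return ref->data ? 0 : -ENOMEM;
}

/* Modelled on percpu_ref_exit(): free the counter if the pointer is set,
 * then stop if ->data was never allocated. */
static void toy_ref_exit(struct toy_ref *ref)
{
    if (ref->count_ptr) {
        toy_free(ref->count_ptr);
        ref->count_ptr = NULL;
    }
    if (!ref->data)
        return;
    free(ref->data);
    ref->data = NULL;
}

/* Replays the thread's sequence. Returns 1 if the mount's counter and the
 * second css's counter end up in the same slot, 0 if they stay separate. */
static int run_scenario(int clear_on_failure)
{
    struct toy_ref css1 = { 0 }, css2 = { 0 };
    long *mnt_count;
    int err, shared;

    toy_allocator_reset();

    /* cgroup_create(): percpu_ref_init() fails at the ->data allocation. */
    inject_data_alloc_failure = 1;
    err = toy_ref_init(&css1, clear_on_failure);
    inject_data_alloc_failure = 0;
    if (err == 0)
        return -1;

    mnt_count = toy_alloc();            /* unrelated object reuses the slot */
    toy_ref_exit(&css1);                /* err_free_css -> css_free_rwork_fn */
    if (toy_ref_init(&css2, clear_on_failure) != 0)
        return -1;                      /* next css gets a "free" slot */

    (*mnt_count)++;                     /* a mount reference is taken ... */
    shared = (mnt_count == css2.count_ptr); /* ... and css2's count moves too */

    toy_ref_exit(&css2);
    toy_free(mnt_count);
    return shared;
}

int main(void)
{
    printf("without the fix: counters shared = %d\n", run_scenario(0));
    printf("with the fix:    counters shared = %d\n", run_scenario(1));
    return 0;
}
```

The point the replay makes is the one Al draws: neither object mis-counts on its own side; the corruption comes from two live objects owning the same counter, which is why the first visible symptom was a negative mount refcount rather than anything in cgroup.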
Al Viro

May 18, 2022, 1:37:25 AM
to syzbot, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
... and it appears to fix the damn thing. 10 minutes and still running;
without that it usually fails within a few seconds.

Al Viro

May 18, 2022, 2:25:07 AM
to syzbot, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

May 18, 2022, 2:45:08 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+5b1e53...@syzkaller.appspotmail.com

Tested on:

commit: a9171431 percpu_ref_init(): clean ->percpu_count_ref o..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git proposed-fix
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

Hillf Danton

May 18, 2022, 6:41:05 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Date: Tue, 17 May 2022 04:35:09 -0700
v19, try to quiesce the warning by legitimizing __lookup_mnt.
v20, see if Al's fix cures the symptoms seen.
diff -pur a/fs/namespace.c j/fs/namespace.c
--- a/fs/namespace.c 2022-05-16 19:34:10.676163000 +0800
+++ j/fs/namespace.c 2022-05-18 18:38:01.165374300 +0800
@@ -1221,10 +1221,16 @@ static void mntput_no_expire(struct moun
* we are dropping is not the final one.
*/
mnt_add_count(mnt, -1);
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
rcu_read_unlock();
return;
}
lock_mount_hash();
+ count = mnt_get_count(mnt);
+ WARN_ON(count == 0);
+ WARN_ON(count < 0);
/*
* make sure that if __legitimize_mnt() has not seen us grab
* mount_lock, we'll see their refcount increment here.
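Review bot: `count` is assigned but never declared in this hunk, so unless a declaration lands in a hunk that is not shown this will not compile. More importantly, the first pair of checks runs under rcu_read_lock() without lock_mount_hash(), where mnt_get_count() sums per-cpu counters that other CPUs are changing concurrently; a transient zero or negative sum there is legitimate, so those two WARN_ONs will fire spuriously. The second pair, taken after lock_mount_hash(), is a reasonable debugging check.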
diff -pur a/include/linux/cgroup-defs.h j/include/linux/cgroup-defs.h
--- a/include/linux/cgroup-defs.h 2022-05-16 20:01:41.873691800 +0800
+++ j/include/linux/cgroup-defs.h 2022-05-18 18:38:01.178665800 +0800
@@ -179,7 +179,7 @@ struct cgroup_subsys_state {
atomic_t online_cnt;

/* percpu_ref killing and RCU release */
- struct work_struct destroy_work;
+ struct work_struct destroy_work, release_work;
struct rcu_work destroy_rwork;

/*
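Review bot: the field comment "percpu_ref killing and RCU release" now covers three members; extend it to say which work item is used for the kill path (destroy_work) and which for release (release_work), since the only reason to split them is that both may be pending at once, and that is what a later reader will need to know.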
diff -pur a/kernel/cgroup/cgroup.c j/kernel/cgroup/cgroup.c
--- a/kernel/cgroup/cgroup.c 2022-05-16 20:03:31.595702700 +0800
+++ j/kernel/cgroup/cgroup.c 2022-05-18 18:38:01.194420100 +0800
@@ -5154,7 +5154,7 @@ static void css_free_rwork_fn(struct wor
static void css_release_work_fn(struct work_struct *work)
{
struct cgroup_subsys_state *css =
- container_of(work, struct cgroup_subsys_state, destroy_work);
+ container_of(work, struct cgroup_subsys_state, release_work);
struct cgroup_subsys *ss = css->ss;
struct cgroup *cgrp = css->cgroup;

@@ -5210,8 +5210,8 @@ static void css_release(struct percpu_re
struct cgroup_subsys_state *css =
container_of(ref, struct cgroup_subsys_state, refcnt);

- INIT_WORK(&css->destroy_work, css_release_work_fn);
- queue_work(cgroup_destroy_wq, &css->destroy_work);
+ INIT_WORK(&css->release_work, css_release_work_fn);
+ queue_work(cgroup_destroy_wq, &css->release_work);
}

static void init_and_link_css(struct cgroup_subsys_state *css,
diff -pur a/lib/percpu-refcount.c j/lib/percpu-refcount.c
--- a/lib/percpu-refcount.c 2022-05-18 18:18:40.337365100 +0800
+++ j/lib/percpu-refcount.c 2022-05-18 18:38:01.215498900 +0800
@@ -76,6 +76,7 @@ int percpu_ref_init(struct percpu_ref *r
data = kzalloc(sizeof(*ref->data), gfp);
if (!data) {
free_percpu((void __percpu *)ref->percpu_count_ptr);
+ ref->percpu_count_ptr = 0;
return -ENOMEM;
}
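Review bot: this hunk is the same one-line change Al posted earlier in the thread, and syzbot has already reported that it passes on its own (the a9171431 test above). Carrying it in a combined test patch is fine, but it should stay a separate commit with Al's authorship, and the remaining hunks here (the WARN_ON instrumentation in mntput_no_expire(), the cgroup work-item split, and the tcp_input.c change whose body is cut off) now need their own justification rather than riding along with the fix.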

diff -pur a/net/ipv4/tcp_input.c j/net/ipv4/tcp_input.c
--- a/net/ipv4/tcp_input.c 2022-05-16 19:59:50.885069300 +0800
+++ j/net/ipv4/tcp_input.c 2022-05-18 18:38:01.244757300 +0800

syzbot

May 18, 2022, 7:00:11 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+5b1e53...@syzkaller.appspotmail.com

Tested on:

commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12f8dccef00000