[syzbot] [fs?] WARNING in free_mnt_ns


syzbot

Sep 30, 2025, 4:17:36 PM
to bra...@kernel.org, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot found the following issue on:

HEAD commit: 449c2b302c8e Merge tag 'vfs-6.18-rc1.async' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b43858580000
kernel config: https://syzkaller.appspot.com/x/.config?x=595e5938a1dd5b4e
dashboard link: https://syzkaller.appspot.com/bug?extid=7d23dc5cd4fa132fb9f3
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11c9ad04580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160bf27c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ddc1ff1fc7e3/disk-449c2b30.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/92fc60e0e9d5/vmlinux-449c2b30.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e50a03ce90e3/bzImage-449c2b30.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7d23dc...@syzkaller.appspotmail.com

------------[ cut here ]------------
ida_free called for id=1125 which is not allocated.
WARNING: CPU: 1 PID: 6109 at lib/idr.c:592 ida_free+0x1f9/0x2e0 lib/idr.c:592
Modules linked in:
CPU: 1 UID: 0 PID: 6109 Comm: syz.1.23 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:ida_free+0x1f9/0x2e0 lib/idr.c:592
Code: 33 f6 41 83 fe 3e 76 72 e8 14 31 33 f6 48 8b 7c 24 28 4c 89 ee e8 57 65 0d 00 90 48 c7 c7 e0 17 16 8d 89 ee e8 78 13 f2 f5 90 <0f> 0b 90 90 e8 ee 30 33 f6 48 b8 00 00 00 00 00 fc ff df 48 01 c3
RSP: 0018:ffffc90003037980 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 1ffff92000606f31 RCX: ffffffff817a02f8
RDX: ffff88802c8ebc00 RSI: ffffffff817a0305 RDI: 0000000000000001
RBP: 0000000000000465 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8880791f7f00
R13: 0000000000000293 R14: 0000000000000065 R15: ffff8880791f7f08
FS: 0000000000000000(0000) GS:ffff8881247b3000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe8d5f156c0 CR3: 000000007680c000 CR4: 00000000003526f0
Call Trace:
<TASK>
free_mnt_ns+0xe0/0x110 fs/namespace.c:4096
namespace_unlock+0x542/0x920 fs/namespace.c:1701
put_mnt_ns fs/namespace.c:6135 [inline]
put_mnt_ns+0xf5/0x120 fs/namespace.c:6126
free_nsproxy+0x3a/0x400 kernel/nsproxy.c:188
put_nsproxy include/linux/nsproxy.h:107 [inline]
switch_task_namespaces+0xeb/0x100 kernel/nsproxy.c:241
do_exit+0x86a/0x2bf0 kernel/exit.c:960
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5cffd8eec9
Code: Unable to access opcode bytes at 0x7f5cffd8ee9f.
RSP: 002b:00007f5d00ba0038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: fffffffffffffff4 RBX: 00007f5cfffe5fa0 RCX: 00007f5cffd8eec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000020000
RBP: 00007f5cffe11f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5cfffe6038 R14: 00007f5cfffe5fa0 R15: 00007ffee87a9438
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

Sep 30, 2025, 8:43:35 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Tue, 30 Sep 2025 13:17:34 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 449c2b302c8e Merge tag 'vfs-6.18-rc1.async' of git://git.k..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15b43858580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=595e5938a1dd5b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d23dc5cd4fa132fb9f3
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11c9ad04580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160bf27c580000

#syz test

--- l/fs/namespace.c
+++ n/fs/namespace.c
@@ -4092,8 +4092,12 @@ static void dec_mnt_namespaces(struct uc

static void free_mnt_ns(struct mnt_namespace *ns)
{
- if (!is_anon_ns(ns))
- ns_common_free(ns);
+ if (!is_anon_ns(ns)) {
+ struct ns_common *nsc = to_ns_common(ns);
+
+ if (nsc->inum != MNT_NS_ANON_INO)
+ ns_common_free(ns);
+ }
dec_mnt_namespaces(ns->ucounts);
mnt_ns_tree_remove(ns);
}
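Review bot: the new inner test `if (nsc->inum != MNT_NS_ANON_INO)` sits inside a branch that is_anon_ns(ns) has already decided is not anonymous, so the hunk now carries two definitions of "anonymous" without saying which one free_mnt_ns() should trust; if the two can disagree for a live namespace, that disagreement is the actual bug and deserves a comment here, and if they cannot, the inner check is dead code. Skipping ns_common_free() also only hides the symptom: the warning is ida_free() being handed an id that is not allocated, which means the inum was either never taken from the ida or has already been returned once, and neither case is addressed by declining to free it. The test result later in this thread (the same warning at fs/namespace.c:4099 with id=1124) confirms the condition does not match the failing namespace. Minor: `nsc` is used once, so `to_ns_common(ns)->inum` inline would avoid the temporary.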
--

syzbot

Sep 30, 2025, 9:52:03 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in free_mnt_ns

------------[ cut here ]------------
ida_free called for id=1124 which is not allocated.
WARNING: CPU: 1 PID: 6583 at lib/idr.c:592 ida_free+0x1f9/0x2e0 lib/idr.c:592
Modules linked in:
CPU: 1 UID: 0 PID: 6583 Comm: syz.2.30 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:ida_free+0x1f9/0x2e0 lib/idr.c:592
Code: 78 f6 41 83 fe 3e 76 72 e8 c4 76 78 f6 48 8b 7c 24 28 4c 89 ee e8 07 39 0d 00 90 48 c7 c7 60 c7 cf 8c 89 ee e8 d8 51 37 f6 90 <0f> 0b 90 90 e8 9e 76 78 f6 48 b8 00 00 00 00 00 fc ff df 48 01 c3
RSP: 0018:ffffc90003b6f980 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 1ffff9200076df31 RCX: ffffffff81796158
RDX: ffff888026349e40 RSI: ffffffff81796165 RDI: 0000000000000001
RBP: 0000000000000464 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8880216dd000
R13: 0000000000000293 R14: 0000000000000064 R15: ffff8880216dd008
FS: 0000000000000000(0000) GS:ffff888124f7e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32d63fff CR3: 000000007d92a000 CR4: 00000000003526f0
Call Trace:
<TASK>
free_mnt_ns+0x121/0x160 fs/namespace.c:4099
namespace_unlock+0x542/0x920 fs/namespace.c:1701
put_mnt_ns fs/namespace.c:6139 [inline]
put_mnt_ns+0xf5/0x120 fs/namespace.c:6130
free_nsproxy+0x3a/0x400 kernel/nsproxy.c:188
put_nsproxy include/linux/nsproxy.h:107 [inline]
switch_task_namespaces+0xeb/0x100 kernel/nsproxy.c:241
do_exit+0x86a/0x2bf0 kernel/exit.c:960
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x7a/0x100 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x419/0x4b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4240f8eec9
Code: Unable to access opcode bytes at 0x7f4240f8ee9f.
RSP: 002b:00007f4241e1e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: fffffffffffffff4 RBX: 00007f42411e5fa0 RCX: 00007f4240f8eec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000020000
RBP: 00007f4241011f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f42411e6038 R14: 00007f42411e5fa0 R15: 00007fff77993fb8
</TASK>


Tested on:

commit: 4b81e2eb Merge tag 'timers-vdso-2025-09-29' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f53858580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b28601618dc289ee
dashboard link: https://syzkaller.appspot.com/bug?extid=7d23dc5cd4fa132fb9f3
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16153858580000

Hillf Danton

3:20 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Tue, 30 Sep 2025 13:17:34 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 449c2b302c8e Merge tag 'vfs-6.18-rc1.async' of git://git.k..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15b43858580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=595e5938a1dd5b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d23dc5cd4fa132fb9f3
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11c9ad04580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160bf27c580000

#syz test

--- l/include/linux/ns_common.h
+++ n/include/linux/ns_common.h
@@ -38,7 +38,7 @@ extern const struct proc_ns_operations t
extern const struct proc_ns_operations timens_for_children_operations;

struct ns_common {
- u32 ns_type;
+ u32 ns_type, gi;
struct dentry *stashed;
const struct proc_ns_operations *ops;
unsigned int inum;
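Review bot: `u32 ns_type, gi;` adds an undocumented field by appending it to an existing declarator list. Give it its own line, a name that says what it records, and a comment: in this patch the field only ever holds 0 or 1 and is consulted solely by __ns_common_free() to decide whether the inode number came from the caller rather than from proc_alloc_inum(), so a `bool` along the lines of `inum_preset` would read better than an opaque counter named `gi`.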
--- l/kernel/nscommon.c
+++ n/kernel/nscommon.c
@@ -57,6 +57,7 @@ int __ns_common_init(struct ns_common *n
ns->ops = ops;
ns->ns_id = 0;
ns->ns_type = ns_type;
+ ns->gi = 0;
RB_CLEAR_NODE(&ns->ns_tree_node);
INIT_LIST_HEAD(&ns->ns_list_node);

@@ -66,6 +67,7 @@ int __ns_common_init(struct ns_common *n

if (inum) {
ns->inum = inum;
+ ns->gi++;
return 0;
}
return proc_alloc_inum(&ns->inum);
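Review bot: `ns->gi++` is used as a boolean set (the field is zeroed a few lines up in the same function and is never decremented), so assign it rather than increment it; an increment makes a reader look for the matching decrement. More importantly, the condition it records, "inum was supplied by the caller", is not the condition syzbot is reporting: the test run with this patch applied (further down the thread) still hits `ida_free called for id=1016 which is not allocated` from __ns_common_free() at kernel/nscommon.c:80, i.e. after the gi check has been passed, so the namespace being freed had gi == 0 and therefore obtained its inum through proc_alloc_inum(). An id that was allocated but is gone again by free time suggests the namespace or its inum is being released twice, which a flag on the preset-inum path cannot detect.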
@@ -73,5 +75,7 @@ int __ns_common_init(struct ns_common *n

void __ns_common_free(struct ns_common *ns)
{
+ if (ns->gi)
+ return;
proc_free_inum(ns->inum);
}
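Review bot: the early return before proc_free_inum() silently skips the free without a comment saying which callers set gi and why their inum must not be returned to the ida; at minimum add that comment. Since the reported symptom is ida_free() on an unallocated id, it would also be worth making a second free visible instead of invisible, for example by clearing `ns->inum` after proc_free_inum() and warning once if it is already 0, so that a genuine double free shows up as a WARN at the right place rather than being quietly suppressed by this branch.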
--

syzbot

3:38 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __ns_common_free

------------[ cut here ]------------
ida_free called for id=1016 which is not allocated.
WARNING: CPU: 0 PID: 6533 at lib/idr.c:592 ida_free+0x1f9/0x2e0 lib/idr.c:592
Modules linked in:
CPU: 0 UID: 0 PID: 6533 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:ida_free+0x1f9/0x2e0 lib/idr.c:592
Code: 77 f6 41 83 fe 3e 76 72 e8 d4 eb 77 f6 48 8b 7c 24 28 4c 89 ee e8 07 39 0d 00 90 48 c7 c7 e0 cf cf 8c 89 ee e8 a8 c5 36 f6 90 <0f> 0b 90 90 e8 ae eb 77 f6 48 b8 00 00 00 00 00 fc ff df 48 01 c3
RSP: 0018:ffffc90003417968 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 1ffff92000682f2e RCX: ffffffff81796528
RDX: ffff888033f83c80 RSI: ffffffff81796535 RDI: 0000000000000001
RBP: 00000000000003f8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888140ea3000
R13: 0000000000000293 R14: 00000000000003f8 R15: ffff888140ea3078
FS: 0000000000000000(0000) GS:ffff888124e79000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8b525b7230 CR3: 0000000076170000 CR4: 00000000003526f0
Call Trace:
<TASK>
__ns_common_free+0x7d/0xa0 kernel/nscommon.c:80
free_mnt_ns+0xe0/0x110 fs/namespace.c:4096
namespace_unlock+0x542/0x920 fs/namespace.c:1701
put_mnt_ns fs/namespace.c:6135 [inline]
put_mnt_ns+0xf5/0x120 fs/namespace.c:6126
free_nsproxy+0x3a/0x400 kernel/nsproxy.c:188
put_nsproxy include/linux/nsproxy.h:107 [inline]
switch_task_namespaces+0xeb/0x100 kernel/nsproxy.c:241
do_exit+0x86a/0x2bf0 kernel/exit.c:960
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x7a/0x100 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x419/0x4b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f96f758eec9
Code: Unable to access opcode bytes at 0x7f96f758ee9f.
RSP: 002b:00007f96f83e3038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: fffffffffffffff4 RBX: 00007f96f77e5fa0 RCX: 00007f96f758eec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000020000
RBP: 00007f96f7611f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f96f77e6038 R14: 00007f96f77e5fa0 R15: 00007ffc0945e908
</TASK>


Tested on:

commit: 50c19e20 Merge tag 'nolibc-20250928-for-6.18-1' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=121a8092580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b28601618dc289ee
dashboard link: https://syzkaller.appspot.com/bug?extid=7d23dc5cd4fa132fb9f3
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11fb7c14580000
