[syzbot] [fs?] BUG: sleeping function called from invalid context in hook_sb_delete
12 views
Skip to first unread message
syzbot
Sep 23, 2025, 6:59:41 PM (2 days ago) Sep 23
to bra...@kernel.org, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,
syzbot found the following issue on:
HEAD commit: ce7f1a983b07 Add linux-next specific files for 20250923
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=118724e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1376e27c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136e78e2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c30be6f36c31/disk-ce7f1a98.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ae9ea347d4d8/vmlinux-ce7f1a98.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d59682a4f33c/bzImage-ce7f1a98.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+12479a...@syzkaller.appspotmail.com
BUG: sleeping function called from invalid context at fs/inode.c:1928
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6028, name: syz.0.17
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz.0.17/6028:
#0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: hook_sb_delete+0xae/0xbd0 security/landlock/fs.c:1405
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 UID: 0 PID: 6028 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
__might_resched+0x495/0x610 kernel/sched/core.c:8960
iput+0x2b/0xc50 fs/inode.c:1928
hook_sb_delete+0x6b5/0xbd0 security/landlock/fs.c:1468
security_sb_delete+0x80/0x150 security/security.c:1467
generic_shutdown_super+0xaa/0x2c0 fs/super.c:634
kill_anon_super fs/super.c:1281 [inline]
kill_litter_super+0x76/0xb0 fs/super.c:1291
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc08e18eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcd5efff18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fc08e3e5fa0 RCX: 00007fc08e18eec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00002000000002c0
RBP: 00007fc08e211f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc08e3e5fa0 R14: 00007fc08e3e5fa0 R15: 0000000000000002
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: ce7f1a983b07 Add linux-next specific files for 20250923
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=118724e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1376e27c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136e78e2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c30be6f36c31/disk-ce7f1a98.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ae9ea347d4d8/vmlinux-ce7f1a98.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d59682a4f33c/bzImage-ce7f1a98.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+12479a...@syzkaller.appspotmail.com
BUG: sleeping function called from invalid context at fs/inode.c:1928
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6028, name: syz.0.17
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz.0.17/6028:
#0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: hook_sb_delete+0xae/0xbd0 security/landlock/fs.c:1405
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 UID: 0 PID: 6028 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
__might_resched+0x495/0x610 kernel/sched/core.c:8960
iput+0x2b/0xc50 fs/inode.c:1928
hook_sb_delete+0x6b5/0xbd0 security/landlock/fs.c:1468
security_sb_delete+0x80/0x150 security/security.c:1467
generic_shutdown_super+0xaa/0x2c0 fs/super.c:634
kill_anon_super fs/super.c:1281 [inline]
kill_litter_super+0x76/0xb0 fs/super.c:1291
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc08e18eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcd5efff18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fc08e3e5fa0 RCX: 00007fc08e18eec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00002000000002c0
RBP: 00007fc08e211f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc08e3e5fa0 R14: 00007fc08e3e5fa0 R15: 0000000000000002
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hillf Danton
Sep 23, 2025, 8:29:12 PM (2 days ago) Sep 23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Tue, 23 Sep 2025 15:59:37 -0700 [thread overview]
--- x/security/landlock/fs.c
+++ y/security/landlock/fs.c
@@ -1434,8 +1434,6 @@ static void hook_sb_delete(struct super_
spin_unlock(&inode->i_lock);
continue;
}
- /* Keeps a reference to this inode until the next loop walk. */
- __iget(inode);
spin_unlock(&inode->i_lock);
/*
@@ -1457,15 +1455,6 @@ static void hook_sb_delete(struct super_
* It is therefore not necessary to lock inode->i_lock.
*/
rcu_assign_pointer(landlock_inode(inode)->object, NULL);
- /*
- * At this point, we own the ihold() reference that was
- * originally set up by get_inode_object() and the
- * __iget() reference that we just set in this loop
- * walk. Therefore the following call to iput() will
- * not sleep nor drop the inode because there is now at
- * least two references to it.
- */
- iput(inode);
} else {
spin_unlock(&object->lock);
rcu_read_unlock();
@@ -1479,12 +1468,7 @@ static void hook_sb_delete(struct super_
* disappear from under us until the next loop walk.
*/
spin_unlock(&sb->s_inode_list_lock);
- /*
- * We can now actually put the inode reference from the
- * previous loop walk, which is not needed anymore.
- */
iput(prev_inode);
- cond_resched();
spin_lock(&sb->s_inode_list_lock);
}
prev_inode = inode;
--
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: ce7f1a983b07 Add linux-next specific files for 20250923
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=118724e2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
> dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1376e27c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136e78e2580000
#syz test
>
> syzbot found the following issue on:
>
> HEAD commit: ce7f1a983b07 Add linux-next specific files for 20250923
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=118724e2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
> dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1376e27c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136e78e2580000
--- x/security/landlock/fs.c
+++ y/security/landlock/fs.c
@@ -1434,8 +1434,6 @@ static void hook_sb_delete(struct super_
spin_unlock(&inode->i_lock);
continue;
}
- /* Keeps a reference to this inode until the next loop walk. */
- __iget(inode);
spin_unlock(&inode->i_lock);
/*
@@ -1457,15 +1455,6 @@ static void hook_sb_delete(struct super_
* It is therefore not necessary to lock inode->i_lock.
*/
rcu_assign_pointer(landlock_inode(inode)->object, NULL);
- /*
- * At this point, we own the ihold() reference that was
- * originally set up by get_inode_object() and the
- * __iget() reference that we just set in this loop
- * walk. Therefore the following call to iput() will
- * not sleep nor drop the inode because there is now at
- * least two references to it.
- */
- iput(inode);
} else {
spin_unlock(&object->lock);
rcu_read_unlock();
@@ -1479,12 +1468,7 @@ static void hook_sb_delete(struct super_
* disappear from under us until the next loop walk.
*/
spin_unlock(&sb->s_inode_list_lock);
- /*
- * We can now actually put the inode reference from the
- * previous loop walk, which is not needed anymore.
- */
iput(prev_inode);
- cond_resched();
spin_lock(&sb->s_inode_list_lock);
}
prev_inode = inode;
--
syzbot
Sep 23, 2025, 8:56:08 PM (2 days ago) Sep 23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+12479a...@syzkaller.appspotmail.com
Tested-by: syzbot+12479a...@syzkaller.appspotmail.com
Tested on:
commit: ce7f1a98 Add linux-next specific files for 20250923
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13182142580000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+12479a...@syzkaller.appspotmail.com
Tested-by: syzbot+12479a...@syzkaller.appspotmail.com
Tested on:
commit: ce7f1a98 Add linux-next specific files for 20250923
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13182142580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=108c8f12580000
dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Note: testing is done by a robot and is best-effort only.
Edward Adam Davis
Sep 24, 2025, 5:44:23 AM (yesterday) Sep 24
to syzbot+12479a...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 4ed997f4a663..a18d53507210 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1484,7 +1484,6 @@ static void hook_sb_delete(struct super_block *const sb)
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 4ed997f4a663..a18d53507210 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1484,7 +1484,6 @@ static void hook_sb_delete(struct super_block *const sb)
* previous loop walk, which is not needed anymore.
Edward Adam Davis
Sep 24, 2025, 6:39:05 AM (yesterday) Sep 24
to syzbot+12479a...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
index e9a7fb5c3e49..a0b8eeeb1d27 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2349,7 +2349,7 @@ __latent_entropy struct task_struct *copy_process(
if (need_futex_hash_allocate_default(clone_flags)) {
retval = futex_hash_allocate_default();
if (retval)
- goto bad_fork_core_free;
+ goto bad_fork_cancel_cgroup;
/*
* If we fail beyond this point we don't free the allocated
* futex hash map. We assume that another thread will be created
syzbot
Sep 24, 2025, 6:43:06 AM (yesterday) Sep 24
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in hook_sb_delete
BUG: sleeping function called from invalid context at fs/inode.c:1928
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6514, name: syz.0.17
#0: ffff8880306a20e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880306a20e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880306a20e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffff8880306a2998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#1: ffff8880306a2998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: hook_sb_delete+0xae/0xbc0 security/landlock/fs.c:1405
RAX: 0000000000000000 RBX: 00007fe6d89e5fa0 RCX: 00007fe6d878eec9
</TASK>
Tested on:
commit: ce7f1a98 Add linux-next specific files for 20250923
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=128f94e2580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in hook_sb_delete
BUG: sleeping function called from invalid context at fs/inode.c:1928
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz.0.17/6514:
RCU nest depth: 0, expected: 0
#0: ffff8880306a20e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880306a20e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880306a20e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffff8880306a2998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#1: ffff8880306a2998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: hook_sb_delete+0xae/0xbc0 security/landlock/fs.c:1405
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 UID: 0 PID: 6514 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
[<0000000000000000>] 0x0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
__might_resched+0x495/0x610 kernel/sched/core.c:8960
iput+0x2b/0xc50 fs/inode.c:1928
hook_sb_delete+0x6b7/0xbc0 security/landlock/fs.c:1468
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
__might_resched+0x495/0x610 kernel/sched/core.c:8960
iput+0x2b/0xc50 fs/inode.c:1928
security_sb_delete+0x80/0x150 security/security.c:1467
generic_shutdown_super+0xaa/0x2c0 fs/super.c:634
kill_anon_super fs/super.c:1281 [inline]
kill_litter_super+0x76/0xb0 fs/super.c:1291
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe6d878eec9
generic_shutdown_super+0xaa/0x2c0 fs/super.c:634
kill_anon_super fs/super.c:1281 [inline]
kill_litter_super+0x76/0xb0 fs/super.c:1291
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe6d961c038 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fe6d89e5fa0 RCX: 00007fe6d878eec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00002000000002c0
RBP: 00007fe6d8811f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe6d89e6038 R14: 00007fe6d89e5fa0 R15: 00007ffc5011e858
</TASK>
Tested on:
commit: ce7f1a98 Add linux-next specific files for 20250923
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=14e2cce2580000
dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Edward Adam Davis
Sep 24, 2025, 6:46:23 AM (yesterday) Sep 24
to ead...@qq.com, syzbot+12479a...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test: none
syzbot
Sep 24, 2025, 6:46:26 AM (yesterday) Sep 24
to ead...@qq.com, ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> #syz test: none
want either no args or 2 args (repo, branch), got 1
>
want either no args or 2 args (repo, branch), got 1
>
Davis Edward Adam
Sep 24, 2025, 6:55:20 AM (yesterday) Sep 24
to syzkaller-bugs
#syz test: none
syzbot
Sep 24, 2025, 6:55:23 AM (yesterday) Sep 24
to twuu...@gmail.com, syzkall...@googlegroups.com, twuu...@gmail.com, linux-...@vger.kernel.org
> #syz test: none
"none" does not look like a valid git repo address.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/4f6e21b7-3c0d-4f99-bf3a-3f20fafa9591n%40googlegroups.com.
"none" does not look like a valid git repo address.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/4f6e21b7-3c0d-4f99-bf3a-3f20fafa9591n%40googlegroups.com.
Jan Kara
Sep 24, 2025, 7:05:09 AM (yesterday) Sep 24
to syzbot, bra...@kernel.org, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, Mickaël Salaün, linux-secu...@vger.kernel.org, Günther Noack
Hello!
Added Landlock guys to CC since this is a bug in Landlock.
On Tue 23-09-25 15:59:37, syzbot wrote:
> syzbot found the following issue on:
>
> HEAD commit: ce7f1a983b07 Add linux-next specific files for 20250923
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=118724e2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
> dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1376e27c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136e78e2580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c30be6f36c31/disk-ce7f1a98.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/ae9ea347d4d8/vmlinux-ce7f1a98.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/d59682a4f33c/bzImage-ce7f1a98.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+12479a...@syzkaller.appspotmail.com
>
> BUG: sleeping function called from invalid context at fs/inode.c:1928
The first catch from the new might_sleep() annotations in iput().
> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6028, name: syz.0.17
> preempt_count: 1, expected: 0
> RCU nest depth: 0, expected: 0
> 2 locks held by syz.0.17/6028:
> #0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
> #0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
> #0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
> #1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
> #1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: hook_sb_delete+0xae/0xbd0 security/landlock/fs.c:1405
> Preemption disabled at:
> [<0000000000000000>] 0x0
> CPU: 0 UID: 0 PID: 6028 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
> Call Trace:
> <TASK>
> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> __might_resched+0x495/0x610 kernel/sched/core.c:8960
> iput+0x2b/0xc50 fs/inode.c:1928
> hook_sb_delete+0x6b5/0xbd0 security/landlock/fs.c:1468
Indeed looks like a bug because we can call iput() while holding
sb->s_inode_list_lock in one case in hook_sb_delete().
Honza
--
Jan Kara <ja...@suse.com>
SUSE Labs, CR
Added Landlock guys to CC since this is a bug in Landlock.
On Tue 23-09-25 15:59:37, syzbot wrote:
> syzbot found the following issue on:
>
> HEAD commit: ce7f1a983b07 Add linux-next specific files for 20250923
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=118724e2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
> dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1376e27c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136e78e2580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c30be6f36c31/disk-ce7f1a98.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/ae9ea347d4d8/vmlinux-ce7f1a98.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/d59682a4f33c/bzImage-ce7f1a98.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+12479a...@syzkaller.appspotmail.com
>
> BUG: sleeping function called from invalid context at fs/inode.c:1928
> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6028, name: syz.0.17
> preempt_count: 1, expected: 0
> RCU nest depth: 0, expected: 0
> 2 locks held by syz.0.17/6028:
> #0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
> #0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
> #0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
> #1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
> #1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: hook_sb_delete+0xae/0xbd0 security/landlock/fs.c:1405
> Preemption disabled at:
> [<0000000000000000>] 0x0
> CPU: 0 UID: 0 PID: 6028 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
> Call Trace:
> <TASK>
> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> __might_resched+0x495/0x610 kernel/sched/core.c:8960
> iput+0x2b/0xc50 fs/inode.c:1928
> hook_sb_delete+0x6b5/0xbd0 security/landlock/fs.c:1468
sb->s_inode_list_lock in one case in hook_sb_delete().
Honza
Jan Kara <ja...@suse.com>
SUSE Labs, CR
syzbot
Sep 24, 2025, 7:19:06 AM (yesterday) Sep 24
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in hook_sb_delete
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context at fs/inode.c:1928
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz.0.17/6483:
RCU nest depth: 0, expected: 0
#0: ffff888028f400e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff888028f400e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff888028f400e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffff888028f40998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#1: ffff888028f40998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: hook_sb_delete+0xae/0xbc0 security/landlock/fs.c:1405
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 UID: 0 PID: 6483 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
[<0000000000000000>] 0x0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
__might_resched+0x495/0x610 kernel/sched/core.c:8960
iput+0x2b/0xc50 fs/inode.c:1928
hook_sb_delete+0x6b7/0xbc0 security/landlock/fs.c:1468
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
__might_resched+0x495/0x610 kernel/sched/core.c:8960
iput+0x2b/0xc50 fs/inode.c:1928
security_sb_delete+0x80/0x150 security/security.c:1467
generic_shutdown_super+0xaa/0x2c0 fs/super.c:634
kill_anon_super fs/super.c:1281 [inline]
kill_litter_super+0x76/0xb0 fs/super.c:1291
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8b7e78eec9
generic_shutdown_super+0xaa/0x2c0 fs/super.c:634
kill_anon_super fs/super.c:1281 [inline]
kill_litter_super+0x76/0xb0 fs/super.c:1291
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8b7f714038 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f8b7e9e5fa0 RCX: 00007f8b7e78eec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00002000000002c0
RBP: 00007f8b7e811f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8b7e9e6038 R14: 00007f8b7e9e5fa0 R15: 00007ffe75b4a848
</TASK>
Tested on:
commit: ce7f1a98 Add linux-next specific files for 20250923
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13644f12580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=11724d34580000
dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Reply all
Reply to author
Forward
0 new messages