[syzbot ci] Re: ns: support file handles
2 views
Skip to first unread message
syzbot ci
Sep 10, 2025, 4:53:27 PM (3 days ago) Sep 10
to amir...@gmail.com, ax...@kernel.dk, bra...@kernel.org, cgr...@vger.kernel.org, chuck...@oracle.com, cyp...@cyphar.com, daan.j....@gmail.com, edum...@google.com, han...@cmpxchg.org, ho...@kernel.org, ja...@suse.cz, jla...@kernel.org, jo...@toxicpanda.com, ku...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux-k...@vger.kernel.org, linu...@vger.kernel.org, m...@yhndnzj.com, mko...@suse.com, mzxr...@0pointer.de, net...@vger.kernel.org, pab...@redhat.com, t...@kernel.org, vi...@zeniv.linux.org.uk, zby...@in.waw.pl, syz...@lists.linux.dev, syzkall...@googlegroups.com
syzbot ci has tested the following series
[v1] ns: support file handles
https://lore.kernel.org/all/20250910-work-namesp...@kernel.org
* [PATCH 01/32] pidfs: validate extensible ioctls
* [PATCH 02/32] nsfs: validate extensible ioctls
* [PATCH 03/32] block: use extensible_ioctl_valid()
* [PATCH 04/32] ns: move to_ns_common() to ns_common.h
* [PATCH 05/32] nsfs: add nsfs.h header
* [PATCH 06/32] ns: uniformly initialize ns_common
* [PATCH 07/32] mnt: use ns_common_init()
* [PATCH 08/32] ipc: use ns_common_init()
* [PATCH 09/32] cgroup: use ns_common_init()
* [PATCH 10/32] pid: use ns_common_init()
* [PATCH 11/32] time: use ns_common_init()
* [PATCH 12/32] uts: use ns_common_init()
* [PATCH 13/32] user: use ns_common_init()
* [PATCH 14/32] net: use ns_common_init()
* [PATCH 15/32] ns: remove ns_alloc_inum()
* [PATCH 16/32] nstree: make iterator generic
* [PATCH 17/32] mnt: support iterator
* [PATCH 18/32] cgroup: support iterator
* [PATCH 19/32] ipc: support iterator
* [PATCH 20/32] net: support iterator
* [PATCH 21/32] pid: support iterator
* [PATCH 22/32] time: support iterator
* [PATCH 23/32] userns: support iterator
* [PATCH 24/32] uts: support iterator
* [PATCH 25/32] ns: add to_<type>_ns() to respective headers
* [PATCH 26/32] nsfs: add current_in_namespace()
* [PATCH 27/32] nsfs: support file handles
* [PATCH 28/32] nsfs: support exhaustive file handles
* [PATCH 29/32] nsfs: add missing id retrieval support
* [PATCH 30/32] tools: update nsfs.h uapi header
* [PATCH 31/32] selftests/namespaces: add identifier selftests
* [PATCH 32/32] selftests/namespaces: add file handle selftests
and found the following issue:
WARNING in copy_net_ns
Full report is available here:
https://ci.syzbot.org/series/bc3dfd83-98cc-488c-b046-f849c79a6a41
***
WARNING in copy_net_ns
tree: net-next
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net-next.git
base: deb105f49879dd50d595f7f55207d6e74dec34e6
arch: amd64
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config: https://ci.syzbot.org/builds/a560fd28-b788-4442-a7c8-10c6240b4dbf/config
syz repro: https://ci.syzbot.org/findings/18e91b10-567e-4cae-a279-8a5f2f2cde80/syz_repro
------------[ cut here ]------------
ida_free called for id=1326 which is not allocated.
WARNING: CPU: 0 PID: 6146 at lib/idr.c:592 ida_free+0x280/0x310 lib/idr.c:592
Modules linked in:
CPU: 0 UID: 0 PID: 6146 Comm: syz.1.60 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:ida_free+0x280/0x310 lib/idr.c:592
Code: 00 00 00 00 fc ff df 48 8b 5c 24 10 48 8b 7c 24 40 48 89 de e8 d1 8a 0c 00 90 48 c7 c7 80 ee ba 8c 44 89 fe e8 11 87 12 f6 90 <0f> 0b 90 90 eb 34 e8 95 02 4f f6 49 bd 00 00 00 00 00 fc ff df eb
RSP: 0018:ffffc9000302fba0 EFLAGS: 00010246
RAX: c838d58ce4bb0000 RBX: 0000000000000a06 RCX: ffff88801eac0000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffffc9000302fca0 R08: ffff88804b024293 R09: 1ffff11009604852
R10: dffffc0000000000 R11: ffffed1009604853 R12: 1ffff92000605f78
R13: dffffc0000000000 R14: ffff888026c1fd00 R15: 000000000000052e
FS: 00007f6d7aab16c0(0000) GS:ffff8880b8613000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000004000 CR3: 000000002726e000 CR4: 00000000000006f0
Call Trace:
<TASK>
copy_net_ns+0x37a/0x510 net/core/net_namespace.c:593
create_new_namespaces+0x3f3/0x720 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0x11c/0x170 kernel/nsproxy.c:218
ksys_unshare+0x4c8/0x8c0 kernel/fork.c:3127
__do_sys_unshare kernel/fork.c:3198 [inline]
__se_sys_unshare kernel/fork.c:3196 [inline]
__x64_sys_unshare+0x38/0x50 kernel/fork.c:3196
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6d79b8eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6d7aab1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f6d79dd5fa0 RCX: 00007f6d79b8eba9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000062040200
RBP: 00007f6d79c11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6d79dd6038 R14: 00007f6d79dd5fa0 R15: 00007ffd5ab830f8
</TASK>
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syz...@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzk...@googlegroups.com.
[v1] ns: support file handles
https://lore.kernel.org/all/20250910-work-namesp...@kernel.org
* [PATCH 01/32] pidfs: validate extensible ioctls
* [PATCH 02/32] nsfs: validate extensible ioctls
* [PATCH 03/32] block: use extensible_ioctl_valid()
* [PATCH 04/32] ns: move to_ns_common() to ns_common.h
* [PATCH 05/32] nsfs: add nsfs.h header
* [PATCH 06/32] ns: uniformly initialize ns_common
* [PATCH 07/32] mnt: use ns_common_init()
* [PATCH 08/32] ipc: use ns_common_init()
* [PATCH 09/32] cgroup: use ns_common_init()
* [PATCH 10/32] pid: use ns_common_init()
* [PATCH 11/32] time: use ns_common_init()
* [PATCH 12/32] uts: use ns_common_init()
* [PATCH 13/32] user: use ns_common_init()
* [PATCH 14/32] net: use ns_common_init()
* [PATCH 15/32] ns: remove ns_alloc_inum()
* [PATCH 16/32] nstree: make iterator generic
* [PATCH 17/32] mnt: support iterator
* [PATCH 18/32] cgroup: support iterator
* [PATCH 19/32] ipc: support iterator
* [PATCH 20/32] net: support iterator
* [PATCH 21/32] pid: support iterator
* [PATCH 22/32] time: support iterator
* [PATCH 23/32] userns: support iterator
* [PATCH 24/32] uts: support iterator
* [PATCH 25/32] ns: add to_<type>_ns() to respective headers
* [PATCH 26/32] nsfs: add current_in_namespace()
* [PATCH 27/32] nsfs: support file handles
* [PATCH 28/32] nsfs: support exhaustive file handles
* [PATCH 29/32] nsfs: add missing id retrieval support
* [PATCH 30/32] tools: update nsfs.h uapi header
* [PATCH 31/32] selftests/namespaces: add identifier selftests
* [PATCH 32/32] selftests/namespaces: add file handle selftests
and found the following issue:
WARNING in copy_net_ns
Full report is available here:
https://ci.syzbot.org/series/bc3dfd83-98cc-488c-b046-f849c79a6a41
***
WARNING in copy_net_ns
tree: net-next
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net-next.git
base: deb105f49879dd50d595f7f55207d6e74dec34e6
arch: amd64
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config: https://ci.syzbot.org/builds/a560fd28-b788-4442-a7c8-10c6240b4dbf/config
syz repro: https://ci.syzbot.org/findings/18e91b10-567e-4cae-a279-8a5f2f2cde80/syz_repro
------------[ cut here ]------------
ida_free called for id=1326 which is not allocated.
WARNING: CPU: 0 PID: 6146 at lib/idr.c:592 ida_free+0x280/0x310 lib/idr.c:592
Modules linked in:
CPU: 0 UID: 0 PID: 6146 Comm: syz.1.60 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:ida_free+0x280/0x310 lib/idr.c:592
Code: 00 00 00 00 fc ff df 48 8b 5c 24 10 48 8b 7c 24 40 48 89 de e8 d1 8a 0c 00 90 48 c7 c7 80 ee ba 8c 44 89 fe e8 11 87 12 f6 90 <0f> 0b 90 90 eb 34 e8 95 02 4f f6 49 bd 00 00 00 00 00 fc ff df eb
RSP: 0018:ffffc9000302fba0 EFLAGS: 00010246
RAX: c838d58ce4bb0000 RBX: 0000000000000a06 RCX: ffff88801eac0000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffffc9000302fca0 R08: ffff88804b024293 R09: 1ffff11009604852
R10: dffffc0000000000 R11: ffffed1009604853 R12: 1ffff92000605f78
R13: dffffc0000000000 R14: ffff888026c1fd00 R15: 000000000000052e
FS: 00007f6d7aab16c0(0000) GS:ffff8880b8613000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000004000 CR3: 000000002726e000 CR4: 00000000000006f0
Call Trace:
<TASK>
copy_net_ns+0x37a/0x510 net/core/net_namespace.c:593
create_new_namespaces+0x3f3/0x720 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0x11c/0x170 kernel/nsproxy.c:218
ksys_unshare+0x4c8/0x8c0 kernel/fork.c:3127
__do_sys_unshare kernel/fork.c:3198 [inline]
__se_sys_unshare kernel/fork.c:3196 [inline]
__x64_sys_unshare+0x38/0x50 kernel/fork.c:3196
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6d79b8eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6d7aab1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f6d79dd5fa0 RCX: 00007f6d79b8eba9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000062040200
RBP: 00007f6d79c11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6d79dd6038 R14: 00007f6d79dd5fa0 R15: 00007ffd5ab830f8
</TASK>
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syz...@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzk...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages