[v6.1] WARNING in collect_domain_accesses

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 50cbba13faa2 Linux 6.1.159
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=123261c2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=31ea1cecaf34f0db
dashboard link: https://syzkaller.appspot.com/bug?extid=7148617bf2c2bd21c798
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ad0bd66715a/disk-50cbba13.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3284d626258e/vmlinux-50cbba13.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a1f92ca7bbfc/Image-50cbba13.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+714861...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5290 at security/landlock/fs.c:752 collect_domain_accesses+0x6d8/0x738 security/landlock/fs.c:-1
Modules linked in:
CPU: 0 PID: 5290 Comm: syz.2.250 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : collect_domain_accesses+0x6d8/0x738 security/landlock/fs.c:-1
lr : collect_domain_accesses+0x6d4/0x738 security/landlock/fs.c:752
sp : ffff800020dd78c0
x29: ffff800020dd7900 x28: 0000000000000001 x27: ffff800020dd79fa
x26: ffff0000d5aa04ac x25: 0000000000000000 x24: ffff0000e04ae5e0
x23: 0000000000002004 x22: ffffffffffffffff x21: ffffffffffffffff
x20: ffff0000e04af1a0 x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: ffff8000082d2558 x15: 0000000000000002
x14: 00000000118fa6bc x13: 1ffff00002a0a0b1 x12: 0000000000080000
x11: 0000000000000ff7 x10: ffff8000288eb000 x9 : ffff80000a547038
x8 : 0000000000000ff8 x7 : ffff80000a5427f0 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000008 x1 : ffff800011a5e980 x0 : ffff0000e04ae630
Call trace:
collect_domain_accesses+0x6d8/0x738 security/landlock/fs.c:-1
current_check_refer_path+0x3e0/0x7a4 security/landlock/fs.c:883
hook_path_rename+0x4c/0x60 security/landlock/fs.c:1112
security_path_rename+0x154/0x1f0 security/security.c:1217
do_renameat2+0x5ac/0xa54 fs/namei.c:5022
__do_sys_renameat2 fs/namei.c:5068 [inline]
__se_sys_renameat2 fs/namei.c:5065 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5065
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 1630
hardirqs last enabled at (1629): [<ffff80000892aa90>] mod_objcg_state+0x338/0x500 mm/memcontrol.c:3217
hardirqs last disabled at (1630): [<ffff8000118fa220>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (1606): [<ffff8000080309e0>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (1604): [<ffff8000080309ac>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: 50cbba13faa2 Linux 6.1.159
git tree: linux-6.1.y

console output: https://syzkaller.appspot.com/x/log.txt?x=15ff6a1a580000

kernel config: https://syzkaller.appspot.com/x/.config?x=31ea1cecaf34f0db
dashboard link: https://syzkaller.appspot.com/bug?extid=7148617bf2c2bd21c798
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=155f5eb4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124661c2580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ad0bd66715a/disk-50cbba13.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3284d626258e/vmlinux-50cbba13.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a1f92ca7bbfc/Image-50cbba13.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+714861...@syzkaller.appspotmail.com

------------[ cut here ]------------

WARNING: CPU: 0 PID: 4503 at security/landlock/fs.c:752 collect_domain_accesses+0x6d8/0x738 security/landlock/fs.c:-1
Modules linked in:
CPU: 0 PID: 4503 Comm: syz.0.17 Not tainted syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : collect_domain_accesses+0x6d8/0x738 security/landlock/fs.c:-1
lr : collect_domain_accesses+0x6d4/0x738 security/landlock/fs.c:752

sp : ffff800020da78c0
x29: ffff800020da7900 x28: 0000000000000001 x27: ffff800020da79fa
x26: ffff0000da8934ac x25: 0000000000000000 x24: ffff0000e57bb490

x23: 0000000000002004 x22: ffffffffffffffff x21: ffffffffffffffff

x20: ffff0000e556e468 x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: ffff8000082d2558 x15: 0000000000000000
x14: 00000000118fa6bc x13: 1ffff00002a0a0b1 x12: 0000000000ff0100
x11: ff0080000a547038 x10: 0000000000000000 x9 : ffff80000a547038
x8 : ffff0000d8010000 x7 : ffff80000a5427f0 x6 : 0000000000000000

x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000002

x2 : 0000000000000008 x1 : ffff800011a5e980 x0 : ffff0000e57bb4e0

Call trace:
collect_domain_accesses+0x6d8/0x738 security/landlock/fs.c:-1
current_check_refer_path+0x3e0/0x7a4 security/landlock/fs.c:883
hook_path_rename+0x4c/0x60 security/landlock/fs.c:1112
security_path_rename+0x154/0x1f0 security/security.c:1217
do_renameat2+0x5ac/0xa54 fs/namei.c:5022
__do_sys_renameat2 fs/namei.c:5068 [inline]
__se_sys_renameat2 fs/namei.c:5065 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5065
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

irq event stamp: 3582
hardirqs last enabled at (3581): [<ffff80000892aa90>] mod_objcg_state+0x338/0x500 mm/memcontrol.c:3217
hardirqs last disabled at (3582): [<ffff8000118fa220>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (3552): [<ffff8000080309e0>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (3550): [<ffff8000080309ac>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19

---[ end trace 0000000000000000 ]---


---

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.