Message-ID: <20250924002850.7530-1-hdanton@sina.com>
Date: Wed, 24 Sep 2025 08:28:49 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+12479ae15958fc3f54ec@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fs?] BUG: sleeping function called from invalid context in hook_sb_delete

> Date: Tue, 23 Sep 2025 15:59:37 -0700
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    ce7f1a983b07 Add linux-next specific files for 20250923
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=118724e2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
> dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
> compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1376e27c580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=136e78e2580000

#syz test

--- x/security/landlock/fs.c
+++ y/security/landlock/fs.c
@@ -1434,8 +1434,6 @@ static void hook_sb_delete(struct super_
 			spin_unlock(&inode->i_lock);
 			continue;
 		}
-		/* Keeps a reference to this inode until the next loop walk. */
-		__iget(inode);
 		spin_unlock(&inode->i_lock);
 
 		/*
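Review bot: dropping `__iget(inode)` here removes the per-walk reference that the surrounding code was built around, yet the `spin_unlock(&inode->i_lock)` that immediately follows is kept, so nothing in this hunk explains what now keeps the inode from being freed between that unlock and its later use; the comment retained below this context ("disappear from under us until the next loop walk") and the `iput(prev_inode)` in the third hunk both still assume a reference was taken on each walk. Since the only message text is `#syz test`, please add a changelog that states which reference (presumably the `ihold()` one from `get_inode_object()` mentioned in the removed comment) is meant to pin the inode now, and how that relates to the "sleeping function called from invalid context" report in the subject.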
@@ -1457,15 +1455,6 @@ static void hook_sb_delete(struct super_
 			 * It is therefore not necessary to lock inode->i_lock.
 			 */
 			rcu_assign_pointer(landlock_inode(inode)->object, NULL);
-			/*
-			 * At this point, we own the ihold() reference that was
-			 * originally set up by get_inode_object() and the
-			 * __iget() reference that we just set in this loop
-			 * walk.  Therefore the following call to iput() will
-			 * not sleep nor drop the inode because there is now at
-			 * least two references to it.
-			 */
-			iput(inode);
 		} else {
 			spin_unlock(&object->lock);
 			rcu_read_unlock();
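Review bot: removing this `iput(inode)` together with its comment changes the reference accounting rather than just the sleeping call: the removed comment says this call released the `ihold()` reference from `get_inode_object()` while a second `__iget()` reference kept the inode alive, and with `__iget()` also gone in the first hunk, that `ihold()` reference is now only released by `iput(prev_inode)` one loop iteration later. That is balanced, but it is no longer described anywhere; please replace the deleted block with a short comment stating that the object's `ihold()` reference is deliberately kept until the next walk and released via `prev_inode`, otherwise the next reader will see `rcu_assign_pointer(..., NULL)` followed by no `iput()` and assume a leak.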
@@ -1479,12 +1468,7 @@ static void hook_sb_delete(struct super_
 			 * disappear from under us until the next loop walk.
 			 */
 			spin_unlock(&sb->s_inode_list_lock);
-			/*
-			 * We can now actually put the inode reference from the
-			 * previous loop walk, which is not needed anymore.
-			 */
 			iput(prev_inode);
-			cond_resched();
 			spin_lock(&sb->s_inode_list_lock);
 		}
 		prev_inode = inode;
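Review bot: this hunk deletes `cond_resched()` but keeps `iput(prev_inode)` on the same line sequence, and `iput()` can sleep when it drops the last reference (the removed comment in the second hunk relied on exactly that property, "will not sleep nor drop the inode because there is now at least two references"). If the splat in the subject comes from this stretch being reached in atomic context, removing only `cond_resched()` leaves an `iput()` that is now the one actually releasing the inode, so please confirm from the syzbot trace which call triggered the report and whether `spin_unlock(&sb->s_inode_list_lock)` alone is enough to make this a sleepable section. The deleted comment explaining what `iput(prev_inode)` releases should also be rewritten to match the new accounting rather than removed outright.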
--
