lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250929-besuchen-ursachen-50b3f25ca435@brauner>
Date: Mon, 29 Sep 2025 10:51:30 +0200
From: Christian Brauner <brauner@...nel.org>
To: Jan Kara <jack@...e.cz>
Cc: syzbot <syzbot+12479ae15958fc3f54ec@...kaller.appspotmail.com>, 
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, 
	viro@...iv.linux.org.uk, Mickaël Salaün <mic@...ikod.net>, 
	linux-security-module@...r.kernel.org, Günther Noack <gnoack@...gle.com>
Subject: Re: [syzbot] [fs?] BUG: sleeping function called from invalid
 context in hook_sb_delete

On Wed, Sep 24, 2025 at 01:05:03PM +0200, Jan Kara wrote:
> Hello!
> 
> Added Landlock guys to CC since this is a bug in Landlock.
> 
> On Tue 23-09-25 15:59:37, syzbot wrote:
> > syzbot found the following issue on:
> > 
> > HEAD commit:    ce7f1a983b07 Add linux-next specific files for 20250923
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=118724e2580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=1be6fa3d47bce66e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=12479ae15958fc3f54ec
> > compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1376e27c580000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=136e78e2580000
> > 
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/c30be6f36c31/disk-ce7f1a98.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/ae9ea347d4d8/vmlinux-ce7f1a98.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/d59682a4f33c/bzImage-ce7f1a98.xz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+12479ae15958fc3f54ec@...kaller.appspotmail.com
> > 
> > BUG: sleeping function called from invalid context at fs/inode.c:1928
> 
> The first catch from the new might_sleep() annotations in iput().
> 
> > in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6028, name: syz.0.17
> > preempt_count: 1, expected: 0
> > RCU nest depth: 0, expected: 0
> > 2 locks held by syz.0.17/6028:
> >  #0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
> >  #0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
> >  #0: ffff8880326bc0e0 (&type->s_umount_key#48){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
> >  #1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
> >  #1: ffff8880326bc998 (&s->s_inode_list_lock){+.+.}-{3:3}, at: hook_sb_delete+0xae/0xbd0 security/landlock/fs.c:1405
> > Preemption disabled at:
> > [<0000000000000000>] 0x0
> > CPU: 0 UID: 0 PID: 6028 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
> > Call Trace:
> >  <TASK>
> >  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> >  __might_resched+0x495/0x610 kernel/sched/core.c:8960
> >  iput+0x2b/0xc50 fs/inode.c:1928
> >  hook_sb_delete+0x6b5/0xbd0 security/landlock/fs.c:1468
> 
> Indeed looks like a bug because we can call iput() while holding
> sb->s_inode_list_lock in one case in hook_sb_delete().

Very nice that the annotations help finding this!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ