Message-ID: <20dd8187.9d18.19a75eadc43.Coremail.xujiakai24@mails.ucas.ac.cn>
Date: Wed, 12 Nov 2025 10:35:17 +0800 (GMT+08:00)
From: 许佳凯 <xujiakai24@...ls.ucas.ac.cn>
To: linux-kernel@...r.kernel.org
Cc: linux-security-module@...r.kernel.org,
Günther Noack <gnoack@...gle.com>,
"Serge E. Hallyn" <serge@...lyn.com>
Subject: [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()

Hello,
This issue occurs when unmounting a tmpfs filesystem that has previously been added to a Landlock path-beneath rule.
During this operation, the kernel reports a “sleeping function called from invalid context” bug in hook_sb_delete() (security/landlock/fs.c).
This bug was initially discovered on the Linux riscv branch via a fuzzing framework.
It was later confirmed reproducible on Linux mainline v6.18-rc5 (x86).
The tested kernel source, configuration, and related materials are provided below:
Kernel source: https://git.kernel.org/torvalds/t/linux-6.18-rc5.tar.gz
Config file: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/.config
Reproducer source: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/repro.cprog
GCC compiler info: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/gcc.info
Kernel log (dmesg): https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/dmesg.info
Additional riscv fuzzing context (report0, etc.): https://github.com/j1akai/KConfigFuzz_bug/tree/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b
The call trace indicates that hook_sb_delete() holds s_inode_list_lock (a spinlock) while invoking operations that may eventually call iput(), which can sleep.
This violates the locking context expectations and triggers __might_sleep() warnings.
The issue seems to be related to how Landlock handles superblock cleanup during security_sb_delete().
I’m currently only reporting this issue to the community; the exact fix will likely need to be confirmed and implemented by the Landlock and filesystem maintainers.
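The sequence the report describes (mount a tmpfs, reference a directory under it from a Landlock path-beneath rule, then unmount it so security_sb_delete() runs while the ruleset still pins the inode) as a small userspace program. This is an added illustration, not the reporter's repro.cprog and not Landlock project code; it assumes root (CAP_SYS_ADMIN for mount/umount), a kernel built with CONFIG_SECURITY_LANDLOCK and the "landlock" LSM enabled, a scratch mount point passed on the command line, and the syscall numbers 444/445 that Landlock uses on every architecture. The struct layouts are local mirrors of the uapi ones so the file builds without <linux/landlock.h>; the warning itself, if the kernel is affected, shows up in dmesg rather than in the program's output.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock syscall numbers are the same on all architectures (assumed fallbacks). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif

/* Local mirrors of the uapi structs (only the oldest fields, valid for every ABI version). */
struct ll_ruleset_attr {
    uint64_t handled_access_fs;
};
struct ll_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));          /* uapi declares this struct packed: 12 bytes */

#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_ACCESS_FS_READ_FILE    (1ULL << 2)
#define LL_ACCESS_FS_READ_DIR     (1ULL << 3)

/* Read-only access set used both for the handled and the allowed mask. */
uint64_t ll_read_only_access(void)
{
    return LL_ACCESS_FS_READ_FILE | LL_ACCESS_FS_READ_DIR;
}

/* Returns 0 if the whole sequence ran, or the negated step number that failed. */
int ll_reproduce(const char *mnt)
{
    if (mkdir(mnt, 0700) && errno != EEXIST)
        return -1;
    if (mount("tmpfs", mnt, "tmpfs", 0, NULL))
        return -2;

    struct ll_ruleset_attr rs = { .handled_access_fs = ll_read_only_access() };
    int ruleset_fd = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset_fd < 0) {
        umount2(mnt, 0);
        return -3;
    }

    /* O_PATH is enough for a path-beneath rule; it also pins the mount while open. */
    int dir_fd = open(mnt, O_PATH | O_CLOEXEC);
    if (dir_fd < 0) {
        close(ruleset_fd);
        umount2(mnt, 0);
        return -4;
    }
    struct ll_path_beneath_attr pb = {
        .allowed_access = ll_read_only_access(),
        .parent_fd = dir_fd,
    };
    int rc = syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0);
    close(dir_fd);                    /* drop our own reference so the mount is not busy */
    if (rc) {
        close(ruleset_fd);
        umount2(mnt, 0);
        return -5;
    }

    /* The ruleset still references the tmpfs inode, so this unmount reaches
     * security_sb_delete() -> hook_sb_delete() with Landlock state to release. */
    if (umount2(mnt, 0)) {
        close(ruleset_fd);
        return -6;
    }
    close(ruleset_fd);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <scratch-mount-point>\n", argv[0]);
        return 2;
    }
    long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    if (abi < 0) {
        fprintf(stderr, "Landlock not available: %s\n", strerror(errno));
        return 1;
    }
    int rc = ll_reproduce(argv[1]);
    if (rc)
        fprintf(stderr, "step %d failed: %s\n", -rc, strerror(errno));
    else
        puts("unmounted; check dmesg for 'sleeping function called from invalid context'");
    return rc ? 1 : 0;
}
```

Run it as root on a throwaway VM (the kernel warning is harmless to the program but the right place to see it is dmesg). Keeping the ruleset fd open across the umount is deliberate: the point of the report is that Landlock still holds inode references when the superblock goes away, and closing the ruleset first would release them on a different path.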