| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260116-kostbar-blass-171a72be1845@brauner>
Date: Fri, 16 Jan 2026 11:52:36 +0100
From: Christian Brauner <brauner@...nel.org>
To: syzbot <syzbot+55fd613012e606d75d45@...kaller.appspotmail.com>
Cc: jack@...e.cz, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk
Subject: Re: [syzbot] [fs?] possible deadlock in put_mnt_ns
On Fri, Jan 16, 2026 at 11:40:06AM +0100, Christian Brauner wrote:
> On Thu, Jan 15, 2026 at 01:50:24AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 0f853ca2a798 Add linux-next specific files for 20260113
> > git tree: linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1386f99a580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=789b351b8a4cafe1
> > dashboard link: https://syzkaller.appspot.com/bug?extid=55fd613012e606d75d45
> > compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1482859a580000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13402052580000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/9c7778b6d6be/disk-0f853ca2.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/ea278b0d6aff/vmlinux-0f853ca2.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/60b94236c918/bzImage-0f853ca2.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+55fd613012e606d75d45@...kaller.appspotmail.com
> >
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> > R13: 00007fca229e5fa0 R14: 00007fca229e5fa0 R15: 0000000000000003
> > </TASK>
> > ============================================
> > WARNING: possible recursive locking detected
> > syzkaller #0 Not tainted
> > --------------------------------------------
> > syz.0.23/6026 is trying to acquire lock:
> > ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: namespace_lock fs/namespace.c:1730 [inline]
> > ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: class_namespace_excl_constructor fs/namespace.c:101 [inline]
> > ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: put_mnt_ns+0x170/0x2f0 fs/namespace.c:6241
> >
> > but task is already holding lock:
> > ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: namespace_lock fs/namespace.c:1730 [inline]
> > ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: lock_mount_exact+0x89/0x630 fs/namespace.c:3852
> >
> > other info that might help us debug this:
> > Possible unsafe locking scenario:
> >
> > CPU0
> > ----
> > lock(namespace_sem);
> > lock(namespace_sem);
>
> Groan, simple fix. opening nsfs fd must be done outside of the lock as
> it would drop the mntns reference. Fixing.
#syz test: https://github.com/brauner/linux.git vfs-7.0.namespace
Powered by blists - more mailing lists