| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <DG0B0GEW323Q.29Y4J0A0Q5DQ5@canonical.com>
Date: Wed, 28 Jan 2026 08:49:12 -0600
From: "Zachary M. Raines" <zachary.raines@...onical.com>
To: "Alexander Viro" <viro@...iv.linux.org.uk>, "Christian Brauner"
<brauner@...nel.org>
Cc: <linux-fsdevel@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: PROBLEM: Duplicated entries in /proc/<pid>/mountinfo
Greetings,
When mounting and unmounting many filesystems, /proc/<pid>/mountinfo sometimes
contains entries which are duplicated many times.
Summary
=======
Sometimes on a system that is mounting and unmounting filesystems frequently,
for example running lots of docker containers, the size of /proc/1/mountinfo,
can become very large -- 100s, to 1000s of entries or more -- with the vast
majority being a single entry duplicated many times.
This causes other problems on the system, due to systemd parsing the mount table
whenever it changes, and eating up a lot of memory, for example [1]. Waiting
long enough there are rare events where the length of mountinfo can go into the
millions of lines and lead to OOM and kernel panics.
Running the reproducers below, I pretty reliably see an Ubuntu virtual machine
kernel panic due to lack of memory within about 24hrs.
Versions
========
Bisecting the kernel git history, I was able to track the issue back to
'2eea9ce4310d8 mounts: keep list of mounts in an rbtree' [2].
I've tested on 6.19-rc7 in a virtual machine and the issue is still present
there. /proc/version:
Linux version 6.19.0-rc7+ (ubuntu@...nel-builder) (gcc (Ubuntu 15.2.0-4ubuntu4)
15.2.0, GNU ld (GNU Binutils for Ubuntu) 2.45) #8 SMP PREEMPT_DYNAMIC Tue Jan 27
22:33:35 UTC 2026
running on Ubuntu 25.10
Reproducer
==========
The problem can be reproduced by mounting and then unmounting tmpfs in a loop
and in a seperate process reading /proc/1/mountinfo and checking for duplicates.
I used the following scripts:
1. Mounts and unmounts tmpfs
#!/bin/bash
counter=0
while true; do
unique_name="tmpfs_$$_$counter"
mkdir -p "/tmp/$unique_name"
sudo mount -t tmpfs "$unique_name" "/tmp/$unique_name"
sudo umount "/tmp/$unique_name"
rmdir "/tmp/$unique_name"
((counter++))
sleep 0.1
done
2. Reads `/prod/1/mountinfo` and checks for duplicates
#!/bin/bash
THRESHOLD=75
echo "Starting monitoring at $(date)"
while true; do
# Get mountinfo entries and count total
mountinfo="$(cat /proc/1/mountinfo)"
mountinfo_count=$(echo "$mountinfo" | wc -l)
if ((mountinfo_count > THRESHOLD)); then
echo "$(date): Mount count ($mountinfo_count) exceeds threshold ($THRESHOLD)"
# Find and log duplicate mount points with their counts
duplicates=$(echo "$mountinfo" | sort | uniq -cd)
if [[ -n "$duplicates" ]]; then
echo "Duplicate mounts :"
echo "$duplicates"
fi
echo "====="
echo "$mountinfo"
echo "---"
fi
sleep 0.1
done
Typically, within 5-10 minutes duplicates can be observed, often including
hundreds or thousands of copies of the same mount point -- although the number
can rarely spike to much higher values. Given a long enough uptime, I've
observed up to 1.4 million duplicates at a time.
The duplication in mountinfo is very intermittent. `cat /proc/1/mountinfo` 100ms
later shows no duplication.
Additional diagnostics
======================
While running the script (2.) above, I also ran the following bpftrace script
3. Trace vfs_mounts as by `cat /proc/1/mountinfo`
#!/usr/bin/env bpftrace
fentry:show_mountinfo / comm == "cat"/ {
@mnts[args->mnt] = count();
}
tracepoint:sched:sched_process_exit / comm == "cat"/ {
for ($mnt : @mnts) {
if ($mnt.1 > 1) {
printf("Duplicate mount %p\n", $mnt.0);
@dups[$mnt.0] = $mnt.1;
}
}
clear(@mnts);
}
and observed that a single mount struct was reached multiple times -- perhaps
unsurprisingly exactly the same number as there were duplicates detected by
the above script.
Typical outputs of script (2.) and the bpftrace script above are
Starting monitoring at Tue Jan 27 20:48:13 UTC 2026
Tue Jan 27 20:50:43 UTC 2026: Mount count (696) exceeds threshold (75)
Duplicate mounts :
/proc/sys/fs/binfmt_misc: 2 occurrences
/tmp/tmpfs_856614_41491: 666 occurrences
and
@dups[0xffff88e5fb9f10a0]: 666
Best,
Zachary Raines
[1]: https://github.com/systemd/systemd/issues/37939
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2eea9ce4310d8c0f8ef1dbe7b0e7d9219ff02b97
Powered by blists - more mailing lists