From: syzbot <syzbot+799d4cf78a7476483ba2@syzkaller.appspotmail.com>
To: brauner@kernel.org, cem@kernel.org, jack@suse.cz,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-xfs@vger.kernel.org, syzkaller-bugs@googlegroups.com,
viro@zeniv.linux.org.uk
Subject: [syzbot] [xfs?] general protection fault in do_move_mount (3)
Date: Wed, 14 May 2025 10:39:34 -0700
Message-ID: <6824d556.a00a0220.104b28.0012.GAE@google.com>
Hello,
syzbot found the following issue on:
HEAD commit: bec6f00f120e Merge tag 'usb-6.15-rc6' of git://git.kernel...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1030b4d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b9683d529ec1b880
dashboard link: https://syzkaller.appspot.com/bug?extid=799d4cf78a7476483ba2
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17eb1670580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17794cf4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f0524618260b/disk-bec6f00f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/130c881068f0/vmlinux-bec6f00f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cb7c13b37bb0/bzImage-bec6f00f.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/291441c6276e/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=13eb1670580000)
The issue was bisected to:
commit 267fc3a06a37bec30cc5b4d97fb8409102bc7a9d
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Apr 29 01:43:23 2025 +0000
do_move_mount(): don't leak MNTNS_PROPAGATING on failures
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16979670580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=15979670580000
console output: https://syzkaller.appspot.com/x/log.txt?x=11979670580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+799d4cf78a7476483ba2@syzkaller.appspotmail.com
Fixes: 267fc3a06a37 ("do_move_mount(): don't leak MNTNS_PROPAGATING on failures")
XFS (loop0): Ending clean mount
XFS (loop0): Quotacheck needed: Please wait.
XFS (loop0): Quotacheck: Done.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 UID: 0 PID: 5821 Comm: syz-executor358 Not tainted 6.15.0-rc5-syzkaller-00275-gbec6f00f120e #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:is_anon_ns fs/mount.h:165 [inline]
RIP: 0010:do_move_mount+0x27d/0xb10 fs/namespace.c:3725
Code: e8 98 53 85 ff 41 be ea ff ff ff 49 bd 00 00 00 00 00 fc ff df 48 8b 6c 24 18 4c 8b 7c 24 08 48 8d 5d 48 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 54 22 e5 ff 48 8b 1b 31 ff 48 89
RSP: 0018:ffffc90004197d50 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000032 RCX: ffff888034268000
RDX: 0000000000000000 RSI: ffffffff8d9214e1 RDI: ffff88801b2d77b8
RBP: ffffffffffffffea R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff8238eb99 R12: ffffffff8dde9718
R13: dffffc0000000000 R14: 00000000ffffffea R15: ffff88803401e480
FS: 0000555582a39380(0000) GS:ffff888126200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000066c7e0 CR3: 000000003414c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__do_sys_move_mount fs/namespace.c:4678 [inline]
__se_sys_move_mount+0x41e/0x580 fs/namespace.c:4616
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7effb3efc739
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcb2b585e8 EFLAGS: 00000246 ORIG_RAX: 00000000000001ad
RAX: ffffffffffffffda RBX: 00007ffcb2b587b8 RCX: 00007effb3efc739
RDX: 00000000ffffff9c RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007effb3f78610 R08: 0000000000000224 R09: 00007ffcb2b587b8
R10: 0000200000000040 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffcb2b587a8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: e8 98 53 85 ff call 0xff85539d
5: 41 be ea ff ff ff mov $0xffffffea,%r14d
b: 49 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%r13
12: fc ff df
15: 48 8b 6c 24 18 mov 0x18(%rsp),%rbp
1a: 4c 8b 7c 24 08 mov 0x8(%rsp),%r15
1f: 48 8d 5d 48 lea 0x48(%rbp),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 54 22 e5 ff call 0xffe5228d
39: 48 8b 1b mov (%rbx),%rbx
3c: 31 ff xor %edi,%edi
3e: 48 rex.W
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
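Added example, not part of the syzbot report or of the kernel tree: a small C decoder for the two facts a reader wants out of the dump above. First, the non-canonical address 0xdffffc0000000006 is not the pointer that was dereferenced; it is the KASAN shadow byte for it. Generic KASAN on x86-64 maps shadow = (addr >> 3) + 0xdffffc0000000000 (the offset is the value the trapping code loads into %r13), so undoing that mapping gives the 8-byte granule [0x30-0x37] that KASAN itself prints. Second, RBP, which the disassembly moves off the stack and then offsets with `lea 0x48(%rbp),%rbx`, holds 0xffffffffffffffea, i.e. the 64-bit value -22, which is -EINVAL and lies inside the range the kernel's IS_ERR() treats as an encoded errno (the same -22 is loaded into %r14d at offset 5 of the disassembly). The helpers below (`is_err_ptr`, `kasan_shadow_to_range`, `decode_kasan_gpf`) are my own reimplementations of the kernel's arithmetic for illustration; MAX_ERRNO = 4095 is the value from include/linux/err.h and EINVAL = 22 is the Linux errno.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Generic KASAN on x86-64: shadow byte address = (addr >> 3) + KASAN_SHADOW_OFFSET.
 * The offset is the constant the trapping code above loads into %r13.
 */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE            (1ULL << KASAN_SHADOW_SCALE_SHIFT)

/* ERR_PTR encoding (include/linux/err.h): the top MAX_ERRNO addresses are errnos. */
#define MAX_ERRNO 4095ULL

struct range { uint64_t lo, hi; };

/* Shadow byte -> the 8-byte granule it covers (the "in range [...]" line KASAN prints). */
struct range kasan_shadow_to_range(uint64_t shadow)
{
    uint64_t lo = (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    struct range r = { lo, lo + KASAN_GRANULE - 1 };
    return r;
}

/* Kernel address -> address of its shadow byte (what the `cmpb` in the disassembly tests). */
uint64_t kasan_addr_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Same test as the kernel's IS_ERR(): is this "pointer" really an encoded -errno? */
bool is_err_ptr(uint64_t p)
{
    return p >= (uint64_t)0 - MAX_ERRNO;   /* >= 0xfffffffffffff001 */
}

/* Same as the kernel's PTR_ERR(): reinterpret the value as a signed errno. */
long ptr_err(uint64_t p)
{
    return (long)p;
}

/* What one KASAN general-protection fault decodes to. */
struct oops_decode {
    struct range granule;    /* granule covered by the faulting shadow byte */
    uint64_t access;         /* field address actually dereferenced: base + offset */
    bool base_is_errptr;     /* base pointer is ERR_PTR(-errno) */
    long errno_val;          /* the positive errno, if so (0 otherwise) */
    bool consistent;         /* shadow(access) matches the reported fault address */
};

/*
 * base:   pointer the callee received (RBP in the report)
 * offset: field displacement from `lea 0x48(%rbp),%rbx`
 * fault:  the non-canonical shadow address the GPF line reports
 */
struct oops_decode decode_kasan_gpf(uint64_t base, uint64_t offset, uint64_t fault)
{
    struct oops_decode d;
    d.granule = kasan_shadow_to_range(fault);
    d.access = base + offset;                 /* wraps modulo 2^64, as the CPU does */
    d.base_is_errptr = is_err_ptr(base);
    d.errno_val = d.base_is_errptr ? -ptr_err(base) : 0;
    d.consistent = kasan_addr_to_shadow(d.access) == fault
                && d.access >= d.granule.lo && d.access <= d.granule.hi;
    return d;
}

int main(void)
{
    /* Values copied from the register dump and disassembly in the report above. */
    struct oops_decode d = decode_kasan_gpf(0xffffffffffffffeaULL, 0x48,
                                            0xdffffc0000000006ULL);
    printf("shadow byte covers [0x%llx-0x%llx]\n",
           (unsigned long long)d.granule.lo, (unsigned long long)d.granule.hi);
    printf("dereferenced address: 0x%llx (RBX in the dump)\n",
           (unsigned long long)d.access);
    if (d.base_is_errptr)
        printf("base pointer is ERR_PTR(-%ld)\n", d.errno_val);
    printf("shadow arithmetic consistent with the fault: %s\n",
           d.consistent ? "yes" : "no");
    return 0;
}
```

Running it reproduces the report's numbers: the shadow byte covers [0x30-0x37], the field address is 0x32 (exactly the RBX value in the dump), the base pointer decodes as ERR_PTR(-22), and mapping 0x32 back to shadow gives 0xdffffc0000000006. In other words the callee was handed an error-encoded pointer where a valid struct mnt_namespace was expected and read a field at offset 0x48 of it; anything beyond that (which path in do_move_mount() produced the ERR_PTR) has to come from the source at fs/namespace.c:3725, not from the dump.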
Thread overview: 8+ messages
2025-05-14 17:39 syzbot [this message]
2025-05-14 18:05 ` [syzbot] [xfs?] general protection fault in do_move_mount (3) Al Viro
2025-05-14 18:13 ` syzbot
2025-05-14 18:21 ` Al Viro
2025-05-14 18:34 ` syzbot
2025-05-14 18:46 ` Al Viro
2025-05-14 19:49 ` syzbot
2025-07-13 5:16 ` [syzbot] [fs?] " syzbot