From: syzbot <syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] isofs: fix inode leak caused by disconnected dentries from exportfs
Date: Wed, 01 Oct 2025 01:59:04 -0700 [thread overview]
Message-ID: <68dced58.050a0220.25d7ab.0774.GAE@google.com> (raw)
In-Reply-To: <68dc3ade.a70a0220.10c4b.015d.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] isofs: fix inode leak caused by disconnected dentries from exportfs
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When open_by_handle_at() is used with iso9660 filesystems, exportfs
creates disconnected dentries during file handle resolution. If the
operation fails (e.g., with -ESTALE during reconnect_path()), these
dentries remain cached with their associated inodes.
During unmount, shrink_dcache_for_umount() does not fully evict these
disconnected dentries, leaving their inodes with non-zero reference
counts. This triggers the "VFS: Busy inodes after unmount" warning
and causes inode leaks that accumulate across mount/unmount cycles.
The issue occurs because:
1. open_by_handle_at() calls exportfs_decode_fh_raw() to resolve
file handles
2. For iso9660 with Joliet extensions, this creates disconnected
dentries for both primary (iso9660) and secondary (Joliet) root
inodes
3. When path reconnection fails with -ESTALE, the dentries are left
in DCACHE_DISCONNECTED state
4. shrink_dcache_for_umount() in generic_shutdown_super() does not
aggressively evict these disconnected dentries
5. The associated inodes (typically root inodes 1792 and 1807)
remain with i_count=1, triggering the busy inode check
Add explicit shrink_dcache_sb() call in isofs_put_super() to ensure
all cached dentries, including disconnected ones created by exportfs
operations, are released before the superblock is destroyed.
Reported-by: syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/isofs/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
index 6f0e6b19383c..bee410705442 100644
--- a/fs/isofs/inode.c
+++ b/fs/isofs/inode.c
@@ -52,6 +52,7 @@ static int isofs_dentry_cmp_ms(const struct dentry *dentry,
static void isofs_put_super(struct super_block *sb)
{
struct isofs_sb_info *sbi = ISOFS_SB(sb);
+ shrink_dcache_sb(sb);
#ifdef CONFIG_JOLIET
unload_nls(sbi->s_nls_iocharset);
--
2.43.0
prev parent reply other threads:[~2025-10-01 8:59 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-30 20:17 [syzbot] [isofs?] VFS: Busy inodes after unmount (use-after-free) (3) syzbot
2025-10-01 8:59 ` syzbot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=68dced58.050a0220.25d7ab.0774.GAE@google.com \
--to=syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.