Re: [syzbot] WARNING in mntput_no_expire (2)

[Al Viro <viro@zeniv.linux.org.uk>]

On Sun, Apr 04, 2021 at 01:34:45PM +0200, Christian Brauner wrote:

> Sorry for not replying to your earlier mail but I've been debugging this
> too. My current theory is that it's related to LOOKUP_ROOT_GRABBED when
> LOOKUP_CACHED is specified _possibly_ with an interaction how
> create_io_thread() is created with CLONE_FS. The reproducer requires you
> either have called pivot_root() or chroot() in order for the failure to
> happen. So I think the fact that we skip legitimize_root() when
> LOOKUP_CACHED is set might figure into this. I can keep digging.
> 

> Funny enough I already placed a printk statement into the place you
> wanted one too so I just amended mine. Here's what you get:
> 
> If pivot pivot_root() is used before the chroot() you get:
> 
> [  637.464555] AAAA: count(-1) | mnt_mntpoint(/) | mnt->mnt.mnt_root(/) | id(579) | dev(tmpfs)
> 
> if you only call chroot, i.e. make the pivot_root() branch a simple
> if (true) you get:
> 
> [  955.206117] AAAA: count(-2) | mnt_mntpoint(/) | mnt->mnt.mnt_root(/) | id(580) | dev(tmpfs)

Very interesting.  What happens if you call loop() twice?  And now I wonder
whether it's root or cwd, actually...  Hmm...

How about this:
	fd = open("/proc/self/mountinfo", 0);
	mkdir("./newroot/foo", 0777);
	mount("./newroot/foo", "./newroot/foo", 0, MS_BIND, NULL);
	chroot("./newroot");
	chdir("/foo");
	while (1) {
		static char buf[4096];
		int n = read(fd, buf, 4096);
		if (n <= 0)
			break;
		write(1, buf, n);
	}
	close(fd);
	drop_caps();
	loop();
as the end of namespace_sandbox_proc(), instead of
	chroot("./newroot");
	chdir("/");
	drop_caps();
	loop();
sequence we have there?

> The cat /proc/self/mountinfo is for the id(579) below:
... and it misses the damn thing, since we call it before the mount
in question had been created ;-/  So we'd probably be better off not
trying to be clever and just doing that as explicit (and completely
untested) read-write loop above.