linux-fsdevel.vger.kernel.org archive mirror
From: "Lai, Yi" <yi1.lai@linux.intel.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>,
	linux-fsdevel@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	yi1.lai@intel.com
Subject: Re: [PATCH 3/4] do_move_mount(): don't leak MNTNS_PROPAGATING on failures
Date: Tue, 13 May 2025 22:33:23 +0800	[thread overview]
Message-ID: <aCNYM7XAXBXTdo9G@ly-workstation> (raw)
In-Reply-To: <20250513120858.GG2023217@ZenIV>

On Tue, May 13, 2025 at 01:08:58PM +0100, Al Viro wrote:
> On Tue, May 13, 2025 at 07:03:14PM +0800, Lai, Yi wrote:
> > Hi Al Viro,
> > 
> > Greetings!
> > 
> > I used Syzkaller and found that there is general protection fault in do_move_mount in linux v6.15-rc6.
> > 
> > After bisection, the first bad commit is:
> > "
> > 267fc3a06a37 do_move_mount(): don't leak MNTNS_PROPAGATING on failures
> > "
> > 
> > All detailed info can be found at:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount
> > Syzkaller repro code:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/repro.c
> > Syzkaller repro syscall steps:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/repro.prog
> > Syzkaller report:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/repro.report
> > Kconfig(make olddefconfig):
> > https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/kconfig_origin
> > Bisect info:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/bisect_info.log
> > bzImage:
> > https://github.com/laifryiee/syzkaller_logs/raw/refs/heads/main/250513_095133_do_move_mount/bzImage_82f2b0b97b36ee3fcddf0f0780a9a0825d52fec3
> > Issue dmesg:
> > https://github.com/laifryiee/syzkaller_logs/blob/main/250513_095133_do_move_mount/bzImage_82f2b0b97b36ee3fcddf0f0780a9a0825d52fec3
> 
> Are you sure that stack traces are from the same reproducer?  Because they
> look nothing like what it's doing...
>

Yes. The reproducer causes the oops in do_move_mount().

> I'm pretty sure I see the problem there, but I don't see how it could
> fail to oops right in do_move_mount() itself if triggered...
> 
> As a quick check, could you see if the same kernel + diff below still
> gives the same report?
> 

After applying the diff, the issue cannot be reproduced.

> diff --git a/fs/namespace.c b/fs/namespace.c
> index 1b466c54a357..a5983726e51d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -3722,7 +3722,7 @@ static int do_move_mount(struct path *old_path,
>  	if (attached)
>  		put_mountpoint(old_mp);
>  out:
> -	if (is_anon_ns(ns))
> +	if (!IS_ERR_OR_NULL(ns) && is_anon_ns(ns))
>  		ns->mntns_flags &= ~MNTNS_PROPAGATING;
>  	unlock_mount(mp);
>  	if (!err) {
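Review bot: the new `!IS_ERR_OR_NULL(ns)` guard on the `out:` path only helps if `ns` holds NULL, an ERR_PTR or a valid namespace at every `goto out`; the hunk does not show the declaration of `ns`, so it is worth confirming that `ns` is initialised (for example to NULL) before the first early exit, otherwise an uninitialised pointer would still be passed to `is_anon_ns()`. A one-line comment above the check saying that `ns` may not have been resolved yet on error paths would also make the intent of the guard clear to the next reader.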
