* [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()
@ 2025-11-12 2:35 许佳凯
2025-11-20 8:48 ` Günther Noack
0 siblings, 1 reply; 5+ messages in thread
From: 许佳凯 @ 2025-11-12 2:35 UTC (permalink / raw)
To: linux-kernel; +Cc: linux-security-module, Günther Noack, Serge E. Hallyn
Hello,
This issue occurs when unmounting a tmpfs filesystem that has previously been added to a Landlock path-beneath rule.
During this operation, the kernel reports a “sleeping function called from invalid context” bug in hook_sb_delete() (security/landlock/fs.c).
This bug was initially discovered on the Linux riscv branch via a fuzzing framework.
It was later confirmed reproducible on Linux mainline v6.18-rc5 (x86).
The tested kernel source, configuration, and related materials are provided below:
Kernel source: https://git.kernel.org/torvalds/t/linux-6.18-rc5.tar.gz
Config file: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/.config
Reproducer source: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/repro.cprog
GCC compiler info: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/gcc.info
Kernel log (dmesg): https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/dmesg.info
Additional riscv fuzzing context (report0, etc.): https://github.com/j1akai/KConfigFuzz_bug/tree/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b
The call trace indicates that hook_sb_delete() holds s_inode_list_lock (a spinlock) while invoking operations that may eventually call iput(), which can sleep.
This violates the locking context expectations and triggers __might_sleep() warnings.
The issue seems to be related to how Landlock handles superblock cleanup during security_sb_delete().
I’m currently only reporting this issue to the community; the exact fix will likely need to be confirmed and implemented by the Landlock and filesystem maintainers.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()
2025-11-12 2:35 [BUG] landlock: sleeping function called from invalid context in hook_sb_delete() 许佳凯
@ 2025-11-20 8:48 ` Günther Noack
2025-11-20 10:52 ` 许佳凯
2025-11-20 14:48 ` Mickaël Salaün
0 siblings, 2 replies; 5+ messages in thread
From: Günther Noack @ 2025-11-20 8:48 UTC (permalink / raw)
To: 许佳凯
Cc: linux-kernel, linux-security-module, Günther Noack,
Serge E. Hallyn, Mickaël Salaün
Hello!
Thanks for the report!
CC-ing Mickaël, who authored that code.
On Wed, Nov 12, 2025 at 10:35:17AM +0800, 许佳凯 wrote:
> The call trace indicates that hook_sb_delete() holds s_inode_list_lock (a spinlock) while invoking operations that may eventually call iput(), which can sleep.
> This violates the locking context expectations and triggers __might_sleep() warnings.
> The issue seems to be related to how Landlock handles superblock cleanup during security_sb_delete().
>
>
> I’m currently only reporting this issue to the community; the exact fix will likely need to be confirmed and implemented by the Landlock and filesystem maintainers.
This looks like a false positive to me.
There are three places where iput() is being called in hook_sb_delete,
two of them are in places where it is *not* holding the
s_inode_list_lock. The one that *is* holding the s_inode_list_lock
has the following comment:
/*
 * At this point, we own the ihold() reference that was
 * originally set up by get_inode_object() and the
 * __iget() reference that we just set in this loop
 * walk. Therefore the following call to iput() will
 * not sleep nor drop the inode because there is now at
 * least two references to it.
 */
That seems to indicate that the sleepability concern was taken into
consideration. iput() only sleeps if the refcount reaches zero, and
if you can exclude that, it won't sleep.
—Günther
--
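The reference-counting argument above, as a constructed user-space model (an added example, not code from the kernel or from the thread): iput() can only sleep when it drops the last reference, so an iput() issued while an extra __iget() reference is held cannot sleep even with s_inode_list_lock held. The struct layouts, the *_model names and the take_extra_ref switch are this example's own simplifications.

```c
#include <stdbool.h>

/* Constructed user-space model (added example, not kernel code) of the thread's
 * argument: iput() may only sleep when it drops the LAST reference, so an iput()
 * done while an extra __iget() reference is held cannot sleep under the lock. */
struct inode {
    int i_count;          /* models inode->i_count */
    bool landlock_ref;    /* models the ihold() taken by get_inode_object() */
    struct inode *next;   /* models the sb->s_inodes list */
};

struct super_block {
    bool list_locked;      /* models s_inode_list_lock (a spinlock) being held */
    int sleeps_under_lock; /* would-be "sleeping function called from invalid context" */
    struct inode *inodes;
};

/* Drop one reference; only the last drop evicts the inode, which may sleep. */
static void iput_model(struct super_block *sb, struct inode *inode)
{
    if (--inode->i_count == 0 && sb->list_locked)
        sb->sleeps_under_lock++;
}

/* Walk s_inodes as hook_sb_delete() does. take_extra_ref=true is the kernel's
 * pattern (__iget() before iput()); false is what the report suspected was
 * happening. Returns evictions done with the lock held (0 is correct). */
static int sb_delete_model(struct super_block *sb, bool take_extra_ref)
{
    struct inode *deferred[64], *inode;
    int n = 0, i;

    sb->list_locked = true;                  /* spin_lock(&sb->s_inode_list_lock) */
    for (inode = sb->inodes; inode; inode = inode->next) {
        if (!inode->landlock_ref)
            continue;                        /* no Landlock object to release */
        if (take_extra_ref && n < 64) {
            inode->i_count++;                /* __iget(): at least two refs now */
            deferred[n++] = inode;
        }
        inode->landlock_ref = false;
        iput_model(sb, inode);               /* releases the ihold() reference */
    }
    sb->list_locked = false;                 /* spin_unlock(&sb->s_inode_list_lock) */
    for (i = 0; i < n; i++)
        iput_model(sb, deferred[i]);         /* final iput() may sleep: no lock held */
    return sb->sleeps_under_lock;
}
```

With the extra reference the last drop always happens after the unlock; without it, an inode whose only reference was the ihold() one is evicted while the lock is held.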
* Re: Re: [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()
2025-11-20 8:48 ` Günther Noack
@ 2025-11-20 10:52 ` 许佳凯
2025-11-20 14:48 ` Mickaël Salaün
1 sibling, 0 replies; 5+ messages in thread
From: 许佳凯 @ 2025-11-20 10:52 UTC (permalink / raw)
To: Günther Noack
Cc: linux-kernel, linux-security-module, Günther Noack,
Serge E. Hallyn, Mickaël Salaün
Hello Günther,
Thanks a lot for your detailed reply.
Your explanation makes perfect sense. I agree this is indeed a false positive.
Thanks for pointing that out and for the clarification.
I appreciate your time and the helpful analysis.
Best regards,
-Jiakai
* Re: [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()
2025-11-20 8:48 ` Günther Noack
2025-11-20 10:52 ` 许佳凯
@ 2025-11-20 14:48 ` Mickaël Salaün
2025-11-21 1:01 ` 许佳凯
1 sibling, 1 reply; 5+ messages in thread
From: Mickaël Salaün @ 2025-11-20 14:48 UTC (permalink / raw)
To: Günther Noack
Cc: 许佳凯, linux-kernel, linux-security-module,
Günther Noack, Serge E. Hallyn
Thanks for the report.
This was indeed a false positive. The fix (previously reported by
syzkaller) is merged in -next and soon in the master branch:
https://lore.kernel.org/r/20251105212025.807549-1-mjguzik@gmail.com
On Thu, Nov 20, 2025 at 09:48:43AM +0100, Günther Noack wrote:
> Hello!
>
> Thanks for the report!
>
> CC-ing Mickaël, who authored that code.
>
> On Wed, Nov 12, 2025 at 10:35:17AM +0800, 许佳凯 wrote:
> > The call trace indicates that hook_sb_delete() holds s_inode_list_lock (a spinlock) while invoking operations that may eventually call iput(), which can sleep.
> > This violates the locking context expectations and triggers __might_sleep() warnings.
> > The issue seems to be related to how Landlock handles superblock cleanup during security_sb_delete().
> >
> >
> > I’m currently only reporting this issue to the community; the exact fix will likely need to be confirmed and implemented by the Landlock and filesystem maintainers.
>
> This looks like a false positive to me.
>
> There are three places where iput() is being called in hook_sb_delete,
> two of them are in places where it is *not* holding the
> s_inode_list_lock. The one that *is* holding the s_inode_list_lock
> has the following comment:
>
> /*
>  * At this point, we own the ihold() reference that was
>  * originally set up by get_inode_object() and the
>  * __iget() reference that we just set in this loop
>  * walk. Therefore the following call to iput() will
>  * not sleep nor drop the inode because there is now at
>  * least two references to it.
>  */
>
> That seems to indicate that the sleepability concern was taken into
> consideration. iput() only sleeps if the refcount reaches zero, and
> if you can exclude that, it won't sleep.
>
> —Günther
>
> --
>
* Re: Re: [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()
2025-11-20 14:48 ` Mickaël Salaün
@ 2025-11-21 1:01 ` 许佳凯
0 siblings, 0 replies; 5+ messages in thread
From: 许佳凯 @ 2025-11-21 1:01 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Günther Noack, linux-kernel, linux-security-module,
Günther Noack, Serge E. Hallyn
Hello Mickaël,
Thanks a lot for your reply.
Best regards,
-Jiakai