[BUG] landlock: sleeping function called from invalid context in hook_sb_delete()

[BUG] landlock: sleeping function called from invalid context in hook_sb_delete()

[许佳凯]

Hello,
This issue occurs when unmounting a tmpfs filesystem that has previously been added to a Landlock path-beneath rule.
During this operation, the kernel reports a “sleeping function called from invalid context” bug in hook_sb_delete() (security/landlock/fs.c).


This bug was initially discovered on the Linux riscv branch via a fuzzing framework.
It was later confirmed reproducible on Linux mainline v6.18-rc5 (x86).
The tested kernel source, configuration, and related materials are provided below:
  Kernel source: https://git.kernel.org/torvalds/t/linux-6.18-rc5.tar.gz  
  Config file: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/.config  
  Reproducer source: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/repro.cprog  
  GCC compiler info: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/gcc.info  
  Kernel log (dmesg): https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/dmesg.info  
  Additional riscv fuzzing context (report0, etc.): https://github.com/j1akai/KConfigFuzz_bug/tree/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b


The call trace indicates that hook_sb_delete() holds s_inode_list_lock (a spinlock) while invoking operations that may eventually call iput(), which can sleep.
This violates the locking context expectations and triggers __might_sleep() warnings.
The issue seems to be related to how Landlock handles superblock cleanup during security_sb_delete().


I’m currently only reporting this issue to the community; the exact fix will likely need to be confirmed and implemented by the Landlock and filesystem maintainers.

Re: [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()

[Günther Noack]

Hello!

Thanks for the report!

CC-ing Mickaël, who authored that code

On Wed, Nov 12, 2025 at 10:35:17AM +0800, 许佳凯 wrote:
> The call trace indicates that hook_sb_delete() holds s_inode_list_lock (a spinlock) while invoking operations that may eventually call iput(), which can sleep.
> This violates the locking context expectations and triggers __might_sleep() warnings.
> The issue seems to be related to how Landlock handles superblock cleanup during security_sb_delete().
> 
> 
> I’m currently only reporting this issue to the community; the exact fix will likely need to be confirmed and implemented by the Landlock and filesystem maintainers.

This looks like a false positive to me.

There are three places where iput() is being called in hook_sb_delete,
two of them are in places where it is *not* holding the
s_inode_list_lock.  The one that *is* holding the s_inode_list_lock
has the following comment:

/*
 * At this point, we own the ihold() reference that was
 * originally set up by get_inode_object() and the
 * __iget() reference that we just set in this loop
 * walk.  Therefore the following call to iput() will
 * not sleep nor drop the inode because there is now at
 * least two references to it.
 */

That seems to indicate that the sleepability concern was taken into
consideration.  iput() only sleeps if the refcount reaches zero, and
if you can exclude that, it won't sleep.

—Günther

-- 

Re: Re: [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()

[许佳凯]

Hello Günther,

Thanks a lot for your detailed reply.

Your explanation makes perfect sense. I agree this is indeed a false positive.
Thanks for pointing that out and for the clarification.

I appreciate your time and the helpful analysis.

Best regards,
-Jiakai

Re: [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()

[Mickaël Salaün]

Thanks for the report.

This was indeed a false positive.  The fix (previously reported by
syzkaller) is merged in -next and soon in the master branche:
https://lore.kernel.org/r/20251105212025.807549-1-mjguzik@gmail.com


On Thu, Nov 20, 2025 at 09:48:43AM +0100, Günther Noack wrote:
> Hello!
> 
> Thanks for the report!
> 
> CC-ing Mickaël, who authored that code
> 
> On Wed, Nov 12, 2025 at 10:35:17AM +0800, 许佳凯 wrote:
> > The call trace indicates that hook_sb_delete() holds s_inode_list_lock (a spinlock) while invoking operations that may eventually call iput(), which can sleep.
> > This violates the locking context expectations and triggers __might_sleep() warnings.
> > The issue seems to be related to how Landlock handles superblock cleanup during security_sb_delete().
> > 
> > 
> > I’m currently only reporting this issue to the community; the exact fix will likely need to be confirmed and implemented by the Landlock and filesystem maintainers.
> 
> This looks like a false positive to me.
> 
> There are three places where iput() is being called in hook_sb_delete,
> two of them are in places where it is *not* holding the
> s_inode_list_lock.  The one that *is* holding the s_inode_list_lock
> has the following comment:
> 
> /*
>  * At this point, we own the ihold() reference that was
>  * originally set up by get_inode_object() and the
>  * __iget() reference that we just set in this loop
>  * walk.  Therefore the following call to iput() will
>  * not sleep nor drop the inode because there is now at
>  * least two references to it.
>  */
> 
> That seems to indicate that the sleepability concern was taken into
> consideration.  iput() only sleeps if the refcount reaches zero, and
> if you can exclude that, it won't sleep.
> 
> —Günther
> 
> -- 
> 

Re: Re: [BUG] landlock: sleeping function called from invalid context in hook_sb_delete()

[许佳凯]

Hello Mickaël,

Thanks a lot for your reply.

Best regards,
-Jiakai