Date: Sun, 30 Nov 2025 07:30:17 +0000
From: Al Viro
To: syzbot
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: Forwarded: [PATCH] ipc/mqueue: fix dentry refcount imbalance in prepare_open()
Message-ID: <20251130073017.GS3538@ZenIV>
In-Reply-To: <692bee1c.a70a0220.d98e3.0167.GAE@google.com>

On Sat, Nov 29, 2025 at 11:11:24PM -0800, syzbot wrote:
> When opening an existing message queue, prepare_open() does not increment
> the dentry refcount, but end_creating() always calls dput(). This causes
> a refcount imbalance that triggers a WARN_ON_ONCE in fast_dput() when the
> file is later closed.

That makes no sense.

> --- a/ipc/mqueue.c > +++ b/ipc/mqueue.c 
> @@ -883,6 +883,7 @@ static int prepare_open(struct dentry *dentry, int oflag, int ro, > if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY)) > return -EINVAL; ... we return an error without refcount increment. > acc = oflag2acc[oflag & O_ACCMODE]; > + dget(dentry); > return inode_permission(&nop_mnt_idmap, d_inode(dentry), acc); ... with possibly return an error *with* refcount increment. How the caller is supposed to tell one from another?
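
Review bot: the added dget(dentry) sits after the -EINVAL early return and directly before `return inode_permission(&nop_mnt_idmap, d_inode(dentry), acc);`, so prepare_open() ends up with two error exits that leave the dentry in different reference states: the -EINVAL path returns with the refcount untouched, while a failing inode_permission() returns an error with the extra reference already taken. If a reference has to be taken in this function at all, take it only on the success path (store the inode_permission() result and call dget() only when it is zero), and add a comment above prepare_open() stating that a reference is held on success only, so the caller knows when a dput() is owed.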