public inbox for linux-kernel@vger.kernel.org
* [syzbot] [fs?] WARNING in nsproxy_ns_active_put
@ 2025-11-06  1:36 syzbot
  2025-11-09  8:24 ` syzbot
  0 siblings, 1 reply; 15+ messages in thread
From: syzbot @ 2025-11-06  1:36 UTC
  To: brauner, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot found the following issue on:

HEAD commit:    84d39fb9d529 Add linux-next specific files for 20251105
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=122ec0b4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=413cf24e78b667b9
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12e09342580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14126114580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/49de85e8d717/disk-84d39fb9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4fd90ea7659f/vmlinux-84d39fb9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/235e0ee874fe/bzImage-84d39fb9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: ./include/linux/ns_common.h:311 at __ns_ref_active_put include/linux/ns_common.h:311 [inline], CPU#0: syz.2.29/6060
WARNING: ./include/linux/ns_common.h:311 at nsproxy_ns_active_put+0xa19/0xd30 fs/nsfs.c:707, CPU#0: syz.2.29/6060
Modules linked in:
CPU: 0 UID: 0 PID: 6060 Comm: syz.2.29 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__ns_ref_active_put include/linux/ns_common.h:311 [inline]
RIP: 0010:nsproxy_ns_active_put+0xa19/0xd30 fs/nsfs.c:707
Code: 0f 0b 90 e9 71 fc ff ff e8 54 52 77 ff 90 0f 0b 90 e9 ab fc ff ff e8 46 52 77 ff 90 0f 0b 90 e9 41 fd ff ff e8 38 52 77 ff 90 <0f> 0b 90 e9 64 fd ff ff e8 2a 52 77 ff 90 0f 0b 90 e9 98 fd ff ff
RSP: 0018:ffffc900033f7d38 EFLAGS: 00010293
RAX: ffffffff824a1b88 RBX: ffff88805876a750 RCX: ffff88807e148000
RDX: 0000000000000000 RSI: 00000000effffff8 RDI: 00000000effffff8
RBP: 00000000effffff8 R08: ffffffff8e36cb4b R09: 1ffffffff1c6d969
R10: dffffc0000000000 R11: fffffbfff1c6d96a R12: dffffc0000000000
R13: 1ffffffff1c6d955 R14: ffffffff8e36ca80 R15: ffffffff8e36caa8
FS:  00005555653d3500(0000) GS:ffff888125a8b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30163fff CR3: 0000000076924000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 free_nsproxy+0x26/0x560 kernel/nsproxy.c:190
 put_nsset kernel/nsproxy.c:341 [inline]
 __do_sys_setns kernel/nsproxy.c:594 [inline]
 __se_sys_setns+0x1268/0x17d0 kernel/nsproxy.c:559
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
       [not found] <20251107101419.15312-1-kartikey406@gmail.com>
@ 2025-11-07 10:42 ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-11-07 10:42 UTC
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in alloc_pid

------------[ cut here ]------------
WARNING: ./include/linux/ns_common.h:288 at __ns_ref_active_get include/linux/ns_common.h:288 [inline], CPU#1: syz-executor/6396
WARNING: ./include/linux/ns_common.h:288 at alloc_pid+0xad6/0xc70 kernel/pid.c:285, CPU#1: syz-executor/6396
Modules linked in:
CPU: 1 UID: 0 PID: 6396 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__ns_ref_active_get include/linux/ns_common.h:288 [inline]
RIP: 0010:alloc_pid+0xad6/0xc70 kernel/pid.c:285
Code: cc e8 7e d6 34 00 be 02 00 00 00 eb 0a e8 72 d6 34 00 be 01 00 00 00 48 89 df e8 05 d8 0c 03 e9 84 fa ff ff e8 5b d6 34 00 90 <0f> 0b 90 e9 2c fd ff ff e8 4d d6 34 00 90 0f 0b 90 e9 5b fd ff ff
RSP: 0018:ffffc900035d79d8 EFLAGS: 00010293
RAX: ffffffff818cf9d5 RBX: ffff888075669998 RCX: ffff8880279b1e80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffff888075cab901 R08: ffff88807566999b R09: 1ffff1100eacd333
R10: dffffc0000000000 R11: ffffed100eacd334 R12: dffffc0000000000
R13: 1ffff1100eb95751 R14: ffff888075669830 R15: dffffc0000000000
FS:  000055556cc43500(0000) GS:ffff888125b79000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7cfd1156c0 CR3: 00000000246e4000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 copy_process+0x18e7/0x3930 kernel/fork.c:2196
 kernel_clone+0x21e/0x840 kernel/fork.c:2609
 __do_sys_clone kernel/fork.c:2750 [inline]
 __se_sys_clone kernel/fork.c:2734 [inline]
 __x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2734
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7cfc385e13
Code: 1f 84 00 00 00 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 89 c2 85 c0 75 2c 64 48 8b 04 25 10 00 00
RSP: 002b:00007ffeab10e9d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cfc385e13
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: 000055556cc437d0 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000927c0 R14: 0000000000021378 R15: 00007ffeab10eb70
 </TASK>


Tested on:

commit:         9c0826a5 Add linux-next specific files for 20251107
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=162110b4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4f8fcc6438a785e7
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12afd812580000



* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
       [not found] <20251107111638.19373-1-kartikey406@gmail.com>
@ 2025-11-07 11:50 ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-11-07 11:50 UTC
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in alloc_pid

------------[ cut here ]------------
WARNING: ./include/linux/ns_common.h:288 at __ns_ref_active_get include/linux/ns_common.h:288 [inline], CPU#1: syz-executor/6382
WARNING: ./include/linux/ns_common.h:288 at alloc_pid+0xad6/0xc70 kernel/pid.c:285, CPU#1: syz-executor/6382
Modules linked in:
CPU: 1 UID: 0 PID: 6382 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__ns_ref_active_get include/linux/ns_common.h:288 [inline]
RIP: 0010:alloc_pid+0xad6/0xc70 kernel/pid.c:285
Code: cc e8 3e d8 34 00 be 02 00 00 00 eb 0a e8 32 d8 34 00 be 01 00 00 00 48 89 df e8 65 da 0c 03 e9 84 fa ff ff e8 1b d8 34 00 90 <0f> 0b 90 e9 2c fd ff ff e8 0d d8 34 00 90 0f 0b 90 e9 5b fd ff ff
RSP: 0018:ffffc9000213f9d8 EFLAGS: 00010293
RAX: ffffffff818cfa95 RBX: ffff888074ae5998 RCX: ffff88802a181e80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffff888024e7a701 R08: ffff888074ae599b R09: 1ffff1100e95cb33
R10: dffffc0000000000 R11: ffffed100e95cb34 R12: dffffc0000000000
R13: 1ffff110049cf511 R14: ffff888074ae5830 R15: dffffc0000000000
FS:  000055558ad86500(0000) GS:ffff888125b79000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f201af156c0 CR3: 0000000078776000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 copy_process+0x18e7/0x3930 kernel/fork.c:2196
 kernel_clone+0x21e/0x840 kernel/fork.c:2609
 __do_sys_clone kernel/fork.c:2750 [inline]
 __se_sys_clone kernel/fork.c:2734 [inline]
 __x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2734
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f201a185e13
Code: 1f 84 00 00 00 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 89 c2 85 c0 75 2c 64 48 8b 04 25 10 00 00
RSP: 002b:00007ffe79514908 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f201a185e13
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: 000055558ad867d0 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000927c0 R14: 00000000000271be R15: 00007ffe79514aa0
 </TASK>


Tested on:

commit:         9c0826a5 Add linux-next specific files for 20251107
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11f67012580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4f8fcc6438a785e7
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1755ca92580000



* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
       [not found] <20251107114102.22298-1-kartikey406@gmail.com>
@ 2025-11-07 13:06 ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-11-07 13:06 UTC
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

970707b2'
[   21.974518][    T1] zswap: loaded using pool 842
[   21.982912][    T1] Demotion targets for Node 0: null
[   21.988200][    T1] Demotion targets for Node 1: null
[   21.993522][    T1] debug_vm_pgtable: [debug_vm_pgtable         ]: Validating architecture page table helpers
[   24.797559][    T1] Key type .fscrypt registered
[   24.802517][    T1] Key type fscrypt-provisioning registered
[   24.811687][    T1] kAFS: Red Hat AFS client v0.1 registering.
[   24.837336][    T1] Btrfs loaded, assert=on, zoned=yes, fsverity=yes
[   24.844500][    T1] Key type big_key registered
[   24.849260][    T1] Key type encrypted registered
[   24.854106][    T1] AppArmor: AppArmor sha256 policy hashing enabled
[   24.860731][    T1] ima: No TPM chip found, activating TPM-bypass!
[   24.867175][    T1] Loading compiled-in module X.509 certificates
[   24.894366][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: de56e482b03ecd8d239a6590830ee0f7970707b2'
[   24.905348][    T1] ima: Allocated hash algorithm: sha256
[   24.911357][    T1] ima: No architecture policies found
[   24.917173][    T1] evm: Initialising EVM extended attributes:
[   24.923151][    T1] evm: security.selinux (disabled)
[   24.928238][    T1] evm: security.SMACK64 (disabled)
[   24.933355][    T1] evm: security.SMACK64EXEC (disabled)
[   24.938815][    T1] evm: security.SMACK64TRANSMUTE (disabled)
[   24.944683][    T1] evm: security.SMACK64MMAP (disabled)
[   24.950134][    T1] evm: security.apparmor
[   24.954370][    T1] evm: security.ima
[   24.958145][    T1] evm: security.capability
[   24.962553][    T1] evm: HMAC attrs: 0x1
[   24.968988][    T1] PM:   Magic number: 1:272:986
[   24.973842][    T1] net rose20: hash matches
[   24.978361][    T1] dsp_pipeline hwec: hash matches
[   24.984302][    T1] netconsole: network logging started
[   24.990369][    T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[   25.002183][    T1] rdma_rxe: loaded
[   25.007915][    T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   25.019009][    T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   25.026972][    T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[   25.038011][    T1] clk: Disabling unused clocks
[   25.043143][    T1] ALSA device list:
[   25.044532][  T793] faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2
[   25.046952][    T1]   #0: Dummy 1
[   25.046964][    T1]   #1: Loopback 1
[   25.056659][  T793] faux_driver regulatory: Falling back to sysfs fallback for: regulatory.db
[   25.072704][    T1]   #2: Virtual MIDI Card 1
[   25.080464][    T1] check access for rdinit=/init failed: -2, ignoring
[   25.087134][    T1] md: Waiting for all devices to be available before autodetect
[   25.094786][    T1] md: If you don't use raid, use raid=noautodetect
[   25.101311][    T1] md: Autodetecting RAID arrays.
[   25.106328][    T1] md: autorun ...
[   25.109974][    T1] md: ... autorun DONE.
[   25.202934][    T1] EXT4-fs (sda1): orphan cleanup on readonly fs
[   25.211522][    T1] EXT4-fs (sda1): mounted filesystem 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 ro with ordered data mode. Quota mode: none.
[   25.224301][    T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[   25.234167][    T1] devtmpfs: mounted
[   25.311718][    T1] Freeing unused kernel image (initmem) memory: 26112K
[   25.322460][    T1] Write protecting the kernel read-only data: 212992k
[   25.341592][    T1] Freeing unused kernel image (text/rodata gap) memory: 1436K
[   25.353977][    T1] Freeing unused kernel image (rodata/data gap) memory: 1240K
[   25.458459][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   25.466412][    T1] x86/mm: Checking user space page tables
[   25.555644][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   25.568271][    T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[   25.578126][    T1] Run /sbin/init as init process
[   25.833630][ T5157] mount (5157) used greatest stack depth: 23816 bytes left
[   25.885026][ T5158] EXT4-fs (sda1): re-mounted 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 r/w.
[   25.897827][ T5158] mount (5158) used greatest stack depth: 23624 bytes left
mount: mounting devtmpfs on /dev failed: Device or resource busy
mount: mounting smackfs on /sys/fs/smackfs failed: No such file or directory
mount: mounting selinuxfs on /sys/fs/selinux failed: No such file or directory
[   26.026823][ T5162] mount (5162) used greatest stack depth: 21672 bytes left
Starting syslogd: OK
Starting acpid: [   26.448559][ T5177] acpid (5177) used greatest stack depth: 20968 bytes left
OK
Starting klogd: OK
Running sysctl: OK
Populating /dev using udev: [   27.039741][ T5192] udevd[5192]: starting version 3.2.14
[   27.206253][ T5193] udevd[5193]: starting eudev-3.2.14
[   27.210256][ T5192] udevd (5192) used greatest stack depth: 18088 bytes left
done
Starting system message bus: done
Starting iptables: OK
Starting network: OK
Starting dhcpcd...
dhcpcd-10.2.0 starting
[   46.776298][ T5487] ------------[ cut here ]------------
[   46.781953][ T5487] WARNING: ./include/linux/ns_common.h:314 at nsfs_evict+0x18e/0x200, CPU#1: dhcpcd/5487
[   46.792403][ T5487] Modules linked in:
[   46.796337][ T5487] CPU: 1 UID: 0 PID: 5487 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   46.805316][ T5487] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[   46.815409][ T5487] RIP: 0010:nsfs_evict+0x18e/0x200
[   46.820563][ T5487] Code: 4d 8b 1e 48 89 df 5b 41 5c 41 5d 41 5e 41 5f 5d 41 ff e3 cc cc cc e8 01 c7 76 ff 90 0f 0b 90 e9 1f ff ff ff e8 f3 c6 76 ff 90 <0f> 0b 90 e9 42 ff ff ff e8 e5 c6 76 ff 90 0f 0b 90 e9 72 ff ff ff
[   46.840207][ T5487] RSP: 0018:ffffc900039afa28 EFLAGS: 00010293
[   46.846262][ T5487] RAX: ffffffff824b0e3d RBX: ffffffff9a180fd8 RCX: ffff88802e6d1e80
[   46.854272][ T5487] RDX: 0000000000000000 RSI: 00000000effffff8 RDI: 00000000effffff8
[   46.862272][ T5487] RBP: 00000000effffff8 R08: ffffffff9a181093 R09: 1ffffffff3430212
[   46.870298][ T5487] R10: dffffc0000000000 R11: fffffbfff3430213 R12: dffffc0000000000
[   46.878265][ T5487] R13: 1ffffffff34301fe R14: ffff88807a7cf248 R15: ffffffff9a180ff0
[   46.886301][ T5487] FS:  00007f5b3bc92740(0000) GS:ffff888125b78000(0000) knlGS:0000000000000000
[   46.895267][ T5487] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   46.901937][ T5487] CR2: 0000563ddc89c4a0 CR3: 000000006f210000 CR4: 00000000003526f0
[   46.909942][ T5487] Call Trace:
[   46.913233][ T5487]  <TASK>
[   46.916163][ T5487]  ? __pfx_nsfs_evict+0x10/0x10
[   46.921065][ T5487]  evict+0x5f4/0xae0
[   46.925002][ T5487]  ? __pfx_evict+0x10/0x10
[   46.929539][ T5487]  ? _raw_spin_unlock+0x28/0x50
[   46.934391][ T5487]  ? iput+0xce7/0x1050
[   46.938444][ T5487]  __dentry_kill+0x209/0x660
[   46.943076][ T5487]  ? dput+0x37/0x2b0
[   46.946973][ T5487]  dput+0x19f/0x2b0
[   46.950799][ T5487]  path_put+0x39/0x60
[   46.954833][ T5487]  vfs_statx+0x36e/0x550
[   46.959106][ T5487]  ? __pfx_vfs_statx+0x10/0x10
[   46.963873][ T5487]  ? strncpy_from_user+0x150/0x2c0
[   46.969019][ T5487]  ? getname_flags+0x1e5/0x540
[   46.973824][ T5487]  vfs_fstatat+0x118/0x170
[   46.978223][ T5487]  __x64_sys_newfstatat+0x116/0x190
[   46.983447][ T5487]  ? __pfx___x64_sys_newfstatat+0x10/0x10
[   46.989202][ T5487]  ? do_syscall_64+0xbe/0xfa0
[   46.993883][ T5487]  do_syscall_64+0xfa/0xfa0
[   46.998365][ T5487]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   47.004477][ T5487]  ? clear_bhb_loop+0x60/0xb0
[   47.009189][ T5487]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   47.015094][ T5487] RIP: 0033:0x7f5b3bd86b0a
[   47.019580][ T5487] Code: 48 8b 15 f1 f2 0d 00 f7 d8 64 89 02 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 41 89 ca b8 06 01 00 00 0f 05 <3d> 00 f0 ff ff 77 07 31 c0 c3 0f 1f 40 00 48 8b 15 b9 f2 0d 00 f7
[   47.039327][ T5487] RSP: 002b:00007ffc209e1718 EFLAGS: 00000246 ORIG_RAX: 0000000000000106
[   47.047744][ T5487] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f5b3bd86b0a
[   47.055741][ T5487] RDX: 00007ffc209e1720 RSI: 0000563ddc8c4557 RDI: 00000000ffffff9c
[   47.063747][ T5487] RBP: 00007ffc209e3eb8 R08: 0000000000000000 R09: 0000000000000000
[   47.071763][ T5487] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc209e2890
[   47.079775][ T5487] R13: 0000563e1752d8a0 R14: 0000000000001000 R15: 00007f5b3bc926c8
[   47.087762][ T5487]  </TASK>
[   47.090819][ T5487] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   47.098094][ T5487] CPU: 1 UID: 0 PID: 5487 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   47.107008][ T5487] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[   47.117042][ T5487] Call Trace:
[   47.120305][ T5487]  <TASK>
[   47.123217][ T5487]  dump_stack_lvl+0x99/0x250
[   47.127804][ T5487]  ? __asan_memcpy+0x40/0x70
[   47.132372][ T5487]  ? __pfx_dump_stack_lvl+0x10/0x10
[   47.137549][ T5487]  ? __pfx__printk+0x10/0x10
[   47.142123][ T5487]  vpanic+0x237/0x6d0
[   47.146171][ T5487]  ? __pfx_vpanic+0x10/0x10
[   47.150648][ T5487]  ? is_bpf_text_address+0x292/0x2b0
[   47.155913][ T5487]  ? is_bpf_text_address+0x26/0x2b0
[   47.161096][ T5487]  panic+0xb9/0xc0
[   47.164798][ T5487]  ? __pfx_panic+0x10/0x10
[   47.169202][ T5487]  __warn+0x334/0x4c0
[   47.173160][ T5487]  ? nsfs_evict+0x18e/0x200
[   47.177641][ T5487]  ? nsfs_evict+0x18e/0x200
[   47.182126][ T5487]  report_bug+0x2be/0x4f0
[   47.186436][ T5487]  ? nsfs_evict+0x18e/0x200
[   47.190915][ T5487]  ? nsfs_evict+0x18e/0x200
[   47.195395][ T5487]  ? nsfs_evict+0x190/0x200
[   47.199876][ T5487]  handle_bug+0x84/0x160
[   47.204114][ T5487]  exc_invalid_op+0x1a/0x50
[   47.208629][ T5487]  asm_exc_invalid_op+0x1a/0x20
[   47.213486][ T5487] RIP: 0010:nsfs_evict+0x18e/0x200
[   47.218605][ T5487] Code: 4d 8b 1e 48 89 df 5b 41 5c 41 5d 41 5e 41 5f 5d 41 ff e3 cc cc cc e8 01 c7 76 ff 90 0f 0b 90 e9 1f ff ff ff e8 f3 c6 76 ff 90 <0f> 0b 90 e9 42 ff ff ff e8 e5 c6 76 ff 90 0f 0b 90 e9 72 ff ff ff
[   47.238215][ T5487] RSP: 0018:ffffc900039afa28 EFLAGS: 00010293
[   47.244897][ T5487] RAX: ffffffff824b0e3d RBX: ffffffff9a180fd8 RCX: ffff88802e6d1e80
[   47.252860][ T5487] RDX: 0000000000000000 RSI: 00000000effffff8 RDI: 00000000effffff8
[   47.260822][ T5487] RBP: 00000000effffff8 R08: ffffffff9a181093 R09: 1ffffffff3430212
[   47.268783][ T5487] R10: dffffc0000000000 R11: fffffbfff3430213 R12: dffffc0000000000
[   47.276756][ T5487] R13: 1ffffffff34301fe R14: ffff88807a7cf248 R15: ffffffff9a180ff0
[   47.284739][ T5487]  ? nsfs_evict+0x18d/0x200
[   47.289248][ T5487]  ? nsfs_evict+0x18d/0x200
[   47.293742][ T5487]  ? __pfx_nsfs_evict+0x10/0x10
[   47.298581][ T5487]  evict+0x5f4/0xae0
[   47.302483][ T5487]  ? __pfx_evict+0x10/0x10
[   47.306894][ T5487]  ? _raw_spin_unlock+0x28/0x50
[   47.311737][ T5487]  ? iput+0xce7/0x1050
[   47.315801][ T5487]  __dentry_kill+0x209/0x660
[   47.320380][ T5487]  ? dput+0x37/0x2b0
[   47.324265][ T5487]  dput+0x19f/0x2b0
[   47.328059][ T5487]  path_put+0x39/0x60
[   47.332030][ T5487]  vfs_statx+0x36e/0x550
[   47.336284][ T5487]  ? __pfx_vfs_statx+0x10/0x10
[   47.341048][ T5487]  ? strncpy_from_user+0x150/0x2c0
[   47.346174][ T5487]  ? getname_flags+0x1e5/0x540
[   47.350940][ T5487]  vfs_fstatat+0x118/0x170
[   47.355369][ T5487]  __x64_sys_newfstatat+0x116/0x190
[   47.360640][ T5487]  ? __pfx___x64_sys_newfstatat+0x10/0x10
[   47.366383][ T5487]  ? do_syscall_64+0xbe/0xfa0
[   47.371078][ T5487]  do_syscall_64+0xfa/0xfa0
[   47.375592][ T5487]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   47.381648][ T5487]  ? clear_bhb_loop+0x60/0xb0
[   47.386425][ T5487]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   47.392748][ T5487] RIP: 0033:0x7f5b3bd86b0a
[   47.397245][ T5487] Code: 48 8b 15 f1 f2 0d 00 f7 d8 64 89 02 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 41 89 ca b8 06 01 00 00 0f 05 <3d> 00 f0 ff ff 77 07 31 c0 c3 0f 1f 40 00 48 8b 15 b9 f2 0d 00 f7
[   47.416866][ T5487] RSP: 002b:00007ffc209e1718 EFLAGS: 00000246 ORIG_RAX: 0000000000000106
[   47.425277][ T5487] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f5b3bd86b0a
[   47.433236][ T5487] RDX: 00007ffc209e1720 RSI: 0000563ddc8c4557 RDI: 00000000ffffff9c
[   47.441215][ T5487] RBP: 00007ffc209e3eb8 R08: 0000000000000000 R09: 0000000000000000
[   47.449171][ T5487] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc209e2890
[   47.457124][ T5487] R13: 0000563e1752d8a0 R14: 0000000000001000 R15: 00007f5b3bc926c8
[   47.465097][ T5487]  </TASK>
[   47.468346][ T5487] Kernel Offset: disabled
[   47.472660][ T5487] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1222549954=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at a6c9c731229
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=a6c9c7312290da5bca2fc1be4872a7aeefb6e3ea -X github.com/google/syzkaller/prog.gitRevisionDate=20251104-181356"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=a6c9c7312290da5bca2fc1be4872a7aeefb6e3ea -X github.com/google/syzkaller/prog.gitRevisionDate=20251104-181356"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=a6c9c7312290da5bca2fc1be4872a7aeefb6e3ea -X github.com/google/syzkaller/prog.gitRevisionDate=20251104-181356"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"a6c9c7312290da5bca2fc1be4872a7aeefb6e3ea\"
/usr/bin/ld: /tmp/ccl2NrsB.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=17b05084580000


Tested on:

commit:         9c0826a5 Add linux-next specific files for 20251107
git tree:       linux-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=4f8fcc6438a785e7
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11e03812580000



* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
       [not found] <20251107114335.22409-1-kartikey406@gmail.com>
@ 2025-11-07 13:44 ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-11-07 13:44 UTC
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

 26.481884][    T1] Loading compiled-in X.509 certificates
[   26.516950][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: f5143acf1d690a3971428b7fa3c37300acff3a6e'
[   26.900243][    T1] zswap: loaded using pool 842
[   26.908732][    T1] Demotion targets for Node 0: null
[   26.914058][    T1] Demotion targets for Node 1: null
[   26.919319][    T1] debug_vm_pgtable: [debug_vm_pgtable         ]: Validating architecture page table helpers
[   29.792072][    T1] Key type .fscrypt registered
[   29.796868][    T1] Key type fscrypt-provisioning registered
[   29.806376][    T1] kAFS: Red Hat AFS client v0.1 registering.
[   29.835595][    T1] Btrfs loaded, assert=on, zoned=yes, fsverity=yes
[   29.843055][    T1] Key type big_key registered
[   29.847786][    T1] Key type encrypted registered
[   29.852651][    T1] AppArmor: AppArmor sha256 policy hashing enabled
[   29.859262][    T1] ima: No TPM chip found, activating TPM-bypass!
[   29.865703][    T1] Loading compiled-in module X.509 certificates
[   29.898151][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: f5143acf1d690a3971428b7fa3c37300acff3a6e'
[   29.909093][    T1] ima: Allocated hash algorithm: sha256
[   29.915206][    T1] ima: No architecture policies found
[   29.921406][    T1] evm: Initialising EVM extended attributes:
[   29.927394][    T1] evm: security.selinux (disabled)
[   29.932519][    T1] evm: security.SMACK64 (disabled)
[   29.937623][    T1] evm: security.SMACK64EXEC (disabled)
[   29.943088][    T1] evm: security.SMACK64TRANSMUTE (disabled)
Starting dhcpcd...
dhcpcd-10.2.0 starting
[   56.220735][ T5488] ------------[ cut here ]------------
[   56.226516][ T5488] WARNING: ./include/linux/ns_common.h:314 at nsfs_evict+0x18e/0x200, CPU#1: dhcpcd/5488
[   56.236736][ T5488] Modules linked in:
[   56.240773][ T5488] CPU: 1 UID: 0 PID: 5488 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   56.249797][ T5488] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[   56.260095][ T5488] RIP: 0010:nsfs_evict+0x18e/0x200
[   56.265291][ T5488] Code: 4d 8b 1e 48 89 df 5b 41 5c 41 5d 41 5e 41 5f 5d 41 ff e3 cc cc cc e8 01 c7 76 ff 90 0f 0b 90 e9 1f ff ff ff e8 f3 c6 76 ff 90 <0f> 0b 90 e9 42 ff ff ff e8 e5 c6 76 ff 90 0f 0b 90 e9 72 ff ff ff
[   56.285086][ T5488] RSP: 0018:ffffc9000389fa28 EFLAGS: 00010293
[   56.291186][ T5488] RAX: ffffffff824b0e3d RBX: ffffffff9a180fd8 RCX: ffff888027d00000
[   56.299224][ T5488] RDX: 0000000000000000 RSI: 00000000effffff8 RDI: 00000000effffff8
[   56.307291][ T5488] RBP: 00000000effffff8 R08: ffffffff9a181093 R09: 1ffffffff3430212
[   56.315341][ T5488] R10: dffffc0000000000 R11: fffffbfff3430213 R12: dffffc0000000000
[   56.323376][ T5488] R13: 1ffffffff34301fe R14: ffff888077f26d50 R15: ffffffff9a180ff0
[   56.331386][ T5488] FS:  00007ff1e1049740(0000) GS:ffff888125b78000(0000) knlGS:0000000000000000
[   56.340332][ T5488] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   56.346978][ T5488] CR2: 00005604455e84a0 CR3: 000000007d5e6000 CR4: 00000000003526f0
[   56.354995][ T5488] Call Trace:
[   56.358288][ T5488]  <TASK>
[   56.361298][ T5488]  ? __pfx_nsfs_evict+0x10/0x10
[   56.366173][ T5488]  evict+0x5f4/0xae0
[   56.370068][ T5488]  ? __pfx_evict+0x10/0x10
[   56.374531][ T5488]  ? _raw_spin_unlock+0x28/0x50
[   56.379401][ T5488]  ? iput+0xce7/0x1050
[   56.383538][ T5488]  __dentry_kill+0x209/0x660
[   56.388147][ T5488]  ? dput+0x37/0x2b0
[   56.392093][ T5488]  dput+0x19f/0x2b0
[   56.395945][ T5488]  path_put+0x39/0x60
[   56.399929][ T5488]  vfs_statx+0x36e/0x550
[   56.404250][ T5488]  ? __pfx_vfs_statx+0x10/0x10
[   56.409209][ T5488]  ? strncpy_from_user+0x150/0x2c0
[   56.414394][ T5488]  ? getname_flags+0x1e5/0x540
[   56.419195][ T5488]  vfs_fstatat+0x118/0x170
[   56.423710][ T5488]  __x64_sys_newfstatat+0x116/0x190
[   56.428941][ T5488]  ? __pfx___x64_sys_newfstatat+0x10/0x10
[   56.434927][ T5488]  ? do_syscall_64+0xbe/0xfa0
[   56.439644][ T5488]  do_syscall_64+0xfa/0xfa0
[   56.444214][ T5488]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   56.450300][ T5488]  ? clear_bhb_loop+0x60/0xb0
[   56.455019][ T5488]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   56.460957][ T5488] RIP: 0033:0x7ff1e113db0a
[   56.465433][ T5488] Code: 48 8b 15 f1 f2 0d 00 f7 d8 64 89 02 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 41 89 ca b8 06 01 00 00 0f 05 <3d> 00 f0 ff ff 77 07 31 c0 c3 0f 1f 40 00 48 8b 15 b9 f2 0d 00 f7
[   56.485147][ T5488] RSP: 002b:00007ffe530d70b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000106
[   56.493625][ T5488] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007ff1e113db0a
[   56.501659][ T5488] RDX: 00007ffe530d70c0 RSI: 0000560445610557 RDI: 00000000ffffff9c
[   56.509645][ T5488] RBP: 00007ffe530d9858 R08: 0000000000000000 R09: 0000000000000000
[   56.517679][ T5488] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe530d8230
[   56.525708][ T5488] R13: 000056044e3fd8a0 R14: 0000000000001000 R15: 00007ff1e10496c8
[   56.533830][ T5488]  </TASK>
[   56.536879][ T5488] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   56.544239][ T5488] CPU: 1 UID: 0 PID: 5488 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   56.553163][ T5488] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[   56.563227][ T5488] Call Trace:
[   56.566502][ T5488]  <TASK>
[   56.569528][ T5488]  dump_stack_lvl+0x99/0x250
[   56.574131][ T5488]  ? __asan_memcpy+0x40/0x70
[   56.578721][ T5488]  ? __pfx_dump_stack_lvl+0x10/0x10
[   56.583912][ T5488]  ? __pfx__printk+0x10/0x10
[   56.588500][ T5488]  vpanic+0x237/0x6d0
[   56.592733][ T5488]  ? __pfx_vpanic+0x10/0x10
[   56.597237][ T5488]  ? is_bpf_text_address+0x292/0x2b0
[   56.602529][ T5488]  ? is_bpf_text_address+0x26/0x2b0
[   56.607740][ T5488]  panic+0xb9/0xc0
[   56.611464][ T5488]  ? __pfx_panic+0x10/0x10
[   56.615906][ T5488]  __warn+0x334/0x4c0
[   56.619892][ T5488]  ? nsfs_evict+0x18e/0x200
[   56.624402][ T5488]  ? nsfs_evict+0x18e/0x200
[   56.628910][ T5488]  report_bug+0x2be/0x4f0
[   56.633248][ T5488]  ? nsfs_evict+0x18e/0x200
[   56.637754][ T5488]  ? nsfs_evict+0x18e/0x200
[   56.642261][ T5488]  ? nsfs_evict+0x190/0x200
[   56.646864][ T5488]  handle_bug+0x84/0x160
[   56.651109][ T5488]  exc_invalid_op+0x1a/0x50
[   56.655637][ T5488]  asm_exc_invalid_op+0x1a/0x20
[   56.660495][ T5488] RIP: 0010:nsfs_evict+0x18e/0x200
[   56.665614][ T5488] Code: 4d 8b 1e 48 89 df 5b 41 5c 41 5d 41 5e 41 5f 5d 41 ff e3 cc cc cc e8 01 c7 76 ff 90 0f 0b 90 e9 1f ff ff ff e8 f3 c6 76 ff 90 <0f> 0b 90 e9 42 ff ff ff e8 e5 c6 76 ff 90 0f 0b 90 e9 72 ff ff ff
[   56.685231][ T5488] RSP: 0018:ffffc9000389fa28 EFLAGS: 00010293
[   56.691305][ T5488] RAX: ffffffff824b0e3d RBX: ffffffff9a180fd8 RCX: ffff888027d00000
[   56.699276][ T5488] RDX: 0000000000000000 RSI: 00000000effffff8 RDI: 00000000effffff8
[   56.707248][ T5488] RBP: 00000000effffff8 R08: ffffffff9a181093 R09: 1ffffffff3430212
[   56.715395][ T5488] R10: dffffc0000000000 R11: fffffbfff3430213 R12: dffffc0000000000
[   56.723457][ T5488] R13: 1ffffffff34301fe R14: ffff888077f26d50 R15: ffffffff9a180ff0
[   56.731441][ T5488]  ? nsfs_evict+0x18d/0x200
[   56.735961][ T5488]  ? nsfs_evict+0x18d/0x200
[   56.740466][ T5488]  ? __pfx_nsfs_evict+0x10/0x10
[   56.745344][ T5488]  evict+0x5f4/0xae0
[   56.749272][ T5488]  ? __pfx_evict+0x10/0x10
[   56.753700][ T5488]  ? _raw_spin_unlock+0x28/0x50
[   56.758559][ T5488]  ? iput+0xce7/0x1050
[   56.762727][ T5488]  __dentry_kill+0x209/0x660
[   56.767321][ T5488]  ? dput+0x37/0x2b0
[   56.771225][ T5488]  dput+0x19f/0x2b0
[   56.775046][ T5488]  path_put+0x39/0x60
[   56.779037][ T5488]  vfs_statx+0x36e/0x550
[   56.783307][ T5488]  ? __pfx_vfs_statx+0x10/0x10
[   56.788107][ T5488]  ? strncpy_from_user+0x150/0x2c0
[   56.793251][ T5488]  ? getname_flags+0x1e5/0x540
[   56.798034][ T5488]  vfs_fstatat+0x118/0x170
[   56.802466][ T5488]  __x64_sys_newfstatat+0x116/0x190
[   56.807674][ T5488]  ? __pfx___x64_sys_newfstatat+0x10/0x10
[   56.813445][ T5488]  ? do_syscall_64+0xbe/0xfa0
[   56.818158][ T5488]  do_syscall_64+0xfa/0xfa0
[   56.822684][ T5488]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   56.828855][ T5488]  ? clear_bhb_loop+0x60/0xb0
[   56.833544][ T5488]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   56.839529][ T5488] RIP: 0033:0x7ff1e113db0a
[   56.844039][ T5488] Code: 48 8b 15 f1 f2 0d 00 f7 d8 64 89 02 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 41 89 ca b8 06 01 00 00 0f 05 <3d> 00 f0 ff ff 77 07 31 c0 c3 0f 1f 40 00 48 8b 15 b9 f2 0d 00 f7
[   56.863750][ T5488] RSP: 002b:00007ffe530d70b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000106
[   56.872366][ T5488] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007ff1e113db0a
[   56.880429][ T5488] RDX: 00007ffe530d70c0 RSI: 0000560445610557 RDI: 00000000ffffff9c
[   56.888417][ T5488] RBP: 00007ffe530d9858 R08: 0000000000000000 R09: 0000000000000000
[   56.896404][ T5488] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe530d8230
[   56.904382][ T5488] R13: 000056044e3fd8a0 R14: 0000000000001000 R15: 00007ff1e10496c8
[   56.912381][ T5488]  </TASK>
[   56.915663][ T5488] Kernel Offset: disabled
[   56.920100][ T5488] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14843812580000


Tested on:

commit:         9c0826a5 Add linux-next specific files for 20251107
git tree:       linux-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=4f8fcc6438a785e7
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=167110b4580000



* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-06  1:36 syzbot
@ 2025-11-09  8:24 ` syzbot
  2025-11-11  9:24   ` Christian Brauner
  0 siblings, 1 reply; 15+ messages in thread
From: syzbot @ 2025-11-09  8:24 UTC (permalink / raw)
  To: Liam.Howlett, Liam.Howlett, akpm, bpf, brauner, bsegall, david,
	dietmar.eggemann, jack, jsavitz, juri.lelli, kartikey406, kees,
	linux-fsdevel, linux-kernel, linux-mm, linux-security-module,
	lorenzo.stoakes, mgorman, mhocko, mingo, mjguzik, oleg, paul,
	peterz, rostedt, rppt, sergeh, surenb, syzkaller-bugs, vbabka,
	vincent.guittot, viro, vschneid

syzbot has bisected this issue to:

commit 3a18f809184bc5a1cfad7cde5b8b026e2ff61587
Author: Christian Brauner <brauner@kernel.org>
Date:   Wed Oct 29 12:20:24 2025 +0000

    ns: add active reference count

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11a350b4580000
start commit:   9c0826a5d9aa Add linux-next specific files for 20251107
git tree:       linux-next
final oops:     https://syzkaller.appspot.com/x/report.txt?x=13a350b4580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15a350b4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f2ebeee52bf052b8
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1639d084580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1625aa92580000

Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
Fixes: 3a18f809184b ("ns: add active reference count")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-09  8:24 ` syzbot
@ 2025-11-11  9:24   ` Christian Brauner
  2025-11-11  9:46     ` syzbot
  0 siblings, 1 reply; 15+ messages in thread
From: Christian Brauner @ 2025-11-11  9:24 UTC (permalink / raw)
  To: syzbot
  Cc: Liam.Howlett, akpm, bpf, bsegall, david, dietmar.eggemann, jack,
	jsavitz, juri.lelli, kartikey406, kees, linux-fsdevel,
	linux-kernel, linux-mm, linux-security-module, lorenzo.stoakes,
	mgorman, mhocko, mingo, mjguzik, oleg, paul, peterz, rostedt,
	rppt, sergeh, surenb, syzkaller-bugs, vbabka, vincent.guittot,
	viro, vschneid

On Sun, Nov 09, 2025 at 12:24:02AM -0800, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 3a18f809184bc5a1cfad7cde5b8b026e2ff61587
> Author: Christian Brauner <brauner@kernel.org>
> Date:   Wed Oct 29 12:20:24 2025 +0000
> 
>     ns: add active reference count
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11a350b4580000
> start commit:   9c0826a5d9aa Add linux-next specific files for 20251107
> git tree:       linux-next
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=13a350b4580000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15a350b4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f2ebeee52bf052b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1639d084580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1625aa92580000
> 
> Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
> Fixes: 3a18f809184b ("ns: add active reference count")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

#syz test: https://github.com/brauner/linux.git namespace-6.19


* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-11  9:24   ` Christian Brauner
@ 2025-11-11  9:46     ` syzbot
  2025-11-11 10:26       ` Christian Brauner
  0 siblings, 1 reply; 15+ messages in thread
From: syzbot @ 2025-11-11  9:46 UTC (permalink / raw)
  To: akpm, bpf, brauner, bsegall, david, dietmar.eggemann, jack,
	jsavitz, juri.lelli, kartikey406, kees, liam.howlett,
	linux-fsdevel, linux-kernel, linux-mm, linux-security-module,
	lorenzo.stoakes, mgorman, mhocko, mingo, mjguzik, oleg, paul,
	peterz, rostedt, rppt, sergeh, surenb, syzkaller-bugs, vbabka,
	vincent.guittot, viro, vschneid

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __ns_ref_active_put

------------[ cut here ]------------
WARNING: CPU: 0 PID: 6489 at kernel/nscommon.c:171 __ns_ref_active_put+0x3d7/0x450 kernel/nscommon.c:171
Modules linked in:
CPU: 0 UID: 0 PID: 6489 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__ns_ref_active_put+0x3d7/0x450 kernel/nscommon.c:171
Code: 4d 8b 3e e9 1b fd ff ff e8 b6 61 32 00 90 0f 0b 90 e9 29 fd ff ff e8 a8 61 32 00 90 0f 0b 90 e9 59 fd ff ff e8 9a 61 32 00 90 <0f> 0b 90 e9 72 ff ff ff e8 8c 61 32 00 90 0f 0b 90 e9 64 ff ff ff
RSP: 0018:ffffc90003457d50 EFLAGS: 00010293
RAX: ffffffff818e5b86 RBX: 00000000ffffffff RCX: ffff88802cc69e40
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
RBP: ffffc90003457e00 R08: ffff8880320be42b R09: 1ffff11006417c85
R10: dffffc0000000000 R11: ffffed1006417c86 R12: dffffc0000000000
R13: 1ffff11006417c84 R14: ffff8880320be420 R15: ffff8880320be428
FS:  00007fe11c3746c0(0000) GS:ffff888125cf3000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d863fff CR3: 000000007798c000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 nsproxy_ns_active_put+0x4a/0x200 fs/nsfs.c:701
 free_nsproxy+0x21/0x140 kernel/nsproxy.c:190
 put_nsset kernel/nsproxy.c:341 [inline]
 __do_sys_setns kernel/nsproxy.c:594 [inline]
 __se_sys_setns+0x1459/0x1c60 kernel/nsproxy.c:559
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe11b590ef7
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 34 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe11c373fd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000134
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe11b590ef7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000c9
RBP: 00007fe11b611f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe11b7e6038 R14: 00007fe11b7e5fa0 R15: 00007ffcd9b83d18
 </TASK>


Tested on:

commit:         18b5c400 Merge patch series "ns: header cleanups and i..
git tree:       https://github.com/brauner/linux.git namespace-6.19
console output: https://syzkaller.appspot.com/x/log.txt?x=12c08658580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=59952e73920025e4
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.


* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-11  9:46     ` syzbot
@ 2025-11-11 10:26       ` Christian Brauner
  2025-11-11 11:02         ` syzbot
  0 siblings, 1 reply; 15+ messages in thread
From: Christian Brauner @ 2025-11-11 10:26 UTC (permalink / raw)
  To: syzbot
  Cc: akpm, bpf, bsegall, david, dietmar.eggemann, jack, jsavitz,
	juri.lelli, kartikey406, kees, liam.howlett, linux-fsdevel,
	linux-kernel, linux-mm, linux-security-module, lorenzo.stoakes,
	mgorman, mhocko, mingo, mjguzik, oleg, paul, peterz, rostedt,
	rppt, sergeh, surenb, syzkaller-bugs, vbabka, vincent.guittot,
	viro, vschneid

On Tue, Nov 11, 2025 at 01:46:03AM -0800, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in __ns_ref_active_put

#syz test: https://github.com/brauner/linux.git namespace-6.19.fixes


* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-11 10:26       ` Christian Brauner
@ 2025-11-11 11:02         ` syzbot
  2025-11-11 11:23           ` Christian Brauner
  0 siblings, 1 reply; 15+ messages in thread
From: syzbot @ 2025-11-11 11:02 UTC (permalink / raw)
  To: akpm, bpf, brauner, bsegall, david, dietmar.eggemann, jack,
	jsavitz, juri.lelli, kartikey406, kees, liam.howlett,
	linux-fsdevel, linux-kernel, linux-mm, linux-security-module,
	lorenzo.stoakes, mgorman, mhocko, mingo, mjguzik, oleg, paul,
	peterz, rostedt, rppt, sergeh, surenb, syzkaller-bugs, vbabka,
	vincent.guittot, viro, vschneid

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

SYZFAIL: failed to recv rpc

SYZFAIL: failed to recv rpc


[  108.474331][   T67] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  108.484170][   T67] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
SYZFAIL: failed to recv rpc


syzkaller build log:
go env (err=<nil>)

git status (err=<nil>)
HEAD detached at 4e1406b4def
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"4e1406b4defac0e2a9d9424c70706f79a7750cf3\"
/usr/bin/ld: /tmp/ccimHo7N.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         ae901e5e Merge patch series "ns: fixes for namespace i..
git tree:       https://github.com/brauner/linux.git namespace-6.19.fixes
kernel config:  https://syzkaller.appspot.com/x/.config?x=7b0bf36f88602817
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.


* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-11 11:02         ` syzbot
@ 2025-11-11 11:23           ` Christian Brauner
  2025-11-11 11:38             ` Christian Brauner
  0 siblings, 1 reply; 15+ messages in thread
From: Christian Brauner @ 2025-11-11 11:23 UTC (permalink / raw)
  To: syzbot
  Cc: akpm, bpf, bsegall, david, dietmar.eggemann, jack, jsavitz,
	juri.lelli, kartikey406, kees, liam.howlett, linux-fsdevel,
	linux-kernel, linux-mm, linux-security-module, lorenzo.stoakes,
	mgorman, mhocko, mingo, mjguzik, oleg, paul, peterz, rostedt,
	rppt, sergeh, surenb, syzkaller-bugs, vbabka, vincent.guittot,
	viro, vschneid

On Tue, Nov 11, 2025 at 03:02:03AM -0800, syzbot wrote:
> Hello,
> 
> syzbot tried to test the proposed patch but the build/boot failed:

I think that's unrelated. Anyway, I managed to point this to the wrong
branch. I'll send another test request in a bit.


* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-11 11:23           ` Christian Brauner
@ 2025-11-11 11:38             ` Christian Brauner
  2025-11-11 13:03               ` syzbot
  0 siblings, 1 reply; 15+ messages in thread
From: Christian Brauner @ 2025-11-11 11:38 UTC (permalink / raw)
  To: syzbot
  Cc: akpm, bpf, bsegall, david, dietmar.eggemann, jack, jsavitz,
	juri.lelli, kartikey406, kees, liam.howlett, linux-fsdevel,
	linux-kernel, linux-mm, linux-security-module, lorenzo.stoakes,
	mgorman, mhocko, mingo, mjguzik, oleg, paul, peterz, rostedt,
	rppt, sergeh, surenb, syzkaller-bugs, vbabka, vincent.guittot,
	viro, vschneid

On Tue, Nov 11, 2025 at 12:23:18PM +0100, Christian Brauner wrote:
> On Tue, Nov 11, 2025 at 03:02:03AM -0800, syzbot wrote:
> > Hello,
> > 
> > syzbot tried to test the proposed patch but the build/boot failed:
> 
> I think that's unrelated. Anyway, I managed to point this to the wrong
> branch. I'll send another test request in a bit.

#syz test: https://github.com/brauner/linux.git namespace-6.19


* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-11 11:38             ` Christian Brauner
@ 2025-11-11 13:03               ` syzbot
  2025-11-11 15:07                 ` Christian Brauner
  0 siblings, 1 reply; 15+ messages in thread
From: syzbot @ 2025-11-11 13:03 UTC (permalink / raw)
  To: akpm, bpf, brauner, bsegall, david, dietmar.eggemann, jack,
	jsavitz, juri.lelli, kartikey406, kees, liam.howlett,
	linux-fsdevel, linux-kernel, linux-mm, linux-security-module,
	lorenzo.stoakes, mgorman, mhocko, mingo, mjguzik, oleg, paul,
	peterz, rostedt, rppt, sergeh, surenb, syzkaller-bugs, vbabka,
	vincent.guittot, viro, vschneid

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __ns_ref_active_put

------------[ cut here ]------------
WARNING: CPU: 0 PID: 6581 at kernel/nscommon.c:171 __ns_ref_active_put+0x3d7/0x450 kernel/nscommon.c:171
Modules linked in:
CPU: 0 UID: 0 PID: 6581 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__ns_ref_active_put+0x3d7/0x450 kernel/nscommon.c:171
Code: 4d 8b 3e e9 1b fd ff ff e8 76 62 32 00 90 0f 0b 90 e9 29 fd ff ff e8 68 62 32 00 90 0f 0b 90 e9 59 fd ff ff e8 5a 62 32 00 90 <0f> 0b 90 e9 72 ff ff ff e8 4c 62 32 00 90 0f 0b 90 e9 64 ff ff ff
RSP: 0018:ffffc9000238fd68 EFLAGS: 00010293
RAX: ffffffff818e5946 RBX: 00000000ffffffff RCX: ffff8880302ebc80
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
RBP: ffffc9000238fe00 R08: ffff888078968c2b R09: 1ffff1100f12d185
R10: dffffc0000000000 R11: ffffed100f12d186 R12: dffffc0000000000
R13: 1ffff1100f12d184 R14: ffff888078968c20 R15: ffff888078968c28
FS:  00007efc0fd536c0(0000) GS:ffff888125cf3000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33263fff CR3: 0000000030876000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 nsproxy_ns_active_put+0x4a/0x200 fs/nsfs.c:701
 free_nsproxy kernel/nsproxy.c:80 [inline]
 put_nsset kernel/nsproxy.c:316 [inline]
 __do_sys_setns kernel/nsproxy.c:-1 [inline]
 __se_sys_setns+0x1349/0x1b60 kernel/nsproxy.c:534
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efc0ef90ef7
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 34 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efc0fd52fd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000134
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007efc0ef90ef7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000c9
RBP: 00007efc0f011f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efc0f1e6038 R14: 00007efc0f1e5fa0 R15: 00007fff5692b648
 </TASK>


Tested on:

commit:         cc719c88 nsproxy: fix free_nsproxy() and simplify crea..
git tree:       https://github.com/brauner/linux.git namespace-6.19
console output: https://syzkaller.appspot.com/x/log.txt?x=1613f17c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=59952e73920025e4
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.


* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-11 13:03               ` syzbot
@ 2025-11-11 15:07                 ` Christian Brauner
  2025-11-11 16:14                   ` syzbot
  0 siblings, 1 reply; 15+ messages in thread
From: Christian Brauner @ 2025-11-11 15:07 UTC (permalink / raw)
  To: syzbot
  Cc: akpm, bpf, bsegall, david, dietmar.eggemann, jack, jsavitz,
	juri.lelli, kartikey406, kees, liam.howlett, linux-fsdevel,
	linux-kernel, linux-mm, linux-security-module, lorenzo.stoakes,
	mgorman, mhocko, mingo, mjguzik, oleg, paul, peterz, rostedt,
	rppt, sergeh, surenb, syzkaller-bugs, vbabka, vincent.guittot,
	viro, vschneid

On Tue, Nov 11, 2025 at 05:03:03AM -0800, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in __ns_ref_active_put

#syz test: https://github.com/brauner/linux.git namespace-6.19

Groan, forgot the actual important bit after the cleanup:

  * Called from unshare. Unshare all the namespaces part of nsproxy.
  * On success, returns the new nsproxy.
@@ -338,7 +313,7 @@ static void put_nsset(struct nsset *nsset)
        if (nsset->fs && (flags & CLONE_NEWNS) && (flags & ~CLONE_NEWNS))
                free_fs_struct(nsset->fs);
        if (nsset->nsproxy)
-               free_nsproxy(nsset->nsproxy);
+               nsproxy_free(nsset->nsproxy);
 }
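
Review bot: In put_nsset(), the new call nsproxy_free(nsset->nsproxy) differs from the old free_nsproxy(nsset->nsproxy) only in word order, and nothing at the call site says why this path needs the other helper. The trace syzbot posted earlier in the thread reaches nsproxy_ns_active_put() through free_nsproxy() inlined into put_nsset(), so a one-line comment above the call stating how nsproxy_free() differs and why the setns cleanup path needs it would keep a later cleanup from switching it back. The fragment also opens with two comment lines left over from the preceding hunk and carries no file header, so it cannot be applied as posted; a complete diff would make the change reviewable on its own.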



* Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put
  2025-11-11 15:07                 ` Christian Brauner
@ 2025-11-11 16:14                   ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-11-11 16:14 UTC (permalink / raw)
  To: akpm, bpf, brauner, bsegall, david, dietmar.eggemann, jack,
	jsavitz, juri.lelli, kartikey406, kees, liam.howlett,
	linux-fsdevel, linux-kernel, linux-mm, linux-security-module,
	lorenzo.stoakes, mgorman, mhocko, mingo, mjguzik, oleg, paul,
	peterz, rostedt, rppt, sergeh, surenb, syzkaller-bugs, vbabka,
	vincent.guittot, viro, vschneid

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
Tested-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com

Tested on:

commit:         d2bab7f2 nsproxy: fix free_nsproxy() and simplify crea..
git tree:       https://github.com/brauner/linux.git namespace-6.19
console output: https://syzkaller.appspot.com/x/log.txt?x=123a8658580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=59952e73920025e4
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

