On Tue, May 13, 2025 at 07:03:14PM +0800, Lai, Yi wrote:
> Hi Al Viro,
>
> Greetings!
>
> I used Syzkaller and found that there is a general protection fault in do_move_mount in linux v6.15-rc6.
>
> After bisection, the first bad commit is:
> "
> 267fc3a06a37 do_move_mount(): don't leak MNTNS_PROPAGATING on failures
> "
>
> All detailed info can be found at:
> https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount
> Syzkaller repro code:
> https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/repro.c
> Syzkaller repro syscall steps:
> https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/repro.prog
> Syzkaller report:
> https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/repro.report
> Kconfig(make olddefconfig):
> https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/kconfig_origin
> Bisect info:
> https://github.com/laifryiee/syzkaller_logs/tree/main/250513_095133_do_move_mount/bisect_info.log
> bzImage:
> https://github.com/laifryiee/syzkaller_logs/raw/refs/heads/main/250513_095133_do_move_mount/bzImage_82f2b0b97b36ee3fcddf0f0780a9a0825d52fec3
> Issue dmesg:
> https://github.com/laifryiee/syzkaller_logs/blob/main/250513_095133_do_move_mount/bzImage_82f2b0b97b36ee3fcddf0f0780a9a0825d52fec3

Are you sure that the stack traces are from the same reproducer? Because they look nothing like what it's doing... I'm pretty sure I see the problem there, but I don't see how it could fail to oops right in do_move_mount() itself if triggered... As a quick check, could you see if the same kernel + diff below still gives the same report?

diff --git a/fs/namespace.c b/fs/namespace.c index 1b466c54a357..a5983726e51d 100644 --- a/fs/namespace.c +++ b/fs/namespace.c
@@ -3722,7 +3722,7 @@ static int do_move_mount(struct path *old_path, if (attached) put_mountpoint(old_mp); out: - if (is_anon_ns(ns)) + if (!IS_ERR_OR_NULL(ns) && is_anon_ns(ns)) ns->mntns_flags &= ~MNTNS_PROPAGATING; unlock_mount(mp); if (!err) {
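Review bot: the `!IS_ERR_OR_NULL(ns) &&` guard added before `is_anon_ns(ns)` at the `out:` label only protects the cleanup path when `ns` actually holds NULL or an ERR_PTR value; it does nothing for a `goto out` taken before `ns` has been assigned at all, which this hunk's context cannot rule out. Before relying on this as a diagnostic, confirm that every jump to `out:` in do_move_mount() happens after `ns` is set (or initialise `ns` to NULL at its declaration), otherwise an uninitialised pointer would still be dereferenced and the report would look unchanged. It would also help to note in the changelog that the MNTNS_PROPAGATING clearing is only meaningful once `ns` is known, since the `out:` label is now reached from error paths that the original commit 267fc3a06a37 introduced.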