Re: [syzbot] [fs?] possible deadlock in put_mnt_ns

[Christian Brauner]

On Thu, Jan 15, 2026 at 01:50:24AM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    0f853ca2a798 Add linux-next specific files for 20260113
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1386f99a580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=789b351b8a4cafe1
> dashboard link: https://syzkaller.appspot.com/bug?extid=55fd613012e606d75d45
> compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1482859a580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13402052580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/9c7778b6d6be/disk-0f853ca2.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/ea278b0d6aff/vmlinux-0f853ca2.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/60b94236c918/bzImage-0f853ca2.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+55fd613012e606d75d45@xxxxxxxxxxxxxxxxxxxxxxxxx
> 
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> R13: 00007fca229e5fa0 R14: 00007fca229e5fa0 R15: 0000000000000003
>  </TASK>
> ============================================
> WARNING: possible recursive locking detected
> syzkaller #0 Not tainted
> --------------------------------------------
> syz.0.23/6026 is trying to acquire lock:
> ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: namespace_lock fs/namespace.c:1730 [inline]
> ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: class_namespace_excl_constructor fs/namespace.c:101 [inline]
> ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: put_mnt_ns+0x170/0x2f0 fs/namespace.c:6241
> 
> but task is already holding lock:
> ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: namespace_lock fs/namespace.c:1730 [inline]
> ffffffff8e49efd0 (namespace_sem){++++}-{4:4}, at: lock_mount_exact+0x89/0x630 fs/namespace.c:3852
> 
> other info that might help us debug this:
>  Possible unsafe locking scenario:
> 
>        CPU0
>        ----
>   lock(namespace_sem);
>   lock(namespace_sem);

Groan, simple fix. opening nsfs fd must be done outside of the lock as
it would drop the mntns reference. Fixing.