get_detached_copy() builds a new anonymous mount namespace for open_tree(OPEN_TREE_CLONE) by iterating all mounts in the cloned tree and calling mnt_add_to_ns() for each. However, child mounts in the cloned tree have their mnt_mp_list linked into the original mountpoint's m_list via mnt_set_mountpoint(). mnt_add_to_ns() only updates the namespace RB tree and never removes mnt_mp_list from that list. When both the original and new anonymous namespaces are torn down on process exit, put_mnt_ns() -> umount_tree() -> __umount_mnt() calls hlist_del_init() on mnt_mp_list for each mount. Since the same mount belongs to two namespaces, hlist_del_init() is called twice on the same node, corrupting the list and causing a general protection fault. Fix this by calling hlist_del_init() on mnt_mp_list and clearing mnt_mp for each mount inside the loop in get_detached_copy(). This detaches them from the original mountpoint's m_list. Clearing mnt_mp also prevents __umount_mnt() from passing a stale pointer to maybe_free_mountpoint() during teardown. Reported-by: syzbot+e4470cc28308f2081ec8@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=e4470cc28308f2081ec8 Tested-by: syzbot+e4470cc28308f2081ec8@syzkaller.appspotmail.com Fixes: 2eea9ce4310d ("mounts: keep list of mounts in an rbtree") Signed-off-by: Deepanshu kartikey --- fs/namespace.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/namespace.c b/fs/namespace.c index 854f4fc66469..04e7ffd7fcf5 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3063,6 +3063,10 @@ static struct mnt_namespace *get_detached_copy(const struct path *path, unsigned for (p = mnt; p; p = next_mnt(p, mnt)) { mnt_add_to_ns(ns, p); + if (p->mnt_mp) { + hlist_del_init(&p->mnt_mp_list); + p->mnt_mp = NULL; + } ns->nr_mounts++; } ns->root = mnt; -- 2.43.0
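Review bot: the added block in get_detached_copy() unlinks each mount from its mountpoint's m_list and NULLs p->mnt_mp but never releases the reference the mount took on that mountpoint when it was attached through mnt_set_mountpoint(); by the commit message's own account, clearing mnt_mp is what stops __umount_mnt() from reaching maybe_free_mountpoint() at teardown, so nothing will ever drop that mountpoint's count again and it leaks for every child mount in the cloned tree. The mounts also stay attached to their parents (mnt_parent and mnt_mountpoint are untouched) while carrying a NULL mnt_mp, an inconsistent state the rest of fs/namespace.c does not expect for an attached mount. Rather than open-coding `hlist_del_init(&p->mnt_mp_list); p->mnt_mp = NULL;`, the detach should go through the existing helper that both unlinks and puts the mountpoint, or the cloned tree should be given mountpoints of its own. The commit message should also explain how a single struct mount ends up in both the original and the anonymous namespace, since get_detached_copy() works on the tree produced by cloning, which allocates fresh mounts; if the double hlist_del_init() is really on one node, the reason it is shared is the root cause and belongs in the changelog, and a reproducer from the syzbot report would help confirm the fix actually addresses it.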