When cleaning up peer group ids in the failure path we need to make sure to hold on to the namespace lock. Otherwise another thread might just turn the mount from a shared into a non-shared mount concurrently. Reported-by: syzbot+8ac3859139c685c4f597@xxxxxxxxxxxxxxxxxxxxxxxxx Link: https://lore.kernel.org/lkml/00000000000088694505f8132d77@xxxxxxxxxx Fixes: 2a1867219c7b ("fs: add mount_setattr()") Cc: stable@xxxxxxxxxxxxxxx # 5.12+ Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx> --- fs/namespace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index bc0f15257b49..6836e937ee61 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -4183,9 +4183,9 @@ static int do_mount_setattr(struct path *path, struct mount_kattr *kattr) unlock_mount_hash(); if (kattr->propagation) { - namespace_unlock(); if (err) cleanup_group_ids(mnt, NULL); + namespace_unlock(); } return err; --- base-commit: 197b6b60ae7bc51dd0814953c562833143b292aa change-id: 20230330-vfs-mount_setattr-propagation-fix-363b7c59d7fb
