[PATCH] fs/namespace: fix double hlist_del_init of mnt_mp_list in get_detached_copy()

Deepanshu Kartikey posted 1 patch 1 week, 6 days ago
Posted by Deepanshu Kartikey 1 week, 6 days ago
get_detached_copy() builds a new anonymous mount namespace for
open_tree(OPEN_TREE_CLONE) by iterating all mounts in the cloned tree
and calling mnt_add_to_ns() for each. However, child mounts in the
cloned tree have their mnt_mp_list linked into the original mountpoint's
m_list via mnt_set_mountpoint(). mnt_add_to_ns() only updates the
namespace RB tree and never removes mnt_mp_list from that list.

When both the original and new anonymous namespaces are torn down on
process exit, put_mnt_ns() -> umount_tree() -> __umount_mnt() calls
hlist_del_init() on mnt_mp_list for each mount. Since the same mount
belongs to two namespaces, hlist_del_init() is called twice on the same
node, corrupting the list and causing a general protection fault.

Fix this by calling hlist_del_init() on mnt_mp_list and clearing mnt_mp
for each mount inside the loop in get_detached_copy(). This detaches
them from the original mountpoint's m_list. Clearing mnt_mp also
prevents __umount_mnt() from passing a stale pointer to
maybe_free_mountpoint() during teardown.

Reported-by: syzbot+e4470cc28308f2081ec8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e4470cc28308f2081ec8
Tested-by: syzbot+e4470cc28308f2081ec8@syzkaller.appspotmail.com
Fixes: 2eea9ce4310d ("mounts: keep list of mounts in an rbtree")
Signed-off-by: Deepanshu kartikey <Kartikey406@gmail.com>
---
 fs/namespace.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c
index 854f4fc66469..04e7ffd7fcf5 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3063,6 +3063,10 @@ static struct mnt_namespace *get_detached_copy(const struct path *path, unsigned
 
 	for (p = mnt; p; p = next_mnt(p, mnt)) {
 		mnt_add_to_ns(ns, p);
+		if (p->mnt_mp) {
+			hlist_del_init(&p->mnt_mp_list);
+			p->mnt_mp = NULL;
+		}
 		ns->nr_mounts++;
 	}
 	ns->root = mnt;
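Review bot: the new block unconditionally severs the mountpoint linkage of every mount visited by the loop (hlist_del_init on mnt_mp_list, then mnt_mp = NULL), which leaves child mounts that still have a parent in the copied tree with no mountpoint record at all; if the double unlink the commit message describes is real, the unlink should be restricted to the mounts that are actually still on the original mountpoint's m_list, and the stale linkage should be fixed where the copy is created rather than cleared here. The premise also needs checking before the hunk can be judged: mnt_add_to_ns(ns, p) on the line above is inserting each p into the new namespace, so if p were genuinely the same struct mount that another namespace still owns, that insertion is the first thing that would go wrong, not the later teardown; the maintainer reply below rejects both the analysis and the fix on exactly that basis.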
-- 
2.43.0
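To make the teardown step described in the commit message concrete, the following is an added userspace model of the kernel's hlist primitives (re-implemented from the semantics of include/linux/list.h, not the kernel's or the patch author's code) plus a back-link consistency check of the kind CONFIG_DEBUG_LIST performs; it exercises a repeated hlist_del_init() on the same node. The names hlist_check and demo_double_del_init and the three-node m_list model are assumptions constructed for the example.

```c
/* Userspace re-implementation of the kernel hlist primitives, following
 * the semantics of include/linux/list.h (constructed for this example). */
#include <stddef.h>
#include <stdbool.h>

struct hlist_head { struct hlist_node *first; };
struct hlist_node { struct hlist_node *next, **pprev; };

static inline void INIT_HLIST_NODE(struct hlist_node *n) { n->next = NULL; n->pprev = NULL; }
static inline bool hlist_unhashed(const struct hlist_node *n) { return !n->pprev; }

static inline void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	n->next = h->first;
	if (h->first)
		h->first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

static inline void __hlist_del(struct hlist_node *n)
{
	*n->pprev = n->next;
	if (n->next)
		n->next->pprev = n->pprev;
}

/* Only unlinks a hashed node and then re-initialises it, so a second
 * call on a node that was not re-linked in between is a no-op. */
static inline void hlist_del_init(struct hlist_node *n)
{
	if (!hlist_unhashed(n)) { __hlist_del(n); INIT_HLIST_NODE(n); }
}

/* Consistency check: every node's pprev must point back at the pointer
 * that reaches it. Returns the node count, or -1 on corruption. */
int hlist_check(struct hlist_head *h)
{
	int n = 0;
	struct hlist_node **pp = &h->first;
	for (struct hlist_node *p = h->first; p; pp = &p->next, p = p->next) {
		if (p->pprev != pp)
			return -1;
		n++;
	}
	return n;
}

/* Model of a mountpoint's m_list holding three mounts (constructed data);
 * unlink one mount twice, as the commit message says happens at teardown. */
int demo_double_del_init(void)
{
	struct hlist_head m_list = { NULL };
	struct hlist_node m[3];
	for (int i = 0; i < 3; i++) { INIT_HLIST_NODE(&m[i]); hlist_add_head(&m[i], &m_list); }
	hlist_del_init(&m[1]);
	hlist_del_init(&m[1]);          /* second call: node is unhashed, nothing happens */
	if (!hlist_unhashed(&m[1]))
		return -1;
	return hlist_check(&m_list);    /* two mounts remain, back-links intact */
}
```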
Re: [PATCH] fs/namespace: fix double hlist_del_init of mnt_mp_list in get_detached_copy()
Posted by Christian Brauner 1 week, 6 days ago
On Sat, Mar 21, 2026 at 11:54:12AM +0530, Deepanshu Kartikey wrote:
> get_detached_copy() builds a new anonymous mount namespace for
> open_tree(OPEN_TREE_CLONE) by iterating all mounts in the cloned tree
> and calling mnt_add_to_ns() for each. However, child mounts in the
> cloned tree have their mnt_mp_list linked into the original mountpoint's
> m_list via mnt_set_mountpoint(). mnt_add_to_ns() only updates the
> namespace RB tree and never removes mnt_mp_list from that list.
> 
> When both the original and new anonymous namespaces are torn down on
> process exit, put_mnt_ns() -> umount_tree() -> __umount_mnt() calls
> hlist_del_init() on mnt_mp_list for each mount. Since the same mount
> belongs to two namespaces, hlist_del_init() is called twice on the same
> node, corrupting the list and causing a general protection fault.
> 
> Fix this by calling hlist_del_init() on mnt_mp_list and clearing mnt_mp
> for each mount inside the loop in get_detached_copy(). This detaches
> them from the original mountpoint's m_list. Clearing mnt_mp also
> prevents __umount_mnt() from passing a stale pointer to
> maybe_free_mountpoint() during teardown.
> 
> Reported-by: syzbot+e4470cc28308f2081ec8@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=e4470cc28308f2081ec8
> Tested-by: syzbot+e4470cc28308f2081ec8@syzkaller.appspotmail.com
> Fixes: 2eea9ce4310d ("mounts: keep list of mounts in an rbtree")
> Signed-off-by: Deepanshu kartikey <Kartikey406@gmail.com>
> ---

Both the analysis and the fix are unfortunately very wrong.
The original culprit is how we create partial mount namespace copies.
I have a fix for that ready to go later.