[BUG] landlock: sleeping function called from invalid context in hook_sb_delete()

许佳凯 xujiakai24 at mails.ucas.ac.cn
Wed Nov 12 02:35:17 UTC 2025


Hello,
This issue occurs when unmounting a tmpfs filesystem that has previously been added to a Landlock path-beneath rule.
During this operation, the kernel reports a “sleeping function called from invalid context” bug in hook_sb_delete() (security/landlock/fs.c).


This bug was initially discovered on the Linux riscv branch via a fuzzing framework.
It was later confirmed reproducible on Linux mainline v6.18-rc5 (x86).
The tested kernel source, configuration, and related materials are provided below:
  Kernel source: https://git.kernel.org/torvalds/t/linux-6.18-rc5.tar.gz
  Config file: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/.config
  Reproducer source: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/repro.cprog
  GCC compiler info: https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/gcc.info
  Kernel log (dmesg): https://github.com/j1akai/KConfigFuzz_bug/blob/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b/dmesg.info
  Additional riscv fuzzing context (report0, etc.): https://github.com/j1akai/KConfigFuzz_bug/tree/main/report/0c844d5f7bcf0ac21ef4ed85459676ab264e8b6b


The call trace indicates that hook_sb_delete() holds s_inode_list_lock (a spinlock) while invoking operations that may eventually call iput(), which can sleep.
This violates the locking context expectations and triggers __might_sleep() warnings.
The issue seems to be related to how Landlock handles superblock cleanup during security_sb_delete().


I’m currently only reporting this issue to the community; the exact fix will likely need to be confirmed and implemented by the Landlock and filesystem maintainers.
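As an added illustration of the bug class the trace describes (this is not code from the report, from the reproducer, or from security/landlock/fs.c), the following userspace C model shows why a sleeping call under a spinlock is flagged and the usual shape of a fix. A counter stands in for the kernel's atomic/preempt depth, a model_might_sleep() check stands in for might_sleep(), and model_iput() stands in for iput(): dropping the final reference evicts the inode, which may sleep. The buggy walker puts references while the list lock is held; the fixed walker records which inodes to release under the lock, drops the lock, and only then calls the sleeping function. All names beginning with model_ and drop_refs_ are hypothetical, and the three-inode superblock in main() is constructed sample data.

```c
/*
 * Added example, not from the report or from security/landlock/fs.c.
 * A userspace model of the bug class in the trace: a spinlock holder calls a
 * function that may sleep. All names here (model_*, drop_refs_*) are
 * hypothetical stand-ins for s_inode_list_lock, iput() and might_sleep().
 */
#include <stdio.h>

/* Models the kernel's atomic/preempt depth: nonzero while a spinlock is held. */
static int atomic_depth;
/* Counts calls of a sleeping function made while atomic_depth > 0. */
static int might_sleep_violations;

struct model_inode {
    int refcount;
    int evicted;               /* set when the final reference is dropped */
    struct model_inode *next;  /* stands in for the sb->s_inodes list link */
};

struct model_sb {
    struct model_inode *inodes;  /* stands in for sb->s_inodes */
};

/* Stand-ins for spin_lock()/spin_unlock() on s_inode_list_lock. */
static void model_spin_lock(void)   { atomic_depth++; }
static void model_spin_unlock(void) { atomic_depth--; }

/* Stand-in for might_sleep(): flags a sleeping call made in atomic context. */
static void model_might_sleep(const char *who)
{
    if (atomic_depth > 0) {
        might_sleep_violations++;
        fprintf(stderr, "BUG: sleeping function called from invalid context: %s\n", who);
    }
}

/* Stand-in for iput(): dropping the last reference evicts the inode, which may sleep. */
static void model_iput(struct model_inode *inode)
{
    if (--inode->refcount == 0) {
        model_might_sleep("evict_inode");
        inode->evicted = 1;
    }
}

/* Builds a constructed superblock whose inodes arr[0..n-1] start with refs[k] references. */
void model_sb_init(struct model_sb *sb, struct model_inode *arr, const int *refs, int n)
{
    sb->inodes = NULL;
    for (int k = n - 1; k >= 0; k--) {
        arr[k].refcount = refs[k];
        arr[k].evicted = 0;
        arr[k].next = sb->inodes;
        sb->inodes = &arr[k];
    }
}

/* Buggy walker: drops references while the list lock is still held.
 * Returns the number of might_sleep violations it caused. */
int drop_refs_buggy(struct model_sb *sb)
{
    might_sleep_violations = 0;
    model_spin_lock();
    for (struct model_inode *i = sb->inodes; i; i = i->next)
        if (i->refcount > 0)
            model_iput(i);          /* may sleep under the spinlock */
    model_spin_unlock();
    return might_sleep_violations;
}

/* Fixed walker: note the inodes to release under the lock, then release them
 * with the lock dropped. The references being dropped keep the inodes alive
 * across the unlock. Returns the number of might_sleep violations (expected 0).
 * The fixed-size batch is a simplification of this model, not a kernel pattern. */
int drop_refs_fixed(struct model_sb *sb)
{
    enum { MAX_PUT = 64 };
    struct model_inode *to_put[MAX_PUT];
    int n = 0;

    might_sleep_violations = 0;
    model_spin_lock();
    for (struct model_inode *i = sb->inodes; i && n < MAX_PUT; i = i->next)
        if (i->refcount > 0)
            to_put[n++] = i;        /* no sleeping call here */
    model_spin_unlock();

    for (int k = 0; k < n; k++)
        model_iput(to_put[k]);      /* sleeping allowed: no lock held */
    return might_sleep_violations;
}

int main(void)
{
    struct model_inode inodes[3];
    struct model_sb sb;
    const int refs[3] = {1, 2, 1};  /* constructed sample: two inodes on their last reference */

    model_sb_init(&sb, inodes, refs, 3);
    printf("buggy walker: %d violation(s)\n", drop_refs_buggy(&sb));
    model_sb_init(&sb, inodes, refs, 3);
    printf("fixed walker: %d violation(s)\n", drop_refs_fixed(&sb));
    return 0;
}
```

The model only counts violations; in the kernel the same condition is reported by might_sleep() with the trace quoted in this report. The point it isolates is that the eviction work is unchanged between the two walkers; what changes is whether the list lock is still held when it runs.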

