[v5.15] Internal error in sys_name_to_handle_at

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: c79648372d02 Linux 5.15.189
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=143355bc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e47345638b85bd0
dashboard link: https://syzkaller.appspot.com/bug?extid=0cfc7680cffaf1117776
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ab49562317a/disk-c7964837.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e847ec1e38d3/vmlinux-c7964837.xz
kernel image: https://storage.googleapis.com/syzbot-assets/263158c6371c/Image-c7964837.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0cfc76...@syzkaller.appspotmail.com

rock: directory entry would overflow storage
rock: sig=0x5245, size=8, remaining=5
Internal error: Oops - BTI: 0000000036000001 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 7661 Comm: syz.0.1559 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 42400405 (nZcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=jc)
pc : do_sys_name_to_handle fs/fhandle.c:72 [inline]
pc : __do_sys_name_to_handle_at fs/fhandle.c:109 [inline]
pc : __se_sys_name_to_handle_at fs/fhandle.c:93 [inline]
pc : __arm64_sys_name_to_handle_at+0x4d0/0x678 fs/fhandle.c:93
lr : do_sys_name_to_handle fs/fhandle.c:72 [inline]
lr : __do_sys_name_to_handle_at fs/fhandle.c:109 [inline]
lr : __se_sys_name_to_handle_at fs/fhandle.c:93 [inline]
lr : __arm64_sys_name_to_handle_at+0x494/0x678 fs/fhandle.c:93
sp : ffff8000201c7c60
x29: ffff8000201c7d20 x28: dfff800000000000 x27: ffff8000201c7c80
x26: ffff700004038f90 x25: 0000000000000000 x24: 0000000000000008
x23: 00000000ffffffb5 x22: 0000000000400140 x21: 00000000fffffff2
x20: 0000000000000000 x19: 0000000020002680 x18: 0000000000000001
x17: ffff8000111b85b8 x16: ffff800008a81a80 x15: ffff80000805b008
x14: ffff80000805b234 x13: 1ffff0000282e06b x12: 0000000000ff0100
x11: 0000000000000000 x10: 0000000000000002 x9 : 0000ffffffffffff
x8 : 0000000000000076 x7 : ffff800008750ed4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000001
x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
do_sys_name_to_handle fs/fhandle.c:72 [inline]
__do_sys_name_to_handle_at fs/fhandle.c:109 [inline]
__se_sys_name_to_handle_at fs/fhandle.c:93 [inline]
__arm64_sys_name_to_handle_at+0x4d0/0x678 fs/fhandle.c:93
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: b94002a8 2a1f03f5 2a1f03e0 b8000a88 (2a1503e1)
---[ end trace b0e334f5725e0c1a ]---
----------------
Code disassembly (best guess):
0: b94002a8 ldr w8, [x21]
4: 2a1f03f5 mov w21, wzr
8: 2a1f03e0 mov w0, wzr
c: b8000a88 sttr w8, [x20]
* 10: 2a1503e1 mov w1, w21 <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: c79648372d02 Linux 5.15.189
git tree: linux-5.15.y

console output: https://syzkaller.appspot.com/x/log.txt?x=1743c9a2580000

kernel config: https://syzkaller.appspot.com/x/.config?x=9e47345638b85bd0
dashboard link: https://syzkaller.appspot.com/bug?extid=0cfc7680cffaf1117776
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16dbb434580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1288f1a2580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ab49562317a/disk-c7964837.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e847ec1e38d3/vmlinux-c7964837.xz
kernel image: https://storage.googleapis.com/syzbot-assets/263158c6371c/Image-c7964837.gz.xz

mounted in repro: https://storage.googleapis.com/syzbot-assets/f5d4a27cb709/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=12dbb434580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0cfc76...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 256

Internal error: Oops - BTI: 0000000036000001 [#1] PREEMPT SMP
Modules linked in:

CPU: 1 PID: 4247 Comm: syz.0.17 Not tainted 5.15.189-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 42400405 (nZcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=jc)
pc : do_sys_name_to_handle fs/fhandle.c:72 [inline]
pc : __do_sys_name_to_handle_at fs/fhandle.c:109 [inline]
pc : __se_sys_name_to_handle_at fs/fhandle.c:93 [inline]
pc : __arm64_sys_name_to_handle_at+0x4d0/0x678 fs/fhandle.c:93
lr : do_sys_name_to_handle fs/fhandle.c:72 [inline]
lr : __do_sys_name_to_handle_at fs/fhandle.c:109 [inline]
lr : __se_sys_name_to_handle_at fs/fhandle.c:93 [inline]
lr : __arm64_sys_name_to_handle_at+0x494/0x678 fs/fhandle.c:93

sp : ffff80001ffe7c60
x29: ffff80001ffe7d20 x28: dfff800000000000 x27: ffff80001ffe7c80
x26: ffff700003ffcf90 x25: 0000000000000000 x24: 0000000000000008

x23: 00000000ffffffb5 x22: 0000000000400140 x21: 00000000fffffff2

x20: 0000000000000000 x19: 00000000200000c0 x18: 0000000000000000

x17: ffff8000111b85b8 x16: ffff800008a81a80 x15: ffff80000805b008
x14: ffff80000805b234 x13: 1ffff0000282e06b x12: 0000000000ff0100

x11: 0000000000000000 x10: 0000000000000000 x9 : 0000ffffffffffff
x8 : 0000000000000032 x7 : ffff800008750ed4 x6 : 0000000000000000

x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000001
x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
do_sys_name_to_handle fs/fhandle.c:72 [inline]
__do_sys_name_to_handle_at fs/fhandle.c:109 [inline]
__se_sys_name_to_handle_at fs/fhandle.c:93 [inline]
__arm64_sys_name_to_handle_at+0x4d0/0x678 fs/fhandle.c:93
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: b94002a8 2a1f03f5 2a1f03e0 b8000a88 (2a1503e1)

---[ end trace 6317c5b2db66b6bc ]---

----------------
Code disassembly (best guess):
0: b94002a8 ldr w8, [x21]
4: 2a1f03f5 mov w21, wzr
8: 2a1f03e0 mov w0, wzr
c: b8000a88 sttr w8, [x20]
* 10: 2a1503e1 mov w1, w21 <-- trapping instruction


---

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.