[syzbot] [exfat?] [gfs2?] WARNING in filename_symlinkat
1 view
Skip to first unread message
syzbot
Mar 5, 2026, 1:39:28 AM (yesterday) Mar 5
to bra...@kernel.org, gf...@lists.linux.dev, ja...@suse.cz, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,
syzbot found the following issue on:
HEAD commit: ecc64d2dc9ff Merge tag 'sysctl-7.00-fixes-rc3' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1754b5aa580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=123dbe4a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c99b5a580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ecc64d2d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/86a2ecaacd1b/vmlinux-ecc64d2d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b1dad86775e5/bzImage-ecc64d2d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1d38e5a93707/mount_4.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=17c57006580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff8880460da1f8, owner = 0x0, curr 0xffff8880371624c0, list empty
WARNING: kernel/locking/rwsem.c:1381 at __up_write kernel/locking/rwsem.c:1380 [inline], CPU#0: syz.0.31/5575
WARNING: kernel/locking/rwsem.c:1381 at up_write+0x2d6/0x410 kernel/locking/rwsem.c:1643, CPU#0: syz.0.31/5575
Modules linked in:
CPU: 0 UID: 0 PID: 5575 Comm: syz.0.31 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
Code: cc 8b 49 c7 c2 80 eb cc 8b 4c 0f 44 d0 48 8b 7c 24 08 48 c7 c6 e0 ed cc 8b 48 8b 14 24 4c 89 f1 4d 89 e0 4c 8b 4c 24 10 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 5a 83 0b 03 e9 67 fd ff ff 48 c7 c1
RSP: 0018:ffffc9000298fd80 EFLAGS: 00010246
RAX: ffffffff8bcceb60 RBX: ffff8880460da1f8 RCX: ffff8880460da1f8
RDX: 0000000000000000 RSI: ffffffff8bccede0 RDI: ffffffff901501f0
RBP: ffff8880460da250 R08: 0000000000000000 R09: ffff8880371624c0
R10: ffffffff8bcceb60 R11: ffffed1008c1b441 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8880460da1f8 R15: 1ffff11008c1b440
FS: 00007fbd46c406c0(0000) GS:ffff88808ca58000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbd45de9e80 CR3: 00000000412ea000 CR4: 0000000000352ef0
Call Trace:
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
end_dirop fs/namei.c:2947 [inline]
end_creating include/linux/namei.h:126 [inline]
end_creating_path fs/namei.c:4962 [inline]
filename_symlinkat+0x222/0x410 fs/namei.c:5642
__do_sys_symlinkat fs/namei.c:5660 [inline]
__se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbd45d9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbd46c40028 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007fbd46016090 RCX: 00007fbd45d9c799
RDX: 00002000000003c0 RSI: 0000000000000007 RDI: 0000200000000240
RBP: 00007fbd45e32bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fbd46016128 R14: 00007fbd46016090 R15: 00007ffcbe33eb58
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
31: e8 5a 83 0b 03 call 0x30b8390
36: e9 67 fd ff ff jmp 0xfffffda2
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: ecc64d2dc9ff Merge tag 'sysctl-7.00-fixes-rc3' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1754b5aa580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=123dbe4a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c99b5a580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ecc64d2d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/86a2ecaacd1b/vmlinux-ecc64d2d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b1dad86775e5/bzImage-ecc64d2d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1d38e5a93707/mount_4.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=17c57006580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff8880460da1f8, owner = 0x0, curr 0xffff8880371624c0, list empty
WARNING: kernel/locking/rwsem.c:1381 at __up_write kernel/locking/rwsem.c:1380 [inline], CPU#0: syz.0.31/5575
WARNING: kernel/locking/rwsem.c:1381 at up_write+0x2d6/0x410 kernel/locking/rwsem.c:1643, CPU#0: syz.0.31/5575
Modules linked in:
CPU: 0 UID: 0 PID: 5575 Comm: syz.0.31 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
Code: cc 8b 49 c7 c2 80 eb cc 8b 4c 0f 44 d0 48 8b 7c 24 08 48 c7 c6 e0 ed cc 8b 48 8b 14 24 4c 89 f1 4d 89 e0 4c 8b 4c 24 10 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 5a 83 0b 03 e9 67 fd ff ff 48 c7 c1
RSP: 0018:ffffc9000298fd80 EFLAGS: 00010246
RAX: ffffffff8bcceb60 RBX: ffff8880460da1f8 RCX: ffff8880460da1f8
RDX: 0000000000000000 RSI: ffffffff8bccede0 RDI: ffffffff901501f0
RBP: ffff8880460da250 R08: 0000000000000000 R09: ffff8880371624c0
R10: ffffffff8bcceb60 R11: ffffed1008c1b441 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8880460da1f8 R15: 1ffff11008c1b440
FS: 00007fbd46c406c0(0000) GS:ffff88808ca58000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbd45de9e80 CR3: 00000000412ea000 CR4: 0000000000352ef0
Call Trace:
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
end_dirop fs/namei.c:2947 [inline]
end_creating include/linux/namei.h:126 [inline]
end_creating_path fs/namei.c:4962 [inline]
filename_symlinkat+0x222/0x410 fs/namei.c:5642
__do_sys_symlinkat fs/namei.c:5660 [inline]
__se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbd45d9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbd46c40028 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007fbd46016090 RCX: 00007fbd45d9c799
RDX: 00002000000003c0 RSI: 0000000000000007 RDI: 0000200000000240
RBP: 00007fbd45e32bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fbd46016128 R14: 00007fbd46016090 R15: 00007ffcbe33eb58
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
31: e8 5a 83 0b 03 call 0x30b8390
36: e9 67 fd ff ff jmp 0xfffffda2
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Mar 5, 2026, 11:38:21 PM (5 hours ago) Mar 5
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] namei: fix parent inode unlock in end_creating_path()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
end_creating_path() calls end_dirop() which unlocks
dentry->d_parent->d_inode. However, the lock was originally acquired on
path->dentry by start_dirop() inside filename_create(). If a concurrent
operation such as renameat2(RENAME_EXCHANGE) modifies the dentry tree
between lock and unlock, dentry->d_parent may no longer point to the
originally locked inode, causing an unbalanced unlock.
Fix this by unlocking path->dentry directly in end_creating_path()
instead of deriving the parent from the child dentry. This ensures the
lock and unlock always operate on the same inode regardless of
concurrent dentry tree modifications.
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/namei.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..c861de965d86 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -4959,7 +4959,10 @@ EXPORT_SYMBOL(start_creating_path);
*/
void end_creating_path(const struct path *path, struct dentry *dentry)
{
- end_creating(dentry);
+ if (!IS_ERR(dentry)) {
+ inode_unlock(d_inode(path->dentry));
+ dput(dentry);
+ }
mnt_drop_write(path->mnt);
path_put(path);
}
--
2.43.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] namei: fix parent inode unlock in end_creating_path()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
end_creating_path() calls end_dirop() which unlocks
dentry->d_parent->d_inode. However, the lock was originally acquired on
path->dentry by start_dirop() inside filename_create(). If a concurrent
operation such as renameat2(RENAME_EXCHANGE) modifies the dentry tree
between lock and unlock, dentry->d_parent may no longer point to the
originally locked inode, causing an unbalanced unlock.
Fix this by unlocking path->dentry directly in end_creating_path()
instead of deriving the parent from the child dentry. This ensures the
lock and unlock always operate on the same inode regardless of
concurrent dentry tree modifications.
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/namei.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..c861de965d86 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -4959,7 +4959,10 @@ EXPORT_SYMBOL(start_creating_path);
*/
void end_creating_path(const struct path *path, struct dentry *dentry)
{
- end_creating(dentry);
+ if (!IS_ERR(dentry)) {
+ inode_unlock(d_inode(path->dentry));
+ dput(dentry);
+ }
mnt_drop_write(path->mnt);
path_put(path);
}
--
2.43.0
syzbot
Mar 5, 2026, 11:58:04 PM (5 hours ago) Mar 5
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff888046fac318, owner = 0x0, curr 0xffff888034380000, list empty
WARNING: kernel/locking/rwsem.c:1381 at __up_write kernel/locking/rwsem.c:1380 [inline], CPU#0: syz.0.17/5821
WARNING: kernel/locking/rwsem.c:1381 at up_write+0x2d6/0x410 kernel/locking/rwsem.c:1643, CPU#0: syz.0.17/5821
Modules linked in:
CPU: 0 UID: 0 PID: 5821 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
RSP: 0018:ffffc90004e77d80 EFLAGS: 00010246
RAX: ffffffff8bcceb60 RBX: ffff888046fac318 RCX: ffff888046fac318
RDX: 0000000000000000 RSI: ffffffff8bccede0 RDI: ffffffff901506e0
RBP: ffff888046fac370 R08: 0000000000000000 R09: ffff888034380000
R10: ffffffff8bcceb60 R11: ffffed1008df5865 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888046fac318 R15: 1ffff11008df5864
FS: 00007f56261876c0(0000) GS:ffff88808ca58000(0000) knlGS:0000000000000000
filename_symlinkat+0x20a/0x430 fs/namei.c:5645
__do_sys_symlinkat fs/namei.c:5663 [inline]
__se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5658
RAX: ffffffffffffffda RBX: 00007f5625616090 RCX: 00007f562539c799
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=163658d6580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff888046fac318, owner = 0x0, curr 0xffff888034380000, list empty
WARNING: kernel/locking/rwsem.c:1381 at __up_write kernel/locking/rwsem.c:1380 [inline], CPU#0: syz.0.17/5821
WARNING: kernel/locking/rwsem.c:1381 at up_write+0x2d6/0x410 kernel/locking/rwsem.c:1643, CPU#0: syz.0.17/5821
Modules linked in:
CPU: 0 UID: 0 PID: 5821 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
Code: cc 8b 49 c7 c2 80 eb cc 8b 4c 0f 44 d0 48 8b 7c 24 08 48 c7 c6 e0 ed cc 8b 48 8b 14 24 4c 89 f1 4d 89 e0 4c 8b 4c 24 10 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 7a a0 0b 03 e9 67 fd ff ff 48 c7 c1
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
RSP: 0018:ffffc90004e77d80 EFLAGS: 00010246
RAX: ffffffff8bcceb60 RBX: ffff888046fac318 RCX: ffff888046fac318
RDX: 0000000000000000 RSI: ffffffff8bccede0 RDI: ffffffff901506e0
RBP: ffff888046fac370 R08: 0000000000000000 R09: ffff888034380000
R10: ffffffff8bcceb60 R11: ffffed1008df5865 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888046fac318 R15: 1ffff11008df5864
FS: 00007f56261876c0(0000) GS:ffff88808ca58000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000037fcc000 CR4: 0000000000352ef0
Call Trace:
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
end_creating_path fs/namei.c:4963 [inline]
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
filename_symlinkat+0x20a/0x430 fs/namei.c:5645
__do_sys_symlinkat fs/namei.c:5663 [inline]
__se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5658
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f562539c799
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5626187028 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007f5625616090 RCX: 00007f562539c799
RDX: 00002000000003c0 RSI: 0000000000000007 RDI: 0000200000000240
RBP: 00007f5625432bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5625616128 R14: 00007f5625616090 R15: 00007ffcc1726508
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
31: e8 7a a0 0b 03 call 0x30ba0b0
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
36: e9 67 fd ff ff jmp 0xfffffda2
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
Tested on:
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=163658d6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=118d1552580000
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syzbot
12:22 AM (4 hours ago) 12:22 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] namei: add debug printk to trace parent inode lock state
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add debug printk statements to trace the parent directory inode rwsem
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
state through the symlink creation path. This helps identify which
component is dropping the parent inode's i_rwsem between start_dirop()
and end_dirop(), causing the unbalanced unlock WARNING in
filename_symlinkat().
The printk traces:
- rwsem owner/count after start_dirop() acquires the lock
- rwsem owner/count after vfs_symlink() returns
- rwsem owner/count at end_dirop() just before the unlock
- dentry->d_parent and path->dentry at each point
This is a temporary diagnostic patch and should be reverted once the
root cause is identified.
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..9584ff6dff47 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2944,6 +2944,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
void end_dirop(struct dentry *de)
{
if (!IS_ERR(de)) {
+ struct inode *dir = d_inode(de->d_parent);
+ pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+ de, de->d_parent, dir,
+ atomic_long_read(&dir->i_rwsem.count),
+ READ_ONCE(dir->i_rwsem.owner), current);
inode_unlock(de->d_parent->d_inode);
dput(de);
}
@@ -4922,7 +4927,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
if (IS_ERR(dentry))
goto out_drop_write;
-
+ pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+ dentry, dentry->d_parent, d_inode(dentry->d_parent),
+ (void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
if (unlikely(error))
goto fail;
@@ -4959,7 +4966,10 @@ EXPORT_SYMBOL(start_creating_path);
*/
void end_creating_path(const struct path *path, struct dentry *dentry)
{
- end_creating(dentry);
+ if (!IS_ERR(dentry)) {
+ inode_unlock(d_inode(path->dentry));
+ dput(dentry);
+ }
mnt_drop_write(path->mnt);
path_put(path);
}
@@ -5639,6 +5649,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
void end_creating_path(const struct path *path, struct dentry *dentry)
{
- end_creating(dentry);
+ if (!IS_ERR(dentry)) {
+ inode_unlock(d_inode(path->dentry));
+ dput(dentry);
+ }
mnt_drop_write(path->mnt);
path_put(path);
}
if (!error)
error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
dentry, from->name, &delegated_inode);
+ pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+ error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+ (void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+ path.dentry, d_inode(path.dentry));
end_creating_path(&path, dentry);
if (is_delegated(&delegated_inode)) {
error = break_deleg_wait(&delegated_inode);
--
2.43.0
syzbot
1:04 AM (4 hours ago) 1:04 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff88801248a898, owner = 0x0, curr 0xffff8880008924c0, list empty
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
WARNING: kernel/locking/rwsem.c:1381 at __up_write kernel/locking/rwsem.c:1380 [inline], CPU#0: syz.0.108/6598
WARNING: kernel/locking/rwsem.c:1381 at up_write+0x2d6/0x410 kernel/locking/rwsem.c:1643, CPU#0: syz.0.108/6598
Modules linked in:
CPU: 0 UID: 0 PID: 6598 Comm: syz.0.108 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
Code: cc 8b 49 c7 c2 80 eb cc 8b 4c 0f 44 d0 48 8b 7c 24 08 48 c7 c6 e0 ed cc 8b 48 8b 14 24 4c 89 f1 4d 89 e0 4c 8b 4c 24 10 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 da a6 0b 03 e9 67 fd ff ff 48 c7 c1
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
RSP: 0018:ffffc9000c06fd80 EFLAGS: 00010246
RAX: ffffffff8bcceb60 RBX: ffff88801248a898 RCX: ffff88801248a898
RDX: 0000000000000000 RSI: ffffffff8bccede0 RDI: ffffffff901506e0
RBP: ffff88801248a8f0 R08: 0000000000000000 R09: ffff8880008924c0
R10: ffffffff8bcceb60 R11: ffffed1002491515 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88801248a898 R15: 1ffff11002491514
FS: 00007f7a71dfe6c0(0000) GS:ffff88808ca56000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000040e68000 CR4: 0000000000352ef0
Call Trace:
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
end_creating_path fs/namei.c:4970 [inline]
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
filename_symlinkat+0x314/0x570 fs/namei.c:5656
__do_sys_symlinkat fs/namei.c:5674 [inline]
__se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5669
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a7279c799
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7a71dfe028 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007f7a72a16090 RCX: 00007f7a7279c799
RDX: 00002000000003c0 RSI: 0000000000000007 RDI: 0000200000000240
RBP: 00007f7a72832bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7a72a16128 R14: 00007f7a72a16090 R15: 00007ffd323678c8
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
31: e8 da a6 0b 03 call 0x30ba710
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
36: e9 67 fd ff ff jmp 0xfffffda2
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
Tested on:
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1602f006580000
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
Tested on:
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1666ab5a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syzbot
1:25 AM (3 hours ago) 1:25 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add a debug printk when gfs2_dir_search finds an existing entry in
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.
The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.
This is a temporary diagnostic patch and should be reverted once the
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/namei.c | 18 ++++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..e38dafea198c 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -738,6 +738,9 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
error = PTR_ERR(inode);
if (!IS_ERR(inode)) {
+ pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+ dir, mode, file, inode, S_ISDIR(inode->i_mode),
+ READ_ONCE(dir->i_rwsem.owner), current);
if (S_ISDIR(inode->i_mode)) {
iput(inode);
inode = NULL;
syzbot
1:48 AM (3 hours ago) 1:48 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff88801a946ad8, owner = 0x0, curr 0xffff8880363424c0, list empty
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
WARNING: kernel/locking/rwsem.c:1381 at __up_write kernel/locking/rwsem.c:1380 [inline], CPU#0: syz.0.83/6376
WARNING: kernel/locking/rwsem.c:1381 at up_write+0x2d6/0x410 kernel/locking/rwsem.c:1643, CPU#0: syz.0.83/6376
Modules linked in:
CPU: 0 UID: 0 PID: 6376 Comm: syz.0.83 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
Code: cc 8b 49 c7 c2 80 eb cc 8b 4c 0f 44 d0 48 8b 7c 24 08 48 c7 c6 e0 ed cc 8b 48 8b 14 24 4c 89 f1 4d 89 e0 4c 8b 4c 24 10 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 fa a8 0b 03 e9 67 fd ff ff 48 c7 c1
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
RSP: 0018:ffffc90002b17d80 EFLAGS: 00010246
RAX: ffffffff8bcceb60 RBX: ffff88801a946ad8 RCX: ffff88801a946ad8
RDX: 0000000000000000 RSI: ffffffff8bccede0 RDI: ffffffff901507e0
RBP: ffff88801a946b30 R08: 0000000000000000 R09: ffff8880363424c0
R10: ffffffff8bcceb60 R11: ffffed1003528d5d R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88801a946ad8 R15: 1ffff11003528d5c
FS: 00007fc9ab5c26c0(0000) GS:ffff88808ca56000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000128f5000 CR4: 0000000000352ef0
Call Trace:
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
end_creating_path fs/namei.c:4970 [inline]
filename_symlinkat+0x314/0x570 fs/namei.c:5656
__do_sys_symlinkat fs/namei.c:5674 [inline]
__se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5669
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc9aa79c799
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
end_creating_path fs/namei.c:4970 [inline]
filename_symlinkat+0x314/0x570 fs/namei.c:5656
__do_sys_symlinkat fs/namei.c:5674 [inline]
__se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5669
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc9ab5c2028 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007fc9aaa16090 RCX: 00007fc9aa79c799
RDX: 00002000000003c0 RSI: 0000000000000007 RDI: 0000200000000240
RBP: 00007fc9aa832bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc9aaa16128 R14: 00007fc9aaa16090 R15: 00007ffcf3b37768
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
31: e8 fa a8 0b 03 call 0x30ba930
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
36: e9 67 fd ff ff jmp 0xfffffda2
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
Tested on:
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17ceab5a580000
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
Tested on:
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=110eab5a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syzbot
2:51 AM (2 hours ago) 2:51 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.
The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.
This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/gfs2/inode.c | 3 +++
fs/namei.c | 24 ++++++++++++++++++++++--
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.
The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.
This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/gfs2/inode.c | 3 +++
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..e38dafea198c 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -738,6 +738,9 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
error = PTR_ERR(inode);
if (!IS_ERR(inode)) {
+ pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+ dir, mode, file, inode, S_ISDIR(inode->i_mode),
+ READ_ONCE(dir->i_rwsem.owner), current);
if (S_ISDIR(inode->i_mode)) {
iput(inode);
inode = NULL;
diff --git a/fs/namei.c b/fs/namei.c
struct dentry *dentry, const char *oldname,
struct delegated_inode *delegated_inode)
{
+ pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+ dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+ READ_ONCE(dir->i_rwsem.owner), current);
int error;
error = may_create_dentry(idmap, dir, dentry);
@@ -5613,6 +5626,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
return error;
error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+ pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+ dir, dir->i_sb->s_type->name, error,
+ READ_ONCE(dir->i_rwsem.owner), current);
if (!error)
fsnotify_create(dir, dentry);
return error;
@@ -5639,6 +5655,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
syzbot
3:17 AM (1 hour ago) 3:17 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff888046557818, owner = 0x0, curr 0xffff8880357ec980, list empty
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
WARNING: kernel/locking/rwsem.c:1381 at __up_write kernel/locking/rwsem.c:1380 [inline], CPU#0: syz.0.62/6230
WARNING: kernel/locking/rwsem.c:1381 at up_write+0x2d6/0x410 kernel/locking/rwsem.c:1643, CPU#0: syz.0.62/6230
Modules linked in:
CPU: 0 UID: 0 PID: 6230 Comm: syz.0.62 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
Code: cc 8b 49 c7 c2 80 eb cc 8b 4c 0f 44 d0 48 8b 7c 24 08 48 c7 c6 e0 ed cc 8b 48 8b 14 24 4c 89 f1 4d 89 e0 4c 8b 4c 24 10 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 ba a5 0b 03 e9 67 fd ff ff 48 c7 c1
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
RSP: 0018:ffffc900038afd80 EFLAGS: 00010246
RAX: ffffffff8bcceb60 RBX: ffff888046557818 RCX: ffff888046557818
RDX: 0000000000000000 RSI: ffffffff8bccede0 RDI: ffffffff901507e0
RBP: ffff888046557870 R08: 0000000000000000 R09: ffff8880357ec980
R10: ffffffff8bcceb60 R11: ffffed1008caaf05 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888046557818 R15: 1ffff11008caaf04
FS: 00007f29326c56c0(0000) GS:ffff88808ca56000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000042fba000 CR4: 0000000000352ef0
Call Trace:
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
end_creating_path fs/namei.c:4970 [inline]
filename_symlinkat+0x314/0x570 fs/namei.c:5662
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
end_creating_path fs/namei.c:4970 [inline]
__do_sys_symlinkat fs/namei.c:5680 [inline]
__se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5675
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f293179c799
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f29326c5028 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007f2931a16090 RCX: 00007f293179c799
RDX: 00002000000003c0 RSI: 0000000000000007 RDI: 0000200000000240
RBP: 00007f2931832bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2931a16128 R14: 00007f2931a16090 R15: 00007ffc68660968
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
31: e8 ba a5 0b 03 call 0x30ba5f0
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
36: e9 67 fd ff ff jmp 0xfffffda2
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
Tested on:
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1201ab5a580000
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
Tested on:
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=12ea4a02580000
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syzbot
3:25 AM (1 hour ago) 3:25 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.
The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.
This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/gfs2/inode.c | 3 +++
fs/namei.c | 30 ++++++++++++++++++++++++++++--
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.
The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.
This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/gfs2/inode.c | 3 +++
2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..e38dafea198c 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -738,6 +738,9 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
error = PTR_ERR(inode);
if (!IS_ERR(inode)) {
+ pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+ dir, mode, file, inode, S_ISDIR(inode->i_mode),
+ READ_ONCE(dir->i_rwsem.owner), current);
if (S_ISDIR(inode->i_mode)) {
iput(inode);
inode = NULL;
diff --git a/fs/namei.c b/fs/namei.c
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2922,7 +2922,13 @@ static struct dentry *__start_dirop(struct dentry *parent, struct qstr *name,
} else {
inode_lock_nested(dir, I_MUTEX_PARENT);
}
+ pr_warn("DEBUG LOCK: __start_dirop locked dir=%px count=%ld owner=%px current=%px\n",
+ dir, atomic_long_read(&dir->i_rwsem.count),
+ READ_ONCE(dir->i_rwsem.owner), current);
dentry = lookup_one_qstr_excl(name, parent, lookup_flags);
+ pr_warn("DEBUG LOCK: __start_dirop after lookup dir=%px count=%ld owner=%px current=%px dentry_err=%d\n",
+ dir, atomic_long_read(&dir->i_rwsem.count),
+ READ_ONCE(dir->i_rwsem.owner), current, IS_ERR(dentry));
if (IS_ERR(dentry))
inode_unlock(dir);
return dentry;
@@ -2944,6 +2950,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
void end_dirop(struct dentry *de)
{
if (!IS_ERR(de)) {
+ struct inode *dir = d_inode(de->d_parent);
+ pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+ de, de->d_parent, dir,
+ atomic_long_read(&dir->i_rwsem.count),
+ READ_ONCE(dir->i_rwsem.owner), current);
inode_unlock(de->d_parent->d_inode);
dput(de);
}
@@ -4922,7 +4933,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
{
if (!IS_ERR(de)) {
+ struct inode *dir = d_inode(de->d_parent);
+ pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+ de, de->d_parent, dir,
+ atomic_long_read(&dir->i_rwsem.count),
+ READ_ONCE(dir->i_rwsem.owner), current);
inode_unlock(de->d_parent->d_inode);
dput(de);
}
dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
if (IS_ERR(dentry))
goto out_drop_write;
-
+ pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+ dentry, dentry->d_parent, d_inode(dentry->d_parent),
+ (void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
if (unlikely(error))
goto fail;
@@ -4959,7 +4972,10 @@ EXPORT_SYMBOL(start_creating_path);
if (IS_ERR(dentry))
goto out_drop_write;
-
+ pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+ dentry, dentry->d_parent, d_inode(dentry->d_parent),
+ (void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
if (unlikely(error))
goto fail;
*/
void end_creating_path(const struct path *path, struct dentry *dentry)
{
- end_creating(dentry);
+ if (!IS_ERR(dentry)) {
+ inode_unlock(d_inode(path->dentry));
+ dput(dentry);
+ }
mnt_drop_write(path->mnt);
path_put(path);
}
@@ -5595,6 +5611,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
void end_creating_path(const struct path *path, struct dentry *dentry)
{
- end_creating(dentry);
+ if (!IS_ERR(dentry)) {
+ inode_unlock(d_inode(path->dentry));
+ dput(dentry);
+ }
mnt_drop_write(path->mnt);
path_put(path);
}
struct dentry *dentry, const char *oldname,
struct delegated_inode *delegated_inode)
{
+ pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+ dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+ READ_ONCE(dir->i_rwsem.owner), current);
int error;
error = may_create_dentry(idmap, dir, dentry);
@@ -5613,6 +5632,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
struct delegated_inode *delegated_inode)
{
+ pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+ dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+ READ_ONCE(dir->i_rwsem.owner), current);
int error;
error = may_create_dentry(idmap, dir, dentry);
return error;
error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+ pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+ dir, dir->i_sb->s_type->name, error,
+ READ_ONCE(dir->i_rwsem.owner), current);
if (!error)
fsnotify_create(dir, dentry);
return error;
@@ -5639,6 +5661,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+ pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+ dir, dir->i_sb->s_type->name, error,
+ READ_ONCE(dir->i_rwsem.owner), current);
if (!error)
fsnotify_create(dir, dentry);
return error;
syzbot
3:54 AM (1 hour ago) 3:54 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff888046d36ad8, owner = 0x0, curr 0xffff888032e9c980, list empty
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in filename_symlinkat
------------[ cut here ]------------
WARNING: kernel/locking/rwsem.c:1381 at __up_write kernel/locking/rwsem.c:1380 [inline], CPU#0: syz.0.96/6490
WARNING: kernel/locking/rwsem.c:1381 at up_write+0x2d6/0x410 kernel/locking/rwsem.c:1643, CPU#0: syz.0.96/6490
Modules linked in:
CPU: 0 UID: 0 PID: 6490 Comm: syz.0.96 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
Code: cc 8b 49 c7 c2 80 eb cc 8b 4c 0f 44 d0 48 8b 7c 24 08 48 c7 c6 e0 ed cc 8b 48 8b 14 24 4c 89 f1 4d 89 e0 4c 8b 4c 24 10 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 7a a4 0b 03 e9 67 fd ff ff 48 c7 c1
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
RSP: 0018:ffffc9000685fd80 EFLAGS: 00010246
RAX: ffffffff8bcceb60 RBX: ffff888046d36ad8 RCX: ffff888046d36ad8
RDX: 0000000000000000 RSI: ffffffff8bccede0 RDI: ffffffff901508e0
RBP: ffff888046d36b30 R08: 0000000000000000 R09: ffff888032e9c980
R10: ffffffff8bcceb60 R11: ffffed1008da6d5d R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888046d36ad8 R15: 1ffff11008da6d5c
FS: 00007f9759bfe6c0(0000) GS:ffff88808ca56000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f975a5e9e80 CR3: 0000000042607000 CR4: 0000000000352ef0
Call Trace:
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
end_creating_path fs/namei.c:4976 [inline]
<TASK>
inode_unlock include/linux/fs.h:1038 [inline]
filename_symlinkat+0x314/0x570 fs/namei.c:5668
__do_sys_symlinkat fs/namei.c:5686 [inline]
__se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5681
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f975a59c799
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9759bfe028 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007f975a816090 RCX: 00007f975a59c799
RDX: 00002000000003c0 RSI: 0000000000000007 RDI: 0000200000000240
RBP: 00007f975a632bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f975a816128 R14: 00007f975a816090 R15: 00007ffc9cd85aa8
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
31: e8 7a a4 0b 03 call 0x30ba4b0
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 49 c7 c2 80 eb cc 8b mov $0xffffffff8bcceb80,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
10: 48 c7 c6 e0 ed cc 8b mov $0xffffffff8bccede0,%rsi
17: 48 8b 14 24 mov (%rsp),%rdx
1b: 4c 89 f1 mov %r14,%rcx
1e: 4d 89 e0 mov %r12,%r8
21: 4c 8b 4c 24 10 mov 0x10(%rsp),%r9
26: 41 52 push %r10
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: 48 83 c4 08 add $0x8,%rsp
36: e9 67 fd ff ff jmp 0xfffffda2
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
Tested on:
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=146308ba580000
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: c1 .byte 0xc1
Tested on:
commit: 5ee8dbf5 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=12cb1552580000
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syzbot
4:16 AM (27 minutes ago) 4:16 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.
The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.
This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/gfs2/inode.c | 13 +++++++++++++
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.
The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.
This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.
Reported-by: syzbot+2ed46b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/namei.c | 30 ++++++++++++++++++++++++++++--
2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..9a3df067bea6 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -725,6 +725,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
error = gfs2_rindex_update(sdp);
if (error)
goto fail;
+ pr_warn("DEBUG GFS2: after glock_nq dir=%px rwsem owner=%px current=%px\n",
+ dir, READ_ONCE(dir->i_rwsem.owner), current);
error = gfs2_glock_nq_init(dip->i_gl, LM_ST_EXCLUSIVE, 0, &d_gh);
if (error)
@@ -738,6 +740,9 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
error = PTR_ERR(inode);
if (!IS_ERR(inode)) {
+ pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+ dir, mode, file, inode, S_ISDIR(inode->i_mode),
+ READ_ONCE(dir->i_rwsem.owner), current);
if (S_ISDIR(inode->i_mode)) {
iput(inode);
inode = NULL;
@@ -893,6 +898,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
error = PTR_ERR(inode);
if (!IS_ERR(inode)) {
+ pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+ dir, mode, file, inode, S_ISDIR(inode->i_mode),
+ READ_ONCE(dir->i_rwsem.owner), current);
if (S_ISDIR(inode->i_mode)) {
iput(inode);
inode = NULL;
mark_inode_dirty(inode);
d_instantiate(dentry, inode);
+ pr_warn("DEBUG GFS2: before glock_dq dir=%px rwsem owner=%px current=%px\n",
+ dir, READ_ONCE(dir->i_rwsem.owner), current);
/* After instantiate, errors should result in evict which will destroy
* both inode and iopen glocks properly. */
if (file) {
@@ -900,6 +907,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
error = finish_open(file, dentry, gfs2_open_common);
}
gfs2_glock_dq_uninit(&d_gh);
+ pr_warn("DEBUG GFS2: after glock_dq dir=%px rwsem owner=%px current=%px\n",
+ dir, READ_ONCE(dir->i_rwsem.owner), current);
gfs2_qa_put(ip);
gfs2_glock_dq_uninit(&gh);
gfs2_glock_put(io_gl);
@@ -937,7 +946,11 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
posix_acl_release(acl);
fail_gunlock:
gfs2_dir_no_add(&da);
+ pr_warn("DEBUG GFS2: fail_gunlock before glock_dq dir=%px rwsem owner=%px current=%px error=%d\n",
+ dir, READ_ONCE(dir->i_rwsem.owner), current, error);
gfs2_glock_dq_uninit(&d_gh);
+ pr_warn("DEBUG GFS2: fail_gunlock after glock_dq dir=%px rwsem owner=%px current=%px\n",
+ dir, READ_ONCE(dir->i_rwsem.owner), current);
if (!IS_ERR_OR_NULL(inode)) {
if (inode_state_read_once(inode) & I_NEW)
iget_failed(inode);
Reply all
Reply to author
Forward
0 new messages