[syzbot] [exfat?] [ocfs2?] kernel BUG in link_path_walk


syzbot

Dec 3, 2025, 7:07:29 PM
to bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot found the following issue on:

HEAD commit: 7d31f578f323 Add linux-next specific files for 20251128
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1612b912580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6336d8e94a7c517d
dashboard link: https://syzkaller.appspot.com/bug?extid=d222f4b7129379c3d5bc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172c8192580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c3b0c2580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b49d8ad90de/disk-7d31f578.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dbe2d4988ca7/vmlinux-7d31f578.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fc0448ab2411/bzImage-7d31f578.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ec39deb2cf11/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=12c3b0c2580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d222f4...@syzkaller.appspotmail.com

VFS_BUG_ON_INODE(!S_ISDIR(inode->i_mode)) encountered for inode ffff88805618b338
fs ocfs2 mode 100000 opflags 0x2 flags 0x20 state 0x0 count 2
------------[ cut here ]------------
kernel BUG at fs/namei.c:630!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6303 Comm: syz.0.92 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:lookup_inode_permission_may_exec fs/namei.c:630 [inline]
RIP: 0010:may_lookup fs/namei.c:1900 [inline]
RIP: 0010:link_path_walk+0x18cb/0x18d0 fs/namei.c:2537
Code: e8 5a 1f ea fe 90 0f 0b e8 b2 96 83 ff 44 89 fd e9 6a fd ff ff e8 a5 96 83 ff 48 89 ef 48 c7 c6 40 d8 79 8b e8 36 1f ea fe 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55
RSP: 0018:ffffc900046ef8a0 EFLAGS: 00010282
RAX: 000000000000008e RBX: ffffc900046efc58 RCX: f91f6529a96d0200
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805618b338 R08: ffffc900046ef567 R09: 1ffff920008ddeac
R10: dffffc0000000000 R11: fffff520008ddead R12: 0000000000008000
R13: ffffc900046efc20 R14: 0000000000008000 R15: ffff88802509b320
FS: 000055555cffa500(0000) GS:ffff888125e4f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc32730f000 CR3: 0000000072f4e000 CR4: 00000000003526f0
Call Trace:
<TASK>
path_openat+0x2b3/0x3dd0 fs/namei.c:4783
do_filp_open+0x1fa/0x410 fs/namei.c:4814
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_open fs/open.c:1444 [inline]
__se_sys_open fs/open.c:1440 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1440
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4644d8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe02ccf2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f4644fe5fa0 RCX: 00007f4644d8f749
RDX: 0000000000000000 RSI: 0000000000145142 RDI: 0000200000000240
RBP: 00007f4644e13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4644fe5fa0 R14: 00007f4644fe5fa0 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lookup_inode_permission_may_exec fs/namei.c:630 [inline]
RIP: 0010:may_lookup fs/namei.c:1900 [inline]
RIP: 0010:link_path_walk+0x18cb/0x18d0 fs/namei.c:2537
Code: e8 5a 1f ea fe 90 0f 0b e8 b2 96 83 ff 44 89 fd e9 6a fd ff ff e8 a5 96 83 ff 48 89 ef 48 c7 c6 40 d8 79 8b e8 36 1f ea fe 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55
RSP: 0018:ffffc900046ef8a0 EFLAGS: 00010282
RAX: 000000000000008e RBX: ffffc900046efc58 RCX: f91f6529a96d0200
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88805618b338 R08: ffffc900046ef567 R09: 1ffff920008ddeac
R10: dffffc0000000000 R11: fffff520008ddead R12: 0000000000008000
R13: ffffc900046efc20 R14: 0000000000008000 R15: ffff88802509b320
FS: 000055555cffa500(0000) GS:ffff888125e4f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc32730f000 CR3: 0000000072f4e000 CR4: 00000000003526f0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Mateusz Guzik

Dec 3, 2025, 7:46:32 PM
to syzbot, bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
this is probably mine, but first some extra debug:


#syz test

diff --git a/fs/namei.c b/fs/namei.c
index bf0f66f0e9b9..0df3bd2b947d 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1896,6 +1896,7 @@ static inline int may_lookup(struct mnt_idmap *idmap,
{
int err, mask;

+ VFS_BUG_ON(!d_can_lookup(nd->path.dentry));
mask = nd->flags & LOOKUP_RCU ? MAY_NOT_BLOCK : 0;
err = lookup_inode_permission_may_exec(idmap, nd->inode, mask);
if (likely(!err))
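Review bot: the assert added to may_lookup checks only the dentry's type (d_can_lookup(nd->path.dentry)), while the oops in the opening report fired on nd->inode's i_mode inside lookup_inode_permission_may_exec, so this hunk alone cannot distinguish "dentry claims DCACHE_DIRECTORY_TYPE" from "inode is a regular file"; pair it with an assert on S_ISDIR(nd->inode->i_mode), or assert that the two agree, so the trigger says which side is wrong.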
@@ -2527,6 +2528,9 @@ static int link_path_walk(const char *name, struct nameidata *nd)
return 0;
}

+ VFS_BUG_ON(!d_can_lookup(nd->path.dentry));
+ VFS_BUG_ON(!S_ISDIR(nd->path.dentry->d_inode->i_mode));
+
/* At this point we know we have a real path component. */
for(;;) {
struct mnt_idmap *idmap;
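Review bot: the second assert dereferences nd->path.dentry->d_inode with no READ_ONCE() and no NULL test; under LOOKUP_RCU the dentry can be retyped or turned negative concurrently, so a stale or NULL d_inode would make the debug assert itself oops instead of reporting a clean mismatch. Read the pointer once, skip the S_ISDIR() test when it is NULL, and consider comparing against nd->inode, which is what may_lookup actually passes down.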

syzbot

Dec 3, 2025, 8:21:06 PM
to bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, mjg...@gmail.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in link_path_walk

(syz.0.73,6964,1):ocfs2_find_entry_id:420 ERROR: status = -30
------------[ cut here ]------------
kernel BUG at fs/namei.c:2532!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6964 Comm: syz.0.73 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:link_path_walk+0x1a57/0x1a90 fs/namei.c:2532
Code: 89 e9 80 e1 07 fe c1 38 c1 0f 8c be fd ff ff 4c 89 ef e8 2c e5 e9 ff e9 b1 fd ff ff e8 62 90 83 ff 90 0f 0b e8 5a 90 83 ff 90 <0f> 0b e8 52 90 83 ff 90 0f 0b e8 4a 90 83 ff 4c 89 ff 48 c7 c6 40
RSP: 0018:ffffc9000491f8a0 EFLAGS: 00010293
RAX: ffffffff823e22d6 RBX: dffffc0000000000 RCX: ffff8880250f3d00
RDX: 0000000000000000 RSI: 0000000000008000 RDI: 0000000000004000
RBP: ffff888079181120 R08: ffff8880299ef520 R09: ffff88807acd2000
R10: ffff8880299ef520 R11: ffff88807acd2000 R12: ffffc9000491fc58
R13: ffffc9000491fc28 R14: 0000000000008000 R15: 0000000000100000
FS: 00007ff92e2e36c0(0000) GS:ffff888125f49000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555575344808 CR3: 0000000025c92000 CR4: 00000000003526f0
Call Trace:
<TASK>
path_openat+0x2b3/0x3dd0 fs/namei.c:4787
do_filp_open+0x1fa/0x410 fs/namei.c:4818
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_open fs/open.c:1444 [inline]
__se_sys_open fs/open.c:1440 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1440
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff92d38f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff92e2e3038 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ff92d5e5fa0 RCX: 00007ff92d38f749
RDX: 0000000000000000 RSI: 0000000000145142 RDI: 0000200000000240
RBP: 00007ff92d413f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ff92d5e6038 R14: 00007ff92d5e5fa0 R15: 00007ffda4bd0278
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:link_path_walk+0x1a57/0x1a90 fs/namei.c:2532
Code: 89 e9 80 e1 07 fe c1 38 c1 0f 8c be fd ff ff 4c 89 ef e8 2c e5 e9 ff e9 b1 fd ff ff e8 62 90 83 ff 90 0f 0b e8 5a 90 83 ff 90 <0f> 0b e8 52 90 83 ff 90 0f 0b e8 4a 90 83 ff 4c 89 ff 48 c7 c6 40
RSP: 0018:ffffc9000491f8a0 EFLAGS: 00010293
RAX: ffffffff823e22d6 RBX: dffffc0000000000 RCX: ffff8880250f3d00
RDX: 0000000000000000 RSI: 0000000000008000 RDI: 0000000000004000
RBP: ffff888079181120 R08: ffff8880299ef520 R09: ffff88807acd2000
R10: ffff8880299ef520 R11: ffff88807acd2000 R12: ffffc9000491fc58
R13: ffffc9000491fc28 R14: 0000000000008000 R15: 0000000000100000
FS: 00007ff92e2e36c0(0000) GS:ffff888125e49000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1310116e9c CR3: 0000000025c92000 CR4: 00000000003526f0


Tested on:

commit: b2c27842 Add linux-next specific files for 20251203
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15d7801a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=caadf525b0ab8d17
dashboard link: https://syzkaller.appspot.com/bug?extid=d222f4b7129379c3d5bc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1281d4c2580000

Mateusz Guzik

2:45 AM
to syzbot, bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
On Thu, Dec 4, 2025 at 2:21 AM syzbot
<syzbot+d222f4...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> kernel BUG in link_path_walk
>
> (syz.0.73,6964,1):ocfs2_find_entry_id:420 ERROR: status = -30
> ------------[ cut here ]------------
> kernel BUG at fs/namei.c:2532!

On the commit syzbot is testing on (b2c27842) and with the patch, the
triggered assert is the second one on S_ISDIR:
VFS_BUG_ON(!d_can_lookup(nd->path.dentry));
VFS_BUG_ON(!S_ISDIR(nd->path.dentry->d_inode->i_mode));

d_can_lookup is __d_entry_type(dentry) == DCACHE_DIRECTORY_TYPE;

Or to put it differently, lookup got entered with a bogus state of a
dentry claiming it is a directory, with an inode which is not. Per the
i_mode reported in the opening mail it is a regular file instead.

While I don't see how this can happen, I don't think it is *my* bug
either -- merely nothing else asserted on the 2 things being in
tandem.

syzbot likes to operate on corrupted filesystems, so I'm going to
assume things are going haywire in ocfs2 until proven otherwise.

Al Viro

3:21 AM
to Mateusz Guzik, syzbot, bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com
On Thu, Dec 04, 2025 at 08:45:08AM +0100, Mateusz Guzik wrote:

> Or to put it differently, lookup got entered with a bogus state of a
> dentry claiming it is a directory, with an inode which is not. Per the
> i_mode reported in the opening mail it is a regular file instead.
>
> While I don't see how this can happen,

->i_op set to something with ->lookup != NULL, ->i_mode - to regular.
Which is to say, bogus ->i_mode change somewhere.

Theoretically it should bail out, having detected the type change
(on inode_wrong_type()). I'd suggest slapping
BUG_ON(inode_wrong_type(inode, new_i_mode_value));
in front of all reassignments (ocfs2_populate_inode() is the initialization
and thus exempt); all other stores to ->i_mode of struct inode in there
are, in principle, suspect. Something like inode->i_mode &= ~S_ISUID
doesn't need checking - we obviously can't change the type there.
Unpleasant part is that struct ocfs2_dinode also has a member called
i_mode (__le16, that one), so stores to that clutter the grep results...

Mateusz Guzik

3:40 AM
to Al Viro, syzbot, bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com
Now that I wrote this I suspect there is at least one way, regardless
of whether ocfs2 is culprit.

Suppose you are in rcu-walk and someone continuously issues mkdir,
rmdir, creat, unlink on the same pathname. Affected dentry will keep
flipping between directory, negative entry and regular.

While such fuckery will be caught with seq changes, perhaps the
intermediate state can indeed result in finding such a mismatch but
only because of a race.

I'm going to have to chew on it, I don't know if I'll have time today
to deal with it. Worst case the fix will be to check if this is a dir
in lookup_inode_permission_may_exec instead of merely asserting on it.

Mateusz Guzik

4:10 AM
to syzbot, bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
On Wed, Dec 03, 2025 at 04:07:27PM -0800, syzbot wrote:
#syz test

diff --git a/fs/namei.c b/fs/namei.c
index bf0f66f0e9b9..87c99149a152 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1896,6 +1896,14 @@ static inline int may_lookup(struct mnt_idmap *idmap,
{
int err, mask;

+ struct dentry *_dentry = nd->path.dentry;
+ struct inode *_inode = READ_ONCE(_dentry->d_inode);
+ if (!d_can_lookup(_dentry) || !_inode || !S_ISDIR(_inode->i_mode)) {
+ spin_lock(&_dentry->d_lock);
+ VFS_BUG_ON_INODE(d_can_lookup(_dentry) && !S_ISDIR(_dentry->d_inode->i_mode), _dentry->d_inode);
+ spin_unlock(&_dentry->d_lock);
+ }
+
mask = nd->flags & LOOKUP_RCU ? MAY_NOT_BLOCK : 0;
err = lookup_inode_permission_may_exec(idmap, nd->inode, mask);
if (likely(!err))
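Review bot: the leading-underscore locals _dentry and _inode are not kernel style (plain names or a short prefix read better and avoid the reserved-identifier look), and this seven-line block is pasted verbatim into both may_lookup and link_path_walk; factor it into a small static inline helper so the two call sites cannot drift apart. The fast path itself is sound: READ_ONCE() on d_inode and the NULL test address the bare dereference of the first attempt, and the locked VFS_BUG_ON_INODE only fires on the actual d_can_lookup() && !S_ISDIR() mismatch, which is the condition being diagnosed.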
@@ -2527,6 +2535,14 @@ static int link_path_walk(const char *name, struct nameidata *nd)
return 0;
}

+ struct dentry *_dentry = nd->path.dentry;
+ struct inode *_inode = READ_ONCE(_dentry->d_inode);
+ if (!d_can_lookup(_dentry) || !_inode || !S_ISDIR(_inode->i_mode)) {
+ spin_lock(&_dentry->d_lock);
+ VFS_BUG_ON_INODE(d_can_lookup(_dentry) && !S_ISDIR(_dentry->d_inode->i_mode), _dentry->d_inode);
+ spin_unlock(&_dentry->d_lock);
+ }
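Review bot: this hunk is truncated as shown: the header promises eight added lines but only seven + lines appear and the trailing context is missing, so the closing blank line and the "real path component" comment cannot be checked. Also, the block lands after the `return 0; }` statement, i.e. a declaration in the middle of the function body, which checkpatch flags; the may_lookup copy avoids this by sitting with the existing declarations, and a shared helper called from here would avoid it too.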

syzbot

5:13 AM
to bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, mjg...@gmail.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

SYZFAIL: failed to recv rpc



syzkaller build log:



Tested on:

commit: bc04acf4 Add linux-next specific files for 20251204
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
dashboard link: https://syzkaller.appspot.com/bug?extid=d222f4b7129379c3d5bc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1731d01a580000

Mateusz Guzik

5:15 AM
to syzbot, bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
syzbot had an internal failure, so let's try again

syzbot

6:56 AM
to bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, mjg...@gmail.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in link_path_walk

VFS_BUG_ON_INODE(d_can_lookup(_dentry) && !S_ISDIR(_dentry->d_inode->i_mode)) encountered for inode ffff888074eca4f8
fs ocfs2 mode 100000 opflags 0x2 flags 0x20 state 0x0 count 2
------------[ cut here ]------------
kernel BUG at fs/namei.c:2542!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 7668 Comm: syz.0.211 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:link_path_walk+0x1d7f/0x1d90 fs/namei.c:2542
Code: e8 a6 16 ea fe 90 0f 0b e8 de 8c 83 ff 41 89 ef e9 d2 fc ff ff e8 d1 8c 83 ff 4c 89 ff 48 c7 c6 40 d6 79 8b e8 82 16 ea fe 90 <0f> 0b 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc9000c5a78a0 EFLAGS: 00010282
RAX: 00000000000000b2 RBX: ffffc9000c5a7c20 RCX: 68650f632580b300
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888011640020 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1bbae20 R12: 0000000000008000
R13: ffffc9000c5a7c28 R14: ffff888074f0a0b8 R15: ffff888074eca4f8
FS: 00007f56a8b4f6c0(0000) GS:ffff888125f3a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f56a73fdf98 CR3: 00000000742f6000 CR4: 00000000003526f0
Call Trace:
<TASK>
path_openat+0x2b3/0x3dd0 fs/namei.c:4799
do_filp_open+0x1fa/0x410 fs/namei.c:4830
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_open fs/open.c:1444 [inline]
__se_sys_open fs/open.c:1440 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1440
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f56a7d8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f56a8b4f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f56a7fe5fa0 RCX: 00007f56a7d8f749
RDX: 0000000000000000 RSI: 0000000000145142 RDI: 0000200000000240
RBP: 00007f56a7e13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f56a7fe6038 R14: 00007f56a7fe5fa0 R15: 00007ffd61dc1878
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:link_path_walk+0x1d7f/0x1d90 fs/namei.c:2542
Code: e8 a6 16 ea fe 90 0f 0b e8 de 8c 83 ff 41 89 ef e9 d2 fc ff ff e8 d1 8c 83 ff 4c 89 ff 48 c7 c6 40 d6 79 8b e8 82 16 ea fe 90 <0f> 0b 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc9000c5a78a0 EFLAGS: 00010282
RAX: 00000000000000b2 RBX: ffffc9000c5a7c20 RCX: 68650f632580b300
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888011640020 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1bbae20 R12: 0000000000008000
R13: ffffc9000c5a7c28 R14: ffff888074f0a0b8 R15: ffff888074eca4f8
FS: 00007f56a8b4f6c0(0000) GS:ffff888125f3a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f56a73fdf98 CR3: 00000000742f6000 CR4: 00000000003526f0

Tested on:

commit: bc04acf4 Add linux-next specific files for 20251204
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=107bd01a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
dashboard link: https://syzkaller.appspot.com/bug?extid=d222f4b7129379c3d5bc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1377401a580000

Mateusz Guzik

6:58 AM
to syzbot, bra...@kernel.org, ja...@suse.cz, jl...@evilplan.org, jose...@linux.alibaba.com, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, sj155...@samsung.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
On Thu, Dec 4, 2025 at 12:56 PM syzbot
<syzbot+d222f4...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> kernel BUG in link_path_walk
>
> VFS_BUG_ON_INODE(d_can_lookup(_dentry) && !S_ISDIR(_dentry->d_inode->i_mode)) encountered for inode ffff888074eca4f8
> fs ocfs2 mode 100000 opflags 0x2 flags 0x20 state 0x0 count 2

Note the patch at hand made sure to avoid transient states by taking a
lock on the dentry:
+ struct dentry *_dentry = nd->path.dentry;
+ struct inode *_inode = READ_ONCE(_dentry->d_inode);
+ if (!d_can_lookup(_dentry) || !_inode || !S_ISDIR(_inode->i_mode)) {
+ spin_lock(&_dentry->d_lock);
+ VFS_BUG_ON_INODE(d_can_lookup(_dentry) &&
!S_ISDIR(_dentry->d_inode->i_mode), _dentry->d_inode);
+ spin_unlock(&_dentry->d_lock);
+ }
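Review bot: the re-check under d_lock in the quoted fragment dereferences `_dentry->d_inode` without the NULL guard that the lockless pre-check has (`!_inode`), so it relies on `d_can_lookup(_dentry)` being true only while the dentry's inode pointer is populated; a one-line comment stating that dependency would make the assertion easier to read. With that caveat, the locked assertion is what settles the question in this thread: the report shows `mode 100000` (S_IFREG) for an inode whose dentry still passes `d_can_lookup()` while `d_lock` is held, so this is not a half-updated dentry observed mid-transition but a stable disagreement between the dentry type flag and the inode mode. Minor: the continuation line `!S_ISDIR(_dentry->d_inode->i_mode), _dentry->d_inode);` lost its leading `+` in the mail, which will trip anyone applying the fragment by hand.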

So the state *is* indeed bogus and this is most likely something ocfs2-internal.

I'm buggering off this report.