[[ sorry - this v3 is identical to v2 except that the linux-kernel@vger address is actually correct. Please reply to this one so that you don't get bounces like I did - NB ]]

This patch set progresses my effort to improve concurrency of directory operations and specifically to allow concurrent updates in a given directory.

It is a selection of patches from the 53-patch set I posted in March which got relatively little response. Maybe a shorter set will be more approachable.

This set:
- prepares the VFS in various ways
- makes use of these preparations in ovl and NFS (the most challenging filesystems for lookup as they do the most interesting things)
- makes use in efivars and shmem which for different reasons need a small change that seemed worth including here.

The goal that these patches work towards is moving lookup out of i_rwsem on the directory - except for the actual ->lookup call. This is itself a step towards allowing broad concurrency of operations in a given directory.

There are two particular requirements before lookup can move outside the lock:

1/ d_drop() mustn't be used before an operation completes: the dentry being present in the dcache becomes part of the locking protocol. This in turn requires d_splice_alias() to work with hashed negative dentries.

2/ d_alloc_parallel() mustn't be called while i_rwsem is held, as this would result in a lock inversion. So d_alloc_noblock and others are introduced to handle the various cases.

In a few cases we need to drop and re-take i_rwsem inside ->lookup. As lookup might be called with a shared or exclusive lock this requires a new LOOKUP_SHARED flag which is ugly but can be removed after the lookup is moved out of the lock (then ->lookup will only ever be called with a shared lock).

The full set of patches including these 19 and the rest to complete the lifting of lookup out of the exclusive lock can be found at github/neilbrown/linux in branch pdirops

Significant changes since last time are:
- use wait_var_event for d_alloc_parallel() rather than effectively duplicating that infrastructure - as suggested by Christoph
- changes to ovl_readdir handling as discussed with Amir.

Thanks,
NeilBrown

[PATCH v3 01/19] VFS: fix various typos in documentation for
[PATCH v3 02/19] VFS: enhance d_splice_alias() to handle in-lookup
[PATCH v3 03/19] VFS: allow d_alloc_name() to be used with ->d_hash
[PATCH v3 04/19] VFS: use wait_var_event for waiting in
[PATCH v3 05/19] VFS: introduce d_alloc_noblock()
[PATCH v3 06/19] VFS: add d_duplicate()
[PATCH v3 07/19] VFS: Add LOOKUP_SHARED flag.
[PATCH v3 08/19] VFS/xfs/ntfs: drop parent lock across
[PATCH v3 09/19] ovl: stop using lookup_one() in iterate_shared()
[PATCH v3 10/19] VFS/ovl: add d_alloc_noblock_return()
[PATCH v3 11/19] efivarfs: use d_alloc_name()
[PATCH v3 12/19] shmem: use d_duplicate()
[PATCH v3 13/19] nfs: remove d_drop()/d_alloc_parallel() from
[PATCH v3 14/19] nfs: use d_splice_alias() in nfs_link()
[PATCH v3 15/19] nfs: don't d_drop() before d_splice_alias()
[PATCH v3 16/19] nfs: don't d_drop() before d_splice_alias() in
[PATCH v3 17/19] nfs: Use d_alloc_noblock() in nfs_prime_dcache()
[PATCH v3 18/19] nfs: use d_alloc_noblock() in silly-rename
[PATCH v3 19/19] nfs: use d_duplicate()
syzbot ci has tested the following series
[v3] Prepare to lift lookup out of exclusive lock for directory ops
https://lore.kernel.org/all/20260427040517.828226-1-neilb@ownmail.net
* [PATCH v3 01/19] VFS: fix various typos in documentation for start_creating start_removing etc
* [PATCH v3 02/19] VFS: enhance d_splice_alias() to handle in-lookup dentries
* [PATCH v3 03/19] VFS: allow d_alloc_name() to be used with ->d_hash
* [PATCH v3 04/19] VFS: use wait_var_event for waiting in d_alloc_parallel()
* [PATCH v3 05/19] VFS: introduce d_alloc_noblock()
* [PATCH v3 06/19] VFS: add d_duplicate()
* [PATCH v3 07/19] VFS: Add LOOKUP_SHARED flag.
* [PATCH v3 08/19] VFS/xfs/ntfs: drop parent lock across d_alloc_parallel() in d_add_ci()
* [PATCH v3 09/19] ovl: stop using lookup_one() in iterate_shared() handling.
* [PATCH v3 10/19] VFS/ovl: add d_alloc_noblock_return()
* [PATCH v3 11/19] efivarfs: use d_alloc_name()
* [PATCH v3 12/19] shmem: use d_duplicate()
* [PATCH v3 13/19] nfs: remove d_drop()/d_alloc_parallel() from nfs_atomic_open()
* [PATCH v3 14/19] nfs: use d_splice_alias() in nfs_link()
* [PATCH v3 15/19] nfs: don't d_drop() before d_splice_alias()
* [PATCH v3 16/19] nfs: don't d_drop() before d_splice_alias() in atomic_create.
* [PATCH v3 17/19] nfs: Use d_alloc_noblock() in nfs_prime_dcache()
* [PATCH v3 18/19] nfs: use d_alloc_noblock() in silly-rename
* [PATCH v3 19/19] nfs: use d_duplicate()
and found the following issues:
* KASAN: slab-out-of-bounds Read in __dentry_kill
* WARNING in __d_instantiate
Full report is available here:
https://ci.syzbot.org/series/9ec82ecc-cc80-4fe2-b595-e5c9d7c49aae
***
KASAN: slab-out-of-bounds Read in __dentry_kill
tree: torvalds
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base: 254f49634ee16a731174d2ae34bc50bd5f45e731
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/01f9ecd4-e5ae-4e96-aff5-2636e33c0528/config
syz repro: https://ci.syzbot.org/findings/ef8289e5-b522-4c69-bed5-f7be42e035c2/syz_repro
overlayfs: "xino" feature enabled using 3 upper inode bits.
==================================================================
BUG: KASAN: slab-out-of-bounds in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
BUG: KASAN: slab-out-of-bounds in _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
Read of size 1 at addr ffff888119c6e5b8 by task syz.0.17/5869
CPU: 0 UID: 0 PID: 5869 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
kasan_check_byte include/linux/kasan.h:402 [inline]
lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5842
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
_raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
complete_with_flags kernel/sched/completion.c:25 [inline]
complete+0x28/0x1b0 kernel/sched/completion.c:52
d_complete_waiters fs/dcache.c:651 [inline]
dentry_unlist fs/dcache.c:664 [inline]
__dentry_kill+0x552/0x690 fs/dcache.c:733
finish_dput+0xc9/0x480 fs/dcache.c:928
ovl_cache_update+0x68e/0xc30 fs/overlayfs/readdir.c:643
ovl_iterate_merged fs/overlayfs/readdir.c:882 [inline]
ovl_iterate+0x686/0x21a0 fs/overlayfs/readdir.c:930
wrap_directory_iterator+0x96/0xe0 fs/readdir.c:67
iterate_dir+0x399/0x570 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:399 [inline]
__se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7aa699cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7aa780a028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f7aa6c15fa0 RCX: 00007f7aa699cdd9
RDX: 0000000000001000 RSI: 0000200000000400 RDI: 0000000000000003
RBP: 00007f7aa6a32d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7aa6c16038 R14: 00007f7aa6c15fa0 R15: 00007ffce28f8638
</TASK>
Allocated by task 5869:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4917
__d_alloc+0x37/0x6f0 fs/dcache.c:1808
__d_alloc_parallel+0xe3/0x1660 fs/dcache.c:2758
ovl_cache_update+0x2c4/0xc30 fs/overlayfs/readdir.c:577
ovl_iterate_merged fs/overlayfs/readdir.c:882 [inline]
ovl_iterate+0x686/0x21a0 fs/overlayfs/readdir.c:930
wrap_directory_iterator+0x96/0xe0 fs/readdir.c:67
iterate_dir+0x399/0x570 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:399 [inline]
__se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
__call_rcu_common kernel/rcu/tree.c:3131 [inline]
call_rcu+0xee/0x890 kernel/rcu/tree.c:3251
__dentry_kill+0x4a9/0x690 fs/dcache.c:738
finish_dput+0xc9/0x480 fs/dcache.c:928
ovl_cache_update+0x68e/0xc30 fs/overlayfs/readdir.c:643
ovl_iterate_merged fs/overlayfs/readdir.c:882 [inline]
ovl_iterate+0x686/0x21a0 fs/overlayfs/readdir.c:930
wrap_directory_iterator+0x96/0xe0 fs/readdir.c:67
iterate_dir+0x399/0x570 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:399 [inline]
__se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888119c6e468
which belongs to the cache dentry of size 312
The buggy address is located 24 bytes to the right of
allocated 312-byte region [ffff888119c6e468, ffff888119c6e5a0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x119c6e
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888119c6fed9
flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000040 ffff888160417140 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800150015 00000000f5000000 ffff888119c6fed9
head: 017ff00000000040 ffff888160417140 dead000000000100 dead000000000122
head: 0000000000000000 0000000800150015 00000000f5000000 ffff888119c6fed9
head: 017ff00000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5645, tgid 5645 (syz-executor), ts 69015847006, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x24ba/0x2540 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x339/0x3d0 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
kmem_cache_alloc_lru_noprof+0x37c/0x640 mm/slub.c:4917
__d_alloc+0x37/0x6f0 fs/dcache.c:1808
d_alloc+0x4b/0x190 fs/dcache.c:1887
lookup_one_qstr_excl+0xd8/0x360 fs/namei.c:1801
__start_dirop fs/namei.c:2915 [inline]
start_dirop fs/namei.c:2937 [inline]
filename_create+0x20e/0x370 fs/namei.c:4949
filename_mkdirat+0xd2/0x510 fs/namei.c:5286
__do_sys_mkdirat fs/namei.c:5314 [inline]
__se_sys_mkdirat+0x35/0x150 fs/namei.c:5311
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page_owner free stack trace missing
Memory state around the buggy address:
ffff888119c6e480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888119c6e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888119c6e580: 00 00 00 00 fc fc fc fc fc fc fc fc fa fb fb fb
^
ffff888119c6e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888119c6e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
***
WARNING in __d_instantiate
tree: torvalds
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base: 254f49634ee16a731174d2ae34bc50bd5f45e731
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/01f9ecd4-e5ae-4e96-aff5-2636e33c0528/config
syz repro: https://ci.syzbot.org/findings/f4cad05d-60bf-4656-a4e7-27c99f4f056b/syz_repro
loop2: detected capacity change from 0 to 16
erofs (device loop2): mounted with root inode @ nid 36.
------------[ cut here ]------------
d_in_lookup(dentry)
WARNING: fs/dcache.c:2112 at __d_instantiate+0x3ea/0x6e0 fs/dcache.c:2112, CPU#0: syz.2.19/5857
Modules linked in:
CPU: 0 UID: 0 PID: 5857 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__d_instantiate+0x3ea/0x6e0 fs/dcache.c:2112
Code: 03 41 80 f6 01 41 0f b6 ce c1 e1 0d 09 c1 89 0b 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d e9 7d 25 61 09 cc e8 87 21 7c ff 90 <0f> 0b 90 e9 7f fd ff ff e8 79 21 7c ff 41 81 cc 00 00 01 00 e9 34
RSP: 0018:ffffc900038274a0 EFLAGS: 00010293
RAX: ffffffff82498229 RBX: ffff888114bb8a48 RCX: ffff88810b5e9d80
RDX: 0000000000000000 RSI: 0000000001000000 RDI: 0000000000000000
RBP: 0000000001000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000704e8c R12: 0000000000280000
R13: dffffc0000000000 R14: ffff888113d61960 R15: ffff888113d61964
FS: 00007fadb922c6c0(0000) GS:ffff88818dc93000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fadb8272700 CR3: 000000016d53e000 CR4: 00000000000006f0
Call Trace:
<TASK>
d_make_persistent+0x8e/0x180 fs/dcache.c:3068
shmem_mknod+0x2ea/0x360 mm/shmem.c:3881
shmem_whiteout mm/shmem.c:4012 [inline]
shmem_rename2+0x265/0x430 mm/shmem.c:4052
vfs_rename+0xa96/0xeb0 fs/namei.c:6053
ovl_do_rename_rd fs/overlayfs/overlayfs.h:372 [inline]
ovl_check_rename_whiteout fs/overlayfs/super.c:593 [inline]
ovl_make_workdir fs/overlayfs/super.c:713 [inline]
ovl_get_workdir fs/overlayfs/super.c:836 [inline]
ovl_fill_super_creds fs/overlayfs/super.c:1449 [inline]
ovl_fill_super+0x46b7/0x5e20 fs/overlayfs/super.c:1560
vfs_get_super fs/super.c:1327 [inline]
get_tree_nodev+0xbb/0x150 fs/super.c:1346
vfs_get_tree+0x92/0x2a0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3758 [inline]
do_new_mount+0x341/0xd30 fs/namespace.c:3834
do_mount fs/namespace.c:4167 [inline]
__do_sys_mount fs/namespace.c:4383 [inline]
__se_sys_mount+0x31d/0x420 fs/namespace.c:4360
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fadb839cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fadb922c028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fadb8615fa0 RCX: 00007fadb839cdd9
RDX: 0000200000000340 RSI: 00002000000000c0 RDI: 0000000000000000
RBP: 00007fadb8432d69 R08: 0000200000000380 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fadb8616038 R14: 00007fadb8615fa0 R15: 00007ffe45be7c28
</TASK>
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
To test a patch for this bug, please reply with `#syz test`
(should be on a separate line).
The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.
This crash suggests an in-lookup dentry was dput() without d_lookup_done() being called first. That results in ->waiters being used without being initialised.

The inverted test on d_unhashed() in

[PATCH v3 09/19] ovl: stop using lookup_one() in iterate_shared() handling.

could easily cause that to happen. So I believe this is now fixed.

Thanks,
NeilBrown

On Mon, 27 Apr 2026, syzbot ci wrote:
> syzbot ci has tested the following series
>
> [v3] Prepare to lift lookup out of exclusive lock for directory ops
> https://lore.kernel.org/all/20260427040517.828226-1-neilb@ownmail.net
> * [PATCH v3 01/19] VFS: fix various typos in documentation for start_creating start_removing etc
> * [PATCH v3 02/19] VFS: enhance d_splice_alias() to handle in-lookup dentries
> * [PATCH v3 03/19] VFS: allow d_alloc_name() to be used with ->d_hash
> * [PATCH v3 04/19] VFS: use wait_var_event for waiting in d_alloc_parallel()
> * [PATCH v3 05/19] VFS: introduce d_alloc_noblock()
> * [PATCH v3 06/19] VFS: add d_duplicate()
> * [PATCH v3 07/19] VFS: Add LOOKUP_SHARED flag.
> * [PATCH v3 08/19] VFS/xfs/ntfs: drop parent lock across d_alloc_parallel() in d_add_ci()
> * [PATCH v3 09/19] ovl: stop using lookup_one() in iterate_shared() handling.
> * [PATCH v3 10/19] VFS/ovl: add d_alloc_noblock_return()
> * [PATCH v3 11/19] efivarfs: use d_alloc_name()
> * [PATCH v3 12/19] shmem: use d_duplicate()
> * [PATCH v3 13/19] nfs: remove d_drop()/d_alloc_parallel() from nfs_atomic_open()
> * [PATCH v3 14/19] nfs: use d_splice_alias() in nfs_link()
> * [PATCH v3 15/19] nfs: don't d_drop() before d_splice_alias()
> * [PATCH v3 16/19] nfs: don't d_drop() before d_splice_alias() in atomic_create.