[syzbot] [exfat?] [gfs2?] WARNING in filename_symlinkat

[syzbot] [exfat?] [gfs2?] WARNING in filename_symlinkat

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    ecc64d2dc9ff Merge tag 'sysctl-7.00-fixes-rc3' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1754b5aa580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=123dbe4a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15c99b5a580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ecc64d2d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/86a2ecaacd1b/vmlinux-ecc64d2d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b1dad86775e5/bzImage-ecc64d2d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1d38e5a93707/mount_4.gz
  fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=17c57006580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com

------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff8880460da1f8, owner = 0x0, curr 0xffff8880371624c0, list empty
WARNING: kernel/locking/rwsem.c:1381 at __up_write kernel/locking/rwsem.c:1380 [inline], CPU#0: syz.0.31/5575
WARNING: kernel/locking/rwsem.c:1381 at up_write+0x2d6/0x410 kernel/locking/rwsem.c:1643, CPU#0: syz.0.31/5575
Modules linked in:
CPU: 0 UID: 0 PID: 5575 Comm: syz.0.31 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__up_write kernel/locking/rwsem.c:1380 [inline]
RIP: 0010:up_write+0x388/0x410 kernel/locking/rwsem.c:1643
Code: cc 8b 49 c7 c2 80 eb cc 8b 4c 0f 44 d0 48 8b 7c 24 08 48 c7 c6 e0 ed cc 8b 48 8b 14 24 4c 89 f1 4d 89 e0 4c 8b 4c 24 10 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 5a 83 0b 03 e9 67 fd ff ff 48 c7 c1
RSP: 0018:ffffc9000298fd80 EFLAGS: 00010246
RAX: ffffffff8bcceb60 RBX: ffff8880460da1f8 RCX: ffff8880460da1f8
RDX: 0000000000000000 RSI: ffffffff8bccede0 RDI: ffffffff901501f0
RBP: ffff8880460da250 R08: 0000000000000000 R09: ffff8880371624c0
R10: ffffffff8bcceb60 R11: ffffed1008c1b441 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8880460da1f8 R15: 1ffff11008c1b440
FS:  00007fbd46c406c0(0000) GS:ffff88808ca58000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbd45de9e80 CR3: 00000000412ea000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 inode_unlock include/linux/fs.h:1038 [inline]
 end_dirop fs/namei.c:2947 [inline]
 end_creating include/linux/namei.h:126 [inline]
 end_creating_path fs/namei.c:4962 [inline]
 filename_symlinkat+0x222/0x410 fs/namei.c:5642
 __do_sys_symlinkat fs/namei.c:5660 [inline]
 __se_sys_symlinkat+0x4e/0x2b0 fs/namei.c:5655
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbd45d9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbd46c40028 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007fbd46016090 RCX: 00007fbd45d9c799
RDX: 00002000000003c0 RSI: 0000000000000007 RDI: 0000200000000240
RBP: 00007fbd45e32bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fbd46016128 R14: 00007fbd46016090 R15: 00007ffcbe33eb58
 </TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	49 c7 c2 80 eb cc 8b 	mov    $0xffffffff8bcceb80,%r10
   7:	4c 0f 44 d0          	cmove  %rax,%r10
   b:	48 8b 7c 24 08       	mov    0x8(%rsp),%rdi
  10:	48 c7 c6 e0 ed cc 8b 	mov    $0xffffffff8bccede0,%rsi
  17:	48 8b 14 24          	mov    (%rsp),%rdx
  1b:	4c 89 f1             	mov    %r14,%rcx
  1e:	4d 89 e0             	mov    %r12,%r8
  21:	4c 8b 4c 24 10       	mov    0x10(%rsp),%r9
  26:	41 52                	push   %r10
* 28:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2d:	48 83 c4 08          	add    $0x8,%rsp
  31:	e8 5a 83 0b 03       	call   0x30b8390
  36:	e9 67 fd ff ff       	jmp    0xfffffda2
  3b:	48                   	rex.W
  3c:	c7                   	.byte 0xc7
  3d:	c1                   	.byte 0xc1


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: [PATCH] namei: fix parent inode unlock in end_creating_path()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] namei: fix parent inode unlock in end_creating_path()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


end_creating_path() calls end_dirop() which unlocks
dentry->d_parent->d_inode. However, the lock was originally acquired on
path->dentry by start_dirop() inside filename_create(). If a concurrent
operation such as renameat2(RENAME_EXCHANGE) modifies the dentry tree
between lock and unlock, dentry->d_parent may no longer point to the
originally locked inode, causing an unbalanced unlock.

Fix this by unlocking path->dentry directly in end_creating_path()
instead of deriving the parent from the child dentry. This ensures the
lock and unlock always operate on the same inode regardless of
concurrent dentry tree modifications.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/namei.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..c861de965d86 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -4959,7 +4959,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
-- 
2.43.0

Forwarded: [PATCH] namei: add debug printk to trace parent inode lock state

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] namei: add debug printk to trace parent inode lock state
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Add debug printk statements to trace the parent directory inode rwsem
state through the symlink creation path. This helps identify which
component is dropping the parent inode's i_rwsem between start_dirop()
and end_dirop(), causing the unbalanced unlock WARNING in
filename_symlinkat().

The printk traces:
- rwsem owner/count after start_dirop() acquires the lock
- rwsem owner/count after vfs_symlink() returns
- rwsem owner/count at end_dirop() just before the unlock
- dentry->d_parent and path->dentry at each point

This is a temporary diagnostic patch and should be reverted once the
root cause is identified.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/namei.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..9584ff6dff47 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2944,6 +2944,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
 void end_dirop(struct dentry *de)
 {
 	if (!IS_ERR(de)) {
+		struct inode *dir = d_inode(de->d_parent);
+		pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+			de, de->d_parent, dir,
+			atomic_long_read(&dir->i_rwsem.count),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		inode_unlock(de->d_parent->d_inode);
 		dput(de);
 	}
@@ -4922,7 +4927,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
 	dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
 	if (IS_ERR(dentry))
 		goto out_drop_write;
-
+	pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+		dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
 	if (unlikely(error))
 		goto fail;
 
@@ -4959,7 +4966,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
@@ -5639,6 +5649,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
 	if (!error)
 		error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
 				    dentry, from->name, &delegated_inode);
+	pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+		error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+		path.dentry, d_inode(path.dentry));
 	end_creating_path(&path, dentry);
 	if (is_delegated(&delegated_inode)) {
 		error = break_deleg_wait(&delegated_inode);
-- 
2.43.0

Forwarded: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.

The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.

This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/gfs2/inode.c |  3 +++
 fs/namei.c      | 18 ++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..e38dafea198c 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -738,6 +738,9 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
 	error = PTR_ERR(inode);
 	if (!IS_ERR(inode)) {
+		pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+			dir, mode, file, inode, S_ISDIR(inode->i_mode),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		if (S_ISDIR(inode->i_mode)) {
 			iput(inode);
 			inode = NULL;
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..9584ff6dff47 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2944,6 +2944,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
 void end_dirop(struct dentry *de)
 {
 	if (!IS_ERR(de)) {
+		struct inode *dir = d_inode(de->d_parent);
+		pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+			de, de->d_parent, dir,
+			atomic_long_read(&dir->i_rwsem.count),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		inode_unlock(de->d_parent->d_inode);
 		dput(de);
 	}
@@ -4922,7 +4927,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
 	dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
 	if (IS_ERR(dentry))
 		goto out_drop_write;
-
+	pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+		dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
 	if (unlikely(error))
 		goto fail;
 
@@ -4959,7 +4966,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
@@ -5639,6 +5649,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
 	if (!error)
 		error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
 				    dentry, from->name, &delegated_inode);
+	pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+		error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+		path.dentry, d_inode(path.dentry));
 	end_creating_path(&path, dentry);
 	if (is_delegated(&delegated_inode)) {
 		error = break_deleg_wait(&delegated_inode);
-- 
2.43.0

Forwarded: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.

The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.

This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/gfs2/inode.c |  3 +++
 fs/namei.c      | 24 ++++++++++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..e38dafea198c 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -738,6 +738,9 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
 	error = PTR_ERR(inode);
 	if (!IS_ERR(inode)) {
+		pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+			dir, mode, file, inode, S_ISDIR(inode->i_mode),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		if (S_ISDIR(inode->i_mode)) {
 			iput(inode);
 			inode = NULL;
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..caa2bf7c3401 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2944,6 +2944,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
 void end_dirop(struct dentry *de)
 {
 	if (!IS_ERR(de)) {
+		struct inode *dir = d_inode(de->d_parent);
+		pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+			de, de->d_parent, dir,
+			atomic_long_read(&dir->i_rwsem.count),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		inode_unlock(de->d_parent->d_inode);
 		dput(de);
 	}
@@ -4922,7 +4927,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
 	dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
 	if (IS_ERR(dentry))
 		goto out_drop_write;
-
+	pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+		dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
 	if (unlikely(error))
 		goto fail;
 
@@ -4959,7 +4966,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
@@ -5595,6 +5605,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		struct dentry *dentry, const char *oldname,
 		struct delegated_inode *delegated_inode)
 {
+	pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	int error;
 
 	error = may_create_dentry(idmap, dir, dentry);
@@ -5613,6 +5626,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		return error;
 
 	error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+	pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, error,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	if (!error)
 		fsnotify_create(dir, dentry);
 	return error;
@@ -5639,6 +5655,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
 	if (!error)
 		error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
 				    dentry, from->name, &delegated_inode);
+	pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+		error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+		path.dentry, d_inode(path.dentry));
 	end_creating_path(&path, dentry);
 	if (is_delegated(&delegated_inode)) {
 		error = break_deleg_wait(&delegated_inode);
-- 
2.43.0

Forwarded: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.

The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.

This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/gfs2/inode.c |  3 +++
 fs/namei.c      | 30 ++++++++++++++++++++++++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..e38dafea198c 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -738,6 +738,9 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
 	error = PTR_ERR(inode);
 	if (!IS_ERR(inode)) {
+		pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+			dir, mode, file, inode, S_ISDIR(inode->i_mode),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		if (S_ISDIR(inode->i_mode)) {
 			iput(inode);
 			inode = NULL;
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..768944691e24 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2922,7 +2922,13 @@ static struct dentry *__start_dirop(struct dentry *parent, struct qstr *name,
 	} else {
 		inode_lock_nested(dir, I_MUTEX_PARENT);
 	}
+	pr_warn("DEBUG LOCK: __start_dirop locked dir=%px count=%ld owner=%px current=%px\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current);
 	dentry = lookup_one_qstr_excl(name, parent, lookup_flags);
+	pr_warn("DEBUG LOCK: __start_dirop after lookup dir=%px count=%ld owner=%px current=%px dentry_err=%d\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current, IS_ERR(dentry));
 	if (IS_ERR(dentry))
 		inode_unlock(dir);
 	return dentry;
@@ -2944,6 +2950,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
 void end_dirop(struct dentry *de)
 {
 	if (!IS_ERR(de)) {
+		struct inode *dir = d_inode(de->d_parent);
+		pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+			de, de->d_parent, dir,
+			atomic_long_read(&dir->i_rwsem.count),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		inode_unlock(de->d_parent->d_inode);
 		dput(de);
 	}
@@ -4922,7 +4933,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
 	dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
 	if (IS_ERR(dentry))
 		goto out_drop_write;
-
+	pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+		dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
 	if (unlikely(error))
 		goto fail;
 
@@ -4959,7 +4972,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
@@ -5595,6 +5611,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		struct dentry *dentry, const char *oldname,
 		struct delegated_inode *delegated_inode)
 {
+	pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	int error;
 
 	error = may_create_dentry(idmap, dir, dentry);
@@ -5613,6 +5632,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		return error;
 
 	error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+	pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, error,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	if (!error)
 		fsnotify_create(dir, dentry);
 	return error;
@@ -5639,6 +5661,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
 	if (!error)
 		error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
 				    dentry, from->name, &delegated_inode);
+	pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+		error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+		path.dentry, d_inode(path.dentry));
 	end_creating_path(&path, dentry);
 	if (is_delegated(&delegated_inode)) {
 		error = break_deleg_wait(&delegated_inode);
-- 
2.43.0

Forwarded: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.

The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.

This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/gfs2/inode.c | 13 +++++++++++++
 fs/namei.c      | 30 ++++++++++++++++++++++++++++--
 2 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..9a3df067bea6 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -725,6 +725,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	error = gfs2_rindex_update(sdp);
 	if (error)
 		goto fail;
+	pr_warn("DEBUG GFS2: after glock_nq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 
 	error = gfs2_glock_nq_init(dip->i_gl, LM_ST_EXCLUSIVE, 0, &d_gh);
 	if (error)
@@ -738,6 +740,9 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
 	error = PTR_ERR(inode);
 	if (!IS_ERR(inode)) {
+		pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+			dir, mode, file, inode, S_ISDIR(inode->i_mode),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		if (S_ISDIR(inode->i_mode)) {
 			iput(inode);
 			inode = NULL;
@@ -893,6 +898,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 
 	mark_inode_dirty(inode);
 	d_instantiate(dentry, inode);
+	pr_warn("DEBUG GFS2: before glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	/* After instantiate, errors should result in evict which will destroy
 	 * both inode and iopen glocks properly. */
 	if (file) {
@@ -900,6 +907,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		error = finish_open(file, dentry, gfs2_open_common);
 	}
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	gfs2_qa_put(ip);
 	gfs2_glock_dq_uninit(&gh);
 	gfs2_glock_put(io_gl);
@@ -937,7 +946,11 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	posix_acl_release(acl);
 fail_gunlock:
 	gfs2_dir_no_add(&da);
+	pr_warn("DEBUG GFS2: fail_gunlock before glock_dq dir=%px rwsem owner=%px current=%px error=%d\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current, error);
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: fail_gunlock after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	if (!IS_ERR_OR_NULL(inode)) {
 		if (inode_state_read_once(inode) & I_NEW)
 			iget_failed(inode);
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..768944691e24 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2922,7 +2922,13 @@ static struct dentry *__start_dirop(struct dentry *parent, struct qstr *name,
 	} else {
 		inode_lock_nested(dir, I_MUTEX_PARENT);
 	}
+	pr_warn("DEBUG LOCK: __start_dirop locked dir=%px count=%ld owner=%px current=%px\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current);
 	dentry = lookup_one_qstr_excl(name, parent, lookup_flags);
+	pr_warn("DEBUG LOCK: __start_dirop after lookup dir=%px count=%ld owner=%px current=%px dentry_err=%d\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current, IS_ERR(dentry));
 	if (IS_ERR(dentry))
 		inode_unlock(dir);
 	return dentry;
@@ -2944,6 +2950,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
 void end_dirop(struct dentry *de)
 {
 	if (!IS_ERR(de)) {
+		struct inode *dir = d_inode(de->d_parent);
+		pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+			de, de->d_parent, dir,
+			atomic_long_read(&dir->i_rwsem.count),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		inode_unlock(de->d_parent->d_inode);
 		dput(de);
 	}
@@ -4922,7 +4933,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
 	dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
 	if (IS_ERR(dentry))
 		goto out_drop_write;
-
+	pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+		dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
 	if (unlikely(error))
 		goto fail;
 
@@ -4959,7 +4972,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
@@ -5595,6 +5611,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		struct dentry *dentry, const char *oldname,
 		struct delegated_inode *delegated_inode)
 {
+	pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	int error;
 
 	error = may_create_dentry(idmap, dir, dentry);
@@ -5613,6 +5632,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		return error;
 
 	error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+	pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, error,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	if (!error)
 		fsnotify_create(dir, dentry);
 	return error;
@@ -5639,6 +5661,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
 	if (!error)
 		error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
 				    dentry, from->name, &delegated_inode);
+	pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+		error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+		path.dentry, d_inode(path.dentry));
 	end_creating_path(&path, dentry);
 	if (is_delegated(&delegated_inode)) {
 		error = break_deleg_wait(&delegated_inode);
-- 
2.43.0

Forwarded: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.

The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.

This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/gfs2/inode.c | 22 +++++++++++++++++++++-
 fs/namei.c      | 30 ++++++++++++++++++++++++++++--
 2 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..a393d72597b8 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -725,19 +725,26 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	error = gfs2_rindex_update(sdp);
 	if (error)
 		goto fail;
+	pr_warn("DEBUG GFS2: after glock_nq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 
 	error = gfs2_glock_nq_init(dip->i_gl, LM_ST_EXCLUSIVE, 0, &d_gh);
+	pr_warn("DEBUG GFS2 A: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
 	if (error)
 		goto fail;
 	gfs2_holder_mark_uninitialized(&gh);
 
 	error = create_ok(dip, name, mode);
+	pr_warn("DEBUG GFS2 B: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock;
 
 	inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
 	error = PTR_ERR(inode);
 	if (!IS_ERR(inode)) {
+		pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+			dir, mode, file, inode, S_ISDIR(inode->i_mode),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		if (S_ISDIR(inode->i_mode)) {
 			iput(inode);
 			inode = NULL;
@@ -759,6 +766,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	}
 
 	error = gfs2_diradd_alloc_required(dir, name, &da);
+	pr_warn("DEBUG GFS2 C: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error < 0)
 		goto fail_gunlock;
 
@@ -820,6 +828,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		blocks++;
 
 	error = alloc_dinode(ip, aflags, &blocks);
+	pr_warn("DEBUG GFS2 D: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_free_inode;
 
@@ -844,6 +853,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 
 	error = gfs2_glock_nq_init(io_gl, LM_ST_SHARED, GL_EXACT | GL_NOPID,
 				   &ip->i_iopen_gh);
+	pr_warn("DEBUG GFS2 E: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock2;
 
@@ -862,7 +872,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	}
 	init_dinode(dip, ip, symname);
 	gfs2_trans_end(sdp);
-
+	pr_warn("DEBUG GFS2 F: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
 	glock_set_object(ip->i_gl, ip);
 	glock_set_object(io_gl, ip);
 	gfs2_set_iop(inode);
@@ -888,11 +898,15 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		goto fail_gunlock4;
 
 	error = link_dinode(dip, name, ip, &da);
+	pr_warn("DEBUG GFS2 G: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock4;
 
 	mark_inode_dirty(inode);
 	d_instantiate(dentry, inode);
+	pr_warn("DEBUG GFS2 H: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
+	pr_warn("DEBUG GFS2: before glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	/* After instantiate, errors should result in evict which will destroy
 	 * both inode and iopen glocks properly. */
 	if (file) {
@@ -900,6 +914,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		error = finish_open(file, dentry, gfs2_open_common);
 	}
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	gfs2_qa_put(ip);
 	gfs2_glock_dq_uninit(&gh);
 	gfs2_glock_put(io_gl);
@@ -937,7 +953,11 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	posix_acl_release(acl);
 fail_gunlock:
 	gfs2_dir_no_add(&da);
+	pr_warn("DEBUG GFS2: fail_gunlock before glock_dq dir=%px rwsem owner=%px current=%px error=%d\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current, error);
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: fail_gunlock after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	if (!IS_ERR_OR_NULL(inode)) {
 		if (inode_state_read_once(inode) & I_NEW)
 			iget_failed(inode);
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..768944691e24 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2922,7 +2922,13 @@ static struct dentry *__start_dirop(struct dentry *parent, struct qstr *name,
 	} else {
 		inode_lock_nested(dir, I_MUTEX_PARENT);
 	}
+	pr_warn("DEBUG LOCK: __start_dirop locked dir=%px count=%ld owner=%px current=%px\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current);
 	dentry = lookup_one_qstr_excl(name, parent, lookup_flags);
+	pr_warn("DEBUG LOCK: __start_dirop after lookup dir=%px count=%ld owner=%px current=%px dentry_err=%d\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current, IS_ERR(dentry));
 	if (IS_ERR(dentry))
 		inode_unlock(dir);
 	return dentry;
@@ -2944,6 +2950,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
 void end_dirop(struct dentry *de)
 {
 	if (!IS_ERR(de)) {
+		struct inode *dir = d_inode(de->d_parent);
+		pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+			de, de->d_parent, dir,
+			atomic_long_read(&dir->i_rwsem.count),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		inode_unlock(de->d_parent->d_inode);
 		dput(de);
 	}
@@ -4922,7 +4933,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
 	dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
 	if (IS_ERR(dentry))
 		goto out_drop_write;
-
+	pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+		dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
 	if (unlikely(error))
 		goto fail;
 
@@ -4959,7 +4972,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
@@ -5595,6 +5611,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		struct dentry *dentry, const char *oldname,
 		struct delegated_inode *delegated_inode)
 {
+	pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	int error;
 
 	error = may_create_dentry(idmap, dir, dentry);
@@ -5613,6 +5632,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		return error;
 
 	error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+	pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, error,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	if (!error)
 		fsnotify_create(dir, dentry);
 	return error;
@@ -5639,6 +5661,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
 	if (!error)
 		error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
 				    dentry, from->name, &delegated_inode);
+	pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+		error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+		path.dentry, d_inode(path.dentry));
 	end_creating_path(&path, dentry);
 	if (is_delegated(&delegated_inode)) {
 		error = break_deleg_wait(&delegated_inode);
-- 
2.43.0

Forwarded: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.

The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.

This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/gfs2/inode.c | 26 +++++++++++++++++++++++++-
 fs/namei.c      | 30 ++++++++++++++++++++++++++++--
 2 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..e252f7720735 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -725,19 +725,26 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	error = gfs2_rindex_update(sdp);
 	if (error)
 		goto fail;
+	pr_warn("DEBUG GFS2: after glock_nq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 
 	error = gfs2_glock_nq_init(dip->i_gl, LM_ST_EXCLUSIVE, 0, &d_gh);
+	pr_warn("DEBUG GFS2 A: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
 	if (error)
 		goto fail;
 	gfs2_holder_mark_uninitialized(&gh);
 
 	error = create_ok(dip, name, mode);
+	pr_warn("DEBUG GFS2 B: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock;
 
 	inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
 	error = PTR_ERR(inode);
 	if (!IS_ERR(inode)) {
+		pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+			dir, mode, file, inode, S_ISDIR(inode->i_mode),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		if (S_ISDIR(inode->i_mode)) {
 			iput(inode);
 			inode = NULL;
@@ -759,6 +766,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	}
 
 	error = gfs2_diradd_alloc_required(dir, name, &da);
+	pr_warn("DEBUG GFS2 C: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error < 0)
 		goto fail_gunlock;
 
@@ -820,16 +828,20 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		blocks++;
 
 	error = alloc_dinode(ip, aflags, &blocks);
+	pr_warn("DEBUG GFS2 D: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_free_inode;
 
 	gfs2_set_inode_blocks(inode, blocks);
 
 	error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_inode_glops, CREATE, &ip->i_gl);
+	pr_warn("DEBUG GFS2 D1: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
+ 	if (error)
 	if (error)
 		goto fail_dealloc_inode;
 
 	error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl);
+	pr_warn("DEBUG GFS2 D2: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_dealloc_inode;
 	gfs2_cancel_delete_work(io_gl);
@@ -837,6 +849,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 
 retry:
 	error = insert_inode_locked4(inode, ip->i_no_addr, iget_test, &ip->i_no_addr);
+	pr_warn("DEBUG GFS2 D3: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error == -EBUSY)
 		goto retry;
 	if (error)
@@ -844,6 +857,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 
 	error = gfs2_glock_nq_init(io_gl, LM_ST_SHARED, GL_EXACT | GL_NOPID,
 				   &ip->i_iopen_gh);
+	pr_warn("DEBUG GFS2 E: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock2;
 
@@ -862,7 +876,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	}
 	init_dinode(dip, ip, symname);
 	gfs2_trans_end(sdp);
-
+	pr_warn("DEBUG GFS2 F: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
 	glock_set_object(ip->i_gl, ip);
 	glock_set_object(io_gl, ip);
 	gfs2_set_iop(inode);
@@ -888,11 +902,15 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		goto fail_gunlock4;
 
 	error = link_dinode(dip, name, ip, &da);
+	pr_warn("DEBUG GFS2 G: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock4;
 
 	mark_inode_dirty(inode);
 	d_instantiate(dentry, inode);
+	pr_warn("DEBUG GFS2 H: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
+	pr_warn("DEBUG GFS2: before glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	/* After instantiate, errors should result in evict which will destroy
 	 * both inode and iopen glocks properly. */
 	if (file) {
@@ -900,6 +918,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		error = finish_open(file, dentry, gfs2_open_common);
 	}
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	gfs2_qa_put(ip);
 	gfs2_glock_dq_uninit(&gh);
 	gfs2_glock_put(io_gl);
@@ -937,7 +957,11 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	posix_acl_release(acl);
 fail_gunlock:
 	gfs2_dir_no_add(&da);
+	pr_warn("DEBUG GFS2: fail_gunlock before glock_dq dir=%px rwsem owner=%px current=%px error=%d\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current, error);
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: fail_gunlock after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	if (!IS_ERR_OR_NULL(inode)) {
 		if (inode_state_read_once(inode) & I_NEW)
 			iget_failed(inode);
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..768944691e24 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2922,7 +2922,13 @@ static struct dentry *__start_dirop(struct dentry *parent, struct qstr *name,
 	} else {
 		inode_lock_nested(dir, I_MUTEX_PARENT);
 	}
+	pr_warn("DEBUG LOCK: __start_dirop locked dir=%px count=%ld owner=%px current=%px\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current);
 	dentry = lookup_one_qstr_excl(name, parent, lookup_flags);
+	pr_warn("DEBUG LOCK: __start_dirop after lookup dir=%px count=%ld owner=%px current=%px dentry_err=%d\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current, IS_ERR(dentry));
 	if (IS_ERR(dentry))
 		inode_unlock(dir);
 	return dentry;
@@ -2944,6 +2950,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
 void end_dirop(struct dentry *de)
 {
 	if (!IS_ERR(de)) {
+		struct inode *dir = d_inode(de->d_parent);
+		pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+			de, de->d_parent, dir,
+			atomic_long_read(&dir->i_rwsem.count),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		inode_unlock(de->d_parent->d_inode);
 		dput(de);
 	}
@@ -4922,7 +4933,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
 	dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
 	if (IS_ERR(dentry))
 		goto out_drop_write;
-
+	pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+		dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
 	if (unlikely(error))
 		goto fail;
 
@@ -4959,7 +4972,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
@@ -5595,6 +5611,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		struct dentry *dentry, const char *oldname,
 		struct delegated_inode *delegated_inode)
 {
+	pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	int error;
 
 	error = may_create_dentry(idmap, dir, dentry);
@@ -5613,6 +5632,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		return error;
 
 	error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+	pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, error,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	if (!error)
 		fsnotify_create(dir, dentry);
 	return error;
@@ -5639,6 +5661,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
 	if (!error)
 		error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
 				    dentry, from->name, &delegated_inode);
+	pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+		error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+		path.dentry, d_inode(path.dentry));
 	end_creating_path(&path, dentry);
 	if (is_delegated(&delegated_inode)) {
 		error = break_deleg_wait(&delegated_inode);
-- 
2.43.0

Forwarded: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.

The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.

This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/gfs2/inode.c        | 30 +++++++++++++++++++++++++++++-
 fs/namei.c             | 30 ++++++++++++++++++++++++++++--
 kernel/locking/rwsem.c | 10 ++++++++++
 3 files changed, 67 insertions(+), 3 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..2be4a899c665 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -36,6 +36,9 @@
 #include "super.h"
 #include "glops.h"
 
+void *gfs2_debug_watched_rwsem;
+EXPORT_SYMBOL(gfs2_debug_watched_rwsem);
+
 static const struct inode_operations gfs2_file_iops;
 static const struct inode_operations gfs2_dir_iops;
 static const struct inode_operations gfs2_symlink_iops;
@@ -725,19 +728,26 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	error = gfs2_rindex_update(sdp);
 	if (error)
 		goto fail;
+	pr_warn("DEBUG GFS2: after glock_nq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 
 	error = gfs2_glock_nq_init(dip->i_gl, LM_ST_EXCLUSIVE, 0, &d_gh);
+	pr_warn("DEBUG GFS2 A: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
 	if (error)
 		goto fail;
 	gfs2_holder_mark_uninitialized(&gh);
 
 	error = create_ok(dip, name, mode);
+	pr_warn("DEBUG GFS2 B: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock;
 
 	inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
 	error = PTR_ERR(inode);
 	if (!IS_ERR(inode)) {
+		pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+			dir, mode, file, inode, S_ISDIR(inode->i_mode),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		if (S_ISDIR(inode->i_mode)) {
 			iput(inode);
 			inode = NULL;
@@ -759,6 +769,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	}
 
 	error = gfs2_diradd_alloc_required(dir, name, &da);
+	pr_warn("DEBUG GFS2 C: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error < 0)
 		goto fail_gunlock;
 
@@ -820,16 +831,19 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		blocks++;
 
 	error = alloc_dinode(ip, aflags, &blocks);
+	pr_warn("DEBUG GFS2 D: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_free_inode;
 
 	gfs2_set_inode_blocks(inode, blocks);
 
 	error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_inode_glops, CREATE, &ip->i_gl);
+	pr_warn("DEBUG GFS2 D1: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_dealloc_inode;
 
 	error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl);
+	pr_warn("DEBUG GFS2 D2: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_dealloc_inode;
 	gfs2_cancel_delete_work(io_gl);
@@ -837,13 +851,17 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 
 retry:
 	error = insert_inode_locked4(inode, ip->i_no_addr, iget_test, &ip->i_no_addr);
+	pr_warn("DEBUG GFS2 D3: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error == -EBUSY)
 		goto retry;
 	if (error)
 		goto fail_gunlock2;
 
+	gfs2_debug_watched_rwsem = &dir->i_rwsem;
 	error = gfs2_glock_nq_init(io_gl, LM_ST_SHARED, GL_EXACT | GL_NOPID,
 				   &ip->i_iopen_gh);
+	gfs2_debug_watched_rwsem = NULL;
+	pr_warn("DEBUG GFS2 E: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock2;
 
@@ -862,7 +880,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	}
 	init_dinode(dip, ip, symname);
 	gfs2_trans_end(sdp);
-
+	pr_warn("DEBUG GFS2 F: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
 	glock_set_object(ip->i_gl, ip);
 	glock_set_object(io_gl, ip);
 	gfs2_set_iop(inode);
@@ -888,11 +906,15 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		goto fail_gunlock4;
 
 	error = link_dinode(dip, name, ip, &da);
+	pr_warn("DEBUG GFS2 G: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock4;
 
 	mark_inode_dirty(inode);
 	d_instantiate(dentry, inode);
+	pr_warn("DEBUG GFS2 H: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
+	pr_warn("DEBUG GFS2: before glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	/* After instantiate, errors should result in evict which will destroy
 	 * both inode and iopen glocks properly. */
 	if (file) {
@@ -900,6 +922,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		error = finish_open(file, dentry, gfs2_open_common);
 	}
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	gfs2_qa_put(ip);
 	gfs2_glock_dq_uninit(&gh);
 	gfs2_glock_put(io_gl);
@@ -937,7 +961,11 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	posix_acl_release(acl);
 fail_gunlock:
 	gfs2_dir_no_add(&da);
+	pr_warn("DEBUG GFS2: fail_gunlock before glock_dq dir=%px rwsem owner=%px current=%px error=%d\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current, error);
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: fail_gunlock after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	if (!IS_ERR_OR_NULL(inode)) {
 		if (inode_state_read_once(inode) & I_NEW)
 			iget_failed(inode);
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..768944691e24 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2922,7 +2922,13 @@ static struct dentry *__start_dirop(struct dentry *parent, struct qstr *name,
 	} else {
 		inode_lock_nested(dir, I_MUTEX_PARENT);
 	}
+	pr_warn("DEBUG LOCK: __start_dirop locked dir=%px count=%ld owner=%px current=%px\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current);
 	dentry = lookup_one_qstr_excl(name, parent, lookup_flags);
+	pr_warn("DEBUG LOCK: __start_dirop after lookup dir=%px count=%ld owner=%px current=%px dentry_err=%d\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current, IS_ERR(dentry));
 	if (IS_ERR(dentry))
 		inode_unlock(dir);
 	return dentry;
@@ -2944,6 +2950,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
 void end_dirop(struct dentry *de)
 {
 	if (!IS_ERR(de)) {
+		struct inode *dir = d_inode(de->d_parent);
+		pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+			de, de->d_parent, dir,
+			atomic_long_read(&dir->i_rwsem.count),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		inode_unlock(de->d_parent->d_inode);
 		dput(de);
 	}
@@ -4922,7 +4933,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
 	dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
 	if (IS_ERR(dentry))
 		goto out_drop_write;
-
+	pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+		dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
 	if (unlikely(error))
 		goto fail;
 
@@ -4959,7 +4972,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
@@ -5595,6 +5611,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		struct dentry *dentry, const char *oldname,
 		struct delegated_inode *delegated_inode)
 {
+	pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	int error;
 
 	error = may_create_dentry(idmap, dir, dentry);
@@ -5613,6 +5632,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		return error;
 
 	error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+	pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, error,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	if (!error)
 		fsnotify_create(dir, dentry);
 	return error;
@@ -5639,6 +5661,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
 	if (!error)
 		error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
 				    dentry, from->name, &delegated_inode);
+	pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+		error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+		path.dentry, d_inode(path.dentry));
 	end_creating_path(&path, dentry);
 	if (is_delegated(&delegated_inode)) {
 		error = break_deleg_wait(&delegated_inode);
diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c
index 24df4d98f7d2..4c4c6daf8172 100644
--- a/kernel/locking/rwsem.c
+++ b/kernel/locking/rwsem.c
@@ -1629,6 +1629,11 @@ EXPORT_SYMBOL(down_write_trylock);
  */
 void up_read(struct rw_semaphore *sem)
 {
+	extern void *gfs2_debug_watched_rwsem;
+	if (sem == gfs2_debug_watched_rwsem) {
+		pr_warn("DEBUG WATCHPOINT: up_read on watched rwsem=%px!\n", sem);
+		dump_stack();
+	}
 	rwsem_release(&sem->dep_map, _RET_IP_);
 	__up_read(sem);
 }
@@ -1639,6 +1644,11 @@ EXPORT_SYMBOL(up_read);
  */
 void up_write(struct rw_semaphore *sem)
 {
+	extern void *gfs2_debug_watched_rwsem;
+	if (sem == gfs2_debug_watched_rwsem) {
+		pr_warn("DEBUG WATCHPOINT: up_write on watched rwsem=%px!\n", sem);
+		dump_stack();
+	}
 	rwsem_release(&sem->dep_map, _RET_IP_);
 	__up_write(sem);
 }
-- 
2.43.0

Forwarded: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: add debug printk to trace existing entry in gfs2_create_inode
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add a debug printk when gfs2_dir_search finds an existing entry in
gfs2_create_inode. This helps confirm whether the rwsem unlock WARNING
in filename_symlinkat is caused by gfs2_create_inode returning false
success (0) when file is NULL and an existing entry is found on a
corrupted GFS2 image.

The printk logs the directory inode, creation mode, file pointer, found
inode, and rwsem owner at the point where the existing entry is
detected.

This is a temporary diagnostic patch and should be reverted once the
root cause is confirmed.

Reported-by: syzbot+2ed46b6b748df855347f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ed46b6b748df855347f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/gfs2/inode.c        | 30 +++++++++++++++++++++++++++++-
 fs/namei.c             | 30 ++++++++++++++++++++++++++++--
 kernel/locking/rwsem.c | 20 ++++++++++++++++++++
 3 files changed, 77 insertions(+), 3 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..2be4a899c665 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -36,6 +36,9 @@
 #include "super.h"
 #include "glops.h"
 
+void *gfs2_debug_watched_rwsem;
+EXPORT_SYMBOL(gfs2_debug_watched_rwsem);
+
 static const struct inode_operations gfs2_file_iops;
 static const struct inode_operations gfs2_dir_iops;
 static const struct inode_operations gfs2_symlink_iops;
@@ -725,19 +728,26 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	error = gfs2_rindex_update(sdp);
 	if (error)
 		goto fail;
+	pr_warn("DEBUG GFS2: after glock_nq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 
 	error = gfs2_glock_nq_init(dip->i_gl, LM_ST_EXCLUSIVE, 0, &d_gh);
+	pr_warn("DEBUG GFS2 A: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
 	if (error)
 		goto fail;
 	gfs2_holder_mark_uninitialized(&gh);
 
 	error = create_ok(dip, name, mode);
+	pr_warn("DEBUG GFS2 B: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock;
 
 	inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
 	error = PTR_ERR(inode);
 	if (!IS_ERR(inode)) {
+		pr_warn("DEBUG GFS2: gfs2_create_inode found existing entry! dir=%px mode=%o file=%px inode=%px S_ISDIR=%d rwsem owner=%px current=%px\n",
+			dir, mode, file, inode, S_ISDIR(inode->i_mode),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		if (S_ISDIR(inode->i_mode)) {
 			iput(inode);
 			inode = NULL;
@@ -759,6 +769,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	}
 
 	error = gfs2_diradd_alloc_required(dir, name, &da);
+	pr_warn("DEBUG GFS2 C: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error < 0)
 		goto fail_gunlock;
 
@@ -820,16 +831,19 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		blocks++;
 
 	error = alloc_dinode(ip, aflags, &blocks);
+	pr_warn("DEBUG GFS2 D: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_free_inode;
 
 	gfs2_set_inode_blocks(inode, blocks);
 
 	error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_inode_glops, CREATE, &ip->i_gl);
+	pr_warn("DEBUG GFS2 D1: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_dealloc_inode;
 
 	error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl);
+	pr_warn("DEBUG GFS2 D2: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_dealloc_inode;
 	gfs2_cancel_delete_work(io_gl);
@@ -837,13 +851,17 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 
 retry:
 	error = insert_inode_locked4(inode, ip->i_no_addr, iget_test, &ip->i_no_addr);
+	pr_warn("DEBUG GFS2 D3: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error == -EBUSY)
 		goto retry;
 	if (error)
 		goto fail_gunlock2;
 
+	gfs2_debug_watched_rwsem = &dir->i_rwsem;
 	error = gfs2_glock_nq_init(io_gl, LM_ST_SHARED, GL_EXACT | GL_NOPID,
 				   &ip->i_iopen_gh);
+	gfs2_debug_watched_rwsem = NULL;
+	pr_warn("DEBUG GFS2 E: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock2;
 
@@ -862,7 +880,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	}
 	init_dinode(dip, ip, symname);
 	gfs2_trans_end(sdp);
-
+	pr_warn("DEBUG GFS2 F: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
 	glock_set_object(ip->i_gl, ip);
 	glock_set_object(io_gl, ip);
 	gfs2_set_iop(inode);
@@ -888,11 +906,15 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		goto fail_gunlock4;
 
 	error = link_dinode(dip, name, ip, &da);
+	pr_warn("DEBUG GFS2 G: dir=%px rwsem owner=%px error=%d\n", dir, READ_ONCE(dir->i_rwsem.owner), error);
 	if (error)
 		goto fail_gunlock4;
 
 	mark_inode_dirty(inode);
 	d_instantiate(dentry, inode);
+	pr_warn("DEBUG GFS2 H: dir=%px rwsem owner=%px\n", dir, READ_ONCE(dir->i_rwsem.owner));
+	pr_warn("DEBUG GFS2: before glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	/* After instantiate, errors should result in evict which will destroy
 	 * both inode and iopen glocks properly. */
 	if (file) {
@@ -900,6 +922,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 		error = finish_open(file, dentry, gfs2_open_common);
 	}
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	gfs2_qa_put(ip);
 	gfs2_glock_dq_uninit(&gh);
 	gfs2_glock_put(io_gl);
@@ -937,7 +961,11 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 	posix_acl_release(acl);
 fail_gunlock:
 	gfs2_dir_no_add(&da);
+	pr_warn("DEBUG GFS2: fail_gunlock before glock_dq dir=%px rwsem owner=%px current=%px error=%d\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current, error);
 	gfs2_glock_dq_uninit(&d_gh);
+	pr_warn("DEBUG GFS2: fail_gunlock after glock_dq dir=%px rwsem owner=%px current=%px\n",
+		dir, READ_ONCE(dir->i_rwsem.owner), current);
 	if (!IS_ERR_OR_NULL(inode)) {
 		if (inode_state_read_once(inode) & I_NEW)
 			iget_failed(inode);
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..768944691e24 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2922,7 +2922,13 @@ static struct dentry *__start_dirop(struct dentry *parent, struct qstr *name,
 	} else {
 		inode_lock_nested(dir, I_MUTEX_PARENT);
 	}
+	pr_warn("DEBUG LOCK: __start_dirop locked dir=%px count=%ld owner=%px current=%px\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current);
 	dentry = lookup_one_qstr_excl(name, parent, lookup_flags);
+	pr_warn("DEBUG LOCK: __start_dirop after lookup dir=%px count=%ld owner=%px current=%px dentry_err=%d\n",
+		dir, atomic_long_read(&dir->i_rwsem.count),
+		READ_ONCE(dir->i_rwsem.owner), current, IS_ERR(dentry));
 	if (IS_ERR(dentry))
 		inode_unlock(dir);
 	return dentry;
@@ -2944,6 +2950,11 @@ struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
 void end_dirop(struct dentry *de)
 {
 	if (!IS_ERR(de)) {
+		struct inode *dir = d_inode(de->d_parent);
+		pr_warn("DEBUG: end_dirop: de=%px parent=%px inode=%px rwsem count=%ld owner=%px current=%px\n",
+			de, de->d_parent, dir,
+			atomic_long_read(&dir->i_rwsem.count),
+			READ_ONCE(dir->i_rwsem.owner), current);
 		inode_unlock(de->d_parent->d_inode);
 		dput(de);
 	}
@@ -4922,7 +4933,9 @@ static struct dentry *filename_create(int dfd, struct filename *name,
 	dentry = start_dirop(path->dentry, &last, reval_flag | create_flags);
 	if (IS_ERR(dentry))
 		goto out_drop_write;
-
+	pr_warn("DEBUG: after start_dirop: dentry=%px parent=%px parent_inode=%px rwsem owner=%px current=%px\n",
+		dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(dentry->d_parent)->i_rwsem.count), current);
 	if (unlikely(error))
 		goto fail;
 
@@ -4959,7 +4972,10 @@ EXPORT_SYMBOL(start_creating_path);
  */
 void end_creating_path(const struct path *path, struct dentry *dentry)
 {
-	end_creating(dentry);
+	if (!IS_ERR(dentry)) {
+		inode_unlock(d_inode(path->dentry));
+		dput(dentry);
+	}
 	mnt_drop_write(path->mnt);
 	path_put(path);
 }
@@ -5595,6 +5611,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		struct dentry *dentry, const char *oldname,
 		struct delegated_inode *delegated_inode)
 {
+	pr_warn("DEBUG VFS: before symlink: dir=%px sb_type=%s symlink_fn=%ps rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, dir->i_op->symlink,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	int error;
 
 	error = may_create_dentry(idmap, dir, dentry);
@@ -5613,6 +5632,9 @@ int vfs_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		return error;
 
 	error = dir->i_op->symlink(idmap, dir, dentry, oldname);
+	pr_warn("DEBUG VFS: after symlink: dir=%px sb_type=%s error=%d rwsem owner=%px current=%px\n",
+		dir, dir->i_sb->s_type->name, error,
+		READ_ONCE(dir->i_rwsem.owner), current);
 	if (!error)
 		fsnotify_create(dir, dentry);
 	return error;
@@ -5639,6 +5661,10 @@ int filename_symlinkat(struct filename *from, int newdfd, struct filename *to)
 	if (!error)
 		error = vfs_symlink(mnt_idmap(path.mnt), path.dentry->d_inode,
 				    dentry, from->name, &delegated_inode);
+	pr_warn("DEBUG: after vfs_symlink: error=%d dentry=%px parent=%px parent_inode=%px rwsem owner=%px path_dentry=%px path_inode=%px\n",
+		error, dentry, dentry->d_parent, d_inode(dentry->d_parent),
+		(void *)atomic_long_read(&d_inode(path.dentry)->i_rwsem.count),
+		path.dentry, d_inode(path.dentry));
 	end_creating_path(&path, dentry);
 	if (is_delegated(&delegated_inode)) {
 		error = break_deleg_wait(&delegated_inode);
diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c
index 24df4d98f7d2..9c5969a585c6 100644
--- a/kernel/locking/rwsem.c
+++ b/kernel/locking/rwsem.c
@@ -146,6 +146,11 @@ static inline void rwsem_set_owner(struct rw_semaphore *sem)
 
 static inline void rwsem_clear_owner(struct rw_semaphore *sem)
 {
+	extern void *gfs2_debug_watched_rwsem;
+	if (sem == gfs2_debug_watched_rwsem) {
+		pr_warn("DEBUG WATCHPOINT: rwsem_clear_owner on watched rwsem=%px!\n", sem);
+		dump_stack();
+	}
 	lockdep_assert_preemption_disabled();
 	atomic_long_set(&sem->owner, 0);
 }
@@ -1452,6 +1457,11 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
 void __init_rwsem(struct rw_semaphore *sem, const char *name,
 		  struct lock_class_key *key)
 {
+	extern void *gfs2_debug_watched_rwsem;
+	if (sem == gfs2_debug_watched_rwsem) {
+		pr_warn("DEBUG WATCHPOINT: init_rwsem on watched rwsem=%px!\n", sem);
+		dump_stack();
+	}
 	init_rwbase_rt(&(sem)->rwbase);
 
 #ifdef CONFIG_DEBUG_LOCK_ALLOC
@@ -1629,6 +1639,11 @@ EXPORT_SYMBOL(down_write_trylock);
  */
 void up_read(struct rw_semaphore *sem)
 {
+	extern void *gfs2_debug_watched_rwsem;
+	if (sem == gfs2_debug_watched_rwsem) {
+		pr_warn("DEBUG WATCHPOINT: up_read on watched rwsem=%px!\n", sem);
+		dump_stack();
+	}
 	rwsem_release(&sem->dep_map, _RET_IP_);
 	__up_read(sem);
 }
@@ -1639,6 +1654,11 @@ EXPORT_SYMBOL(up_read);
  */
 void up_write(struct rw_semaphore *sem)
 {
+	extern void *gfs2_debug_watched_rwsem;
+	if (sem == gfs2_debug_watched_rwsem) {
+		pr_warn("DEBUG WATCHPOINT: up_write on watched rwsem=%px!\n", sem);
+		dump_stack();
+	}
 	rwsem_release(&sem->dep_map, _RET_IP_);
 	__up_write(sem);
 }
-- 
2.43.0