Hello,

I'd like to report an overlayfs related crash. The stack trace is as follows:

crash> bt
PID: 1789  TASK: ffff89006ebc5200  CPU: 57  COMMAND: "lsof"
 #0 [ffffc900b24b74e8] machine_kexec at ffffffff810afa90
 #1 [ffffc900b24b7558] __crash_kexec at ffffffff81219328
 #2 [ffffc900b24b7630] panic at ffffffff810f5b01
 #3 [ffffc900b24b76c0] oops_end at ffffffff81055835
 #4 [ffffc900b24b7708] page_fault_oops at ffffffff810c7a17
 #5 [ffffc900b24b7788] do_user_addr_fault at ffffffff810c84ae
 #6 [ffffc900b24b77f0] exc_page_fault at ffffffff82110102
 #7 [ffffc900b24b7830] asm_exc_page_fault at ffffffff82200c27
    [exception RIP: ovl_encode_real_fh+48]
    RIP: ffffffffc243dca0  RSP: ffffc900b24b78e0  RFLAGS: 00010282
    RAX: 0000000000000000  RBX: ffffc900b24b7a58  RCX: 0000000000000080
    RDX: 61c8864680b583eb  RSI: 0000000000000000  RDI: ffff890058bc9800
    RBP: ffffc900b24b7938  R8: 0000000000000002  R9: ffff890673f21ce0
    R10: 0000000000ffff10  R11: 000000000000000f  R12: 0000000000000001
    R13: ffff890058bc9800  R14: 0000000000000080  R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #8 [ffffc900b24b7940] ovl_dentry_to_fid at ffffffffc24402b1 [overlay]
 #9 [ffffc900b24b79a0] ovl_encode_fh at ffffffffc2440435 [overlay]
#10 [ffffc900b24b79f8] exportfs_encode_inode_fh at ffffffff8165937b
#11 [ffffc900b24b7a38] show_mark_fhandle at ffffffff815208ec
#12 [ffffc900b24b7b08] inotify_fdinfo at ffffffff81520ca0
#13 [ffffc900b24b7b40] show_fdinfo at ffffffff81520a7f
#14 [ffffc900b24b7ba0] inotify_show_fdinfo at ffffffff81520cee
#15 [ffffc900b24b7bc0] seq_show at ffffffff81580d4c
#16 [ffffc900b24b7c18] seq_read_iter at ffffffff814f42a0
#17 [ffffc900b24b7c88] seq_read at ffffffff814f4713
#18 [ffffc900b24b7d48] vfs_read at ffffffff814ba791
#19 [ffffc900b24b7e10] ksys_read at ffffffff814bb7aa
#20 [ffffc900b24b7e70] __x64_sys_read at ffffffff814bb85e
#21 [ffffc900b24b7e90] x64_sys_call at ffffffff81006641
#22 [ffffc900b24b7eb0] do_syscall_64 at ffffffff82108b58
#23 [ffffc900b24b7f50] entry_SYSCALL_64_after_hwframe at ffffffff82200130
    RIP: 0000772a57dd2a61  RSP: 00007ffcc0ebd2a8  RFLAGS: 00000246
    RAX: ffffffffffffffda  RBX: 000063e265d7a2a0  RCX: 0000772a57dd2a61
    RDX: 0000000000000400  RSI: 000063e265d7a500  RDI: 0000000000000007
    RBP: 00007ffcc0ebd2e0  R8: 0000000000000001  R9: 0000000000000000
    R10: 0000000000000000  R11: 0000000000000246  R12: 0000772a57eb9030
    R13: 0000772a57eb8ee0  R14: 0000000000000000  R15: 000063e265d7a2a0
    ORIG_RAX: 0000000000000000  CS: 0033  SS: 002b

I analyzed the crash dump, here is what I figured out:

- The overlay fs is mounted with only 2 lowerdirs, and nfs_export=on
- When ovl_dentry_to_fid() is called on the root dentry:
  - ovl_check_encode_origin(dentry) returns 0 as enc_lower (I believe it should return 1 in this case)
  - "enc_lower ? ovl_dentry_lower(dentry) : ovl_dentry_upper(dentry)" evaluates to NULL
  - NULL is passed as the second argument to ovl_encode_real_fh(), so it crashes

This crash has been reproduced on both kernel 6.8 and 6.6, but I haven't tried on any newer kernel version.

I have a simple C program to reproduce it, if needed I can upload its source to my GitHub repository or email it here.

Thanks,
-Youzhong
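
A triage helper for the analysis in the report above, as an added example (not part of the original message and not the reporter's reproducer): it parses the exception frame from `crash> bt` output and lists which x86-64 argument registers were zero at the fault. The function names are hypothetical, and a zero register is only a candidate NULL argument, because it may have been overwritten before the faulting instruction.

```python
import re

# Exception frame copied from the report above (whitespace normalised).
SAMPLE_BT = """\
 #7 [ffffc900b24b7830] asm_exc_page_fault at ffffffff82200c27
    [exception RIP: ovl_encode_real_fh+48]
    RIP: ffffffffc243dca0  RSP: ffffc900b24b78e0  RFLAGS: 00010282
    RAX: 0000000000000000  RBX: ffffc900b24b7a58  RCX: 0000000000000080
    RDX: 61c8864680b583eb  RSI: 0000000000000000  RDI: ffff890058bc9800
    RBP: ffffc900b24b7938  R8: 0000000000000002  R9: ffff890673f21ce0
    R10: 0000000000ffff10  R11: 000000000000000f  R12: 0000000000000001
    R13: ffff890058bc9800  R14: 0000000000000080  R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #8 [ffffc900b24b7940] ovl_dentry_to_fid at ffffffffc24402b1 [overlay]
"""

# x86-64 System V order of the first six integer/pointer arguments.
ARG_REGS = ("RDI", "RSI", "RDX", "RCX", "R8", "R9")
EXC_RE = re.compile(r"\[exception RIP: (\S+)\+(\w+)\]")
REG_RE = re.compile(r"\b([A-Z][A-Z0-9_]{1,7}):\s+([0-9a-f]+)\b")
FRAME_RE = re.compile(r"^\s*#\d+ \[[0-9a-f]+\] (\S+) at")

def parse_exception_frame(text):
    """Return (symbol, offset, regs, caller) for the first exception frame, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = EXC_RE.search(line)
        if not m:
            continue
        regs, caller = {}, None
        for follow in lines[i + 1:]:
            f = FRAME_RE.match(follow)
            if f:  # the next numbered frame ends the register dump
                caller = f.group(1)
                break
            for name, val in REG_RE.findall(follow):
                regs.setdefault(name, int(val, 16))
        return m.group(1), m.group(2), regs, caller
    return None

def null_arg_candidates(regs):
    """1-based positions of argument registers that are zero at the fault."""
    # A candidate only: confirm against the disassembly that the register
    # still holds the incoming argument at the faulting offset.
    return [n for n, r in enumerate(ARG_REGS, 1) if regs.get(r) == 0]

if __name__ == "__main__":
    sym, off, regs, caller = parse_exception_frame(SAMPLE_BT)
    print(f"{sym}+{off} called from {caller}: zero args {null_arg_candidates(regs)}")
```

On the frame from the report this flags argument 2 (RSI) of ovl_encode_real_fh, called from ovl_dentry_to_fid, which matches the reporter's reading of the dump.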