[PATCH v3] statmount: Fix the null-ptr-deref in do_statmount()

Qing Wang posted 1 patch 1 month, 2 weeks ago
fs/namespace.c | 2 ++
1 file changed, 2 insertions(+)
[PATCH v3] statmount: Fix the null-ptr-deref in do_statmount()
Posted by Qing Wang 1 month, 2 weeks ago
If the mount is internal, its mnt_ns will be MNT_NS_INTERNAL, which is
defined as ERR_PTR(-EINVAL). So, in do_statmount(), we need to check the ns
of the mount with IS_ERR() and return.

Fixes: 0e5032237ee5 ("statmount: accept fd as a parameter")
Reported-by: syzbot+9e03a9535ea65f687a44@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698e287a.a70a0220.2c38d7.009e.GAE@google.com/
Signed-off-by: Qing Wang <wangqing7171@gmail.com>
---
 fs/namespace.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c
index a67cbe42746d..90700df65f0d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -5678,6 +5678,8 @@ static int do_statmount(struct kstatmount *s, u64 mnt_id, u64 mnt_ns_id,
 
 		s->mnt = mnt_file->f_path.mnt;
 		ns = real_mount(s->mnt)->mnt_ns;
+		if (IS_ERR(ns))
+			return PTR_ERR(ns);
 		if (!ns)
 			/*
 			 * We can't set mount point and mnt_ns_id since we don't have a
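Review bot: the errno that reaches userspace here is whatever is encoded in the sentinel, since `return PTR_ERR(ns);` just unwraps MNT_NS_INTERNAL (ERR_PTR(-EINVAL) per the commit message), so the user-visible result of statmount() on an internal mount is tied to that definition; returning an explicit errno would decouple the two, and the chosen value deserves a sentence in the commit message. Placement is right: the IS_ERR() test sits before the existing `if (!ns)` branch and before any use of ns, and the two cases are disjoint because IS_ERR(NULL) is false. One documentation nit: the subject says "null-ptr-deref", but the faulting value is an error-pointer sentinel rather than NULL, which is exactly why the pre-existing NULL check did not catch it; worth saying so explicitly.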
-- 
2.34.1
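A userspace model of the ERR_PTR/IS_ERR/PTR_ERR encoding and of why the pre-existing NULL check alone misses the MNT_NS_INTERNAL sentinel, added here as an illustration; this is not the kernel's code, and the struct layouts and the two statmount-like functions are simplified, constructed stand-ins for do_statmount().

```c
/* Constructed userspace model of the kernel's error-pointer helpers and of
 * the statmount() sentinel bug; the structs and functions are stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* The kernel encodes -errno values as pointers in the top 4095 bytes of
 * the address space, so they are non-NULL yet never valid to dereference. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)(uintptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline bool IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* Sentinel stored in mnt_ns for internal (kernel-private) mounts. */
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL)

struct mnt_namespace { uint64_t seq; };   /* stand-in for the kernel struct */
struct mount { struct mnt_namespace *mnt_ns; };

/* Before the fix: `if (!ns)` only catches NULL, so an ERR_PTR sentinel
 * falls through to the dereference.  Returns 1 if that would happen. */
static int statmount_unfixed_would_deref(const struct mount *m)
{
    struct mnt_namespace *ns = m->mnt_ns;
    if (!ns)
        return 0;          /* anonymous mount: the NULL path handles it */
    return IS_ERR(ns);     /* sentinel slips through to ns->seq */
}

/* After the fix: reject error-encoded sentinels before the NULL check and
 * before any use of ns; IS_ERR(NULL) is false, so the cases are disjoint. */
static long statmount_fixed(const struct mount *m, uint64_t *seq_out)
{
    struct mnt_namespace *ns = m->mnt_ns;
    if (IS_ERR(ns))
        return PTR_ERR(ns);   /* -EINVAL for MNT_NS_INTERNAL */
    if (!ns) {
        *seq_out = 0;         /* no namespace to report */
        return 0;
    }
    *seq_out = ns->seq;       /* safe: ns is a real pointer here */
    return 0;
}
```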
Re: [PATCH v3] statmount: Fix the null-ptr-deref in do_statmount()
Posted by Andrei Vagin 1 month, 2 weeks ago
On Fri, Feb 13, 2026 at 2:30 AM Qing Wang <wangqing7171@gmail.com> wrote:
>
> If the mount is internal, its mnt_ns will be MNT_NS_INTERNAL, which is
> defined as ERR_PTR(-EINVAL). So, in do_statmount(), we need to check the ns
> of the mount with IS_ERR() and return.
>
> Fixes: 0e5032237ee5 ("statmount: accept fd as a parameter")
> Reported-by: syzbot+9e03a9535ea65f687a44@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/698e287a.a70a0220.2c38d7.009e.GAE@google.com/
> Signed-off-by: Qing Wang <wangqing7171@gmail.com>
> ---
>  fs/namespace.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index a67cbe42746d..90700df65f0d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -5678,6 +5678,8 @@ static int do_statmount(struct kstatmount *s, u64 mnt_id, u64 mnt_ns_id,
>
>                 s->mnt = mnt_file->f_path.mnt;
>                 ns = real_mount(s->mnt)->mnt_ns;
> +               if (IS_ERR(ns))
> +                       return PTR_ERR(ns);

nit: EINVAL is overused in the kernel. ENODEV seems like a better fit
for this case.

Otherwise, the patch looks good to me:
Reviewed-by: Andrei Vagin <avagin@gmail.com>

>                 if (!ns)
>                         /*
>                          * We can't set mount point and mnt_ns_id since we don't have a
> --
> 2.34.1
>
Re: [PATCH v3] statmount: Fix the null-ptr-deref in do_statmount()
Posted by Christian Brauner 1 month, 2 weeks ago
On Fri, 13 Feb 2026 18:30:06 +0800, Qing Wang wrote:
> If the mount is internal, its mnt_ns will be MNT_NS_INTERNAL, which is
> defined as ERR_PTR(-EINVAL). So, in do_statmount(), we need to check the ns
> of the mount with IS_ERR() and return.
> 
> 

Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes

[1/1] statmount: Fix the null-ptr-deref in do_statmount()
      https://git.kernel.org/vfs/vfs/c/81f16c9778d7
Re: [PATCH v3] statmount: Fix the null-ptr-deref in do_statmount()
Posted by Bhavik Sachdev 1 month, 2 weeks ago
On Fri Feb 13, 2026 at 4:00 PM IST, Qing Wang wrote:
> If the mount is internal, its mnt_ns will be MNT_NS_INTERNAL, which is
> defined as ERR_PTR(-EINVAL). So, in do_statmount(), we need to check the ns
> of the mount with IS_ERR() and return.
>
> Fixes: 0e5032237ee5 ("statmount: accept fd as a parameter")
> Reported-by: syzbot+9e03a9535ea65f687a44@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/698e287a.a70a0220.2c38d7.009e.GAE@google.com/
> Signed-off-by: Qing Wang <wangqing7171@gmail.com>
> ---
>  fs/namespace.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index a67cbe42746d..90700df65f0d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -5678,6 +5678,8 @@ static int do_statmount(struct kstatmount *s, u64 mnt_id, u64 mnt_ns_id,
>  
>  		s->mnt = mnt_file->f_path.mnt;
>  		ns = real_mount(s->mnt)->mnt_ns;
> +		if (IS_ERR(ns))
> +			return PTR_ERR(ns);
>  		if (!ns)
>  			/*
>  			 * We can't set mount point and mnt_ns_id since we don't have a

Looks good to me.

Reviewed-by: Bhavik Sachdev <b.sachdev1904@gmail.com>