1. Patchew
  2. linux
  3. View series

[PATCH v4] xfs: Fix error pointer dereference

Ethan Tidmore posted 1 patch 1 month, 2 weeks ago 
fs/xfs/scrub/orphanage.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
[PATCH v4] xfs: Fix error pointer dereference
Posted by Ethan Tidmore 1 month, 2 weeks ago 
The function try_lookup_noperm() can return an error pointer and is not
checked for one.

Add checks for error pointer in xrep_adoption_check_dcache() and
xrep_adoption_zap_dcache().

Detected by Smatch:
fs/xfs/scrub/orphanage.c:449 xrep_adoption_check_dcache() error:
'd_child' dereferencing possible ERR_PTR()

fs/xfs/scrub/orphanage.c:485 xrep_adoption_zap_dcache() error:
'd_child' dereferencing possible ERR_PTR()

Fixes: 73597e3e42b4 ("xfs: ensure dentry consistency when the orphanage adopts a file")
Cc: <stable@vger.kernel.org> # v6.16
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
---
v4:
- Add blank line after closing brace.
v3:
- Add dput(d_orphanage) before returning error code in 
  xrep_adoption_check_dcache().
- Revert xrep_adoption_zap_dcache() change back to v1 version.
- Include function names where error pointer checks were added.
v2:
- Propagate the error back in xrep_adoption_check_dcache().
- Add Cc to stable.
- Add correct Fixes tag.
 fs/xfs/scrub/orphanage.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/scrub/orphanage.c b/fs/xfs/scrub/orphanage.c
index 52a108f6d5f4..33c6db6b4498 100644
--- a/fs/xfs/scrub/orphanage.c
+++ b/fs/xfs/scrub/orphanage.c
@@ -442,6 +442,11 @@ xrep_adoption_check_dcache(
 		return 0;
 
 	d_child = try_lookup_noperm(&qname, d_orphanage);
+	if (IS_ERR(d_child)) {
+		dput(d_orphanage);
+		return PTR_ERR(d_child);
+	}
+
 	if (d_child) {
 		trace_xrep_adoption_check_child(sc->mp, d_child);
 
@@ -479,7 +484,7 @@ xrep_adoption_zap_dcache(
 		return;
 
 	d_child = try_lookup_noperm(&qname, d_orphanage);
-	while (d_child != NULL) {
+	while (!IS_ERR_OR_NULL(d_child)) {
 		trace_xrep_adoption_invalidate_child(sc->mp, d_child);
 
 		ASSERT(d_is_negative(d_child));
-- 
2.53.0
Re: [PATCH v4] xfs: Fix error pointer dereference
Posted by Carlos Maiolino 1 month, 1 week ago 
On Thu, 19 Feb 2026 21:38:25 -0600, Ethan Tidmore wrote:
> The function try_lookup_noperm() can return an error pointer and is not
> checked for one.
> 
> Add checks for error pointer in xrep_adoption_check_dcache() and
> xrep_adoption_zap_dcache().
> 
> Detected by Smatch:
> fs/xfs/scrub/orphanage.c:449 xrep_adoption_check_dcache() error:
> 'd_child' dereferencing possible ERR_PTR()
> 
> [...]

Applied to for-next, thanks!

[1/1] xfs: Fix error pointer dereference
      commit: 98899e053df0678bcabde2114d509b0e308cf52c

Best regards,
-- 
Carlos Maiolino <cem@kernel.org>
Re: [PATCH v4] xfs: Fix error pointer dereference
Posted by Nirjhar Roy (IBM) 1 month, 2 weeks ago 
On Thu, 2026-02-19 at 21:38 -0600, Ethan Tidmore wrote:
> The function try_lookup_noperm() can return an error pointer and is not
> checked for one.
> 
> Add checks for error pointer in xrep_adoption_check_dcache() and
> xrep_adoption_zap_dcache().
> 
> Detected by Smatch:
> fs/xfs/scrub/orphanage.c:449 xrep_adoption_check_dcache() error:
> 'd_child' dereferencing possible ERR_PTR()
> 
> fs/xfs/scrub/orphanage.c:485 xrep_adoption_zap_dcache() error:
> 'd_child' dereferencing possible ERR_PTR()
> 
> Fixes: 73597e3e42b4 ("xfs: ensure dentry consistency when the orphanage adopts a file")
> Cc: <stable@vger.kernel.org> # v6.16
> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
> Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
> ---
> v4:
> - Add blank line after closing brace.
> v3:
> - Add dput(d_orphanage) before returning error code in 
>   xrep_adoption_check_dcache().
> - Revert xrep_adoption_zap_dcache() change back to v1 version.
> - Include function names where error pointer checks were added.
> v2:
> - Propagate the error back in xrep_adoption_check_dcache().
> - Add Cc to stable.
> - Add correct Fixes tag.
>  fs/xfs/scrub/orphanage.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/xfs/scrub/orphanage.c b/fs/xfs/scrub/orphanage.c
> index 52a108f6d5f4..33c6db6b4498 100644
> --- a/fs/xfs/scrub/orphanage.c
> +++ b/fs/xfs/scrub/orphanage.c
> @@ -442,6 +442,11 @@ xrep_adoption_check_dcache(
>  		return 0;
>  
>  	d_child = try_lookup_noperm(&qname, d_orphanage);
> +	if (IS_ERR(d_child)) {
> +		dput(d_orphanage);
> +		return PTR_ERR(d_child);
> +	}
> +
>  	if (d_child) {
>  		trace_xrep_adoption_check_child(sc->mp, d_child);
>  
> @@ -479,7 +484,7 @@ xrep_adoption_zap_dcache(
>  		return;
>  
>  	d_child = try_lookup_noperm(&qname, d_orphanage);
> -	while (d_child != NULL) {
> +	while (!IS_ERR_OR_NULL(d_child)) {
>  		trace_xrep_adoption_invalidate_child(sc->mp, d_child);
>  
>  		ASSERT(d_is_negative(d_child));

Okay, so you sent a v4. I gave my RB in v3 - also giving it here too.
Based on my reviews in the previous version[1], this looks good to me.
Reviewed-by: Nirjhar Roy (IBM) <nirjhar.roy.lists@gmail.com>
[1] https://lore.kernel.org/all/61386abf00c817e65ab70c994ed584fde339f9ed.camel@gmail.com/
--NR

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.