From: Matvey Kovalev
To: David Howells, Marc Dionne
Cc: Matvey Kovalev, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, stable@vger.kernel.org
Subject: [PATCH] afs: fix NULL pointer dereference in afs_get_tree()
Date: Sat, 21 Mar 2026 00:28:58 +0300
Message-ID: <20260320212901.20383-1-matvey.kovalev@ispras.ru>

afs_alloc_sbi() uses kzalloc for memory allocation. And, if
ctx->dyn_root is not null, as->cell and as->volume are null.
In trace_afs_get_tree() they are dereferenced.

KASAN error message:

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 2 PID: 18478 Comm: syz-executor.7 Not tainted 5.10.246-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:perf_trace_afs_get_tree+0x1d9/0x550 include/trace/events/afs.h:1365
Call Trace:
 trace_afs_get_tree include/trace/events/afs.h:1365 [inline]
 afs_get_tree+0x922/0x1350 fs/afs/super.c:599
 vfs_get_tree+0x8e/0x300 fs/super.c:1572
 do_new_mount fs/namespace.c:3011 [inline]
 path_mount+0x14a5/0x2220 fs/namespace.c:3341
 do_mount fs/namespace.c:3354 [inline]
 __do_sys_mount fs/namespace.c:3562 [inline]
 __se_sys_mount fs/namespace.c:3539 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:3539
 do_syscall_64+0x33/0x50 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x67/0xd1

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 80548b03991f5 ("afs: Add more tracepoints")
Cc: stable@vger.kernel.org
Signed-off-by: Matvey Kovalev --- fs/afs/super.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/afs/super.c b/fs/afs/super.c index 942f3e9800d7..dec091e569c4 100644 --- a/fs/afs/super.c +++ b/fs/afs/super.c @@ -587,7 +587,8 @@ static int afs_get_tree(struct fs_context *fc) } =20 fc->root =3D dget(sb->s_root); - trace_afs_get_tree(as->cell, as->volume); + if (!ctx->dyn_root) + trace_afs_get_tree(as->cell, as->volume); _leave(" =3D 0 [%p]", sb); return 0; =20 --=20 2.53.0
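
Review bot: the new guard in afs_get_tree() tests ctx->dyn_root, but the values the tracepoint dereferences are as->cell and as->volume; checking the pointers that are actually passed, for example "if (as->cell && as->volume)", ties the condition to the crash in the KASAN report and stays correct if some other path ever leaves them NULL. Skipping the call also means a dynamic-root mount no longer emits an afs_get_tree event at all; if losing that trace is not intended, the alternative is to make the event in include/trace/events/afs.h tolerate NULL cell and volume and keep the call unconditional. The changelog should also say whether this was reproduced on current mainline, since the report quoted is from 5.10.246-syzkaller.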