[PATCH] fs/namespace: fix NULL pointer dereference in do_lock_mount()

Vineet Agarwal posted 1 patch 1 month, 1 week ago
Posted by Vineet Agarwal 1 month, 1 week ago
Syzkaller reported a NULL pointer dereference in do_lock_mount()
when calling inode_lock() on a dentry without an associated inode.

where_to_mount() may return a negative dentry (without an inode)
due to concurrent unlink or mount changes. The current code does
not validate this before calling inode_lock(), leading to a crash.

Fix this by checking dentry and dentry->d_inode before acquiring
the inode lock.

Reported-by: syzbot <syzbot@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/
Signed-off-by: Vineet Agarwal <agarwal.vineet2006@gmail.com>
---
 fs/namespace.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c
index fe919abd2f01..b1dccdf06836 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2760,6 +2760,17 @@ static void do_lock_mount(const struct path *path,
 			}
 		}
 
+		if (unlikely(!dentry || !dentry->d_inode)) {
+			err = -ENOENT;
+			if (&m->mnt != path->mnt) {
+				if (dentry)
+					dput(dentry);
+				mntput(&m->mnt);
+			}
+			res->parent = ERR_PTR(err);
+			return;
+		}
+
 		inode_lock(dentry->d_inode);
 		namespace_lock();
 
-- 
2.54.0
Re: [PATCH] fs/namespace: fix NULL pointer dereference in do_lock_mount()
Posted by Jori Koolstra 1 month, 1 week ago
On Tue, May 05, 2026 at 03:21:31PM +0530, Vineet Agarwal wrote:
> Syzkaller reported a NULL pointer dereference in do_lock_mount()
> when calling inode_lock() on a dentry without an associated inode.
> 
> where_to_mount() may return a negative dentry (without an inode)
> due to concurrent unlink or mount changes. The current code does
> not validate this before calling inode_lock(), leading to a crash.

Can you explain what call path could lead to having path here refer
to a negative dentry? Is it not the case that a positive dentry's
d_inode is stable as long as you hold a reference to the dentry? If
so, it cannot be killed underneath us.

> 
> Fix this by checking dentry and dentry->d_inode before acquiring
> the inode lock.
> 
> Reported-by: syzbot <syzbot@syzkaller.appspotmail.com>

This is not enough. Which syzbot issue are you trying to fix?

> Closes: https://syzkaller.appspot.com/
> Signed-off-by: Vineet Agarwal <agarwal.vineet2006@gmail.com>
> ---
>  fs/namespace.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index fe919abd2f01..b1dccdf06836 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2760,6 +2760,17 @@ static void do_lock_mount(const struct path *path,
>  			}
>  		}
>  
> +		if (unlikely(!dentry || !dentry->d_inode)) {
> +			err = -ENOENT;
> +			if (&m->mnt != path->mnt) {
> +				if (dentry)
> +					dput(dentry);
> +				mntput(&m->mnt);
> +			}
> +			res->parent = ERR_PTR(err);
> +			return;
> +		}
> +
>  		inode_lock(dentry->d_inode);
>  		namespace_lock();
>  
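Review bot: the condition `!dentry || !dentry->d_inode` collapses two different failures into one -ENOENT. The `if (dentry) dput(dentry);` inside the branch shows the patch expects a NULL dentry to be possible, and a NULL return from a lookup helper is a lookup failure rather than a missing path component, which is what -ENOENT conveys to userspace. Either split the two conditions and give the NULL case its own error, or add a comment explaining why both should surface as -ENOENT.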
> -- 
> 2.54.0
> 

Thanks,
Jori.