[PATCH] fs/namespace: fix NULL pointer dereference in do_lock_mount()

From: Vineet Agarwal

Date: Tue May 05 2026 - 05:53:26 EST


Syzkaller reported a NULL pointer dereference in do_lock_mount()
when calling inode_lock() on a dentry without an associated inode.

where_to_mount() may return a negative dentry (without an inode)
due to concurrent unlink or mount changes. The current code does
not validate this before calling inode_lock(), leading to a crash.

Fix this by checking dentry and dentry->d_inode before acquiring
the inode lock.

Reported-by: syzbot <syzbot@xxxxxxxxxxxxxxxxxxxxxxxxx>
Closes: https://syzkaller.appspot.com/
Signed-off-by: Vineet Agarwal <agarwal.vineet2006@xxxxxxxxx>
---
fs/namespace.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c
index fe919abd2f01..b1dccdf06836 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2760,6 +2760,17 @@ static void do_lock_mount(const struct path *path,
}
}

+ if (unlikely(!dentry || !dentry->d_inode)) {
+ err = -ENOENT;
+ if (&m->mnt != path->mnt) {
+ if (dentry)
+ dput(dentry);
+ mntput(&m->mnt);
+ }
+ res->parent = ERR_PTR(err);
+ return;
+ }
+
inode_lock(dentry->d_inode);
namespace_lock();

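Review bot: the `!dentry->d_inode` test is performed before `inode_lock()` with nothing in this hunk visibly pinning the inode, so if a concurrent unlink can turn the dentry negative as the changelog states, it can just as well do so between the check and the `inode_lock(dentry->d_inode);` on the following line; the patch narrows the window rather than closing it. Please state in the changelog what keeps `d_inode` stable at this point (a reference taken in `where_to_mount()`, a parent lock, or an RCU section), or move the check into `where_to_mount()` so the caller never sees a negative dentry. Two smaller points on the same hunk: the `!dentry` half of the condition and the nested `if (dentry)` before `dput()` imply `where_to_mount()` can return NULL, which neither the changelog (a dentry "without an inode") nor the reported crash (a NULL `d_inode`) describes, so either document that case or drop the dead branches; and the error path hand-rolls the `dput()`/`mntput()` cleanup and the `res->parent = ERR_PTR(err);` assignment inline, while the hunk context does not show the function's other error exits, so please check whether an existing cleanup label can be reused via `goto` instead of duplicating it, and confirm `err` is already declared in `do_lock_mount()`, since the hunk does not add a declaration.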
--
2.54.0