Re: [PATCH] fs/namespace: fix NULL pointer dereference in do_lock_mount()

From: Jori Koolstra

Date: Tue May 05 2026 - 10:44:13 EST


On Tue, May 05, 2026 at 03:21:31PM +0530, Vineet Agarwal wrote:
> Syzkaller reported a NULL pointer dereference in do_lock_mount()
> when calling inode_lock() on a dentry without an associated inode.
>
> where_to_mount() may return a negative dentry (without an inode)
> due to concurrent unlink or mount changes. The current code does
> not validate this before calling inode_lock(), leading to a crash.

Can you explain what call path could lead to having path here refer
to a negative dentry? Is it not the case that a positive dentry's
d_inode is stable as long as you hold a reference to the dentry? If
so, it cannot be killed underneath us.

>
> Fix this by checking dentry and dentry->d_inode before acquiring
> the inode lock.
>
> Reported-by: syzbot <syzbot@xxxxxxxxxxxxxxxxxxxxxxxxx>

This is not enough. Which syzbot issue are you trying to fix?

> Closes: https://syzkaller.appspot.com/
> Signed-off-by: Vineet Agarwal <agarwal.vineet2006@xxxxxxxxx>
> ---
> fs/namespace.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index fe919abd2f01..b1dccdf06836 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2760,6 +2760,17 @@ static void do_lock_mount(const struct path *path,
> }
> }
>
> + if (unlikely(!dentry || !dentry->d_inode)) {
> + err = -ENOENT;
> + if (&m->mnt != path->mnt) {
> + if (dentry)
> + dput(dentry);
> + mntput(&m->mnt);
> + }
> + res->parent = ERR_PTR(err);
> + return;
> + }
> +
> inode_lock(dentry->d_inode);
> namespace_lock();
>
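Review bot: the new check in this hunk is not justified by the description, which asserts that where_to_mount() "may return a negative dentry" without showing the path that gets there; the added `if (unlikely(!dentry || !dentry->d_inode))` also handles a NULL `dentry`, a case the description never mentions, so either drop the `!dentry` half or explain when it occurs. The error path releases `dentry` and `&m->mnt` only when `&m->mnt != path->mnt`, which has to mirror exactly how those references were taken above the hunk; please confirm that in the changelog, since the hunk does not show the acquisition. Minor: `err` is set to a single constant and used once, so `res->parent = ERR_PTR(-ENOENT);` is simpler than going through `err`. Finally, the `Closes:` tag should point at the specific syzbot report rather than the syzkaller site root, and the `Reported-by:` line should carry the report's full syzbot address, otherwise the fix cannot be matched to the crash it claims to resolve.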
> --
> 2.54.0
>

Thanks,
Jori.