Re: [PATCH] fs/namespace: fix NULL pointer dereference in do_lock_mount()

[Al Viro]

On Tue, May 05, 2026 at 11:32:45PM +0530, Vineet Agarwal wrote:
> Hi Jori,
> 
> Thanks for the review.
> 
> >From the syzkaller runs, the NULL dereference in do_lock_mount() is
> reproducible across multiple VMs, which suggests a real race rather than
> a one-off condition.
> 
> The suspected window is between where_to_mount() and inode_lock(). While

Suspected by whom or by what?

> where_to_mount() returns a dentry under mount_locked_reader, that
> protection is dropped before inode_lock() is taken. During this window,
> concurrent mount topology changes (e.g. rename, move_mount, or unmount)
> can occur.

Which of the exits from where_to_mount() has it taken?  And which
of your conditions does it trigger?

> As a result, the dentry obtained from where_to_mount() is not revalidated

"revalidated" in which sense?  "Has that local variable suddenly become
NULL while we hadn't been looking"?

> before use, and may no longer be in a state suitable for inode_lock(),
> leading to the observed NULL pointer dereference.
> 
> I’m still investigating the exact sequence that leads to this, and also
> whether retrying (similar to the existing -EAGAIN path) would be more
> appropriate than the current handling.

Do you have a reproducer?  Which kernel it is and what .config is used?
Incidentally, do the checks in your patch actually trigger on the setup
you are testing?