Re: [PATCH v3] xfs: Fix error pointer dereference
From: Darrick J. Wong
Date: Thu Feb 19 2026 - 16:07:19 EST
On Thu, Feb 19, 2026 at 02:07:15PM -0600, Ethan Tidmore wrote:
> The function try_lookup_noperm() can return an error pointer and is not
> checked for one.
>
> Add checks for error pointer in xrep_adoption_check_dcache() and
> xrep_adoption_zap_dcache().
>
> Detected by Smatch:
> fs/xfs/scrub/orphanage.c:449 xrep_adoption_check_dcache() error:
> 'd_child' dereferencing possible ERR_PTR()
>
> fs/xfs/scrub/orphanage.c:485 xrep_adoption_zap_dcache() error:
> 'd_child' dereferencing possible ERR_PTR()
>
> Fixes: 73597e3e42b4 ("xfs: ensure dentry consistency when the orphanage adopts a file")
> Cc: <stable@xxxxxxxxxxxxxxx> # v6.16
> Signed-off-by: Ethan Tidmore <ethantidmore06@xxxxxxxxx>
> ---
> v3:
> - Add dput(d_orphanage) before returning error code in
> xrep_adoption_check_dcache().
> - Revert xrep_adoption_zap_dcache() change back to v1 version.
> - Include function names where error pointer checks were added.
> v2:
> - Propagate the error back in xrep_adoption_check_dcache().
> - Add Cc to stable.
> - Add correct Fixes tag.
>
> fs/xfs/scrub/orphanage.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/fs/xfs/scrub/orphanage.c b/fs/xfs/scrub/orphanage.c
> index 52a108f6d5f4..682af1bcf131 100644
> --- a/fs/xfs/scrub/orphanage.c
> +++ b/fs/xfs/scrub/orphanage.c
> @@ -442,6 +442,10 @@ xrep_adoption_check_dcache(
> return 0;
>
> d_child = try_lookup_noperm(&qname, d_orphanage);
> + if (IS_ERR(d_child)) {
> + dput(d_orphanage);
> + return PTR_ERR(d_child);
> + }
Nit: blank line after the closing brace.
Other than me nitpicking this looks ok to me so
Reviewed-by: "Darrick J. Wong" <djwong@xxxxxxxxxx>
Thanks for fixing this!
--D
> if (d_child) {
> trace_xrep_adoption_check_child(sc->mp, d_child);
>
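Review bot: The new IS_ERR(d_child) branch returns PTR_ERR(d_child) straight to the caller, but nothing in the hunk or the commit message says which errors try_lookup_noperm() is expected to produce here or how callers of xrep_adoption_check_dcache() should treat them. A one-line comment above the check would cover that. The existing "if (d_child)" test still handles the NULL case, so the ordering of the two checks is fine as written.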
> @@ -479,7 +483,7 @@ xrep_adoption_zap_dcache(
> return;
>
> d_child = try_lookup_noperm(&qname, d_orphanage);
> - while (d_child != NULL) {
> + while (!IS_ERR_OR_NULL(d_child)) {
> trace_xrep_adoption_invalidate_child(sc->mp, d_child);
>
> ASSERT(d_is_negative(d_child));
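Review bot: In the loop condition, !IS_ERR_OR_NULL(d_child) makes a failed lookup indistinguishable from "no child dentry", so the error is dropped silently. The bare "return;" in the context shows this function cannot report it, which is a reasonable cause, but a short comment stating that skipping invalidation on lookup failure is intentional would help, since xrep_adoption_check_dcache() propagates the same error instead.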
> --
> 2.53.0
>
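The failure mode the patch addresses, as an added userspace example that is not part of the original thread or the kernel source: an error pointer is non-NULL, so a `!= NULL` guard lets it through to a dereference. The helpers model include/linux/err.h; `mock_lookup()`, `struct dentry` and the errno used are constructed stand-ins.

```c
/* Userspace model of the kernel's error-pointer helpers (include/linux/err.h). */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	/* The top MAX_ERRNO addresses are reserved for encoded errnos. */
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *ptr) { return !ptr || IS_ERR(ptr); }

struct dentry { int negative; };	/* stand-in, not the kernel struct */
static struct dentry sample = { 1 };

/* Hypothetical lookup: mode 0 = miss (NULL), 1 = hit, 2 = failure (ERR_PTR). */
static struct dentry *mock_lookup(int mode)
{
	if (mode == 0)
		return NULL;
	if (mode == 1)
		return &sample;
	return ERR_PTR(-ENOMEM);	/* constructed errno for the demo */
}

/* Guard before the patch: an error pointer is non-NULL, so it gets through. */
static bool old_guard_enters(struct dentry *d) { return d != NULL; }
/* Guard after the patch in xrep_adoption_zap_dcache(). */
static bool new_guard_enters(struct dentry *d) { return !IS_ERR_OR_NULL(d); }

/* Same shape as the check added to xrep_adoption_check_dcache(), minus dput(). */
static int check_lookup(int mode)
{
	struct dentry *d = mock_lookup(mode);

	return IS_ERR(d) ? (int)PTR_ERR(d) : 0;
}

int main(void)
{
	for (int mode = 0; mode < 3; mode++)
		printf("mode %d: old=%d new=%d ret=%d\n", mode,
		       old_guard_enters(mock_lookup(mode)),
		       new_guard_enters(mock_lookup(mode)), check_lookup(mode));
	return 0;
}
```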