Re: [PATCH v4] xfs: Fix error pointer dereference

From: Nirjhar Roy (IBM)

Date: Fri Feb 20 2026 - 05:01:54 EST


On Thu, 2026-02-19 at 21:38 -0600, Ethan Tidmore wrote:
> The function try_lookup_noperm() can return an error pointer and is not
> checked for one.
>
> Add checks for error pointer in xrep_adoption_check_dcache() and
> xrep_adoption_zap_dcache().
>
> Detected by Smatch:
> fs/xfs/scrub/orphanage.c:449 xrep_adoption_check_dcache() error:
> 'd_child' dereferencing possible ERR_PTR()
>
> fs/xfs/scrub/orphanage.c:485 xrep_adoption_zap_dcache() error:
> 'd_child' dereferencing possible ERR_PTR()
>
> Fixes: 73597e3e42b4 ("xfs: ensure dentry consistency when the orphanage adopts a file")
> Cc: <stable@xxxxxxxxxxxxxxx> # v6.16
> Signed-off-by: Ethan Tidmore <ethantidmore06@xxxxxxxxx>
> Reviewed-by: "Darrick J. Wong" <djwong@xxxxxxxxxx>
> ---
> v4:
> - Add blank line after closing brace.
> v3:
> - Add dput(d_orphanage) before returning error code in
> xrep_adoption_check_dcache().
> - Revert xrep_adoption_zap_dcache() change back to v1 version.
> - Include function names where error pointer checks were added.
> v2:
> - Propagate the error back in xrep_adoption_check_dcache().
> - Add Cc to stable.
> - Add correct Fixes tag.
> fs/xfs/scrub/orphanage.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/xfs/scrub/orphanage.c b/fs/xfs/scrub/orphanage.c
> index 52a108f6d5f4..33c6db6b4498 100644
> --- a/fs/xfs/scrub/orphanage.c
> +++ b/fs/xfs/scrub/orphanage.c
> @@ -442,6 +442,11 @@ xrep_adoption_check_dcache(
> return 0;
>
> d_child = try_lookup_noperm(&qname, d_orphanage);
> + if (IS_ERR(d_child)) {
> + dput(d_orphanage);
> + return PTR_ERR(d_child);
> + }
> +
> if (d_child) {
> trace_xrep_adoption_check_child(sc->mp, d_child);
>
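Review bot: the new IS_ERR(d_child) branch in xrep_adoption_check_dcache() returns PTR_ERR(d_child) straight to the caller, so the function can now fail with whatever errno try_lookup_noperm() produces, and that is worth a sentence in the function's header comment (not visible in this hunk) so callers know a failed dcache lookup is reported as a check failure. The dput(d_orphanage) before the return matches the v3 changelog entry and keeps the error path from leaving that reference held. With the error case returned early, the following "if (d_child)" is purely the NULL test and can stay as it is.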
> @@ -479,7 +484,7 @@ xrep_adoption_zap_dcache(
> return;
>
> d_child = try_lookup_noperm(&qname, d_orphanage);
> - while (d_child != NULL) {
> + while (!IS_ERR_OR_NULL(d_child)) {
> trace_xrep_adoption_invalidate_child(sc->mp, d_child);
>
> ASSERT(d_is_negative(d_child));
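Review bot: the loop condition "while (!IS_ERR_OR_NULL(d_child))" in xrep_adoption_zap_dcache() silently treats a failed lookup the same as "no dentry to invalidate", whereas the first hunk propagates the same error from xrep_adoption_check_dcache(). The bare "return;" in the context above shows this function returns nothing, so dropping the error may be the only option, but a one-line comment above the loop stating that an ERR_PTR from try_lookup_noperm() is deliberately ignored would keep a later reader from taking it for an oversight. If d_child is reassigned from another lookup inside the loop body, which this hunk does not show, the same condition covers that result as well.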

Okay, so you sent a v4. I gave my RB in v3 - also giving it here too.
Based on my reviews in the previous version[1], this looks good to me.
Reviewed-by: Nirjhar Roy (IBM) <nirjhar.roy.lists@xxxxxxxxx>
[1] https://lore.kernel.org/all/61386abf00c817e65ab70c994ed584fde339f9ed.camel@xxxxxxxxx/
--NR