From: "Bhavik Sachdev" <b.sachdev1904@gmail.com>
To: "Qing Wang" <wangqing7171@gmail.com>,
	"Alexander Viro" <viro@zeniv.linux.org.uk>,
	"Christian Brauner" <brauner@kernel.org>,
	"Jan Kara" <jack@suse.cz>,
	"Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>,
	"Bhavik Sachdev" <b.sachdev1904@gmail.com>,
	"Andrei Vagin" <avagin@gmail.com>
Cc: <linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<syzbot+9e03a9535ea65f687a44@syzkaller.appspotmail.com>
Subject: Re: [PATCH] statmount: Fix the null-ptr-deref in do_statmount()
Date: Fri, 13 Feb 2026 15:08:44 +0530
Message-ID: <DGDQFGJLPLU0.19QNB0MQLITQO@gmail.com>
In-Reply-To: <20260213084259.2423971-1-wangqing7171@gmail.com>

On Fri Feb 13, 2026 at 2:12 PM IST, Qing Wang wrote:
> If the mount is internal, its mnt_ns will be MNT_NS_INTERNAL, which is
> defined as ERR_PTR(-EINVAL). So, in do_statmount(), we need to check the
> ns of the mount with IS_ERR_OR_NULL().
>
> Fixes: 0e5032237ee5 ("statmount: accept fd as a parameter")
> Reported-by: syzbot+9e03a9535ea65f687a44@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/698e287a.a70a0220.2c38d7.009e.GAE@google.com/
> Tested-by: syzbot+9e03a9535ea65f687a44@syzkaller.appspotmail.com
> Signed-off-by: Qing Wang <wangqing7171@gmail.com>
> ---
>  fs/namespace.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index a67cbe42746d..d769d50de5d6 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -5678,13 +5678,15 @@ static int do_statmount(struct kstatmount *s, u64 mnt_id, u64 mnt_ns_id,
>  
>  		s->mnt = mnt_file->f_path.mnt;
>  		ns = real_mount(s->mnt)->mnt_ns;
> -		if (!ns)
> +		if (IS_ERR_OR_NULL(ns)) {
>  			/*
>  			 * We can't set mount point and mnt_ns_id since we don't have a
>  			 * ns for the mount. This can happen if the mount is unmounted
> -			 * with MNT_DETACH.
> +			 * with MNT_DETACH or if it's an internal mount.
>  			 */
>  			s->mask &= ~(STATMOUNT_MNT_POINT | STATMOUNT_MNT_NS_ID);
> +			ns = NULL;
> +		}
>  	} else {
>  		/* Has the namespace already been emptied? */
>  		if (mnt_ns_id && mnt_ns_empty(ns))
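Review bot: the widened `IS_ERR_OR_NULL(ns)` branch, together with the new `ns = NULL;`, turns the internal-mount case (`mnt_ns == MNT_NS_INTERNAL`, i.e. `ERR_PTR(-EINVAL)` per the commit message) into a partial success: statmount() on such an fd now returns with STATMOUNT_MNT_POINT and STATMOUNT_MNT_NS_ID masked off, exactly like a mount detached with MNT_DETACH. That is a deliberate policy choice rather than just a crash fix, so the commit message should say that internal mounts become queryable this way, or the IS_ERR case should return -EINVAL while the existing `!ns` path keeps handling detached mounts. Either way, the bare `ns = NULL;` deserves a comment explaining why the error pointer is cleared instead of propagated.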
Hey!
I think the fix should be the following instead; AFAIU we don't want a
call on an internal mount to succeed.

diff --git a/fs/namespace.c b/fs/namespace.c
index a67cbe42746d..55152bf64785 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -5678,6 +5678,8 @@ static int do_statmount(struct kstatmount *s, u64 mnt_id, u64 mnt_ns_id,

                s->mnt = mnt_file->f_path.mnt;
                ns = real_mount(s->mnt)->mnt_ns;
+               if (IS_ERR(ns))
+                       return -EINVAL;
                if (!ns)
                        /*
                         * We can't set mount point and mnt_ns_id since we don't have a
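Review bot: the `IS_ERR(ns)` check sits before the existing `if (!ns)` path, so detached mounts (ns == NULL) keep the masked-fields behaviour while an fd on an internal mount is rejected with -EINVAL; that is a user-visible change for the fd-based statmount() form added by 0e5032237ee5 and should be spelled out in the commit message. The early `return -EINVAL;` is also a new exit inside the branch where `mnt_file` has already been looked up (`s->mnt = mnt_file->f_path.mnt;` two lines above); the hunk does not show how `mnt_file` is released, so confirm that this path does not skip dropping that reference, and add a short comment above the check naming MNT_NS_INTERNAL so the reader knows which error pointer is being caught.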

Thanks,
Bhavik
