* [bug report] ecryptfs: get rid of pointless mount references in ecryptfs dentries
@ 2025-09-08 6:45 Dan Carpenter
From: Dan Carpenter @ 2025-09-08 6:45 UTC (permalink / raw)
To: Al Viro; +Cc: ecryptfs
Hello Al Viro,
Commit 386e98ec6285 ("ecryptfs: get rid of pointless mount references
in ecryptfs dentries") from Jul 24, 2025 (linux-next), leads to the
following Smatch static checker warning:
fs/ecryptfs/main.c:545 ecryptfs_get_tree()
warn: pointer dereferenced without being set 'sbi'
fs/ecryptfs/main.c
433 static int ecryptfs_get_tree(struct fs_context *fc)
434 {
435 struct super_block *s;
436 struct ecryptfs_fs_context *ctx = fc->fs_private;
437 struct ecryptfs_sb_info *sbi = fc->s_fs_info;
438 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
439 const char *err = "Getting sb failed";
440 struct inode *inode;
441 struct path path;
442 int rc;
443
444 if (!fc->source) {
445 rc = -EINVAL;
446 err = "Device name cannot be null";
447 goto out;
448 }
449
450 mount_crypt_stat = &sbi->mount_crypt_stat;
451 rc = ecryptfs_validate_options(fc);
452 if (rc) {
453 err = "Error validating options";
454 goto out;
455 }
456
457 s = sget_fc(fc, NULL, set_anon_super_fc);
458 if (IS_ERR(s)) {
459 rc = PTR_ERR(s);
460 goto out;
461 }
462
463 rc = super_setup_bdi(s);
464 if (rc)
465 goto out1;
466
467 ecryptfs_set_superblock_private(s, sbi);
468
469 /* ->kill_sb() will take care of sbi after that point */
470 sbi = NULL;
^^^^^^^^^^^
sbi is set to NULL
471 s->s_op = &ecryptfs_sops;
472 s->s_xattr = ecryptfs_xattr_handlers;
473 set_default_d_op(s, &ecryptfs_dops);
474
475 err = "Reading sb failed";
476 rc = kern_path(fc->source, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
477 if (rc) {
478 ecryptfs_printk(KERN_WARNING, "kern_path() failed\n");
479 goto out1;
480 }
481 if (path.dentry->d_sb->s_type == &ecryptfs_fs_type) {
482 rc = -EINVAL;
483 printk(KERN_ERR "Mount on filesystem of type "
484 "eCryptfs explicitly disallowed due to "
485 "known incompatibilities\n");
486 goto out_free;
487 }
488
489 if (is_idmapped_mnt(path.mnt)) {
490 rc = -EINVAL;
491 printk(KERN_ERR "Mounting on idmapped mounts currently disallowed\n");
492 goto out_free;
493 }
494
495 if (ctx->check_ruid &&
496 !uid_eq(d_inode(path.dentry)->i_uid, current_uid())) {
497 rc = -EPERM;
498 printk(KERN_ERR "Mount of device (uid: %d) not owned by "
499 "requested user (uid: %d)\n",
500 i_uid_read(d_inode(path.dentry)),
501 from_kuid(&init_user_ns, current_uid()));
502 goto out_free;
503 }
504
505 ecryptfs_set_superblock_lower(s, path.dentry->d_sb);
506
507 /**
508 * Set the POSIX ACL flag based on whether they're enabled in the lower
509 * mount.
510 */
511 s->s_flags = fc->sb_flags & ~SB_POSIXACL;
512 s->s_flags |= path.dentry->d_sb->s_flags & SB_POSIXACL;
513
514 /**
515 * Force a read-only eCryptfs mount when:
516 * 1) The lower mount is ro
517 * 2) The ecryptfs_encrypted_view mount option is specified
518 */
519 if (sb_rdonly(path.dentry->d_sb) || mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
520 s->s_flags |= SB_RDONLY;
521
522 s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
523 s->s_blocksize = path.dentry->d_sb->s_blocksize;
524 s->s_magic = ECRYPTFS_SUPER_MAGIC;
525 s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
526
527 rc = -EINVAL;
528 if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
529 pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
530 goto out_free;
531 }
532
533 inode = ecryptfs_get_inode(d_inode(path.dentry), s);
534 rc = PTR_ERR(inode);
535 if (IS_ERR(inode))
536 goto out_free;
537
538 s->s_root = d_make_root(inode);
539 if (!s->s_root) {
540 rc = -ENOMEM;
541 goto out_free;
542 }
543
544 ecryptfs_set_dentry_lower(s->s_root, path.dentry);
--> 545 sbi->lower_mnt = path.mnt;
^^^^^^^^^^^^^^
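The patch adds a NULL pointer dereference: sbi was set to NULL at line 470 and is not reassigned before this store, which sits on the success path of ecryptfs_get_tree().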
546
547 s->s_flags |= SB_ACTIVE;
548 fc->root = dget(s->s_root);
549 return 0;
550
551 out_free:
552 path_put(&path);
553 out1:
554 deactivate_locked_super(s);
555 out:
556 if (sbi)
557 ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat);
558
559 printk(KERN_ERR "%s; rc = [%d]\n", err, rc);
560 return rc;
561 }
regards,
dan carpenter