Return value of a function 'next_mnt' is dereferenced at namespace.c:3377 without checking for null, but it is usually checked for this function Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Denis Arefev <arefev@xxxxxxxxx> --- fs/namespace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index cebaa3e81794..06472a110257 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3348,9 +3348,9 @@ struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns, } p = next_mnt(p, old); q = next_mnt(q, new); - if (!q) + if (!q || !p) break; - while (p->mnt.mnt_root != q->mnt.mnt_root) + while (p && (p->mnt.mnt_root != q->mnt.mnt_root)) p = next_mnt(p, old); } namespace_unlock(); -- 2.25.1
