d_really_is_negative() checks for the dentry->d_inode whether it's NULL or not, but in open_xa_root(), when it checks 'privroot->d_inode', it doesn't check whether privroot is NULL or not, this leads to a null pointer dereference while calling it from open_xa_dir() while initializing xaroot. - fs/reiserfs/xattr.c The bug seems to get triggered at this line: if (d_really_is_negative(privroot)) return ERR_PTR(-EOPNOTSUPP); Fix it by adding a NULL check for privroot. Reported-and-tested-by: syzbot+9b33c9b118d77ff59b6f@xxxxxxxxxxxxxxxxxxxxxxxxx Link: https://syzkaller.appspot.com/bug?extid=9b33c9b118d77ff59b6f Signed-off-by: Anmol Karn <anmol.karan123@xxxxxxxxx> --- fs/reiserfs/xattr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c index 28b241cd6987..a75480d0ee7e 100644 --- a/fs/reiserfs/xattr.c +++ b/fs/reiserfs/xattr.c @@ -121,8 +121,9 @@ static struct dentry *open_xa_root(struct super_block *sb, int flags) struct dentry *privroot = REISERFS_SB(sb)->priv_root; struct dentry *xaroot; - if (d_really_is_negative(privroot)) + if (!privroot || d_really_is_negative(privroot)) { return ERR_PTR(-EOPNOTSUPP); + } inode_lock_nested(d_inode(privroot), I_MUTEX_XATTR); -- 2.28.0
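Review bot: the braces added around the single `return ERR_PTR(-EOPNOTSUPP);` in open_xa_root() are not needed. Kernel coding style omits braces where a single statement will do, so the fix can be the one-line change `if (!privroot || d_really_is_negative(privroot))` with the return left untouched, which reduces the patch to 1 insertion and 1 deletion. Separately, the commit message says where the NULL dereference fires but not how REISERFS_SB(sb)->priv_root ends up NULL when open_xa_dir() calls in. A sentence on that path would help a reader judge whether returning -EOPNOTSUPP here is the right place to handle it, or whether the pointer should have been set up or rejected earlier.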