[bug report] ecryptfs: get rid of pointless mount references in ecryptfs dentries


 



Hello Al Viro,

Commit 386e98ec6285 ("ecryptfs: get rid of pointless mount references
in ecryptfs dentries") from Jul 24, 2025 (linux-next), leads to the
following Smatch static checker warning:

	fs/ecryptfs/main.c:545 ecryptfs_get_tree()
	warn: pointer dereferenced without being set 'sbi'

fs/ecryptfs/main.c
    /*
     * ecryptfs_get_tree() - build the eCryptfs superblock for a mount request.
     * @fc: filesystem context; fc->source is the path resolved with
     *      kern_path(), fc->fs_private and fc->s_fs_info supply ctx and sbi.
     *
     * Validates the options, obtains a superblock with sget_fc(), resolves
     * fc->source, rejects unsuitable lower paths, copies flags and limits from
     * the lower superblock, creates the root dentry and stores it in fc->root.
     *
     * Return: 0 on success; otherwise the error code held in rc, after err
     * and rc have been logged.
     */
    433 static int ecryptfs_get_tree(struct fs_context *fc)
    434 {
    435         struct super_block *s;
    436         struct ecryptfs_fs_context *ctx = fc->fs_private;
    437         struct ecryptfs_sb_info *sbi = fc->s_fs_info;
    438         struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
    439         const char *err = "Getting sb failed";
    440         struct inode *inode;
    441         struct path path;
    442         int rc;
    443 
    444         if (!fc->source) {
    445                 rc = -EINVAL;
    446                 err = "Device name cannot be null";
    447                 goto out;
    448         }
    449 
                /*
                 * Takes the address of a member of sbi and keeps it in its own
                 * local; line 519 reads the flags through this pointer after
                 * the local sbi has been cleared at line 470.
                 */
    450         mount_crypt_stat = &sbi->mount_crypt_stat;
    451         rc = ecryptfs_validate_options(fc);
    452         if (rc) {
    453                 err = "Error validating options";
    454                 goto out;
    455         }
    456 
    457         s = sget_fc(fc, NULL, set_anon_super_fc);
    458         if (IS_ERR(s)) {
    459                 rc = PTR_ERR(s);
    460                 goto out;
    461         }
    462 
    463         rc = super_setup_bdi(s);
    464         if (rc)
    465                 goto out1;
    466 
                /*
                 * Ownership hand-off: sbi is attached to s and the local is
                 * then cleared, so the "if (sbi)" test at the out label skips
                 * the destroy call on every later error path. Nothing in this
                 * function reassigns the local sbi after line 470.
                 */
    467         ecryptfs_set_superblock_private(s, sbi);
    468 
    469         /* ->kill_sb() will take care of sbi after that point */
    470         sbi = NULL;
                ^^^^^^^^^^^
sbi is set to NULL

    471         s->s_op = &ecryptfs_sops;
    472         s->s_xattr = ecryptfs_xattr_handlers;
    473         set_default_d_op(s, &ecryptfs_dops);
    474 
    475         err = "Reading sb failed";
    476         rc = kern_path(fc->source, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
    477         if (rc) {
    478                 ecryptfs_printk(KERN_WARNING, "kern_path() failed\n");
    479                 goto out1;
    480         }
                /*
                 * Policy checks on the lower path: no stacking on eCryptfs, no
                 * idmapped mounts, and (when ctx->check_ruid is set) the lower
                 * inode must be owned by the calling user. Each rejection
                 * leaves through out_free so the path reference is dropped.
                 */
    481         if (path.dentry->d_sb->s_type == &ecryptfs_fs_type) {
    482                 rc = -EINVAL;
    483                 printk(KERN_ERR "Mount on filesystem of type "
    484                         "eCryptfs explicitly disallowed due to "
    485                         "known incompatibilities\n");
    486                 goto out_free;
    487         }
    488 
    489         if (is_idmapped_mnt(path.mnt)) {
    490                 rc = -EINVAL;
    491                 printk(KERN_ERR "Mounting on idmapped mounts currently disallowed\n");
    492                 goto out_free;
    493         }
    494 
    495         if (ctx->check_ruid &&
    496             !uid_eq(d_inode(path.dentry)->i_uid, current_uid())) {
    497                 rc = -EPERM;
    498                 printk(KERN_ERR "Mount of device (uid: %d) not owned by "
    499                        "requested user (uid: %d)\n",
    500                         i_uid_read(d_inode(path.dentry)),
    501                         from_kuid(&init_user_ns, current_uid()));
    502                 goto out_free;
    503         }
    504 
    505         ecryptfs_set_superblock_lower(s, path.dentry->d_sb);
    506 
    507         /**
    508          * Set the POSIX ACL flag based on whether they're enabled in the lower
    509          * mount.
    510          */
    511         s->s_flags = fc->sb_flags & ~SB_POSIXACL;
    512         s->s_flags |= path.dentry->d_sb->s_flags & SB_POSIXACL;
    513 
    514         /**
    515          * Force a read-only eCryptfs mount when:
    516          *   1) The lower mount is ro
    517          *   2) The ecryptfs_encrypted_view mount option is specified
    518          */
    519         if (sb_rdonly(path.dentry->d_sb) || mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
    520                 s->s_flags |= SB_RDONLY;
    521 
    522         s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
    523         s->s_blocksize = path.dentry->d_sb->s_blocksize;
    524         s->s_magic = ECRYPTFS_SUPER_MAGIC;
    525         s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
    526 
                /* rc is preset so the depth check can jump straight to out_free. */
    527         rc = -EINVAL;
    528         if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
    529                 pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
    530                 goto out_free;
    531         }
    532 
    533         inode = ecryptfs_get_inode(d_inode(path.dentry), s);
                /* rc is loaded before the IS_ERR() test; it is returned only on the error path. */
    534         rc = PTR_ERR(inode);
    535         if (IS_ERR(inode))
    536                 goto out_free;
    537 
    538         s->s_root = d_make_root(inode);
    539         if (!s->s_root) {
    540                 rc = -ENOMEM;
    541                 goto out_free;
    542         }
    543 
    544         ecryptfs_set_dentry_lower(s->s_root, path.dentry);
                /*
                 * NOTE(review): every path that reaches this line has already
                 * run line 470, so the local sbi is NULL and this store is a
                 * NULL pointer dereference in kernel code on an otherwise
                 * successful mount. lower_mnt should be written through the
                 * pointer that was attached to s at line 467, e.g. by reading
                 * it back from s or by keeping a second local that is not
                 * cleared -- confirm against the corrected commit.
                 */
--> 545         sbi->lower_mnt = path.mnt;
                ^^^^^^^^^^^^^^
The patch adds a NULL pointer dereference.

    546 
    547         s->s_flags |= SB_ACTIVE;
    548         fc->root = dget(s->s_root);
    549         return 0;
    550 
        /*
         * Error unwinding: out_free drops the reference taken by kern_path(),
         * out1 releases the superblock with deactivate_locked_super(), and out
         * destroys mount_crypt_stat only while the local sbi is still
         * non-NULL, i.e. for failures before line 470.
         */
    551 out_free:
    552         path_put(&path);
    553 out1:
    554         deactivate_locked_super(s);
    555 out:
    556         if (sbi)
    557                 ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat);
    558 
    559         printk(KERN_ERR "%s; rc = [%d]\n", err, rc);
    560         return rc;
    561 }

regards,
dan carpenter



