#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master Reject nsfs file handles that claim to have inode number 0, as no legitimate namespace can have inode 0. This prevents a warning in nsfs_fh_to_dentry() when open_by_handle_at() is called with malformed file handles. The issue occurs when userspace provides a file handle with valid namespace type and ID but claims the namespace has inode number 0. The namespace lookup succeeds but triggers VFS_WARN_ON_ONCE() when comparing the real inode number against the impossible claim of 0. Since inode 0 is reserved in all filesystems and no namespace can legitimately have inode 0, we can safely reject such handles early to prevent reaching the consistency check that triggers the warning. Testing confirmed that other invalid inode numbers (1, 255) do not trigger the same issue, indicating this is specific to inode 0 rather than a general problem with incorrect inode numbers. Reported-by: syzbot+9eefe09bedd093f156c2@syzkaller.appspotmail.com Tested-by: syzbot+9eefe09bedd093f156c2@syzkaller.appspotmail.com Signed-off-by: Deepanshu Kartikey --- fs/nsfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/nsfs.c b/fs/nsfs.c index 32cb8c835a2b..42672cec293c 100644 --- a/fs/nsfs.c +++ b/fs/nsfs.c @@ -469,7 +469,8 @@ static struct dentry *nsfs_fh_to_dentry(struct super_block *sb, struct fid *fh, if (fh_len < NSFS_FID_SIZE_U32_VER0) return NULL; - + if (fid->ns_inum == 0) + return NULL; /* Check that any trailing bytes are zero. */ if ((fh_len > NSFS_FID_SIZE_U32_LATEST) && memchr_inv((void *)fid + NSFS_FID_SIZE_U32_LATEST, 0, -- 2.43.0