Syzkaller reported a NULL pointer dereference in do_lock_mount() when calling inode_lock() on a dentry without an associated inode. where_to_mount() may return a negative dentry (without an inode) due to concurrent unlink or mount changes. The current code does not validate this before calling inode_lock(), leading to a crash. Fix this by checking dentry and dentry->d_inode before acquiring the inode lock. Reported-by: syzbot Closes: https://syzkaller.appspot.com/ Signed-off-by: Vineet Agarwal --- fs/namespace.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/namespace.c b/fs/namespace.c index fe919abd2f01..b1dccdf06836 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2760,6 +2760,17 @@ static void do_lock_mount(const struct path *path, } } + if (unlikely(!dentry || !dentry->d_inode)) { + err = -ENOENT; + if (&m->mnt != path->mnt) { + if (dentry) + dput(dentry); + mntput(&m->mnt); + } + res->parent = ERR_PTR(err); + return; + } + inode_lock(dentry->d_inode); namespace_lock(); -- 2.54.0
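Review bot: the new guard ahead of `inode_lock(dentry->d_inode)` runs before either `inode_lock()` or `namespace_lock()` is taken, so it only catches a dentry that was already NULL or negative at the moment `where_to_mount()` returned; nothing in the hunk stops the dentry from losing its inode between the check and `inode_lock()`. Since the code holds a reference on `dentry` (the cleanup path does `dput(dentry)`), the commit message should explain why a referenced dentry cannot become negative afterwards; otherwise the check narrows the window rather than closing it, and the re-validation that already happens under the locks would be the real fix. The commit message should also say which path in `where_to_mount()` returns a NULL dentry as opposed to a negative one; if none does, the `!dentry` test and the `if (dentry)` before `dput(dentry)` are dead code, and `dput()` already tolerates NULL anyway, so `dput(dentry);` can be called unconditionally to match the existing cleanup in this function. Minor style: `!dentry->d_inode` is conventionally spelled `d_really_is_negative(dentry)`, and `err = -ENOENT;` followed by `res->parent = ERR_PTR(err);` can simply be `res->parent = ERR_PTR(-ENOENT);` unless `err` is consumed later. Finally, the `Closes:` tag points at the bare https://syzkaller.appspot.com/ root rather than the specific report; please include the full syzbot link and the crash trace so the NULL dereference can be matched to this code path.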