When vfs_create_mount() fails and returns an error pointer, the __free(path_put) cleanup attribute causes path_put() to be called on the error pointer, which then calls mntput() on an invalid pointer value (e.g., -ENOENT = 0xfffffffffffffff4). This results in a general protection fault in mntput() when KASAN tries to check the shadow memory for the near-null address computed from the error pointer offset. Fix this by clearing newmount.mnt to NULL after extracting the error code, preventing the path_put cleanup from operating on the error pointer. Reported-by: syzbot+94048264da5715c251f9@syzkaller.appspotmail.com Tested-by: syzbot+94048264da5715c251f9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=94048264da5715c251f9 Fixes: 67c68da01266 ("namespace: convert fsmount() to FD_PREPARE()") Signed-off-by: Deepanshu Kartikey --- fs/namespace.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index e5240df614de..236482fd503f 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -4343,8 +4343,11 @@ SYSCALL_DEFINE3(fsmount, int, fs_fd, unsigned int, flags, warn_mandlock(); newmount.mnt = vfs_create_mount(fc); - if (IS_ERR(newmount.mnt)) - return PTR_ERR(newmount.mnt); + if (IS_ERR(newmount.mnt)) { + ret = PTR_ERR(newmount.mnt); + newmount.mnt = NULL; + return ret; + } newmount.dentry = dget(fc->root); newmount.mnt->mnt_flags = mnt_flags; -- 2.43.0
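Review bot: the added `ret = PTR_ERR(newmount.mnt);` relies on `ret` already being declared in fsmount(), which the hunk's context lines do not show; worth confirming the declaration is in scope so the patch builds as posted. A tidier alternative that never stores an error pointer in the `__free(path_put)`-guarded struct at all would be to create the mount into a local first, e.g. `struct vfsmount *mnt = vfs_create_mount(fc);` / `if (IS_ERR(mnt)) return PTR_ERR(mnt);` / `newmount.mnt = mnt;`, which reads as an ordinary error return and removes the need to clear the field by hand. As written the fix is sound provided the cleanup handler tolerates a NULL mnt, which the description says it does, and `newmount.dentry` is still unset at this point so the dput side is unaffected.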