nsfs: handle inode number mismatches gracefully in file handles

Replace VFS_WARN_ON_ONCE() with graceful error handling when file
handles contain inode numbers that don't match the actual namespace
inode. This prevents userspace from triggering kernel warnings by
providing malformed file handles to open_by_handle_at().

The issue occurs when userspace provides a file handle with valid
namespace type and ID that successfully locates a namespace, but
specifies an incorrect inode number. Previously, this would trigger
VFS_WARN_ON_ONCE() when comparing the real inode number against the
provided value.

Since file handle data is user-controllable, inode number mismatches
should be treated as invalid input rather than kernel consistency
errors. Handle this case by returning NULL to indicate the file
handle is invalid, rather than warning about what is essentially
user input validation.

Reported-by: syzbot+9eefe09bedd093f156c2@syzkaller.appspotmail.com
Suggested-by: Jan Kara <jack@suse.cz>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/fs/nsfs.c b/fs/nsfs.c
index 648dc59bef7f2456f963f0c55c38a36102c3141b..79b026a36fb628db69700f7441cf611bb26531e3 100644 (file)
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -490,7 +490,9 @@ static struct dentry *nsfs_fh_to_dentry(struct super_block *sb, struct fid *fh,
 
                VFS_WARN_ON_ONCE(ns->ns_id != fid->ns_id);
                VFS_WARN_ON_ONCE(ns->ns_type != fid->ns_type);
-               VFS_WARN_ON_ONCE(ns->inum != fid->ns_inum);
+
+               if (ns->inum != fid->ns_inum)
+                       return NULL;
 
                if (!__ns_ref_get(ns))
                        return NULL;