From d5700a69c91b90a9f510cdaca335162acfdea2f1 Mon Sep 17 00:00:00 2001
From: 3idey <3idey@users.noreply.github.com>
Date: Thu, 22 Jan 2026 16:32:32 +0200
Subject: [PATCH] fsnotify: Add null checks and error handling in
 get_mark_path()

Add validation for potential error conditions in get_mark_path():

- Check mntns_get_root_by_mnt_id() return value before using mntns_root
- Add null check for f_handle before dereferencing
- Rename local variable 'path' to 'fpath' to avoid shadowing
- Improve error message for open failure to include device and inode

These checks prevent potential crashes when restore encounters
unexpected conditions like missing mount namespaces or corrupted
image data.

Signed-off-by: 3idey <3idey@users.noreply.github.com>
---
 criu/fsnotify.c | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/criu/fsnotify.c b/criu/fsnotify.c
index 2c1033d9a..8c087ccea 100644
--- a/criu/fsnotify.c
+++ b/criu/fsnotify.c
@@ -501,28 +501,44 @@ static char *get_mark_path(const char *who, struct file_remap *remap, FhEntry *f
 		int mntns_root;
 
 		mntns_root = mntns_get_root_by_mnt_id(remap->rmnt_id);
+		if (mntns_root < 0) {
+			pr_err("Can't get mntns root for %s remap (mnt_id %d)\n",
+			       who, remap->rmnt_id);
+			goto err;
+		}
 
 		pr_debug("\t\tRestore %s watch for %#08x:%#016lx (via %s)\n", who, s_dev, i_ino, remap->rpath);
 		*target = openat(mntns_root, remap->rpath, O_PATH);
-	} else if (f_handle->path) {
+	} else if (f_handle && f_handle->path) {
 		int mntns_root;
-		char *path = ".";
+		char *fpath = ".";
 		uint32_t mnt_id = f_handle->has_mnt_id ? f_handle->mnt_id : -1;
 
 		/* irmap cache is collected in the root namespaces. */
 		mntns_root = mntns_get_root_by_mnt_id(mnt_id);
+		if (mntns_root < 0) {
+			pr_err("Can't get mntns root for %s path hint (mnt_id %d)\n",
+			       who, mnt_id);
+			goto err;
+		}
 
 		/* change "/foo" into "foo" and "/" into "." */
 		if (f_handle->path[1] != '\0')
-			path = f_handle->path + 1;
+			fpath = f_handle->path + 1;
 
-		pr_debug("\t\tRestore with path hint %d:%s\n", mnt_id, path);
-		*target = openat(mntns_root, path, O_PATH);
-	} else
+		pr_debug("\t\tRestore with path hint %d:%s\n", mnt_id, fpath);
+		*target = openat(mntns_root, fpath, O_PATH);
+	} else {
+		if (!f_handle) {
+			pr_err("Null f_handle for %s mark (dev %#x ino %#lx)\n",
+			       who, s_dev, i_ino);
+			goto err;
+		}
 		*target = open_handle(s_dev, i_ino, f_handle);
+	}
 
 	if (*target < 0) {
-		pr_perror("Unable to open %s", f_handle->path);
+		pr_perror("Unable to open %s mark (dev %#x ino %#lx)", who, s_dev, i_ino);
 		goto err;
 	}