From: Eric Biggers <ebiggers3@gmail.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: syzbot+d2586fde8fdcead3647f@syzkaller.appspotmail.com,
	viro@ZenIV.linux.org.uk, hughd@google.com,
	syzkaller-bugs@googlegroups.com, linux-mm@kvack.org,
	Dave Chinner <dchinner@redhat.com>
Subject: Re: [PATCH] shmem: don't call put_super() when fill_super() failed.
Date: Mon, 14 May 2018 10:11:54 -0700
Message-ID: <20180514171154.GB252575@gmail.com>
In-Reply-To: <20180514170423.GA252575@gmail.com>

On Mon, May 14, 2018 at 10:04:23AM -0700, Eric Biggers wrote:
> Hi Tetsuo,
> 
> On Mon, May 14, 2018 at 03:57:31PM +0900, Tetsuo Handa wrote:
> > From 193d9cb8b5dfc50c693d4bdd345cedb615bbf5ae Mon Sep 17 00:00:00 2001
> > From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Date: Mon, 14 May 2018 15:25:13 +0900
> > Subject: [PATCH] shmem: don't call put_super() when fill_super() failed.
> > 
> > syzbot is reporting NULL pointer dereference at shmem_unused_huge_count()
> > [1]. This is because shmem_fill_super() is calling shmem_put_super() which
> > immediately releases memory before unregister_shrinker() is called by
> > deactivate_locked_super() after fill_super() in mount_nodev() failed.
> > Fix this by leaving the call to shmem_put_super() to
> > generic_shutdown_super() from kill_anon_super() from kill_litter_super()
> > from deactivate_locked_super().
> > 
> > [1] https://syzkaller.appspot.com/bug?id=46e792849791f4abbac898880e8522054e032391
> > 
> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Reported-by: syzbot <syzbot+d2586fde8fdcead3647f@syzkaller.appspotmail.com>
> > Cc: Al Viro <viro@ZenIV.linux.org.uk>
> > ---
> >  mm/shmem.c | 1 -
> >  1 file changed, 1 deletion(-)
> > 
> > diff --git a/mm/shmem.c b/mm/shmem.c
> > index 9d6c7e5..18e134c 100644
> > --- a/mm/shmem.c
> > +++ b/mm/shmem.c
> > @@ -3843,7 +3843,6 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
> >  	return 0;
> >  
> >  failed:
> > -	shmem_put_super(sb);
> >  	return err;
> >  }
> >  
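Review bot: Dropping shmem_put_super(sb) from the failed: path looks like it leaks whatever shmem_fill_super() allocated before the error, because the commit message's premise does not hold on this path: generic_shutdown_super() only calls ->put_super() when ->s_root is set, and s_root is only assigned at the very end of shmem_fill_super(), so on failure nobody else will release the sbinfo. The NULL dereference in shmem_unused_huge_count() rather points at the shrinker (s_shrink / super_cache_count()) being reachable before fill_super() has finished, or at super_cache_count() not checking that the superblock is active; keeping the cleanup here and fixing the early shrinker exposure instead would address the report without introducing a leak.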
> > -- 
> > 1.8.3.1
> 
> I'm not following, since generic_shutdown_super() only calls ->put_super() if
> ->s_root is set, which only happens at the end of shmem_fill_super().  Isn't the
> real problem that s_shrink is registered too early, causing super_cache_count()
> and shmem_unused_huge_count() to potentially run before shmem_fill_super() has
> completed?  Or alternatively, the problem is that super_cache_count() doesn't
> check for SB_ACTIVE.
> 

Coincidentally, this is already going to be fixed by commit 79f546a696bff259
("fs: don't scan the inode cache before SB_BORN is set") in vfs/for-linus.

- Eric


Thread overview: 9+ messages
2018-05-14  6:57 [PATCH] shmem: don't call put_super() when fill_super() failed Tetsuo Handa
2018-05-14 17:04 ` Eric Biggers
2018-05-14 17:11   ` Eric Biggers [this message]
2018-05-14 18:07     ` Al Viro
2018-05-14 20:59     ` Tetsuo Handa
2018-05-15  0:27     ` Tetsuo Handa
2018-05-15  0:39       ` Al Viro
2018-05-15  0:52         ` Tetsuo Handa
2018-05-15  1:13           ` Al Viro
