From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755646AbdCXI2J (ORCPT ); Fri, 24 Mar 2017 04:28:09 -0400
Received: from mx2.suse.de ([195.135.220.15]:41459 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752405AbdCXI1N
	(ORCPT ); Fri, 24 Mar 2017 04:27:13 -0400
From: Nikolay Borisov
To: dvyukov@google.com
Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller@googlegroups.com,
	Nikolay Borisov
Subject: [PATCHv2] fs: Handle register_shrinker failure
Date: Fri, 24 Mar 2017 10:25:48 +0200
Message-Id: <1490343948-20840-1-git-send-email-nborisov@suse.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1490342270-19240-1-git-send-email-nborisov@suse.com>
References: <1490342270-19240-1-git-send-email-nborisov@suse.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

register_shrinker allocates dynamic memory and thus is susceptible to
failures under low-memory situations. Currently, sget_userns ignores the
return value of register_shrinker, potentially exposing a not fully
initialised object. This can lead to a NULL-ptr deref every time
shrinker->nr_deferred is referenced. Fix this by failing to register the
filesystem in case there is not enough memory to fully construct the
shrinker object.

Signed-off-by: Nikolay Borisov
Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work")
Link: lkml.kernel.org/r/CACT4Y+b-purC3HHbw=SctmS3MA8FKqtNYZUS_KCo2WMctTwyNA@mail.gmail.com
---
Add Fixes and Link tags for better traceability

 fs/super.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/super.c b/fs/super.c
index b8b6a086c03b..964b18447c92 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -518,7 +518,19 @@ struct super_block *sget_userns(struct file_system_type *type, hlist_add_head(&s->s_instances, &type->fs_supers); spin_unlock(&sb_lock); get_filesystem(type); - register_shrinker(&s->s_shrink); + err = register_shrinker(&s->s_shrink); + if (err) { + spin_lock(&sb_lock); + list_del(&s->s_list); + hlist_del(&s->s_instances); + spin_unlock(&sb_lock); + + up_write(&s->s_umount); + destroy_super(s); + put_filesystem(type); + return ERR_PTR(err); + } + return s; } -- 2.7.4
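Review bot: the error path added after `err = register_shrinker(&s->s_shrink);` frees the superblock with `destroy_super(s)` even though, between the first `spin_unlock(&sb_lock)` and the `list_del`/`hlist_del` done under the second sb_lock section, it was already reachable on super_blocks and type->fs_supers; a concurrent lookup that found it in that window and is blocked on s_umount would be handed a freed object once `up_write(&s->s_umount)` runs. Rather than hand-rolling the unwind, go through the reference-counted teardown the rest of fs/super.c uses, e.g. `deactivate_locked_super(s); return ERR_PTR(err);` in place of the list_del/up_write/destroy_super/put_filesystem sequence, so that the lookup path and the failure path agree on the object's lifetime. The hunk also assigns `err` without showing its declaration; worth confirming it is the `int err` sget_userns() already has for the set() callback and not a newly shadowed one.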
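Added for this page, not kernel code and not part of the patch: a userland C model of the failure mode the commit message describes. struct shrinker, struct super, the fail_next_alloc hook, put_super() and the sget_* wrappers are invented stand-ins for the kernel objects and paths named in the message; the negative-errno return convention mirrors the kernel's. The unchecked variant publishes an object whose nr_deferred is still NULL, so the first shrinker call fails; the checked variant propagates -ENOMEM and unwinds the publication, which is the behaviour the patch aims for.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

#define NR_NODES 4	/* stand-in for the size of the per-node nr_deferred array */

/* Models of struct shrinker and struct super_block (invented for this example):
 * nr_deferred is allocated by register_shrinker() and indexed later by the
 * shrinker callback; on_list stands in for s_list/s_instances membership. */
struct shrinker { long *nr_deferred; };
struct super { struct shrinker s_shrink; bool on_list; };

/* Fault-injection hook (invented): the next register_shrinker() allocation fails. */
static int fail_next_alloc;

/* Like the kernel's register_shrinker(): 0, or -ENOMEM with nr_deferred left NULL. */
static int register_shrinker(struct shrinker *sh)
{
	sh->nr_deferred = fail_next_alloc ? NULL : calloc(NR_NODES, sizeof(long));
	fail_next_alloc = 0;		/* the injected failure is one-shot */
	return sh->nr_deferred ? 0 : -ENOMEM;
}

/* The later use the message refers to: the shrinker path indexes nr_deferred.
 * Report -EFAULT instead of crashing so the outcome can be asserted on. */
static int shrink_node(struct shrinker *sh, int nid)
{
	if (!sh->nr_deferred)
		return -EFAULT;	/* in the kernel this is the NULL-ptr deref */
	sh->nr_deferred[nid]++;
	return 0;
}

/* Teardown shared by all paths: unlink (modelled by on_list) and free. */
static void put_super(struct super *s)
{
	if (!s)
		return;
	s->on_list = false;
	free(s->s_shrink.nr_deferred);
	free(s);
}

/* "Before": return value dropped, as sget_userns() did; the superblock
 * stays published with a half-built shrinker. */
static struct super *sget_unchecked(void)
{
	struct super *s = calloc(1, sizeof(*s));
	if (!s)
		return NULL;
	s->on_list = true;
	register_shrinker(&s->s_shrink);	/* failure silently ignored */
	return s;
}

/* "After": fail the whole setup and unwind the publication on error. */
static struct super *sget_checked(int *err)
{
	struct super *s = calloc(1, sizeof(*s));
	*err = s ? 0 : -ENOMEM;
	if (s) {
		s->on_list = true;
		*err = register_shrinker(&s->s_shrink);
	}
	if (*err) {
		put_super(s);	/* take it back off the list and free it */
		return NULL;
	}
	return s;
}

/* Injected failure, unchecked caller: returns what the first shrinker call
 * then hits (-EFAULT here, the NULL deref in the kernel). */
static int demo_unchecked(void)
{
	fail_next_alloc = 1;
	struct super *s = sget_unchecked();
	int rc = s ? shrink_node(&s->s_shrink, 0) : -ENOMEM;
	put_super(s);
	return rc;
}

/* Injected failure, checked caller: the error propagates out instead. */
static int demo_checked(void)
{
	int err = 0;
	fail_next_alloc = 1;
	put_super(sget_checked(&err));	/* NULL: nothing was published */
	return err;
}

/* No failure, checked caller: the shrinker path works on a fully built object. */
static int demo_success(void)
{
	int err = 0;
	struct super *s = sget_checked(&err);
	int rc = s ? shrink_node(&s->s_shrink, NR_NODES - 1) : err;
	put_super(s);
	return rc;
}
```

The fault hook is what makes the bug reproducible on demand: without it, the ignored return value only bites under real memory pressure, which is why the original path survived until a fuzzer drove it there.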