From patchwork Fri Mar 24 07:55:40 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nikolay Borisov X-Patchwork-Id: 9642385 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 568C16020B for ; Fri, 24 Mar 2017 08:36:27 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 496EA27F9F for ; Fri, 24 Mar 2017 08:36:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3CD66283E8; Fri, 24 Mar 2017 08:36:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 03A5A27F9F for ; Fri, 24 Mar 2017 08:36:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751935AbdCXH4d (ORCPT ); Fri, 24 Mar 2017 03:56:33 -0400 Received: from mx2.suse.de ([195.135.220.15]:36257 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752109AbdCXHzx (ORCPT ); Fri, 24 Mar 2017 03:55:53 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 9D187AB22; Fri, 24 Mar 2017 07:55:51 +0000 (UTC) From: Nikolay Borisov To: dvyukov@google.com Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Nikolay Borisov Subject: [PATCH] fs: Handle register_shrinker failure Date: Fri, 24 Mar 2017 09:55:40 +0200 Message-Id: <1490342140-19138-1-git-send-email-nborisov@suse.com> X-Mailer: git-send-email 2.7.4 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP register_shrinker allocates dynamic memory and thus is susceptible to failures under low-memory situation. Currently,get_userns ignores the return value of register_shrinker, potentially exposing not fully initialised object. This can lead to a NULL-ptr deref everytime shrinker->nr_deferred is referenced. Fix this by failing to register the filesystem in case there is not enough memory to fully construct the shrinker object. Signed-off-by: Nikolay Borisov Reviewed-by: Goldwyn Rodrigues --- fs/super.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/fs/super.c b/fs/super.c index b8b6a086c03b..964b18447c92 100644 --- a/fs/super.c +++ b/fs/super.c @@ -518,7 +518,19 @@ struct super_block *sget_userns(struct file_system_type *type, hlist_add_head(&s->s_instances, &type->fs_supers); spin_unlock(&sb_lock); get_filesystem(type); - register_shrinker(&s->s_shrink); + err = register_shrinker(&s->s_shrink); + if (err) { + spin_lock(&sb_lock); + list_del(&s->s_list); + hlist_del(&s->s_instances); + spin_unlock(&sb_lock); + + up_write(&s->s_umount); + destroy_super(s); + put_filesystem(type); + return ERR_PTR(err); + } + return s; }