From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mx2.suse.de ([195.135.220.15]:36525 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752206AbdCXH6g (ORCPT ); Fri, 24 Mar 2017 03:58:36 -0400
From: Nikolay Borisov
To: dvyukov@google.com
Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Nikolay Borisov
Subject: [PATCH] fs: Handle register_shrinker failure
Date: Fri, 24 Mar 2017 09:57:50 +0200
Message-Id: <1490342270-19240-1-git-send-email-nborisov@suse.com>
In-Reply-To:
References:
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

register_shrinker allocates dynamic memory and thus is susceptible to failures under low-memory situations. Currently, get_userns ignores the return value of register_shrinker, potentially exposing a not fully initialised object. This can lead to a NULL-ptr deref every time shrinker->nr_deferred is referenced. Fix this by failing to register the filesystem in case there is not enough memory to fully construct the shrinker object.

Signed-off-by: Nikolay Borisov
--- fs/super.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/fs/super.c b/fs/super.c index b8b6a086c03b..964b18447c92 100644 --- a/fs/super.c +++ b/fs/super.c @@ -518,7 +518,19 @@ struct super_block *sget_userns(struct file_system_type *type, hlist_add_head(&s->s_instances, &type->fs_supers); spin_unlock(&sb_lock); get_filesystem(type); - register_shrinker(&s->s_shrink); + err = register_shrinker(&s->s_shrink); + if (err) { + spin_lock(&sb_lock); + list_del(&s->s_list); + hlist_del(&s->s_instances); + spin_unlock(&sb_lock); + + up_write(&s->s_umount); + destroy_super(s); + put_filesystem(type); + return ERR_PTR(err); + } + return s; } -- 2.7.4
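
Review bot: the error branch after `err = register_shrinker(&s->s_shrink);` unpublishes and frees a superblock that other tasks could already see. The context lines just above add `s` to `type->fs_supers` and drop `sb_lock` before the shrinker is registered, so by the time `list_del(&s->s_list)` and `hlist_del(&s->s_instances)` run, a concurrent walker of those lists may have found `s`, and `destroy_super(s)` would then free it underneath that walker. Either register the shrinker before the superblock is put on the lists, or tear down through the regular release path for a locked superblock (`deactivate_locked_super()` in fs/super.c) rather than open-coding the list removal and `destroy_super()`. Two smaller points: the hunk shows no declaration of `err`, so confirm one is already in scope in `sget_userns()`; and the commit message names `get_userns` while the hunk header shows `sget_userns`.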