Nikolay Borisov
Mar 24, 2017, 3:57:53 AM
to dvy...@google.com, vi...@zeniv.linux.org.uk, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com, Nikolay Borisov
register_shrinker allocates dynamic memory and thus is susceptible to failures
under low-memory situations. Currently, get_userns ignores the return value of
register_shrinker, potentially exposing a not fully initialised object. This
can lead to a NULL-ptr deref every time shrinker->nr_deferred is referenced.
Fix this by failing to register the filesystem in case there is not enough
memory to fully construct the shrinker object.
Signed-off-by: Nikolay Borisov <nbor...@suse.com>
---
fs/super.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/fs/super.c b/fs/super.c
index b8b6a086c03b..964b18447c92 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -518,7 +518,19 @@ struct super_block *sget_userns(struct file_system_type *type,
hlist_add_head(&s->s_instances, &type->fs_supers);
spin_unlock(&sb_lock);
get_filesystem(type);
- register_shrinker(&s->s_shrink);
+ err = register_shrinker(&s->s_shrink);
+ if (err) {
+ spin_lock(&sb_lock);
+ list_del(&s->s_list);
+ hlist_del(&s->s_instances);
+ spin_unlock(&sb_lock);
+
+ up_write(&s->s_umount);
+ destroy_super(s);
+ put_filesystem(type);
+ return ERR_PTR(err);
+ }
+
return s;
}
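Review bot: the new `if (err) {` branch unlinks the superblock only after `hlist_add_head(&s->s_instances, &type->fs_supers);` and `spin_unlock(&sb_lock);` have already run, so between that unlock and the re-taken `spin_lock(&sb_lock);` the superblock is reachable on both lists with no registered shrinker, and a concurrent walker of those lists can find it before it is destroyed. Consider performing the allocation that can fail before the superblock is added to the lists, so that the failure path needs no unlinking under a second lock acquisition. The hunk also assigns `err` without a declaration in the visible lines; confirm one exists in sget_userns, and add a short comment explaining the teardown order in the error branch.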
--
2.7.4