register_shrinker allocates dynamic memory and thus is susceptible to failures under low-memory situation. Currently,get_userns ignores the return value of register_shrinker, potentially exposing not fully initialised object. This can lead to a NULL-ptr deref everytime shrinker->nr_deferred is referenced. Fix this by failing to register the filesystem in case there is not enough memory to fully construct the shrinker object.

Signed-off-by: Nikolay Borisov <nborisov@xxxxxxxx>
---
 fs/super.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/super.c b/fs/super.c
index b8b6a086c03b..964b18447c92 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -518,7 +518,19 @@ struct super_block *sget_userns(struct file_system_type *type,
 	hlist_add_head(&s->s_instances, &type->fs_supers);
 	spin_unlock(&sb_lock);
 	get_filesystem(type);
-	register_shrinker(&s->s_shrink);
+	err = register_shrinker(&s->s_shrink);
+	if (err) {
+		spin_lock(&sb_lock);
+		list_del(&s->s_list);
+		hlist_del(&s->s_instances);
+		spin_unlock(&sb_lock);
+
+		up_write(&s->s_umount);
+		destroy_super(s);
+		put_filesystem(type);
+		return ERR_PTR(err);
+	}
+
 	return s;
 }
-- 
2.7.4
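Review bot: The rollback in the new `if (err)` branch frees a superblock that has already been published: by the time `register_shrinker()` runs, `s` is on `super_blocks` and `type->fs_supers` and `sb_lock` has been dropped, so any walker that took an `s_count` reference in that window and is now waiting on `s->s_umount` would find `s` freed by `destroy_super(s)` right after the `up_write()` — I cannot see from the hunk whether such a walker can reach `s` here, but the direct `destroy_super()` call bypasses whatever reference counting the list consumers rely on, so this deserves confirmation. The safer shape is to make the allocation happen before publication — register (or pre-allocate) the shrinker before the `spin_lock(&sb_lock)`/`list_add` sequence above this hunk, where failure can reuse the existing unpublished-`s` error path — or, if rollback after publication is kept, release `s` through the refcounted drop rather than `destroy_super()`. The branch also assumes `err` is an `int` already declared in `sget_userns()`; that declaration is outside the hunk, as is the start of the function.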