On 24.03.2017 10:25, Nikolay Borisov wrote: > register_shrinker allocates dynamic memory and thus is susceptible to failures > under low-memory situation. Currently, get_userns ignores the return value of > register_shrinker, potentially exposing a not fully initialised object. This > can lead to a NULL-ptr deref every time shrinker->nr_deferred is referenced. > > Fix this by failing to register the filesystem in case there is not enough > memory to fully construct the shrinker object. > > Signed-off-by: Nikolay Borisov <nborisov@xxxxxxxx> > Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work") > Link: lkml.kernel.org/r/CACT4Y+b-purC3HHbw=SctmS3MA8FKqtNYZUS_KCo2WMctTwyNA@xxxxxxxxxxxxxx > --- PING, Al, is there something bothering you with this patch that needs fixing before it's merged? Also I think it should be tagged stable. > > Add Fixes and Link tags for better traceability > > fs/super.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/fs/super.c b/fs/super.c > index b8b6a086c03b..964b18447c92 100644 > --- a/fs/super.c > +++ b/fs/super.c > @@ -518,7 +518,19 @@ struct super_block *sget_userns(struct file_system_type *type, > hlist_add_head(&s->s_instances, &type->fs_supers); > spin_unlock(&sb_lock); > get_filesystem(type); > - register_shrinker(&s->s_shrink); > + err = register_shrinker(&s->s_shrink); > + if (err) { > + spin_lock(&sb_lock); > + list_del(&s->s_list); > + hlist_del(&s->s_instances); > + spin_unlock(&sb_lock); > + > + up_write(&s->s_umount); > + destroy_super(s); > + put_filesystem(type); > + return ERR_PTR(err); > + } > + > return s; > } > >
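Review bot: In the new error path of the sget_userns() hunk, s has already been added to type->fs_supers and sb_lock has been dropped before register_shrinker() is called, so the superblock is reachable by other list walkers for a window before `list_del(&s->s_list); hlist_del(&s->s_instances);` runs. Unlinking it and then calling destroy_super(s) directly assumes nobody picked s up in that window. Consider calling register_shrinker() before s is published on the lists, or tearing the superblock down through the normal reference-dropping path instead of destroy_super(). Two smaller points: the changelog names get_userns while the function changed is sget_userns, and no declaration of err appears in the hunk, so please confirm it is already declared in this function.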