On 03/24/2017 02:55 AM, Nikolay Borisov wrote: > register_shrinker allocates dynamic memory and thus is susceptible to failures > under low-memory situation. Currently,get_userns ignores the return value of > register_shrinker, potentially exposing not fully initialised object. This > can lead to a NULL-ptr deref everytime shrinker->nr_deferred is referenced. > > Fix this by failing to register the filesystem in case there is not enough > memory to fully construct the shrinker object. > > Signed-off-by: Nikolay Borisov <nborisov@xxxxxxxx> Looks good, though the situation seems rare. Reviewed-by: Goldwyn Rodrigues <rgoldwyn@xxxxxxxx> > --- > fs/super.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/fs/super.c b/fs/super.c > index b8b6a086c03b..964b18447c92 100644 > --- a/fs/super.c > +++ b/fs/super.c > @@ -518,7 +518,19 @@ struct super_block *sget_userns(struct file_system_type *type, > hlist_add_head(&s->s_instances, &type->fs_supers); > spin_unlock(&sb_lock); > get_filesystem(type); > - register_shrinker(&s->s_shrink); > + err = register_shrinker(&s->s_shrink); > + if (err) { > + spin_lock(&sb_lock); > + list_del(&s->s_list); > + hlist_del(&s->s_instances); > + spin_unlock(&sb_lock); > + > + up_write(&s->s_umount); > + destroy_super(s); > + put_filesystem(type); > + return ERR_PTR(err); > + } > + > return s; > } > > -- Goldwyn
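Review bot: the new error branch after `err = register_shrinker(&s->s_shrink);` unlinks and destroys a superblock that has already been published. By that point `hlist_add_head(&s->s_instances, &type->fs_supers);` has run and `sb_lock` has been dropped, so a concurrent lookup may find `s` in the window before the branch re-takes the lock. `destroy_super(s)` would then be freeing an object another task may already have picked up. Consider calling register_shrinker() before the superblock is added to the lists, so that failure can be handled while the object is still private. Alternatively, tear it down through the regular locked superblock release path rather than open-coding list_del/hlist_del/destroy_super. Two smaller points: all 13 insertions in the diffstat are in this hunk, so the patch does not declare `err`; please confirm it is already declared in sget_userns(). The commit message also names get_userns, while the hunk header shows the function is sget_userns.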