On Tue 21-11-17 15:05:00, Michal Hocko wrote:
> [Cc Al and Dave - email thread starts http://lkml.kernel.org/r/001a113f996099503a055e793dd3@xxxxxxxxxx]
>
> On Tue 21-11-17 20:11:26, Tetsuo Handa wrote:
> > On 2017/11/21 16:35, syzbot wrote:
> > > Hello,
> > >
> > > syzkaller hit the following crash on ca91659962303d4fd5211a5e4e13df5cbb11e744
> > > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> > > compiler: gcc (GCC) 7.1.1 20170620
> > > .config is attached
> > > Raw console output is attached.
> > >
> > > Unfortunately, I don't have any reproducer for this bug yet.
> >
> > Fault injection found an unchecked register_shrinker() return code.
> > Wow, register_shrinker()/unregister_shrinker() is possibly frequently called path?
> >
> >
> > struct super_block *sget_userns(struct file_system_type *type,
> >                         int (*test)(struct super_block *,void *),
> >                         int (*set)(struct super_block *,void *),
> >                         int flags, struct user_namespace *user_ns,
> >                         void *data)
> > {
> > (...snipped...)
> >         spin_unlock(&sb_lock);
> >         get_filesystem(type);
> >         register_shrinker(&s->s_shrink); // Error check required.
> >         return s;
>
> Yes, this is the case since numa aware shrinkers were introduced.

I meant 1d3d4437eae1 ("vmscan: per-node deferred work")

> I have
> a bit hard time to follow the code flow but why cannot we simply
> register the shrinker when we allocate the new super block? We
> still have the s_umount held so the shrinker cannot race with the
> registration code.
>
> Something like the totally untested and possibly wrong
> ---
> diff --git a/fs/super.c b/fs/super.c > index 994db21f59bf..1eb850413fdf 100644 > --- a/fs/super.c > +++ b/fs/super.c
> @@ -506,6 +506,11 @@ struct super_block *sget_userns(struct file_system_type *type, > s = alloc_super(type, (flags & ~SB_SUBMOUNT), user_ns); > if (!s) > return ERR_PTR(-ENOMEM); > + if (register_shrinker(&s->s_shrink)) { > + up_write(&s->s_umount); > + destroy_super(s); > + return ERR_PTR(-ENOMEM); > + } > goto retry; > } > > @@ -522,7 +527,6 @@ struct super_block *sget_userns(struct file_system_type *type, > hlist_add_head(&s->s_instances, &type->fs_supers); > spin_unlock(&sb_lock); > get_filesystem(type); > - register_shrinker(&s->s_shrink); > return s; > } >
> --
> Michal Hocko
> SUSE Labs
--
Michal Hocko
SUSE Labs
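
Review bot: the new failure branch in the `@@ -506,6 +506,11 @@` hunk discards the value returned by register_shrinker() and hardcodes `return ERR_PTR(-ENOMEM);`. Keep the result in a local and return ERR_PTR() of that value so that whatever error the registration reports is propagated. Since the shrinker is now registered before `goto retry;`, any later path that drops `s` instead of returning it also has to unregister it first, and it is worth confirming that `destroy_super(s);` in this branch is safe on a superblock whose shrinker registration has just failed.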
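
Review bot: missing documentation for the ordering change in the `@@ -522,7 +527,6 @@` hunk. With `register_shrinker(&s->s_shrink);` dropped from the success path, the shrinker is already live when `hlist_add_head(&s->s_instances, &type->fs_supers);` and `get_filesystem(type);` run. The mail's argument that the held s_umount keeps the shrinker from racing with the rest of the setup should be recorded as a comment at the new registration site, because nothing in the code states that requirement.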