>From 193d9cb8b5dfc50c693d4bdd345cedb615bbf5ae Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> Date: Mon, 14 May 2018 15:25:13 +0900 Subject: [PATCH] shmem: don't call put_super() when fill_super() failed. syzbot is reporting NULL pointer dereference at shmem_unused_huge_count() [1]. This is because shmem_fill_super() is calling shmem_put_super() which immediately releases memory before unregister_shrinker() is called by deactivate_locked_super() after fill_super() in mount_nodev() failed. Fix this by leaving the call to shmem_put_super() to generic_shutdown_super() from kill_anon_super() from kill_litter_super() from deactivate_locked_super(). [1] https://syzkaller.appspot.com/bug?id=46e792849791f4abbac898880e8522054e032391 Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> Reported-by: syzbot <syzbot+d2586fde8fdcead3647f@xxxxxxxxxxxxxxxxxxxxxxxxx> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> --- mm/shmem.c | 1 - 1 file changed, 1 deletion(-) diff --git a/mm/shmem.c b/mm/shmem.c index 9d6c7e5..18e134c 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -3843,7 +3843,6 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) return 0; failed: - shmem_put_super(sb); return err; } -- 1.8.3.1
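Review bot: the `failed:` label now reduces to a bare `return err;`, which leaves no hint at the call site that the cleanup was dropped on purpose. Since every allocation made before a `goto failed` in shmem_fill_super() is now freed only later by the teardown the commit message describes (deactivate_locked_super() -> kill_litter_super() -> kill_anon_super() -> generic_shutdown_super() -> shmem_put_super()), a one-line comment above `return err;` saying that s_fs_info is intentionally left for ->put_super() would stop a future reader from re-adding the early shmem_put_super(sb) call and reintroducing the double free that led to the unregister_shrinker() NULL dereference syzbot reported. It also means shmem_put_super() has to tolerate a partially initialised superblock (the early exits happen before the shrinker is registered), so it would be worth stating in the commit message that this was checked. Finally, for a NULL pointer dereference reachable from a failed mount, the commit message carries no `Fixes:` tag and no `Cc: stable` line; adding them would let the fix be backported.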