Hello Matthew, It seems to me that there are other locations which do not check xas_store() failure. Is that really OK? If they are OK, I think we want a comment like /* This never fails. */ or /* Failure is OK because ... */ for each call without failure check. >From d6f24d6eecd79836502527624f8086f4e3e4c331 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> Date: Mon, 9 Jul 2018 15:58:44 +0900 Subject: [PATCH] shmem: Fix crash upon xas_store() failure. syzbot is reporting list corruption [1]. This is because xas_store() from shmem_add_to_page_cache() is not handling memory allocation failure. Fix this by checking xas_error() after xas_store(). [1] https://syzkaller.appspot.com/bug?id=ccf34b892706ff6f3321da526329476eab23d5a0 Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> Reported-by: syzbot+d8a8e42dfba0454286ff@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: "shmem: Convert shmem_add_to_page_cache to XArray" --- mm/shmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/shmem.c b/mm/shmem.c index 0f151c8..382aeb3 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -606,6 +606,8 @@ static int shmem_add_to_page_cache(struct page *page, } next: xas_store(&xas, page + i); + if (xas_error(&xas)) + goto unlock; if (++i < nr) { xas_next(&xas); goto next; -- 1.8.3.1
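Review bot: the new `if (xas_error(&xas)) goto unlock;` sits inside the per-page loop (`xas_store(&xas, page + i)` followed by `if (++i < nr) { xas_next(&xas); goto next;`), so when the store fails for some i > 0, the entries already stored for indices 0..i-1 stay in the xarray and the hunk does not show what the `unlock` path does with them. Please confirm that the code after the `unlock` label (outside this hunk) either retries the whole loop from i = 0, so the earlier slots are simply re-stored with the same pages, or tears down the partial insertion before returning the error; otherwise the error exit leaves the page cache half populated for this extent. A one-line comment on the added lines saying which of the two applies would help, since the commit message talks only about memory allocation failure while xas_error() returns whatever error state the xa_state carries. Minor: the Fixes: tag gives the commit subject in quotes rather than the usual 12-character SHA plus subject; if that is because the conversion commit has no stable SHA yet on the branch this is against, it is worth saying so in the message.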