Re: general protection fault in __list_del_entry_valid (2)

Tue, 21 Nov 2017 06:05:21 -0800 

[Cc Al and Dave - email thread starts 
http://lkml.kernel.org/r/001a113f996099503a055e793...@google.com]

On Tue 21-11-17 20:11:26, Tetsuo Handa wrote:
> On 2017/11/21 16:35, syzbot wrote:
> > Hello,
> > 
> > syzkaller hit the following crash on 
> > ca91659962303d4fd5211a5e4e13df5cbb11e744
> > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> > compiler: gcc (GCC) 7.1.1 20170620
> > .config is attached
> > Raw console output is attached.
> > 
> > Unfortunately, I don't have any reproducer for this bug yet.
> 
> Fault injection found an unchecked register_shrinker() return code.
> Wow, register_shrinker()/unregister_shinker() is possibly frequently called 
> path?
> 
> 
> struct super_block *sget_userns(struct file_system_type *type,
>                               int (*test)(struct super_block *,void *),
>                               int (*set)(struct super_block *,void *),
>                               int flags, struct user_namespace *user_ns,
>                               void *data)
> {
> (...snipped...)
>       spin_unlock(&sb_lock);
>       get_filesystem(type);
>       register_shrinker(&s->s_shrink); // Error check required.
>       return s;

Yes, this is the case since numa aware shrinkers were introduced. I have
a bit hard time to follow the code flow but why cannot we simply
register the shrinker when we allocate the new super block? We
still have the s_umount held so the shrinker cannot race with the
registration code.

Something like the totally untested and possibly wrong
---
diff --git a/fs/super.c b/fs/super.c
index 994db21f59bf..1eb850413fdf 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -506,6 +506,11 @@ struct super_block *sget_userns(struct file_system_type 
*type,
                s = alloc_super(type, (flags & ~SB_SUBMOUNT), user_ns);
                if (!s)
                        return ERR_PTR(-ENOMEM);
+               if (register_shrinker(&s->s_shrink)) {
+                       up_write(&s->s_umount);
+                       destroy_super(s);
+                       return ERR_PTR(-ENOMEM);
+               }
                goto retry;
        }
 
@@ -522,7 +527,6 @@ struct super_block *sget_userns(struct file_system_type 
*type,
        hlist_add_head(&s->s_instances, &type->fs_supers);
        spin_unlock(&sb_lock);
        get_filesystem(type);
-       register_shrinker(&s->s_shrink);
        return s;
 }
 
-- 
Michal Hocko
SUSE Labs

Reply via email to