efivarfs: Defer PM notifier registration until .fill_super

ardbiesheuvel · ardbiesheuvel · commit cb6ae457bc6a · 2025-02-23T17:30:05.000+01:00
syzbot reports an issue that turns out to be caused by the fact that the
efivarfs PM notifier may be invoked before the efivarfs_fs_info::sb
field is populated, resulting in a NULL deference.

So defer the registration until efivarfs_fill_super() is invoked.

Reported-by: syzbot+00d13e505ef530a45100@syzkaller.appspotmail.com
Tested-by: syzbot+00d13e505ef530a45100@syzkaller.appspotmail.com
Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
@@ -367,6 +367,8 @@ static int efivarfs_fill_super(struct super_block *sb, struct fs_context *fc)
 	if (err)
 		return err;
 
+	register_pm_notifier(&sfi->pm_nb);
+
 	return efivar_init(efivarfs_callback, sb, true);
 }
 
@@ -552,7 +554,6 @@ static int efivarfs_init_fs_context(struct fs_context *fc)
 
 	sfi->pm_nb.notifier_call = efivarfs_pm_notify;
 	sfi->pm_nb.priority = 0;
-	register_pm_notifier(&sfi->pm_nb);
 
 	return 0;
 }

Original file line number	Diff line number	Diff line change
`@@ -367,6 +367,8 @@ static int efivarfs_fill_super(struct super_block sb, struct fs_context fc)`
`367`	`367`	`if (err)`
`368`	`368`	`return err;`
`369`	`369`
	`370`	`+ register_pm_notifier(&sfi->pm_nb);`
	`371`	`+`
`370`	`372`	`return efivar_init(efivarfs_callback, sb, true);`
`371`	`373`	`}`
`372`	`374`
`@@ -552,7 +554,6 @@ static int efivarfs_init_fs_context(struct fs_context *fc)`
`552`	`554`
`553`	`555`	`sfi->pm_nb.notifier_call = efivarfs_pm_notify;`
`554`	`556`	`sfi->pm_nb.priority = 0;`
`555`		`- register_pm_notifier(&sfi->pm_nb);`
`556`	`557`
`557`	`558`	`return 0;`
`558`	`559`	`}`