Description of problem:

knfsd crashes if you are using it to export shmemfs objects and run strict overcommit. In this situation the current->mm based modifier to the overcommit goes through a NULL pointer. We could simply check for NULL and skip the modifier, but we've caught other real bugs in the past from mm being NULL here - cases where we did need a valid mm set up (e.g. the exec bug in 2005). To preserve the checks and get the logic we want, shuffle the checking around and add a new helper to the vm_ security wrappers. Also fix a current->mm reference in nommu that should use the passed mm.

Upstream commits:

nfsd: fix vm overcommit crash
http://git.kernel.org/linus/731572d39fcd3498702eda4600db4c43d51e0b26

nfsd: fix vm overcommit crash fix #2
http://git.kernel.org/linus/1b79cd04fab80be61dcd2732e2423aafde9a4c1c

Reference:

[PATCH] knfsd: add nfs-export support to tmpfs
http://git.kernel.org/linus/91828a405ae454a9503c41a7744f6ff877a80714
Unable to handle kernel NULL pointer dereference at 0000000000000120
RIP: [<ffffffff8109b05c>] __vm_enough_memory+0xe2/0x123
PGD 2e1c6067 PUD 2e14c067 PMD 0
Oops: 0000 [1] PREEMPT SMP
CPU 0
Modules linked in: nfs nfsd nfs_acl auth_rpcgss exportfs autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 acpiphp dm_mirror dm_multipath scsi_dh dm_mod video output sbs sbshc battery lp sg floppy sr_mod cdrom serio_raw snd_ens1371 gameport snd_rawmidi snd_ac97_codec ac97_bus snd_seq_dummy ac snd_seq_oss parport_pc parport snd_seq_midi_event snd_seq button snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc e1000 pata_acpi ata_generic shpchp intel_agp pcspkr ata_piix libata mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 4836, comm: nfsd Not tainted 2.6.24.7-149.el5rt #1
RIP: 0010:[<ffffffff8109b05c>]  [<ffffffff8109b05c>] __vm_enough_memory+0xe2/0x123
RSP: 0018:ffff81002c61f990  EFLAGS: 00010202
RAX: 000000000001b5eb RBX: 0000000000ab0ffe RCX: 000000000001b5eb
RDX: 0000000000000032 RSI: 0000000000000064 RDI: 0000000000000067
RBP: ffff81002c61f9b0 R08: ffff81002c61c440 R09: 0000000000000000
R10: ffff81002e01cb70 R11: 0000000000003000 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
FS:  00007fd46c9bd6e0(0000) GS:ffffffff813f7100(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000120 CR3: 000000002e19b000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process nfsd (pid: 4836, threadinfo ffff81002c61e000, task ffff81002c61c440)
Stack:  ffff81002f5c1ac0 0000000000000001 0000000000000000 0000000000000000
 ffff81002c61f9e0 ffffffff811157d8 0000000000000000 ffff81002f4e8840
 ffff81002f4e8870 ffff81002e01ca10 ffff81002c61f9f0 ffffffff8110eb1b
Call Trace:
 [<ffffffff811157d8>] selinux_vm_enough_memory+0x66/0x6e
 [<ffffffff8110eb1b>] security_vm_enough_memory+0x24/0x26
 [<ffffffff810a7d79>] shmem_getpage+0x3e0/0x744
 [<ffffffff8105ef24>] ? __rt_mutex_adjust_prio+0x11/0x24
 [<ffffffff81113b2c>] ? selinux_inode_getsecurity+0x2c/0x8b
 [<ffffffff8110f560>] ? security_inode_getsecurity+0x1c/0x1e
 [<ffffffff810a63f4>] ? shmem_xattr_security_get+0x19/0x1b
 [<ffffffff810cc527>] ? generic_getxattr+0x4e/0x5c
 [<ffffffff8110e1e0>] ? cap_inode_need_killpriv+0x2d/0x3b
 [<ffffffff81112584>] ? selinux_inode_need_killpriv+0x11/0x13
 [<ffffffff810a8f17>] shmem_file_write+0x124/0x214
 [<ffffffff810a8df3>] ? shmem_file_write+0x0/0x214
 [<ffffffff810b0bd4>] do_loop_readv_writev+0x3c/0x71
 [<ffffffff810b155c>] do_readv_writev+0xec/0x1b4
 [<ffffffff811132a9>] ? inode_has_perm+0x6b/0x7a
 [<ffffffff8128b29e>] ? rt_spin_lock+0x9/0xb
 [<ffffffff810b1665>] vfs_writev+0x41/0x4c
 [<ffffffff8837fc90>] :nfsd:nfsd_vfs_write+0x107/0x31d
 [<ffffffff810af931>] ? dentry_open+0x63/0x6b
 [<ffffffff88380390>] ? :nfsd:nfsd_open+0x167/0x17d
 [<ffffffff883805a7>] :nfsd:nfsd_write+0xbd/0xd9
 [<ffffffff8838789c>] :nfsd:nfsd3_proc_write+0x106/0x126
 [<ffffffff8837c26c>] :nfsd:nfsd_dispatch+0xe9/0x1c6
 [<ffffffff882f6d4f>] :sunrpc:svc_process+0x404/0x6f9
 [<ffffffff81048b79>] ? recalc_sigpending+0x12/0x41
 [<ffffffff8837c85d>] :nfsd:nfsd+0x19f/0x2b6
 [<ffffffff8100d088>] child_rip+0xa/0x12
 [<ffffffff8837c6be>] ? :nfsd:nfsd+0x0/0x2b6
 [<ffffffff8100d07e>] ? child_rip+0x0/0x12
Code: 00 00 00 48 29 c3 48 63 05 42 96 32 00 48 89 d6 31 d2 48 0f af d8 48 89 d8 48 f7 f6 45 85 ed 48 89 c1 75 07 48 c1 e8 05 48 29 c1 <49> 8b 86 20 01 00 00 48 8b 15 36 54 4e 00 48 c1 e8 05 48 29 c2
RIP  [<ffffffff8109b05c>] __vm_enough_memory+0xe2/0x123
 RSP <ffff81002c61f990>
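The shape of the bug in the description and the oops above, as an added user-space model written for this page rather than kernel code: strict overcommit (vm.overcommit_memory=2) subtracts a slice of the calling process's own mapping size from the allowed total, and the pre-fix code fetched that size through current->mm, which is NULL for a kernel thread such as nfsd. The faulting instruction in the Code: line (mov 0x120(%r14),%rax with R14 = 0) is exactly that read, so CR2 = 0x120 is the field offset being loaded through the NULL mm. The memory sizes, struct layout and function names below are constructed stand-ins for __vm_enough_memory() and the security_vm_enough_memory*() wrappers, not the kernel's own definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's mm_struct: only the field this
 * check reads. */
struct mm_struct {
    unsigned long total_vm;      /* pages mapped by this address space */
};

/* Constructed system parameters, all in pages. */
static const unsigned long totalram_pages   = 1000000; /* RAM */
static const unsigned long total_swap_pages = 250000;  /* swap */
static const int sysctl_overcommit_ratio    = 50;      /* vm.overcommit_ratio */
static long committed_as = 0;                          /* pages already committed */

/* Strict-overcommit limit.  mm == NULL means "no user address space"
 * (a kernel thread such as nfsd), so the per-process reservation is
 * skipped instead of being read through a NULL pointer. */
static long strict_limit(const struct mm_struct *mm, bool cap_sys_admin)
{
    long allowed = (long)(totalram_pages * sysctl_overcommit_ratio / 100);
    if (!cap_sys_admin)
        allowed -= allowed / 32;          /* leave ~3% for root */
    allowed += (long)total_swap_pages;
    if (mm)                               /* the second upstream fix */
        allowed -= (long)(mm->total_vm / 32);  /* ~3% of this process for others */
    return allowed;
}

/* Pre-fix shape: the caller passed no mm and the check reached for
 * current->mm itself.  For nfsd that pointer is NULL and the read of
 * total_vm faults (offset 0x120 on the build in the oops above). */
static bool vm_enough_memory_before_fix(const struct mm_struct *current_mm,
                                        long pages, bool cap_sys_admin)
{
    long allowed = strict_limit(NULL, cap_sys_admin);
    allowed -= (long)(current_mm->total_vm / 32); /* unconditional: NULL crashes here */
    return committed_as + pages <= allowed;
}

/* Post-fix shape: the mm is an explicit argument, and a separate entry
 * point exists for callers that have no mm at all. */
static bool vm_enough_memory_mm(const struct mm_struct *mm, long pages,
                                bool cap_sys_admin)
{
    return committed_as + pages <= strict_limit(mm, cap_sys_admin);
}

static bool vm_enough_memory_kern(long pages, bool cap_sys_admin)
{
    return vm_enough_memory_mm(NULL, pages, cap_sys_admin);
}

/* Convenience wrapper: a user task with the given mapping size. */
static bool user_task_fits(unsigned long total_vm, long pages, bool cap_sys_admin)
{
    struct mm_struct mm = { .total_vm = total_vm };
    return vm_enough_memory_mm(&mm, pages, cap_sys_admin);
}

int main(void)
{
    printf("user task (32000 pages mapped), 733375 more: %s\n",
           user_task_fits(32000, 733375, false) ? "ok" : "denied");
    printf("user task (32000 pages mapped), 733376 more: %s\n",
           user_task_fits(32000, 733376, false) ? "ok" : "denied");
    /* nfsd path: no mm.  vm_enough_memory_before_fix() cannot be called
     * here without faulting; the post-fix entry point just skips the
     * per-process reservation. */
    printf("kernel thread, 734375 pages: %s\n",
           vm_enough_memory_kern(734375, false) ? "ok" : "denied");
    return 0;
}
```

The point for anyone auditing similar code: any path reachable from a kernel thread (nfsd, kworker-style helpers, anything that services requests on behalf of another task) must not assume current->mm is valid, and the fix here keeps the NULL-mm paths distinguishable rather than silently tolerating NULL everywhere, so the cases where a missing mm really is a bug still get caught.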
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and 5, as they did not include nfs-export support for tmpfs. A future kernel update in Red Hat Enterprise MRG will address this issue.
This issue has been addressed in the following products:

MRG for RHEL-5
Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html