It was found that out of memory (oom) killing a process that has large spans of mlocked memory can result in dereferencing a NULL pointer, leading to denial of service.
The issue arises from an oom killed process's final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas. This can happen synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked).
An upstream patch:
Name: David Rientjes (Google)
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1571596]
This was fixed for Fedora with the 4.15 rebases.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948