Commit 731572d3 authored by Alan Cox's avatar Alan Cox Committed by Linus Torvalds

nfsd: fix vm overcommit crash

Junjiro R.  Okajima reported a problem where knfsd crashes if you are
using it to export shmemfs objects and run strict overcommit.  In this
situation the current->mm based modifier to the overcommit goes through a
NULL pointer.

We could simply check for NULL and skip the modifier but we've caught
other real bugs in the past from mm being NULL here - cases where we did
need a valid mm set up (eg the exec bug about a year ago).

To preserve the checks and get the logic we want shuffle the checking
around and add a new helper to the vm_ security wrappers

Also fix a current->mm reference in nommu that should use the passed mm

[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: fix build]
Reported-by: default avatarJunjiro R. Okajima <hooanon05@yahoo.co.jp>
Acked-by: default avatarJames Morris <jmorris@namei.org>
Signed-off-by: default avatarAlan Cox <alan@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 6c89161b
...@@ -1585,6 +1585,7 @@ int security_syslog(int type); ...@@ -1585,6 +1585,7 @@ int security_syslog(int type);
int security_settime(struct timespec *ts, struct timezone *tz); int security_settime(struct timespec *ts, struct timezone *tz);
int security_vm_enough_memory(long pages); int security_vm_enough_memory(long pages);
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
int security_vm_enough_memory_kern(long pages);
int security_bprm_alloc(struct linux_binprm *bprm); int security_bprm_alloc(struct linux_binprm *bprm);
void security_bprm_free(struct linux_binprm *bprm); void security_bprm_free(struct linux_binprm *bprm);
void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe); void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
...@@ -1820,6 +1821,11 @@ static inline int security_vm_enough_memory(long pages) ...@@ -1820,6 +1821,11 @@ static inline int security_vm_enough_memory(long pages)
return cap_vm_enough_memory(current->mm, pages); return cap_vm_enough_memory(current->mm, pages);
} }
static inline int security_vm_enough_memory_kern(long pages)
{
return cap_vm_enough_memory(current->mm, pages);
}
static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{ {
return cap_vm_enough_memory(mm, pages); return cap_vm_enough_memory(mm, pages);
......
...@@ -175,6 +175,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) ...@@ -175,6 +175,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
/* Don't let a single process grow too big: /* Don't let a single process grow too big:
leave 3% of the size of this process for other processes */ leave 3% of the size of this process for other processes */
if (mm)
allowed -= mm->total_vm / 32; allowed -= mm->total_vm / 32;
/* /*
......
...@@ -1454,7 +1454,8 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) ...@@ -1454,7 +1454,8 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
/* Don't let a single process grow too big: /* Don't let a single process grow too big:
leave 3% of the size of this process for other processes */ leave 3% of the size of this process for other processes */
allowed -= current->mm->total_vm / 32; if (mm)
allowed -= mm->total_vm / 32;
/* /*
* cast `allowed' as a signed long because vm_committed_space * cast `allowed' as a signed long because vm_committed_space
......
...@@ -161,8 +161,8 @@ static inline struct shmem_sb_info *SHMEM_SB(struct super_block *sb) ...@@ -161,8 +161,8 @@ static inline struct shmem_sb_info *SHMEM_SB(struct super_block *sb)
*/ */
static inline int shmem_acct_size(unsigned long flags, loff_t size) static inline int shmem_acct_size(unsigned long flags, loff_t size)
{ {
return (flags & VM_ACCOUNT)? return (flags & VM_ACCOUNT) ?
security_vm_enough_memory(VM_ACCT(size)): 0; security_vm_enough_memory_kern(VM_ACCT(size)) : 0;
} }
static inline void shmem_unacct_size(unsigned long flags, loff_t size) static inline void shmem_unacct_size(unsigned long flags, loff_t size)
...@@ -179,8 +179,8 @@ static inline void shmem_unacct_size(unsigned long flags, loff_t size) ...@@ -179,8 +179,8 @@ static inline void shmem_unacct_size(unsigned long flags, loff_t size)
*/ */
static inline int shmem_acct_block(unsigned long flags) static inline int shmem_acct_block(unsigned long flags)
{ {
return (flags & VM_ACCOUNT)? return (flags & VM_ACCOUNT) ?
0: security_vm_enough_memory(VM_ACCT(PAGE_CACHE_SIZE)); 0 : security_vm_enough_memory_kern(VM_ACCT(PAGE_CACHE_SIZE));
} }
static inline void shmem_unacct_blocks(unsigned long flags, long pages) static inline void shmem_unacct_blocks(unsigned long flags, long pages)
......
...@@ -198,14 +198,23 @@ int security_settime(struct timespec *ts, struct timezone *tz) ...@@ -198,14 +198,23 @@ int security_settime(struct timespec *ts, struct timezone *tz)
int security_vm_enough_memory(long pages) int security_vm_enough_memory(long pages)
{ {
WARN_ON(current->mm == NULL);
return security_ops->vm_enough_memory(current->mm, pages); return security_ops->vm_enough_memory(current->mm, pages);
} }
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{ {
WARN_ON(mm == NULL);
return security_ops->vm_enough_memory(mm, pages); return security_ops->vm_enough_memory(mm, pages);
} }
int security_vm_enough_memory_kern(long pages)
{
/* If current->mm is a kernel thread then we will pass NULL,
for this specific case that is fine */
return security_ops->vm_enough_memory(current->mm, pages);
}
int security_bprm_alloc(struct linux_binprm *bprm) int security_bprm_alloc(struct linux_binprm *bprm)
{ {
return security_ops->bprm_alloc_security(bprm); return security_ops->bprm_alloc_security(bprm);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment