Skip to content
Commit 503f3f91 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Bruce Ashfield
Browse files

ucount: Make get_ucount a safe get_user replacement

commit 61956630e41032f05c1e95e85f715c8f317304b1 from
https://github.com/altera-opensource/linux-socfpga.git

[upstream commit f9d87929]

When the ucount code was refactored to create get_ucount it was missed
that some of the contexts in which a rlimit is kept elevated can be
the only reference to the user/ucount in the system.

Ordinary ucount references exist in places that also have a reference
to the user namspace, but in POSIX message queues, the SysV shm code,
and the SIGPENDING code there is no independent user namespace
reference.

Inspection of the the user_namespace show no instance of circular
references between struct ucounts and the user_namespace.  So
hold a reference from struct ucount to i's user_namespace to
resolve this problem.

Link: https://lore.kernel.org/lkml/YZV7Z+yXbsx9p3JN@fixkernel.com/


Reported-by: default avatarQian Cai <quic_qiancai@quicinc.com>
Reported-by: default avatarMathias Krause <minipli@grsecurity.net>
Tested-by: default avatarMathias Krause <minipli@grsecurity.net>
Reviewed-by: default avatarMathias Krause <minipli@grsecurity.net>
Reviewed-by: default avatarAlexey Gladkov <legion@kernel.org>
Fixes: d6469690 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
Fixes: 6e52a9f0 ("Reimplement RLIMIT_MSGQUEUE on top of ucounts")
Fixes: d7c9e99a ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
Cc: stable@vger.kernel.org
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarWenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: default avatarBruce Ashfield <bruce.ashfield@gmail.com>
parent a24ace15
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment