From: Eric W. Biederman <ebiederm@xmission.com>
Date: Thu, 10 Feb 2022 00:09:41 +0000 (-0600)
Subject: ucounts: Handle wrapping in is_ucounts_overlimit
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=d464492eb3917e8a1be67c5aa6a4ad8fe7551652;p=linux.git

ucounts: Handle wrapping in is_ucounts_overlimit

commit 0cbae9e24fa7d6c6e9f828562f084da82217a0c5 upstream.

While examining is_ucounts_overlimit and reading the various messages
I realized that is_ucounts_overlimit fails to deal with counts that
may have wrapped.

Being wrapped should be a transitory state for counts and they should
never be wrapped for long, but it can happen so handle it.

Cc: stable@vger.kernel.org
Fixes: 21d1c5e386bc ("Reimplement RLIMIT_NPROC on top of ucounts")
Link: https://lkml.kernel.org/r/20220216155832.680775-5-ebiederm@xmission.com
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/kernel/ucount.c b/kernel/ucount.c
index 804f64799fc14..a1d67261501a6 100644
--- a/kernel/ucount.c
+++ b/kernel/ucount.c
@@ -344,7 +344,8 @@ bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsign
 	if (rlimit > LONG_MAX)
 		max = LONG_MAX;
 	for (iter = ucounts; iter; iter = iter->ns->ucounts) {
-		if (get_ucounts_value(iter, type) > max)
+		long val = get_ucounts_value(iter, type);
+		if (val < 0 || val > max)
 			return true;
 		max = READ_ONCE(iter->ns->ucount_max[type]);
 	}