[PATCH] ucounts: fix counter leak in inc_rlimit_get_ucounts()

From: Andrei Vagin
Date: Thu Oct 31 2024 - 00:56:26 EST

Next message: Binbin Wu: "Re: [PATCH v3 1/2] KVM: x86: Check hypercall's exit to userspace generically"
Previous message: kernel test robot: "Re: [PATCH v2 5/5] md/raid10: Atomic write support"
Next in thread: Alexey Gladkov: "Re: [PATCH] ucounts: fix counter leak in inc_rlimit_get_ucounts()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The inc_rlimit_get_ucounts() increments the specified rlimit counter and
then checks its limit. If the value exceeds the limit, the function
returns an error without decrementing the counter.

Fixes: 15bc01effefe ("ucounts: Fix signal ucount refcounting")
Tested-by: Roman Gushchin <roman.gushchin@xxxxxxxxx>
Co-debugged-by: Roman Gushchin <roman.gushchin@xxxxxxxxx>
Cc: Kees Cook <kees@xxxxxxxxxx>
Cc: Andrei Vagin <avagin@xxxxxxxxxx>
Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Cc: Alexey Gladkov <legion@xxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrei Vagin <avagin@xxxxxxxxxx>
---
kernel/ucount.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/kernel/ucount.c b/kernel/ucount.c
index 8c07714ff27d..16c0ea1cb432 100644
--- a/kernel/ucount.c
+++ b/kernel/ucount.c
@@ -328,13 +328,12 @@ long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type)
if (new != 1)
continue;
if (!get_ucounts(iter))
- goto dec_unwind;
+ goto unwind;
}
return ret;
-dec_unwind:
+unwind:
dec = atomic_long_sub_return(1, &iter->rlimit[type]);
WARN_ON_ONCE(dec < 0);
-unwind:
do_dec_rlimit_put_ucounts(ucounts, iter, type);
return 0;
}
--
2.47.0.163.g1226f6d8fa-goog

Next message: Binbin Wu: "Re: [PATCH v3 1/2] KVM: x86: Check hypercall's exit to userspace generically"
Previous message: kernel test robot: "Re: [PATCH v2 5/5] md/raid10: Atomic write support"
Next in thread: Alexey Gladkov: "Re: [PATCH] ucounts: fix counter leak in inc_rlimit_get_ucounts()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]