Commit d6bbd515 authored by Linus Torvalds

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull pid allocation bug fix from Eric Biederman:
 "The replacement of the pid hash table and the pid bitmap with an idr
  resulted in an implementation that now fails more often in low memory
  situations, allowing fuzzers to observe bad behavior from a memory
  allocation failure during pid allocation.

  This is a small change to fix this by making the kernel more robust in
  the case of error. The non-error paths are left alone so the only
  danger is to the already broken error path. I have manually injected
  errors and verified that this new error handling works"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  pid: Handle failure to allocate the first pid in a pid namespace
parents 50d0f78f c0ee5549
...@@ -193,10 +193,8 @@ struct pid *alloc_pid(struct pid_namespace *ns) ...@@ -193,10 +193,8 @@ struct pid *alloc_pid(struct pid_namespace *ns)
} }
if (unlikely(is_child_reaper(pid))) { if (unlikely(is_child_reaper(pid))) {
if (pid_ns_prepare_proc(ns)) { if (pid_ns_prepare_proc(ns))
disable_pid_allocation(ns);
goto out_free; goto out_free;
}
} }
get_pid_ns(ns); get_pid_ns(ns);
...@@ -226,6 +224,10 @@ struct pid *alloc_pid(struct pid_namespace *ns) ...@@ -226,6 +224,10 @@ struct pid *alloc_pid(struct pid_namespace *ns)
while (++i <= ns->level) while (++i <= ns->level)
idr_remove(&ns->idr, (pid->numbers + i)->nr); idr_remove(&ns->idr, (pid->numbers + i)->nr);
/* On failure to allocate the first pid, reset the state */
if (ns->pid_allocated == PIDNS_ADDING)
idr_set_cursor(&ns->idr, 0);
spin_unlock_irq(&pidmap_lock); spin_unlock_irq(&pidmap_lock);
kmem_cache_free(ns->pid_cachep, pid); kmem_cache_free(ns->pid_cachep, pid);
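Review bot: The comment on the new reset in the out_free path says what is done but not what it depends on. The test `ns->pid_allocated == PIDNS_ADDING` is an exact match, so it only fires while the flag is still set and nothing has been counted. That is presumably why `disable_pid_allocation(ns)` was dropped from the `pid_ns_prepare_proc()` failure branch in the first hunk: if that helper clears the flag (its body is not visible here), re-adding the call would silently skip the reset. I would widen the comment to something like `/* First pid in this ns failed: rewind the idr cursor so a retry starts from the beginning. Relies on PIDNS_ADDING still being set, so do not disable allocation before reaching here. */`. Separately, the unchanged loop just above passes `&ns->idr` at every level while walking `pid->numbers + i`; whether ids at parent levels belong to a different idr cannot be judged from these lines, since alloc_pid starts and ends outside both hunks, and is worth confirming.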