From nobody Mon Jun 22 14:25:28 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 27756C433EF for ; Mon, 21 Mar 2022 11:34:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346771AbiCULf1 (ORCPT ); Mon, 21 Mar 2022 07:35:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42672 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235038AbiCULfY (ORCPT ); Mon, 21 Mar 2022 07:35:24 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E92B036168 for ; Mon, 21 Mar 2022 04:33:58 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KMXXT2HJwzfZN2; Mon, 21 Mar 2022 19:32:25 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Mon, 21 Mar 2022 19:33:56 +0800 From: Miaohe Lin To: , , CC: , , , Subject: [PATCH v3] mm/mlock: fix two bugs in user_shm_lock() Date: Tue, 22 Mar 2022 16:09:18 +0800 Message-ID: <20220322080918.59861-1-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" user_shm_lock forgets to set allowed to 0 when get_ucounts fails. So the later user_shm_unlock might do the extra dec_rlimit_ucounts. Also in the RLIM_INFINITY case, user_shm_lock will success regardless of the value of memlock where memblock =3D=3D LONG_MAX && !capable(CAP_IPC_LOCK) should fai= l. Fix all of these by changing the code to leave lock_limit at ULONG_MAX aka RLIM_INFINITY, leave "allowed" initialized to 0 and remove the special case of RLIM_INFINITY as nothing can be greater than ULONG_MAX. Credit goes to Eric W. Biederman for proposing simplifying the code and thus catching the later bug. Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts") Signed-off-by: Miaohe Lin --- v2->v3: simplify the code and fix another bug per Eric. Thanks Eric for discussio= n. drop Acked-by tag as the code changes. Sorry Hugh. v1->v2: correct Fixes tag and collect Acked-by tag. Thanks Hugh for review! --- mm/mlock.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/mm/mlock.c b/mm/mlock.c index 25934e7db3e1..37f969ec68fa 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -827,13 +827,12 @@ int user_shm_lock(size_t size, struct ucounts *ucount= s) =20 locked =3D (size + PAGE_SIZE - 1) >> PAGE_SHIFT; lock_limit =3D rlimit(RLIMIT_MEMLOCK); - if (lock_limit =3D=3D RLIM_INFINITY) - allowed =3D 1; - lock_limit >>=3D PAGE_SHIFT; + if (lock_limit !=3D RLIM_INFINITY) + lock_limit >>=3D PAGE_SHIFT; spin_lock(&shmlock_user_lock); memlock =3D inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); =20 - if (!allowed && (memlock =3D=3D LONG_MAX || memlock > lock_limit) && !cap= able(CAP_IPC_LOCK)) { + if ((memlock =3D=3D LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC= _LOCK)) { dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); goto out; } --=20 2.23.0