From: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> commit 99c31f9feda41d0f10d030dc04ba106c93295aa2 upstream. Any cred that is destined for use by commit_creds must have a non-NULL cred->ucounts field. Only curing credential construction is a NULL cred->ucounts valid. Only abort_creds, put_cred, and put_cred_rcu needs to deal with a cred with a NULL ucount. As set_cred_ucounts is non of those case don't confuse people by handling something that can not happen. Link: https://lkml.kernel.org/r/871r4irzds.fsf_-_@disp2133 Tested-by: Yu Zhao <yuzhao@xxxxxxxxxx> Reviewed-by: Alexey Gladkov <legion@xxxxxxxxxx> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- kernel/cred.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/kernel/cred.c +++ b/kernel/cred.c @@ -676,15 +676,14 @@ int set_cred_ucounts(struct cred *new) * This optimization is needed because alloc_ucounts() uses locks * for table lookups. */ - if (old_ucounts && old_ucounts->ns == new->user_ns && uid_eq(old_ucounts->uid, new->euid)) + if (old_ucounts->ns == new->user_ns && uid_eq(old_ucounts->uid, new->euid)) return 0; if (!(new_ucounts = alloc_ucounts(new->user_ns, new->euid))) return -EAGAIN; new->ucounts = new_ucounts; - if (old_ucounts) - put_ucounts(old_ucounts); + put_ucounts(old_ucounts); return 0; } Patches currently in stable-queue which might be from ebiederm@xxxxxxxxxxxx are queue-5.15/ucounts-handle-wrapping-in-is_ucounts_overlimit.patch queue-5.15/ucounts-enforce-rlimit_nproc-not-rlimit_nproc-1.patch queue-5.15/ucounts-move-rlimit_nproc-handling-after-set_user.patch queue-5.15/ucounts-base-set_cred_ucounts-changes-on-the-real-user.patch queue-5.15/ucounts-in-set_cred_ucounts-assume-new-ucounts-is-non-null.patch queue-5.15/rlimit-fix-rlimit_nproc-enforcement-failure-caused-by-capability-calls-in-set_user.patch