Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net

author: David S. Miller <davem@davemloft.net> 2011-08-20 19:39:12 +0200
committer: David S. Miller <davem@davemloft.net> 2011-08-20 19:39:12 +0200
commit: 823dcd2506fa369aeb8cbd26da5663efe2fda9a9 (patch)
tree: 853b3e3c05f0b9ee1b5df8464db19b7acc57150c /kernel/sys.c
parent: tg3: Update version to 3.120 (diff)
parent: ipv6: Fix ipv6_getsockopt for IPV6_2292PKTOPTIONS (diff)
download: linux-823dcd2506fa369aeb8cbd26da5663efe2fda9a9.tar.xz
linux-823dcd2506fa369aeb8cbd26da5663efe2fda9a9.zip
1 files changed, 11 insertions, 4 deletions
diff --git a/kernel/sys.c b/kernel/sys.c
index a101ba36c444..dd948a1fca4c 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -621,11 +621,18 @@ static int set_user(struct cred *new)
 	if (!new_user)
 		return -EAGAIN;
 
+	/*
+	 * We don't fail in case of NPROC limit excess here because too many
+	 * poorly written programs don't check set*uid() return code, assuming
+	 * it never fails if called by root.  We may still enforce NPROC limit
+	 * for programs doing set*uid()+execve() by harmlessly deferring the
+	 * failure to the execve() stage.
+	 */
 	if (atomic_read(&new_user->processes) >= rlimit(RLIMIT_NPROC) &&
-			new_user != INIT_USER) {
-		free_uid(new_user);
-		return -EAGAIN;
-	}
+			new_user != INIT_USER)
+		current->flags |= PF_NPROC_EXCEEDED;
+	else
+		current->flags &= ~PF_NPROC_EXCEEDED;
 
 	free_uid(new->user);
 	new->user = new_user;
author	David S. Miller <davem@davemloft.net>	2011-08-20 19:39:12 +0200
committer	David S. Miller <davem@davemloft.net>	2011-08-20 19:39:12 +0200
commit	823dcd2506fa369aeb8cbd26da5663efe2fda9a9 (patch)
tree	853b3e3c05f0b9ee1b5df8464db19b7acc57150c /kernel/sys.c
parent	tg3: Update version to 3.120 (diff)
parent	ipv6: Fix ipv6_getsockopt for IPV6_2292PKTOPTIONS (diff)
download	linux-823dcd2506fa369aeb8cbd26da5663efe2fda9a9.tar.xz linux-823dcd2506fa369aeb8cbd26da5663efe2fda9a9.zip