ucount: Make get_ucount a safe get_user replacement

When the ucount code was refactored to create get_ucount it was missed
that some of the contexts in which a rlimit is kept elevated can be
the only reference to the user/ucount in the system.

Ordinary ucount references exist in places that also have a reference
to the user namspace, but in POSIX message queues, the SysV shm code,
and the SIGPENDING code there is no independent user namespace
reference.

Inspection of the the user_namespace show no instance of circular
references between struct ucounts and the user_namespace.  So
hold a reference from struct ucount to i's user_namespace to
resolve this problem.

Link: https://lore.kernel.org/lkml/[email protected]/
Reported-by: Qian Cai <[email protected]>
Reported-by: Mathias Krause <[email protected]>
Tested-by: Mathias Krause <[email protected]>
Reviewed-by: Mathias Krause <[email protected]>
Reviewed-by: Alexey Gladkov <[email protected]>
Fixes: d646969 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
Fixes: 6e52a9f ("Reimplement RLIMIT_MSGQUEUE on top of ucounts")
Fixes: d7c9e99 ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
Cc: [email protected]
Signed-off-by: "Eric W. Biederman" <[email protected]>

Author: ebiederm

kernel/ucount.c

@@ -190,6 +190,7 @@ struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid)
 			kfree(new);
 		} else {
 			hlist_add_head(&new->node, hashent);
+			get_user_ns(new->ns);
 			spin_unlock_irq(&ucounts_lock);
 			return new;
 		}
@@ -210,6 +211,7 @@ void put_ucounts(struct ucounts *ucounts)
 	if (atomic_dec_and_lock_irqsave(&ucounts->count, &ucounts_lock, flags)) {
 		hlist_del_init(&ucounts->node);
 		spin_unlock_irqrestore(&ucounts_lock, flags);
+		put_user_ns(ucounts->ns);
 		kfree(ucounts);
 	}
 }