user namespace: fix copy_user_ns return value

When a CONFIG_USER_NS=n and a user tries to unshare some namespace other
than the user namespace, the dummy copy_user_ns returns NULL rather than
the old_ns.

This value then gets assigned to task->nsproxy->user_ns, so that a
subsequent setuid, which uses task->nsproxy->user_ns, causes a NULL
pointer deref.

Fix this by returning old_ns.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index bb320573bb9ee6ab216f28a138c9f1ce83ed5caf..1101b0ce878f67973d5037f7b651cabf1fb8d28e 100644 (file)
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -49,7 +49,7 @@ static inline struct user_namespace *copy_user_ns(int flags,
        if (flags & CLONE_NEWUSER)
                return ERR_PTR(-EINVAL);
 
-       return NULL;
+       return old_ns;
 }
 
 static inline void put_user_ns(struct user_namespace *ns)