[CRIU] [PATCH] kernel: limit a value of ns_last_pid to (0, max_pid)

[Andrew Vagin]

The kernel doesn't check pid on a negative values, so if
you would try to write -2 in /proc/sys/kernel/ns_last_pid,
you will get a kernel panic.

In this case the next pid is -1, and alloc_pidmap will try to access
to a nonexistent pidmap.

map = &pid_ns->pidmap[pid/BITS_PER_PAGE];

Cc: Andrew Morton <akpm at linux-foundation.org>
Cc: Oleg Nesterov <oleg at redhat.com>
Cc: Eric W. Biederman <ebiederm at xmission.com>
Cc: Pavel Emelyanov <xemul at parallels.com>
Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
Signed-off-by: Andrew Vagin <avagin at openvz.org>
---
 kernel/pid_namespace.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index b3c7fd5..6144bab 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -232,15 +232,19 @@ static int pid_ns_ctl_handler(struct ctl_table *table, int write,
 	 */
 
 	tmp.data = &current->nsproxy->pid_ns->last_pid;
-	return proc_dointvec(&tmp, write, buffer, lenp, ppos);
+	return proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
 }
 
+extern int pid_max;
+static int zero = 0;
 static struct ctl_table pid_ns_ctl_table[] = {
 	{
 		.procname = "ns_last_pid",
 		.maxlen = sizeof(int),
 		.mode = 0666, /* permissions are checked in the handler */
 		.proc_handler = pid_ns_ctl_handler,
+		.extra1 = &zero,
+		.extra2 = &pid_max,
 	},
 	{ }
 };
-- 
1.7.1