Commit fe303ba7 authored by Eric Biggers's avatar Eric Biggers Committed by Greg Kroah-Hartman
Browse files

KEYS: allow reaching the keys quotas exactly

commit a08bf91c upstream.

If the sysctl 'kernel.keys.maxkeys' is set to some number n, then
actually users can only add up to 'n - 1' keys.  Likewise for
'kernel.keys.maxbytes' and the root_* versions of these sysctls.  But
these sysctls are apparently supposed to be *maximums*, as per their
names and all documentation I could find -- the keyrings(7) man page,
Documentation/security/keys/core.rst, and all the mentions of EDQUOT
meaning that the key quota was *exceeded* (as opposed to reached).

Thus, fix the code to allow reaching the quotas exactly.

Fixes: 0b77f5bf

 ("keys: make the keyring quotas controllable through /proc/sys")
Signed-off-by: default avatarEric Biggers <>
Signed-off-by: default avatarDavid Howells <>
Signed-off-by: default avatarJames Morris <>
Signed-off-by: default avatarGreg Kroah-Hartman <>
parent e69eb7e8
......@@ -265,8 +265,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
if (user->qnkeys + 1 >= maxkeys ||
user->qnbytes + quotalen >= maxbytes ||
if (user->qnkeys + 1 > maxkeys ||
user->qnbytes + quotalen > maxbytes ||
user->qnbytes + quotalen < user->qnbytes)
goto no_quota;
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment