tipc: Fix namespace violation in tipc_sk_fill_sock_diag

To fetch UID info for socket diagnostics, we determine the
namespace of user context using tipc socket instance. This
may cause namespace violation, as the kernel will remap based
on UID.

We fix this by fetching namespace info using the calling userspace
netlink socket.

Fixes: c30b70deb5f4 (tipc: implement socket diagnostics for AF_TIPC)
Reported-by: syzbot+326e587eff1074657718@syzkaller.appspotmail.com
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: GhantaKrishnamurthy MohanKrishna <mohan.krishna.ghanta.krishnamurthy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 2 insertions, 1 deletions

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 3e5eba30865e..cee6674a3bf4 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -3280,7 +3280,8 @@ int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct tipc_sock *tsk,
             nla_put_u32(skb, TIPC_NLA_SOCK_TIPC_STATE, (u32)sk->sk_state) ||
             nla_put_u32(skb, TIPC_NLA_SOCK_INO, sock_i_ino(sk)) ||
             nla_put_u32(skb, TIPC_NLA_SOCK_UID,
-                        from_kuid_munged(sk_user_ns(sk), sock_i_uid(sk))) ||
+                        from_kuid_munged(sk_user_ns(NETLINK_CB(skb).sk),
+                                         sock_i_uid(sk))) ||
             nla_put_u64_64bit(skb, TIPC_NLA_SOCK_COOKIE,
                               tipc_diag_gen_cookie(sk),
                               TIPC_NLA_SOCK_PAD))