When racing on adding into user cache, the new allocated from mm slab
is freed without putting user namespace.
Since the user namespace is already operated by getting, putting has
to be issued.
Signed-off-by: Hillf Danton <[email protected]>
---
--- a/kernel/user.c 2010-11-01 19:54:12.000000000 +0800
+++ b/kernel/user.c 2010-12-23 20:42:00.000000000 +0800
@@ -158,6 +158,7 @@ struct user_struct *alloc_uid(struct use
spin_lock_irq(&uidhash_lock);
up = uid_hash_find(uid, hashent);
if (up) {
+ put_user_ns(ns);
key_put(new->uid_keyring);
key_put(new->session_keyring);
kmem_cache_free(uid_cachep, new);
Quoting Hillf Danton ([email protected]):
> When racing on adding into user cache, the new allocated from mm slab
> is freed without putting user namespace.
>
> Since the user namespace is already operated by getting, putting has
> to be issued.
>
> Signed-off-by: Hillf Danton <[email protected]>
which was previously
> Acked-by: Serge Hallyn <[email protected]>
thanks again, Hillf.
> ---
>
> --- a/kernel/user.c 2010-11-01 19:54:12.000000000 +0800
> +++ b/kernel/user.c 2010-12-23 20:42:00.000000000 +0800
> @@ -158,6 +158,7 @@ struct user_struct *alloc_uid(struct use
> spin_lock_irq(&uidhash_lock);
> up = uid_hash_find(uid, hashent);
> if (up) {
> + put_user_ns(ns);
> key_put(new->uid_keyring);
> key_put(new->session_keyring);
> kmem_cache_free(uid_cachep, new);