fix freeing user_struct in user cache

When racing on adding into user cache, the new allocated from mm slab
is freed without putting user namespace.

Since the user namespace is already operated by getting, putting has
to be issued.

Signed-off-by: Hillf Danton <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Cc: [email protected]
Signed-off-by: Linus Torvalds <[email protected]>

diff --git a/kernel/user.c b/kernel/user.c
index 2c7d8d5914b188be65c36a686a81fba7eed07d8c..5c598ca781df4bf6f907043ed1d43f98b3b7ef58 100644 (file)
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -158,6 +158,7 @@ struct user_struct *alloc_uid(struct user_namespace *ns, uid_t uid)
                spin_lock_irq(&uidhash_lock);
                up = uid_hash_find(uid, hashent);
                if (up) {
+                       put_user_ns(ns);
                        key_put(new->uid_keyring);
                        key_put(new->session_keyring);
                        kmem_cache_free(uid_cachep, new);