fix freeing user_struct in user cache

commit 4ef9e11d6867f88951e30db910fa015300e31871 upstream. When racing on adding into user cache, the new allocated from mm slab is freed without putting user namespace. Since the user namespace is already operated by getting, putting has to be issued. Signed-off-by: Hillf Danton <dhillf@gmail.com> Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Hillf Danton <dhillf@gmail.com> 2010-12-29 21:55:28 +0800
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-01-07 13:58:42 -0800
commit: c9009e7208be5a127d302a63602af1a6f15b17d9 (patch)
tree: dbc63cf1f5596097ecf434f601c4955308c04476
parent: 3c1d55408817cce6fb21d95b1cad3ba0af041c9f (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/kernel/user.c b/kernel/user.c
index 7e72614b736d..8ce395f74d47 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -157,6 +157,7 @@ struct user_struct *alloc_uid(struct user_namespace *ns, uid_t uid)
 		spin_lock_irq(&uidhash_lock);
 		up = uid_hash_find(uid, hashent);
 		if (up) {
+			put_user_ns(ns);
 			key_put(new->uid_keyring);
 			key_put(new->session_keyring);
 			kmem_cache_free(uid_cachep, new);
author	Hillf Danton <dhillf@gmail.com>	2010-12-29 21:55:28 +0800
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-01-07 13:58:42 -0800
commit	c9009e7208be5a127d302a63602af1a6f15b17d9 (patch)
tree	dbc63cf1f5596097ecf434f601c4955308c04476
parent	3c1d55408817cce6fb21d95b1cad3ba0af041c9f (diff)