Serge E. Hallyn <se...@us.ibm.com> wrote:

> Yes, but no one will pull the user_struct off the list without
> taking the lock.
>
> what am I missing?

I believe that the hash link (uidhash_node) in the user_struct that is passed to uid_hash_remove() points to, and is pointed to by the user_namespace to which the user_struct belongs. In which case calling put_user_ns() may kfree the head pointer of the list _before_ hlist_del_init() is invoked - in which case hlist_del_init() will act upon freed memory.

At least, I think it works like this.

Anyway, I have no objection to your new patch.

Acked-by: David Howells <dhowe...@redhat.com>
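
The ordering concern raised in the message above, as a user-space model added here for illustration; it is not kernel code and not part of the original thread. The names `ns_model`, `user_model`, `put_ns`, `del_init` and `run_model` are hypothetical, and the model assumes the user holds the last reference to the namespace that owns the hash head.

```c
#include <stdlib.h>

/* User-space stand-ins for the kernel's hlist types. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
/* Hypothetical model: the namespace owns the hash head and is refcounted. */
struct ns_model { int refs, freed; struct hlist_head head; };
struct user_model { struct ns_model *ns; struct hlist_node node; };

static void add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first)
        h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* Last put only marks the namespace freed, so the demo never touches released memory. */
static void put_ns(struct ns_model *ns) { if (--ns->refs == 0) ns->freed = 1; }

/* Unlink as hlist_del_init() does; returns 1 if the store through pprev hits a freed head. */
static int del_init(struct user_model *u)
{
    struct hlist_node *n = &u->node;
    int stale = (n->pprev == &u->ns->head.first) && u->ns->freed;

    *n->pprev = n->next;          /* this is the write that lands in the list head */
    if (n->next)
        n->next->pprev = n->pprev;
    n->next = NULL;
    n->pprev = NULL;
    return stale;
}

/* unlink_first = 0: put, then unlink. unlink_first = 1: unlink, then put. */
int run_model(int unlink_first)
{
    struct ns_model *ns = calloc(1, sizeof *ns);
    struct user_model u = { .ns = ns };
    int stale;

    if (!ns) return -1;
    ns->refs = 1;                 /* assumption: the user holds the last reference */
    add_head(&u.node, &ns->head);
    if (unlink_first) { stale = del_init(&u); put_ns(ns); }
    else              { put_ns(ns); stale = del_init(&u); }
    free(ns);                     /* the real release happens only after the model has run */
    return stale;
}

int main(void) { return !(run_model(0) == 1 && run_model(1) == 0); }
```

In the model, dropping the reference first makes the unlink store land in a head already marked freed, while unlinking first does not.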