2.6.36-stable review patch. If anyone has any objections, please let us know.
------------------ From: Hillf Danton <[email protected]> commit 4ef9e11d6867f88951e30db910fa015300e31871 upstream. When racing on adding into user cache, the new allocated from mm slab is freed without putting user namespace. Since the user namespace is already operated by getting, putting has to be issued. Signed-off-by: Hillf Danton <[email protected]> Acked-by: Serge Hallyn <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- kernel/user.c | 1 + 1 file changed, 1 insertion(+) --- a/kernel/user.c +++ b/kernel/user.c @@ -157,6 +157,7 @@ struct user_struct *alloc_uid(struct use spin_lock_irq(&uidhash_lock); up = uid_hash_find(uid, hashent); if (up) { + put_user_ns(ns); key_put(new->uid_keyring); key_put(new->session_keyring); kmem_cache_free(uid_cachep, new); _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
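Review bot: In the `if (up)` branch the new `put_user_ns(ns);` drops the reference through the function argument `ns`, while the rest of the cleanup in that branch goes through `new` (`key_put(new->uid_keyring);`, `key_put(new->session_keyring);`). The hunk does not show where the matching get is taken, so a reader cannot confirm from these lines that every path reaching this branch has already taken the reference the put releases. A short comment naming the get it pairs with would make the refcount balance auditable in place. If the reference is stored on `new`, release it through that field so all the teardown of `new` reads consistently. As far as the visible context shows, the put also runs after `spin_lock_irq(&uidhash_lock);` with the lock still held, so the commit message should state that `put_user_ns()` is safe to call in atomic context here, or the put should be moved to after the unlock.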
