Commit 7fc4c64b authored by Andrew Morton, committed by Linus Torvalds

[PATCH] fix current->user->__count leak

From: Arvind Kandhare <arvind.kan@wipro.com>

When switch_uid is called, the reference count of the new user is
incremented twice.  I think the increment in switch_uid is done because of
the reparent_to_init() function, which does not increase the __count for the
root user.

But if switch_uid is called from any other function, the reference count is
already incremented by the caller by calling alloc_uid for the new user.
Hence the count is incremented twice.  The user struct will not be deleted
even when there are no processes holding a reference count for it.  This
does not cause any problem currently because nothing is dependent on timely
deletion of the user struct.
parent 0d98604b
...@@ -230,6 +230,7 @@ void reparent_to_init(void) ...@@ -230,6 +230,7 @@ void reparent_to_init(void)
/* signals? */ /* signals? */
security_task_reparent_to_init(current); security_task_reparent_to_init(current);
memcpy(current->rlim, init_task.rlim, sizeof(*(current->rlim))); memcpy(current->rlim, init_task.rlim, sizeof(*(current->rlim)));
atomic_inc(&(INIT_USER->__count));
switch_uid(INIT_USER); switch_uid(INIT_USER);
write_unlock_irq(&tasklist_lock); write_unlock_irq(&tasklist_lock);
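Review bot: the bare atomic_inc(&(INIT_USER->__count)) added before switch_uid(INIT_USER) carries no comment saying why this caller, unlike the others, takes the reference itself; a one-line note that switch_uid() now consumes a reference the caller already owns (normally the one alloc_uid() returned) and that reparent_to_init() reaches INIT_USER without going through alloc_uid() would stop the next reader from treating the increment as a stray leftover. The increment is done under the tasklist_lock write lock, which is harmless for an atomic but worth stating is not what makes it safe.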
...@@ -126,7 +126,6 @@ void switch_uid(struct user_struct *new_user) ...@@ -126,7 +126,6 @@ void switch_uid(struct user_struct *new_user)
* we should be checking for it. -DaveM * we should be checking for it. -DaveM
*/ */
old_user = current->user; old_user = current->user;
atomic_inc(&new_user->__count);
atomic_inc(&new_user->processes); atomic_inc(&new_user->processes);
atomic_dec(&old_user->processes); atomic_dec(&old_user->processes);
current->user = new_user; current->user = new_user;
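Review bot: dropping atomic_inc(&new_user->__count) changes switch_uid()'s contract to "the caller passes in a reference it owns and switch_uid() takes it over", but nothing in the function or in the comment block that ends just above (the -DaveM note) records that rule; document it at the function head and confirm every caller obtains new_user via alloc_uid() or an explicit increment, because a caller that passes an unowned pointer would now drive __count below what it holds once the old user is released. The visible lines do not show where old_user's __count is dropped, so check that the existing release of old_user is unchanged and that the two sides now balance.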
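As an added illustration, not the kernel's code and not part of this commit page: a userland model of the reference-counting contract the patch changes. The uid table, the INIT_USER stand-in, the task struct and the refs_left_after_exit() driver are all constructed for the example; switch_uid_buggy() keeps the pre-patch extra increment and switch_uid_fixed() drops it, and the driver walks one task through alloc_uid(), switch_uid() and exit to show which variant leaves a user_struct that can never be reclaimed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_USERS 16

/* Minimal stand-in for the kernel's struct user_struct. */
struct user_struct {
    atomic_int __count;    /* references held; reclaimed when it reaches zero */
    atomic_int processes;  /* tasks currently running with this uid */
    unsigned int uid;
    bool live;             /* allocated and not yet reclaimed */
};

struct task {
    struct user_struct *user;   /* plays the role of current->user */
};

/* Constructed stand-ins for uidhash_table and INIT_USER (root_user). */
static struct user_struct uidtab[MAX_USERS];
static struct user_struct root_user = { .__count = 1, .uid = 0, .live = true };
#define INIT_USER (&root_user)

/* alloc_uid(): look up or create the user_struct for uid and hand the
 * caller one reference on it. */
struct user_struct *alloc_uid(unsigned int uid)
{
    if (uid == 0) {
        atomic_fetch_add(&root_user.__count, 1);
        return INIT_USER;
    }
    for (int i = 0; i < MAX_USERS; i++)
        if (uidtab[i].live && uidtab[i].uid == uid) {
            atomic_fetch_add(&uidtab[i].__count, 1);
            return &uidtab[i];
        }
    for (int i = 0; i < MAX_USERS; i++)
        if (!uidtab[i].live) {
            uidtab[i].uid = uid;
            uidtab[i].live = true;
            atomic_store(&uidtab[i].__count, 1);
            atomic_store(&uidtab[i].processes, 0);
            return &uidtab[i];
        }
    return NULL;  /* table full */
}

/* free_uid(): drop one reference; reclaim on the last one. The root user is
 * a static object in the kernel as well and is never reclaimed. */
void free_uid(struct user_struct *up)
{
    if (atomic_fetch_sub(&up->__count, 1) == 1 && up != INIT_USER)
        up->live = false;
}

/* switch_uid() before the patch: takes its own reference on new_user even
 * though the caller already obtained one from alloc_uid(). */
void switch_uid_buggy(struct task *t, struct user_struct *new_user)
{
    struct user_struct *old_user = t->user;
    atomic_fetch_add(&new_user->__count, 1);   /* the line the patch removes */
    atomic_fetch_add(&new_user->processes, 1);
    atomic_fetch_sub(&old_user->processes, 1);
    t->user = new_user;
    free_uid(old_user);
}

/* switch_uid() after the patch: the caller's reference is transferred to
 * the task, so no further increment is taken. */
void switch_uid_fixed(struct task *t, struct user_struct *new_user)
{
    struct user_struct *old_user = t->user;
    atomic_fetch_add(&new_user->processes, 1);
    atomic_fetch_sub(&old_user->processes, 1);
    t->user = new_user;
    free_uid(old_user);
}

/* Hypothetical driver: one task starts as root, switches to uid the way a
 * setuid caller does (alloc_uid() then switch_uid()), and exits. Returns the
 * __count left on uid's user_struct once no task holds it: 0 means it was
 * reclaimed, anything else is the leak the commit message describes. */
int refs_left_after_exit(void (*switch_uid)(struct task *, struct user_struct *),
                         unsigned int uid)
{
    struct task t = { .user = INIT_USER };
    atomic_fetch_add(&root_user.__count, 1);       /* task's reference on root */
    atomic_fetch_add(&root_user.processes, 1);

    struct user_struct *up = alloc_uid(uid);       /* caller's reference */
    switch_uid(&t, up);

    atomic_fetch_sub(&t.user->processes, 1);       /* exit releases the task's user */
    free_uid(t.user);

    int left = atomic_load(&up->__count);
    while (atomic_load(&up->__count) > 0)          /* drop leaked refs so the slot is reusable */
        free_uid(up);
    return left;
}

int main(void)
{
    printf("pre-patch switch_uid leaves %d ref(s)\n", refs_left_after_exit(switch_uid_buggy, 1000));
    printf("patched   switch_uid leaves %d ref(s)\n", refs_left_after_exit(switch_uid_fixed, 1000));
    return 0;
}
```

The model keeps the kernel's ownership rule after the patch: whoever calls switch_uid() must already own a reference on new_user, which is why reparent_to_init(), which never goes through alloc_uid(), now takes one explicitly before the call.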