1. Patchew
  2. linux
  3. View series

[PATCH] unshare: Fix nsproxy leak on set_cred_ucounts() error path

Pavel Tikhomirov posted 1 patch 1 week, 6 days ago 
kernel/fork.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
[PATCH] unshare: Fix nsproxy leak on set_cred_ucounts() error path
Posted by Pavel Tikhomirov 1 week, 6 days ago 
If unshare_nsproxy_namespaces() successfully creates the new_nsproxy,
but then set_cred_ucounts() fails, on its error path there is no cleanup
for new_nsproxy, so it is leaked. Let's fix that by freeing new_nsproxy
if it's not NULL on this error path.

Fixes: 905ae01c4ae2a ("Add a reference to ucounts for each cred")
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 kernel/fork.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 3da0f08615a95..6f7332e3e0c8c 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3133,8 +3133,11 @@ int ksys_unshare(unsigned long unshare_flags)
 
 	if (new_cred) {
 		err = set_cred_ucounts(new_cred);
-		if (err)
+		if (err) {
+			if (new_nsproxy)
+				free_nsproxy(new_nsproxy);
 			goto bad_unshare_cleanup_cred;
+		}
 	}
 
 	if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
-- 
2.51.1
Re: [PATCH] unshare: Fix nsproxy leak on set_cred_ucounts() error path
Posted by Liam R. Howlett 1 week, 6 days ago 
* Pavel Tikhomirov <ptikhomirov@virtuozzo.com> [251118 01:46]:
> If unshare_nsproxy_namespaces() successfully creates the new_nsproxy,
> but then set_cred_ucounts() fails, on its error path there is no cleanup
> for new_nsproxy, so it is leaked. Let's fix that by freeing new_nsproxy
> if it's not NULL on this error path.

new_nsproxy may be set to an error pointer, but that case is handled
earlier in this function.  That's a pretty subtle detail.
unshare_nsproxy_namespaces() should probably set it to NULL if it's an
error.. everywhere else looks fine.

This fix looks good!

Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>

> 
> Fixes: 905ae01c4ae2a ("Add a reference to ucounts for each cred")
> Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
> ---
>  kernel/fork.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 3da0f08615a95..6f7332e3e0c8c 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -3133,8 +3133,11 @@ int ksys_unshare(unsigned long unshare_flags)
>  
>  	if (new_cred) {
>  		err = set_cred_ucounts(new_cred);
> -		if (err)
> +		if (err) {
> +			if (new_nsproxy)
> +				free_nsproxy(new_nsproxy);
>  			goto bad_unshare_cleanup_cred;
> +		}
>  	}
>  
>  	if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
> -- 
> 2.51.1
>
Re: [PATCH] unshare: Fix nsproxy leak on set_cred_ucounts() error path
Posted by Alexey Gladkov 1 week, 6 days ago 
On Tue, Nov 18, 2025 at 02:45:50PM +0800, Pavel Tikhomirov wrote:
> If unshare_nsproxy_namespaces() successfully creates the new_nsproxy,
> but then set_cred_ucounts() fails, on its error path there is no cleanup
> for new_nsproxy, so it is leaked. Let's fix that by freeing new_nsproxy
> if it's not NULL on this error path.
> 
> Fixes: 905ae01c4ae2a ("Add a reference to ucounts for each cred")
> Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>

Cc: stable@vger.kernel.org 
Acked-by: Alexey Gladkov <legion@kernel.org>

> ---
>  kernel/fork.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 3da0f08615a95..6f7332e3e0c8c 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -3133,8 +3133,11 @@ int ksys_unshare(unsigned long unshare_flags)
>  
>  	if (new_cred) {
>  		err = set_cred_ucounts(new_cred);
> -		if (err)
> +		if (err) {
> +			if (new_nsproxy)
> +				free_nsproxy(new_nsproxy);
>  			goto bad_unshare_cleanup_cred;
> +		}
>  	}
>  
>  	if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
> -- 
> 2.51.1
> 

-- 
Rgrds, legion

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.