Re: [PATCH] fix freeing user_struct in user cache

[Hillf Danton]

On Fri, Dec 24, 2010 at 11:55 AM, Greg KH <gregkh@xxxxxxx> wrote:
> On Thu, Dec 23, 2010 at 08:52:34PM +0800, Hillf Danton wrote:
>> When racing on adding into user cache, the new allocated from mm slab
>> is freed without putting user namespace.
>>
>> Since the user namespace is already operated by getting, putting has
>> to be issued.
>>
>> btw, it could be freed out of lock?
>>
>> Signed-off-by: Hillf Danton <dhillf@xxxxxxxxx>
>> ---
>>
>> --- a/kernel/user.c  2010-11-01 19:54:12.000000000 +0800
>> +++ b/kernel/user.c  2010-12-23 20:42:00.000000000 +0800
>> @@ -158,6 +158,7 @@ struct user_struct *alloc_uid(struct use
>> Â Â Â Â Â Â Â spin_lock_irq(&uidhash_lock);
>> Â Â Â Â Â Â Â up = uid_hash_find(uid, hashent);
>> Â Â Â Â Â Â Â if (up) {
>> + Â Â Â Â Â Â Â Â Â Â put_user_ns(ns);
>> Â Â Â Â Â Â Â Â Â Â Â key_put(new->uid_keyring);
>> Â Â Â Â Â Â Â Â Â Â Â key_put(new->session_keyring);
>> Â Â Â Â Â Â Â Â Â Â Â kmem_cache_free(uid_cachep, new);
>
> Hm, are you sure about this? ÂAlso, why send this to me, did I last
> touch this?
>

sure with no doubt.

I do not know if you touched that last, but I received the following message,

On Tue, Dec 21, 2010 at 3:42 AM,  <gregkh@xxxxxxx> wrote:
>
> This is a note to let you know that I've just added the patch titled
>
>    bonding: Fix slave selection bug.
>
> to the 2.6.36-stable tree which can be found at:
>    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

so you were Cced since you charge patch delivered.

Cheers

Hillf

> confused,
>
> greg k-h
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/