From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C9FD73A3833; Wed, 20 May 2026 16:50:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779295805; cv=none; b=L4GqXcjXreKKbW8ZXZIZTRKS3I70UADnMv7j6bpKbMb+KRdk3Lm2Dw3lGZKCcVncqhI0TODICboPYIHfzcS/5X5AbotcFfNMhWRbSF1/9GtQGNzBLLkA1Sb+uZ+EeKb8HIHg+qbqpq9C4pY0d+glvYNO63VlOquDynv3Ou50PIM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779295805; c=relaxed/simple; bh=p3XqMivfBu2QuUrw7EXqMhoEcJH5Mo3/wFtk+iD3cBA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YO5g6UMCNuhhqnhFvyYEJgoyUAE1yZmtQQ7Y60o/G5BC0pBqfKpn0hrmdSpzl0IQ5WaybGDkozaKOYCsTuOVAFkS3rryHRu4NIyrN9Epjqlr2Ydti7H0PCG6mwPfDdlvI0e/wDNORzr88noRyn1iJukuN+pEM9BtI/oYkkV9Lds= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=KJV4fBSd; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="KJV4fBSd" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DFCC01F000E9; Wed, 20 May 2026 16:50:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1779295803; bh=5MIKsYncANgWrjed1fZJKKde4Y8owVSNfSdmE0mlBwA=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=KJV4fBSdJC2Iaj8cx259jFZQyQrzBoDeQm5+KKvql729RnQMI9mXn7BuZ/yZEO0nt 4aomke0V+UPRqpp+Ntpmgtf7YaqiLa0Kieapfsmbm8hbM7eJyap5SuBrineGD4iR8r PfJEtef6Qz9d0lGmnwMAKPg1bk0RAm0ZPYn6gFUY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Michal Grzedzicki , Andrew Morton , "Alexey Gladkov (Intel)" , Ben Segall , David Hildenbrand , Dietmar Eggemann , Ingo Molnar , Juri Lelli , Kees Cook , "Liam R. Howlett" , "Lorenzo Stoakes (Oracle)" , Mel Gorman , Michal Hocko , Mike Rapoport , Peter Zijlstra , Steven Rostedt , Suren Baghdasaryan , Valentin Schneider , Vincent Guittot , Vlastimil Babka , Sasha Levin Subject: [PATCH 7.0 0556/1146] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Date: Wed, 20 May 2026 18:13:26 +0200 Message-ID: <20260520162200.763446686@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260520162148.390695140@linuxfoundation.org> References: <20260520162148.390695140@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 7.0-stable review patch. If anyone has any objections, please let me know. ------------------ From: Michal Grzedzicki [ Upstream commit a98621a0f187a934c115dcfe79a49520ae892111 ] When set_cred_ucounts() fails in ksys_unshare() new_nsproxy is leaked. Let's call put_nsproxy() if that happens. Link: https://lkml.kernel.org/r/20260213193959.2556730-1-mge@meta.com Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred") Signed-off-by: Michal Grzedzicki Reviewed-by: Andrew Morton Cc: Alexey Gladkov (Intel) Cc: Ben Segall Cc: David Hildenbrand Cc: Dietmar Eggemann Cc: Ingo Molnar Cc: Juri Lelli Cc: Kees Cook Cc: "Liam R. Howlett" Cc: Lorenzo Stoakes (Oracle) Cc: Mel Gorman Cc: Michal Hocko Cc: Mike Rapoport Cc: Peter Zijlstra Cc: Steven Rostedt Cc: Suren Baghdasaryan Cc: Valentin Schneider Cc: Vincent Guittot Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin --- kernel/fork.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index 2383c25b9fd49..87f3b8d48c0db 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -3176,11 +3176,10 @@ int ksys_unshare(unsigned long unshare_flags) new_cred, new_fs); if (err) goto bad_unshare_cleanup_cred; - if (new_cred) { err = set_cred_ucounts(new_cred); if (err) - goto bad_unshare_cleanup_cred; + goto bad_unshare_cleanup_nsproxy; } if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) { @@ -3196,8 +3195,10 @@ int ksys_unshare(unsigned long unshare_flags) shm_init_task(current); } - if (new_nsproxy) + if (new_nsproxy) { switch_task_namespaces(current, new_nsproxy); + new_nsproxy = NULL; + } task_lock(current); @@ -3226,13 +3227,15 @@ int ksys_unshare(unsigned long unshare_flags) perf_event_namespaces(current); +bad_unshare_cleanup_nsproxy: + if (new_nsproxy) + put_nsproxy(new_nsproxy); bad_unshare_cleanup_cred: if (new_cred) put_cred(new_cred); bad_unshare_cleanup_fd: if (new_fd) put_files_struct(new_fd); - bad_unshare_cleanup_fs: if (new_fs) free_fs_struct(new_fs); -- 2.53.0