On Tue, Nov 18, 2025 at 02:45:50PM +0800, Pavel Tikhomirov wrote:

If unshare_nsproxy_namespaces() successfully creates the new_nsproxy, but then set_cred_ucounts() fails, on its error path there is no cleanup for new_nsproxy, so it is leaked. Let's fix that by freeing new_nsproxy if it's not NULL on this error path.

Fixes: 905ae01c4ae2a ("Add a reference to ucounts for each cred") Signed-off-by: Pavel Tikhomirov ptikhomirov@virtuozzo.com

Cc: stable@vger.kernel.org Acked-by: Alexey Gladkov legion@kernel.org

---

kernel/fork.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/fork.c b/kernel/fork.c index 3da0f08615a95..6f7332e3e0c8c 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -3133,8 +3133,11 @@ int ksys_unshare(unsigned long unshare_flags) if (new_cred) { err = set_cred_ucounts(new_cred);

• if (err)
  

• if (err) {
  

• 	if (new_nsproxy)
  

• 		free_nsproxy(new_nsproxy);
  goto bad_unshare_cleanup_cred;
  

• }
  

  }

if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) { -- 2.51.1