The failure path removes the allocated PIDs from the wrong namespace. This could lead to us inadvertently reusing PIDs in the leaf namespace and leaking PIDs in parent namespaces.
Fixes: 95846ecf9dac ("pid: replace pid bitmap implementation with IDR API")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew Wilcox willy@infradead.org
Acked-by: "Eric W. Biederman" ebiederm@xmission.com
Reviewed-by: Oleg Nesterov oleg@redhat.com
---
 kernel/pid.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/pid.c b/kernel/pid.c index b2f6c506035da..20881598bdfac 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -233,8 +233,10 @@ struct pid *alloc_pid(struct pid_namespace *ns)
out_free: spin_lock_irq(&pidmap_lock); - while (++i <= ns->level) - idr_remove(&ns->idr, (pid->numbers + i)->nr); + while (++i <= ns->level) { + upid = pid->numbers + i; + idr_remove(&upid->ns->idr, upid->nr); + }
/* On failure to allocate the first pid, reset the state */ if (ns->pid_allocated == PIDNS_ADDING)
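Review bot: in the out_free loop, `idr_remove(&upid->ns->idr, upid->nr)` is only correct if `upid->ns` was stored for every level above `i` before the jump to out_free, and the hunk does not show where that assignment happens. Please confirm that `ns` and `nr` are filled in together in the allocation loop, so the cleanup never dereferences an unset `upid->ns`. The old `&ns->idr` form looked plausible and compiled cleanly, so a one-line comment above the loop stating that each level's nr lives in that level's own namespace idr would help keep this from regressing.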
On Fri, Dec 28, 2018 at 7:22 AM Matthew Wilcox willy@infradead.org wrote:
The failure path removes the allocated PIDs from the wrong namespace. This could lead to us inadvertently reusing PIDs in the leaf namespace and leaking PIDs in parent namespaces.
Applied,
Linus
linux-stable-mirror@lists.linaro.org