[PATCH] fix current->user->__count leak
authorAndrew Morton <akpm@osdl.org>
Sat, 5 Jul 2003 02:38:06 +0000 (19:38 -0700)
committerLinus Torvalds <torvalds@home.osdl.org>
Sat, 5 Jul 2003 02:38:06 +0000 (19:38 -0700)
From: Arvind Kandhare <arvind.kan@wipro.com>

When switch_uid is called, the reference count of the new user is
incremented twice.  I think the increment in the switch_uid is done because
of the reparent_to_init() function which does not increase the __count for
root user.

But if switch_uid is called from any other function, the reference count is
already incremented by the caller by calling alloc_uid for the new user.
Hence the count is incremented twice.  The user struct will not be deleted
even when there are no processes holding a reference count for it.  This
does not cause any problem currently because nothing is dependent on timely
deletion of the user struct.

kernel/exit.c
kernel/user.c

index ebc839b645a73f1dcd68b9822c0c4cb7968caa8d..c52fc310cb16e48cd0d0879fd58a687183d59ef9 100644 (file)
@@ -230,6 +230,7 @@ void reparent_to_init(void)
        /* signals? */
        security_task_reparent_to_init(current);
        memcpy(current->rlim, init_task.rlim, sizeof(*(current->rlim)));
+       atomic_inc(&(INIT_USER->__count));
        switch_uid(INIT_USER);
 
        write_unlock_irq(&tasklist_lock);
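Review bot: The added `atomic_inc(&(INIT_USER->__count));` sits in front of `switch_uid(INIT_USER);` with no comment, so the reason for a bare refcount bump is only recoverable from the commit message and the matching removal in kernel/user.c. A later cleanup could easily drop it as redundant and leave the root user_struct's count one short for every task that is reparented. I would put a comment directly above it, for example `/* switch_uid() takes over a reference on its argument; take one for INIT_USER here */`. The body of reparent_to_init() starts and ends outside this hunk, so I cannot see whether anything else there touches the count.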
index 592680d8cc68cbf7a6e64cb08409b594bf225e0b..86bd412b85dafebcf7ea4a5c80d07b08c0c22f80 100644 (file)
@@ -126,7 +126,6 @@ void switch_uid(struct user_struct *new_user)
         * we should be checking for it.  -DaveM
         */
        old_user = current->user;
-       atomic_inc(&new_user->__count);
        atomic_inc(&new_user->processes);
        atomic_dec(&old_user->processes);
        current->user = new_user;
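Review bot: With `atomic_inc(&new_user->__count);` removed, switch_uid() now stores `new_user` in `current->user` on the strength of a reference the caller must already hold, but nothing in the visible lines states that contract. A caller that passes a user_struct without holding a reference would leave `__count` one short, and the struct could then be released while a task still points at it. The description says the other callers get their reference from alloc_uid; those call sites are not on this page and each should be confirmed. I would extend the comment block above `old_user = current->user;` with `/* Caller must hold a reference on new_user; it is handed over to current->user here. */`. The function starts and ends outside the hunk, so how the old user's reference is dropped is not visible here.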