[PATCH 1/1] nsproxy: fix credential leak in prepare_nsset() on copy_fs_struct() failure

[Michal Grzedzicki]

nsset->flags is only set on the success path, so when copy_fs_struct()
fails put_nsset() sees flags == 0 and skips put_cred() for the
credential allocated by prepare_creds().

Set nsset->flags before copy_fs_struct() so put_nsset() performs
correct cleanup. This is safe because put_nsset() already checks
nsset->fs and nsset->nsproxy for NULL independently.

Fixes: f2a8d52e0a4d ("nsproxy: add struct nsset")
Signed-off-by: Michal Grzedzicki <mge@xxxxxxxx>
---
 kernel/nsproxy.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 259c4b4f1eeb..39ec77a2acc2 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -353,6 +353,9 @@ static int prepare_nsset(unsigned flags, struct nsset *nsset)
 	if (IS_ERR(nsset->nsproxy))
 		return PTR_ERR(nsset->nsproxy);
 
+	/* Set flags early so put_nsset() can clean up properly on failure. */
+	nsset->flags = flags;
+
 	if (flags & CLONE_NEWUSER)
 		nsset->cred = prepare_creds();
 	else
@@ -368,8 +371,6 @@ static int prepare_nsset(unsigned flags, struct nsset *nsset)
 		if (!nsset->fs)
 			goto out;
 	}
-
-	nsset->flags = flags;
 	return 0;
 
 out:
-- 
2.47.3