[PATCH] unshare: Fix nsproxy leak on set_cred_ucounts() error path
From: Pavel Tikhomirov
Date: Tue Nov 18 2025 - 01:46:40 EST
If unshare_nsproxy_namespaces() successfully creates the new_nsproxy,
but then set_cred_ucounts() fails, on its error path there is no cleanup
for new_nsproxy, so it is leaked. Let's fix that by freeing new_nsproxy
if it's not NULL on this error path.
Fixes: 905ae01c4ae2a ("Add a reference to ucounts for each cred")
Signed-off-by: Pavel Tikhomirov <ptikhomirov@xxxxxxxxxxxxx>
---
kernel/fork.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 3da0f08615a95..6f7332e3e0c8c 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3133,8 +3133,11 @@ int ksys_unshare(unsigned long unshare_flags)
if (new_cred) {
err = set_cred_ucounts(new_cred);
- if (err)
+ if (err) {
+ if (new_nsproxy)
+ free_nsproxy(new_nsproxy);
goto bad_unshare_cleanup_cred;
+ }
}
if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
--
2.51.1