Re: [PATCH] unshare: Fix nsproxy leak on set_cred_ucounts() error path
From: Liam R. Howlett
Date: Tue Nov 18 2025 - 16:35:16 EST
* Pavel Tikhomirov <ptikhomirov@xxxxxxxxxxxxx> [251118 01:46]:
> If unshare_nsproxy_namespaces() successfully creates the new_nsproxy,
> but then set_cred_ucounts() fails, on its error path there is no cleanup
> for new_nsproxy, so it is leaked. Let's fix that by freeing new_nsproxy
> if it's not NULL on this error path.
new_nsproxy may be set to an error pointer, but that case is handled
earlier in this function. That's a pretty subtle detail.
unshare_nsproxy_namespaces() should probably set it to NULL if it's an
error.. everywhere else looks fine.
This fix looks good!
Reviewed-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
>
> Fixes: 905ae01c4ae2a ("Add a reference to ucounts for each cred")
> Signed-off-by: Pavel Tikhomirov <ptikhomirov@xxxxxxxxxxxxx>
> ---
> kernel/fork.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 3da0f08615a95..6f7332e3e0c8c 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -3133,8 +3133,11 @@ int ksys_unshare(unsigned long unshare_flags)
>
> if (new_cred) {
> err = set_cred_ucounts(new_cred);
> - if (err)
> + if (err) {
> + if (new_nsproxy)
> + free_nsproxy(new_nsproxy);
> goto bad_unshare_cleanup_cred;
> + }
> }
>
> if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
> --
> 2.51.1
>