[PATCH 1/1] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure

Next message: Tim Kovalenko via B4 Relay: "[PATCH v2] gpu: nova-core: fix stack overflow in GSP memory allocation"
Previous message: Chris Arges: "Re: [PATCH 0/2] bnxt_en: Add XDP RSS hash metadata"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michal Grzedzicki

Date: Fri Feb 13 2026 - 14:40:38 EST

When set_cred_ucounts() fails in ksys_unshare() new_nsproxy is leaked.

Let's call put_nsproxy() if that happens.

Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred")
Signed-off-by: Michal Grzedzicki <mge@xxxxxxxx>
---
kernel/fork.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index e832da9d15a4..f6a5ed2067b7 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3175,11 +3175,10 @@ int ksys_unshare(unsigned long unshare_flags)
new_cred, new_fs);
if (err)
goto bad_unshare_cleanup_cred;
-
if (new_cred) {
err = set_cred_ucounts(new_cred);
if (err)
- goto bad_unshare_cleanup_cred;
+ goto bad_unshare_cleanup_nsproxy;
}

if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
@@ -3195,8 +3194,10 @@ int ksys_unshare(unsigned long unshare_flags)
shm_init_task(current);
}

- if (new_nsproxy)
+ if (new_nsproxy) {
switch_task_namespaces(current, new_nsproxy);
+ new_nsproxy = NULL;
+ }

task_lock(current);

@@ -3225,13 +3226,15 @@ int ksys_unshare(unsigned long unshare_flags)

perf_event_namespaces(current);

+bad_unshare_cleanup_nsproxy:
+ if (new_nsproxy)
+ put_nsproxy(new_nsproxy);
bad_unshare_cleanup_cred:
if (new_cred)
put_cred(new_cred);
bad_unshare_cleanup_fd:
if (new_fd)
put_files_struct(new_fd);
-
bad_unshare_cleanup_fs:
if (new_fs)
free_fs_struct(new_fs);
--
2.47.3