[PATCH] find_user locking and leak fix

find_user() is being called from set/get_priority(), but it doesn't take the needed lock, and those callers were forgetting to drop the refcount which find_user() took.

[PATCH] find_user locking and leak fix
find_user() is being called from set/get_priority(), but it doesn't take the needed lock, and those callers were forgetting to drop the refcount which find_user() took.
475c3656 · Andrew Morton · Linus Torvalds · 5a80c2ea · 475c3656 · 475c3656
Commit 475c3656 authored May 10, 2004 by Andrew Morton Committed by Linus Torvalds May 10, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 1 deletion

kernel/sys.c kernel/sys.c +4 -0

kernel/user.c kernel/user.c +12 -1

No files found.
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -348,6 +348,8 @@ asmlinkage long sys_setpriority(int which, int who, int niceval)
 				if (p->uid == who)
 					error = set_one_prio(p, niceval, error);
 			while_each_thread(g, p);
+			if (who)
+				free_uid(user);		/* For find_user() */
 			break;
 	}
 out_unlock:
@@ -410,6 +412,8 @@ asmlinkage long sys_getpriority(int which, int who)
 						retval = niceval;
 				}
 			while_each_thread(g, p);
+			if (who)
+				free_uid(user);		/* for find_user() */
 			break;
 	}
 out_unlock:

--- a/kernel/user.c
+++ b/kernel/user.c
@@ -64,9 +64,20 @@ static inline struct user_struct *uid_hash_find(uid_t uid, struct list_head *has
 	return NULL;
 }

+/*
+ * Locate the user_struct for the passed UID.  If found, take a ref on it.  The
+ * caller must undo that ref with free_uid().
+ *
+ * If the user_struct could not be found, return NULL.
+ */
 struct user_struct *find_user(uid_t uid)
 {
-	return uid_hash_find(uid, uidhashentry(uid));
+	struct user_struct *ret;
+
+	spin_lock(&uidhash_lock);
+	ret = uid_hash_find(uid, uidhashentry(uid));
+	spin_unlock(&uidhash_lock);
+	return ret;
 }

 void free_uid(struct user_struct *up)