Fix failure path in alloc_pid()

commit 1a80dade upstream. The failure path removes the allocated PIDs from the wrong namespace. This could lead to us inadvertently reusing PIDs in the leaf namespace and leaking PIDs in parent namespaces. Fixes: 95846ecf ("pid: replace pid bitmap implementation with IDR API") Cc: <stable@vger.kernel.org> Signed-off-by: Matthew Wilcox <willy@infradead.org> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fix failure path in alloc_pid()
commit 1a80dade upstream. The failure path removes the allocated PIDs from the wrong namespace. This could lead to us inadvertently reusing PIDs in the leaf namespace and leaking PIDs in parent namespaces. Fixes: 95846ecf ("pid: replace pid bitmap implementation with IDR API") Cc: <stable@vger.kernel.org> Signed-off-by: Matthew Wilcox <willy@infradead.org> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
a8544919 · Matthew Wilcox · Greg Kroah-Hartman · 5781b53d · a8544919
Commit a8544919 authored Dec 28, 2018 by Matthew Wilcox Committed by Greg Kroah-Hartman Jan 13, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

kernel/pid.c kernel/pid.c +4 -2

No files found.
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -233,8 +233,10 @@ struct pid *alloc_pid(struct pid_namespace *ns)
 out_free:
 	spin_lock_irq(&pidmap_lock);
-	while (++i <= ns->level)
+	while (++i <= ns->level) {
-		idr_remove(&ns->idr, (pid->numbers + i)->nr);
+		upid = pid->numbers + i;
+		idr_remove(&upid->ns->idr, upid->nr);
+	}
 	/* On failure to allocate the first pid, reset the state */
 	if (ns->pid_allocated == PIDNS_ADDING)