Nagarathnam Muthusamy writes:

> Hi Eric,
>
>     From
> https://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git/tree/ipc/shm.c?h=for-next
>
> It looks like if the following condition in Line 616 succeeds
>
> error = PTR_ERR(file);
> if (IS_ERR(file))
>     goto no_file;
>
> we get to no_file with garbage value in shm_cprid. An attempt to
> put_pid on this garbage value might be causing panic.
>
> We could initialize shm_cprid to NULL as soon as it was created.

Yes. I misread the kvmalloc as a kvzalloc.

I am planning on placing the pid freeing under the no_id label
instead of the no_file label. Which should also avoid the issue.

It is a rare enough issue an incremental patch should be fine.

Eric
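A userspace model of the label ordering discussed in the message above, as an added example that is not code from the kernel tree or from this thread. The names `new_seg`, `put_ref`, `struct seg` and `struct pid_ref` are hypothetical; `malloc` stands in for a non-zeroing allocator, and the reference is released under `no_id`, which is reachable only after the field has been assigned.

```c
#include <stdlib.h>
#include <string.h>

/* Userspace model; every name here is hypothetical, not kernel code. */
struct pid_ref { int refs; };
struct seg { struct pid_ref *cprid; int has_file; };

static int put_calls;                    /* number of releases performed */
static int bad_put;                      /* set if a never-assigned pointer is released */
static struct pid_ref the_pid = { 1 };   /* the only valid reference target */

static void put_ref(struct pid_ref *p)
{
    put_calls++;
    if (p != &the_pid) {                 /* stands in for the fault a stale pointer causes */
        bad_put = 1;
        return;
    }
    p->refs--;
}

/* fail_file / fail_id select which setup step fails. Returns 0 or -1. */
int new_seg(int fail_file, int fail_id)
{
    struct seg *s = malloc(sizeof(*s));  /* non-zeroing allocation */
    if (!s)
        return -1;
    memset(s, 0xA5, sizeof(*s));         /* make the stale contents deterministic */

    if (fail_file)
        goto no_file;                    /* cprid has not been assigned yet */
    s->has_file = 1;

    the_pid.refs++;                      /* reference is taken only at this point */
    s->cprid = &the_pid;

    if (fail_id)
        goto no_id;

    put_ref(s->cprid);                   /* model only: tear down at once on success */
    free(s);
    return 0;

no_id:
    put_ref(s->cprid);                   /* safe: cprid is valid on every path here */
    s->has_file = 0;
no_file:
    free(s);                             /* no pid release on this path */
    return -1;
}
```
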