[PATCH] Fix failure path in alloc_pid()

[PATCH] Fix failure path in alloc_pid()

[Matthew Wilcox]

The failure path removes the allocated PIDs from the wrong namespace.
This could lead to us inadvertently reusing PIDs in the leaf namespace
and leaking PIDs in parent namespaces.

Fixes: 95846ecf9dac ("pid: replace pid bitmap implementation with IDR API")
Cc: <stable@vger.kernel.org>
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
---
 kernel/pid.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/pid.c b/kernel/pid.c
index b2f6c506035da..20881598bdfac 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -233,8 +233,10 @@ struct pid *alloc_pid(struct pid_namespace *ns)
 
 out_free:
 	spin_lock_irq(&pidmap_lock);
-	while (++i <= ns->level)
-		idr_remove(&ns->idr, (pid->numbers + i)->nr);
+	while (++i <= ns->level) {
+		upid = pid->numbers + i;
+		idr_remove(&upid->ns->idr, upid->nr);
+	}
 
 	/* On failure to allocate the first pid, reset the state */
 	if (ns->pid_allocated == PIDNS_ADDING)
-- 
2.19.2

Re: [PATCH] Fix failure path in alloc_pid()

[Linus Torvalds]

On Fri, Dec 28, 2018 at 7:22 AM Matthew Wilcox <willy@infradead.org> wrote:
>
> The failure path removes the allocated PIDs from the wrong namespace.
> This could lead to us inadvertently reusing PIDs in the leaf namespace
> and leaking PIDs in parent namespaces.

Applied,

             Linus