Quoting David Howells (dhowells@xxxxxxxxxx):
> Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
>
> > Yes, but no one will pull the user_struct off the list without
> > taking the lock.
> >
> > what am I missing?
>
> I believe that the hash link (uidhash_node) in the user_struct that is passed
> to uid_hash_remove() points to, and is pointed to by the user_namespace to
> which the user_struct belongs.
>
> In which case calling put_user_ns() may kfree the head pointer of the list
> _before_ hlist_del_init() is invoked - in which case hlist_del_init() will act
> upon freed memory.
>
> At least, I think it works like this.

Yikes, you're right.  I was thinking there was one hash table with the
key calculated from ns+uid, but instead each ns has its own hash table
keyed on uid.

> Anyway, I have no objection to your new patch.
>
> Acked-by: David Howells <dhowells@xxxxxxxxxx>

thanks,
-serge
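
Added example, not part of the original thread and not kernel code: a userspace C model of the ordering problem discussed above, where the first node's back-pointer lives inside the namespace that owns the hash heads. The names `hnode`, `ns`, `user`, `put_ns`, `pprev_in_ns` and `release_user` are assumptions made for illustration, and release is recorded in a `freed` flag instead of calling `free()` so the model can report the bad write rather than perform it.

```c
#include <stddef.h>
#include <stdint.h>
/* Userspace model of the layout described in the thread; not kernel code. */
struct hnode { struct hnode *next, **pprev; };
#define NBUCKETS 4
struct ns {
    int refs;                     /* model: one reference per hashed user */
    int freed;                    /* set instead of free() so the model can inspect it */
    struct hnode *hash[NBUCKETS]; /* each namespace owns its own table, keyed on uid */
};
struct user { unsigned uid; struct ns *ns; struct hnode node; };

static void hash_add(struct ns *ns, struct user *u)
{
    struct hnode **head = &ns->hash[u->uid % NBUCKETS];
    u->node.next = *head;
    if (*head)
        (*head)->pprev = &u->node.next;
    *head = &u->node;
    u->node.pprev = head;         /* for the first node this points INTO *ns */
    u->ns = ns; ns->refs++;
}

static void put_ns(struct ns *ns)
{
    if (--ns->refs == 0) ns->freed = 1; /* kernel equivalent: kfree(ns), heads included */
}

/* True when the node's back-pointer lands inside the namespace's head array. */
static int pprev_in_ns(const struct user *u)
{
    uintptr_t p = (uintptr_t)u->node.pprev, lo = (uintptr_t)u->ns->hash;
    return p >= lo && p < lo + sizeof u->ns->hash;
}

/* Returns 1 if the unlink would have written into a released namespace. */
static int release_user(struct user *u, int unlink_first)
{
    struct ns *ns = u->ns;
    if (!unlink_first) put_ns(ns); /* the ordering the thread identifies as unsafe */
    int uaf = ns->freed && pprev_in_ns(u);
    if (!uaf) {                    /* same pointer writes as hlist_del_init() */
        *u->node.pprev = u->node.next;
        if (u->node.next) u->node.next->pprev = u->node.pprev;
        u->node.next = NULL; u->node.pprev = NULL;
    }
    if (unlink_first) put_ns(ns);
    return uaf;
}
```

With the user holding the last reference, `release_user(u, 0)` reports the write into the released namespace, while `release_user(u, 1)` unlinks cleanly and only then drops the reference.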