Creds and user namespaces both need one more ref taken.
A new user_ns needs a ref to remain pinned by its root user.
current_user_ns needs an extra ref bc objhash drops two on
restart.
cred needs a ref for the real credentials because commit_creds
eats one ref.
Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
---
checkpoint/process.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/checkpoint/process.c b/checkpoint/process.c
index 5047944..74872ba 100644
--- a/checkpoint/process.c
+++ b/checkpoint/process.c
@@ -601,7 +601,8 @@ static struct user_namespace *restore_read_userns(struct ckpt_ctx *ctx)
return ERR_PTR(PTR_ERR(h));
if (h->flags & CKPT_USERNS_INIT) {
ckpt_hdr_put(ctx, h);
- return current_user_ns();
+ /* grab an extra ref bc objhash will drop an extra */
+ return get_user_ns(current_user_ns());
}
creator = ckpt_obj_fetch(ctx, h->creator_ref, CKPT_OBJ_USER);
ckpt_hdr_put(ctx, h);
@@ -616,6 +617,10 @@ static struct user_namespace *restore_read_userns(struct ckpt_ctx *ctx)
/* new_user_ns() doesn't bump creator's refcount */
get_uid(creator);
+ /* objhash will drop new_ns refcount, but new_root
+ * should hold a ref */
+ get_user_ns(ns);
+
return ns;
}
@@ -1088,6 +1093,10 @@ static int restore_creds(struct ckpt_ctx *ctx, struct cred *rcred,
int ret;
const struct cred *old;
+ /* commit_creds will take one ref for the eff creds, but
+ * expects us to hold a ref for the obj creds, so take a
+ * ref here */
+ get_cred(rcred);
ret = commit_creds(rcred);
if (ret)
return ret;
--
1.6.1
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
