git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
Fix failure path in alloc_pid()
author: Matthew Wilcox <willy@infradead.org>, Fri, 28 Dec 2018 15:22:26 +0000 (07:22 -0800)
committer: Linus Torvalds <torvalds@linux-foundation.org>, Fri, 28 Dec 2018 20:42:30 +0000 (12:42 -0800)

The failure path removes the allocated PIDs from the wrong namespace.
This could lead to us inadvertently reusing PIDs in the leaf namespace
and leaking PIDs in parent namespaces.

Fixes: 95846ecf9dac ("pid: replace pid bitmap implementation with IDR API")
Cc: <stable@vger.kernel.org>
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/pid.c

index b2f6c506035da7c75b6b7e277f8d7c1a7ee244a2..20881598bdfaccc2e0ad736e1e2f8228ca3299bf 100644 (file)
@@ -233,8 +233,10 @@ out_unlock:
 
 out_free:
        spin_lock_irq(&pidmap_lock);
-       while (++i <= ns->level)
-               idr_remove(&ns->idr, (pid->numbers + i)->nr);
+       while (++i <= ns->level) {
+               upid = pid->numbers + i;
+               idr_remove(&upid->ns->idr, upid->nr);
+       }
 
        /* On failure to allocate the first pid, reset the state */
        if (ns->pid_allocated == PIDNS_ADDING)
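
Review bot: The rewritten loop under out_free is only correct if upid->ns was already set for every level from i+1 through ns->level before the jump here, and these lines do not show that. A one-line comment above the loop would make the invariant explicit. It should say that each upid records the namespace its number was allocated in, and that &ns->idr is therefore the right IDR for only one level. The check that follows, ns->pid_allocated == PIDNS_ADDING, still goes through ns rather than a per-level namespace. Going by the commit message, ns is the leaf namespace, so the comment on that check could say the reset is meant for the leaf only, to keep a later reader from "fixing" it the same way as the loop.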