USB: pid_ns: ensure pid is not freed during kill_pid_info_as_uid

Alan Stern points out that after spin_unlock(&ps->lock) there is no
guarantee that ps->pid won't be freed.  Since kill_pid_info_as_uid() is
called after the spin_unlock(), the pid passed to it must be pinned.

Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

1 files changed, 4 insertions, 2 deletions

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 37518dfdeb98..eea53ebe6706 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -407,7 +407,7 @@ static void async_completed(struct urb *urb)
                 sinfo.si_errno = as->status;
                 sinfo.si_code = SI_ASYNCIO;
                 sinfo.si_addr = as->userurb;
-                pid = as->pid;
+                pid = get_pid(as->pid);
                 uid = as->uid;
                 euid = as->euid;
                 secid = as->secid;
@@ -422,9 +422,11 @@ static void async_completed(struct urb *urb)
                 cancel_bulk_urbs(ps, as->bulk_addr);
         spin_unlock(&ps->lock);
 
-        if (signr)
+        if (signr) {
                 kill_pid_info_as_uid(sinfo.si_signo, &sinfo, pid, uid,
                                       euid, secid);
+                put_pid(pid);
+        }
 
         wake_up(&ps->wait);
 }