4 files changed, 10 insertions, 10 deletions

diff --git a/include/linux/cred.h b/include/linux/cred.h
index d12c4e475c15..2c60ec802678 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -146,7 +146,7 @@ struct cred {
         void            *security;      /* subjective LSM security */
 #endif
         struct user_struct *user;       /* real user ID subscription */
-        struct user_namespace *user_ns; /* cached user->user_ns */
+        struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
         struct group_info *group_info;  /* supplementary groups for euid/fsgid */
         struct rcu_head rcu;            /* RCU deletion hook */
 };
diff --git a/kernel/cred.c b/kernel/cred.c
index 97b36eeca4c9..7a0d80669886 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -148,6 +148,7 @@ static void put_cred_rcu(struct rcu_head *rcu)
         if (cred->group_info)
                 put_group_info(cred->group_info);
         free_uid(cred->user);
+        put_user_ns(cred->user_ns);
         kmem_cache_free(cred_jar, cred);
 }
 
@@ -303,6 +304,7 @@ struct cred *prepare_creds(void)
         set_cred_subscribers(new, 0);
         get_group_info(new->group_info);
         get_uid(new->user);
+        get_user_ns(new->user_ns);
 
 #ifdef CONFIG_KEYS
         key_get(new->thread_keyring);
@@ -412,11 +414,6 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
                         goto error_put;
         }
 
-        /* cache user_ns in cred.  Doesn't need a refcount because it will
-         * stay pinned by cred->user
-         */
-        new->user_ns = new->user->user_ns;
-
 #ifdef CONFIG_KEYS
         /* new threads get their own thread keyrings if their parent already
          * had one */
@@ -676,6 +673,7 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
         atomic_set(&new->usage, 1);
         set_cred_subscribers(new, 0);
         get_uid(new->user);
+        get_user_ns(new->user_ns);
         get_group_info(new->group_info);
 
 #ifdef CONFIG_KEYS
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index f084083a0fd3..58bb8781a778 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -24,7 +24,7 @@ static struct kmem_cache *user_ns_cachep __read_mostly;
  */
 int create_user_ns(struct cred *new)
 {
-        struct user_namespace *ns;
+        struct user_namespace *ns, *parent_ns = new->user_ns;
         struct user_struct *root_user;
         int n;
 
@@ -57,8 +57,10 @@ int create_user_ns(struct cred *new)
 #endif
         /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
 
-        /* root_user holds a reference to ns, our reference can be dropped */
-        put_user_ns(ns);
+        /* Leave the reference to our user_ns with the new cred */
+        new->user_ns = ns;
+
+        put_user_ns(parent_ns);
 
         return 0;
 }
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 70febff06da9..447fb7618ff3 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -858,7 +858,7 @@ void key_replace_session_keyring(void)
         new-> sgid      = old-> sgid;
         new->fsgid      = old->fsgid;
         new->user       = get_uid(old->user);
-        new->user_ns    = new->user_ns;
+        new->user_ns    = get_user_ns(new->user_ns);
         new->group_info = get_group_info(old->group_info);
 
         new->securebits = old->securebits;