From: Arvind Kandhare

When switch_uid is called, the reference count of the new user is incremented twice. I think the increment in switch_uid is done because of the reparent_to_init() function, which does not increase the __count for the root user. But if switch_uid is called from any other function, the reference count is already incremented by the caller by calling alloc_uid for the new user. Hence the count is incremented twice. The user struct will not be deleted even when there are no processes holding a reference count for it. This does not cause any problem currently because nothing is dependent on timely deletion of the user struct.

 kernel/exit.c | 1 +
 kernel/user.c | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff -puN kernel/exit.c~fix-user-leak kernel/exit.c --- 25/kernel/exit.c~fix-user-leak 2003-07-03 00:41:26.000000000 -0700 +++ 25-akpm/kernel/exit.c 2003-07-03 00:41:26.000000000 -0700 @@ -230,6 +230,7 @@ void reparent_to_init(void) /* signals? */ security_task_reparent_to_init(current); memcpy(current->rlim, init_task.rlim, sizeof(*(current->rlim))); + atomic_inc(&(INIT_USER->__count)); switch_uid(INIT_USER); write_unlock_irq(&tasklist_lock); diff -puN kernel/user.c~fix-user-leak kernel/user.c --- 25/kernel/user.c~fix-user-leak 2003-07-03 00:41:26.000000000 -0700 +++ 25-akpm/kernel/user.c 2003-07-03 00:41:26.000000000 -0700 @@ -126,7 +126,6 @@ void switch_uid(struct user_struct *new_ * we should be checking for it. -DaveM */ old_user = current->user; - atomic_inc(&new_user->__count); atomic_inc(&new_user->processes); atomic_dec(&old_user->processes); current->user = new_user; _
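Review bot: In the kernel/exit.c hunk, the new `atomic_inc(&(INIT_USER->__count));` before `switch_uid(INIT_USER);` open-codes the reference grab that every other caller gets from alloc_uid, but nothing at the call site says why it is there; add a one-line comment that switch_uid now consumes a reference the caller must already hold, otherwise the next person to add a switch_uid caller will not know the contract and will reintroduce the imbalance the patch fixes. As a style point, the extra parentheses in `&(INIT_USER->__count)` are unnecessary and differ from the `&new_user->__count` form used in user.c.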
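Review bot: In the kernel/user.c hunk, removing `atomic_inc(&new_user->__count);` changes switch_uid's contract from taking its own reference to owning one the caller already holds, yet the comment block above it (ending "-DaveM") is not updated; document the new requirement on the function. The safety of this change rests entirely on the commit message's claim that every other caller has already gone through alloc_uid: before, a caller that passed a borrowed user_struct caused only a leak, but after this change the same caller leaves the __count one short, so the struct can be freed while a task still points at it. That inversion from a benign leak to a potential use-after-free is worth an explicit audit of all switch_uid callers in the changelog, and the hunk should also confirm that the matching drop of old_user's __count (not visible in the shown context) remains paired with the reference being handed over.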