From: Arvind Kandhare <arvind.kan@wipro.com>

When switch_uid is called, the reference count of the new user is
incremented twice.  I think the increment in the switch_uid is done because
of the reparent_to_init() function which does not increase the __count for
root user.  

But if switch_uid is called from any other function, the reference count is
already incremented by the caller by calling alloc_uid for the new user. 
Hence the count is incremented twice.  The user struct will not be deleted
even when there are no processes holding a reference count for it.  This
does not cause any problem currently because nothing is dependent on timely
deletion of the user struct.  




 kernel/exit.c |    1 +
 kernel/user.c |    1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff -puN kernel/exit.c~fix-user-leak kernel/exit.c
--- 25/kernel/exit.c~fix-user-leak	2003-07-03 00:41:26.000000000 -0700
+++ 25-akpm/kernel/exit.c	2003-07-03 00:41:26.000000000 -0700
@@ -230,6 +230,7 @@ void reparent_to_init(void)
 	/* signals? */
 	security_task_reparent_to_init(current);
 	memcpy(current->rlim, init_task.rlim, sizeof(*(current->rlim)));
+	atomic_inc(&(INIT_USER->__count));
 	switch_uid(INIT_USER);
 
 	write_unlock_irq(&tasklist_lock);
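Review bot: The added atomic_inc(&(INIT_USER->__count)) just before switch_uid(INIT_USER) carries no comment explaining why reparent_to_init() bumps the count by hand. Since the other hunk makes switch_uid() rely on the caller already holding a reference, a one-line comment here (for example "take the reference that switch_uid() expects the caller to hold") would keep the increment from being removed later as a stray. Open-coding the increment also bypasses whatever helper other callers use to obtain their reference. If a suitable get-style helper exists for user_struct, using it here would keep all reference acquisition in one place.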
diff -puN kernel/user.c~fix-user-leak kernel/user.c
--- 25/kernel/user.c~fix-user-leak	2003-07-03 00:41:26.000000000 -0700
+++ 25-akpm/kernel/user.c	2003-07-03 00:41:26.000000000 -0700
@@ -126,7 +126,6 @@ void switch_uid(struct user_struct *new_
 	 * we should be checking for it.  -DaveM
 	 */
 	old_user = current->user;
-	atomic_inc(&new_user->__count);
 	atomic_inc(&new_user->processes);
 	atomic_dec(&old_user->processes);
 	current->user = new_user;
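Review bot: Dropping atomic_inc(&new_user->__count) changes the contract of switch_uid(): it now takes over a reference that the caller must already own, but nothing in the visible comment block above old_user = current->user states this. Please document the new rule in the function's comment (caller must hold a reference on new_user, which is transferred to current->user) and confirm in the changelog that every caller has been audited. A caller that passes a user_struct without first taking a reference would leave current->user pointing at an object whose __count is one too low, which risks a premature free rather than the leak this patch fixes.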

_