On Fri, Aug 26, 2016 at 04:08:08PM -0700, Andrei Vagin wrote:

+struct ns_common *ns_get_owner(struct ns_common *ns)
+{
+	struct user_namespace *my_user_ns = current_user_ns();
+	struct user_namespace *owner, *p;
+
+	/* See if the owner is in the current user namespace */
+	owner = p = ns->ops->get_owner(ns);
+	for (;;) {
+		if (!p)
+			return ERR_PTR(-EPERM);
+		if (p == my_user_ns)
+			break;
+		p = p->parent;
+	}
+
+	return &get_user_ns(owner)->ns;

get_user_ns() bumps the owner's refcount.  I don't see where
this is being dropped, especially when ns_ioctl() uses it in
the next patch.