From: Christian Brauner <brauner@kernel.org>
To: linux-fsdevel@vger.kernel.org, Josef Bacik <josef@toxicpanda.com>,
Jeff Layton <jlayton@kernel.org>
Cc: "Jann Horn" <jannh@google.com>, "Mike Yuan" <me@yhndnzj.com>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
"Lennart Poettering" <mzxreary@0pointer.de>,
"Daan De Meyer" <daan.j.demeyer@gmail.com>,
"Aleksa Sarai" <cyphar@cyphar.com>,
"Amir Goldstein" <amir73il@gmail.com>,
"Tejun Heo" <tj@kernel.org>,
"Johannes Weiner" <hannes@cmpxchg.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Jan Kara" <jack@suse.cz>,
linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
bpf@vger.kernel.org, "Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
netdev@vger.kernel.org, "Arnd Bergmann" <arnd@arndb.de>,
"Christian Brauner" <brauner@kernel.org>
Subject: [PATCH 3/8] ns: make sure reference are dropped outside of rcu lock
Date: Sun, 09 Nov 2025 22:11:24 +0100 [thread overview]
Message-ID: <20251109-namespace-6-19-fixes-v1-3-ae8a4ad5a3b3@kernel.org> (raw)
In-Reply-To: <20251109-namespace-6-19-fixes-v1-0-ae8a4ad5a3b3@kernel.org>
The mount namespace may in fact sleep when putting the last passive
reference so we need to drop the namespace reference outside of the rcu
read lock. Do this by delaying the put until the next iteration where
we've already moved on to the next namespace and legitimized it. Once we
drop the rcu read lock to call put_user() we will also drop the
reference to the previous namespace in the tree.
Fixes: 76b6f5dfb3fd ("nstree: add listns()")
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
kernel/nstree.c | 32 +++++++++++++++++++++++---------
1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/kernel/nstree.c b/kernel/nstree.c
index 4a8838683b6b..55b72d4f8de4 100644
--- a/kernel/nstree.c
+++ b/kernel/nstree.c
@@ -505,13 +505,13 @@ static inline bool __must_check may_list_ns(const struct klistns *kls,
return false;
}
-static void __ns_put(struct ns_common *ns)
+static inline void ns_put(struct ns_common *ns)
{
- if (ns->ops)
+ if (ns && ns->ops)
ns->ops->put(ns);
}
-DEFINE_FREE(ns_put, struct ns_common *, if (!IS_ERR_OR_NULL(_T)) __ns_put(_T))
+DEFINE_FREE(ns_put, struct ns_common *, if (!IS_ERR_OR_NULL(_T)) ns_put(_T))
static inline struct ns_common *__must_check legitimize_ns(const struct klistns *kls,
struct ns_common *candidate)
@@ -535,7 +535,7 @@ static ssize_t do_listns_userns(struct klistns *kls)
{
u64 __user *ns_ids = kls->uns_ids;
size_t nr_ns_ids = kls->nr_ns_ids;
- struct ns_common *ns = NULL, *first_ns = NULL;
+ struct ns_common *ns = NULL, *first_ns = NULL, *prev = NULL;
const struct list_head *head;
ssize_t ret;
@@ -568,9 +568,10 @@ static ssize_t do_listns_userns(struct klistns *kls)
if (!first_ns)
first_ns = list_entry_rcu(head->next, typeof(*ns), ns_owner_entry);
+
for (ns = first_ns; &ns->ns_owner_entry != head && nr_ns_ids;
ns = list_entry_rcu(ns->ns_owner_entry.next, typeof(*ns), ns_owner_entry)) {
- struct ns_common *valid __free(ns_put);
+ struct ns_common *valid;
valid = legitimize_ns(kls, ns);
if (!valid)
@@ -578,8 +579,14 @@ static ssize_t do_listns_userns(struct klistns *kls)
rcu_read_unlock();
- if (put_user(valid->ns_id, ns_ids + ret))
+ ns_put(prev);
+ prev = valid;
+
+ if (put_user(valid->ns_id, ns_ids + ret)) {
+ ns_put(prev);
return -EINVAL;
+ }
+
nr_ns_ids--;
ret++;
@@ -587,6 +594,7 @@ static ssize_t do_listns_userns(struct klistns *kls)
}
rcu_read_unlock();
+ ns_put(prev);
return ret;
}
@@ -668,7 +676,7 @@ static ssize_t do_listns(struct klistns *kls)
{
u64 __user *ns_ids = kls->uns_ids;
size_t nr_ns_ids = kls->nr_ns_ids;
- struct ns_common *ns, *first_ns = NULL;
+ struct ns_common *ns, *first_ns = NULL, *prev = NULL;
struct ns_tree *ns_tree = NULL;
const struct list_head *head;
u32 ns_type;
@@ -705,7 +713,7 @@ static ssize_t do_listns(struct klistns *kls)
for (ns = first_ns; !ns_common_is_head(ns, head, ns_tree) && nr_ns_ids;
ns = next_ns_common(ns, ns_tree)) {
- struct ns_common *valid __free(ns_put);
+ struct ns_common *valid;
valid = legitimize_ns(kls, ns);
if (!valid)
@@ -713,8 +721,13 @@ static ssize_t do_listns(struct klistns *kls)
rcu_read_unlock();
- if (put_user(valid->ns_id, ns_ids + ret))
+ ns_put(prev);
+ prev = valid;
+
+ if (put_user(valid->ns_id, ns_ids + ret)) {
+ ns_put(prev);
return -EINVAL;
+ }
nr_ns_ids--;
ret++;
@@ -723,6 +736,7 @@ static ssize_t do_listns(struct klistns *kls)
}
rcu_read_unlock();
+ ns_put(prev);
return ret;
}
--
2.47.3
next prev parent reply other threads:[~2025-11-09 21:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-09 21:11 [PATCH 0/8] ns: fixes for namespace iteration and active reference counting Christian Brauner
2025-11-09 21:11 ` [PATCH 1/8] ns: don't skip active reference count initialization Christian Brauner
2025-11-09 21:11 ` [PATCH 2/8] ns: don't increment or decrement initial namespaces Christian Brauner
2025-11-09 21:11 ` Christian Brauner [this message]
2025-11-09 21:11 ` [PATCH 4/8] ns: return EFAULT on put_user() error Christian Brauner
2025-11-09 21:11 ` [PATCH 5/8] ns: handle setns(pidfd, ...) cleanly Christian Brauner
2025-11-09 21:11 ` [PATCH 6/8] ns: add asserts for active refcount underflow Christian Brauner
2025-11-09 21:11 ` [PATCH 7/8] selftests/namespaces: add active reference count regression test Christian Brauner
2025-11-09 21:11 ` [PATCH 8/8] selftests/namespaces: test for efault Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251109-namespace-6-19-fixes-v1-3-ae8a4ad5a3b3@kernel.org \
--to=brauner@kernel.org \
--cc=amir73il@gmail.com \
--cc=arnd@arndb.de \
--cc=bpf@vger.kernel.org \
--cc=cgroups@vger.kernel.org \
--cc=cyphar@cyphar.com \
--cc=daan.j.demeyer@gmail.com \
--cc=edumazet@google.com \
--cc=hannes@cmpxchg.org \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=jlayton@kernel.org \
--cc=josef@toxicpanda.com \
--cc=kuba@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=me@yhndnzj.com \
--cc=mzxreary@0pointer.de \
--cc=netdev@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=tj@kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zbyszek@in.waw.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).