[PATCH] kernel/nsproxy: guard all put_*_ns() calls

[PATCH] kernel/nsproxy: guard all put_*_ns() calls

[Joel Savitz]

In free_nsproxy() and the error path of create_new_namespaces() all
calls to put_*_ns() are guarded by a null pointer check except for
put_cgroup_ns() and put_net(). When CONFIG_NET_NS or CONFIG_GROUP is
unset, either of these functions may be called with a NULL argument.
This may or may not be handled correctly, but at the very least it is
certainly quicker to just perform the null check in all cases.

Signed-off-by: Joel Savitz <jsavitz@redhat.com>
---
 kernel/nsproxy.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index c9d97ed20122..2b12d2c5d2e0 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -124,9 +124,11 @@ static struct nsproxy *create_new_namespaces(unsigned long flags,
 	return new_nsp;
 
 out_time:
-	put_net(new_nsp->net_ns);
+	if (new_nsp->net_ns)
+		put_net(new_nsp->net_ns);
 out_net:
-	put_cgroup_ns(new_nsp->cgroup_ns);
+	if (new_nsp->cgroup_ns)
+		put_cgroup_ns(new_nsp->cgroup_ns);
 out_cgroup:
 	if (new_nsp->pid_ns_for_children)
 		put_pid_ns(new_nsp->pid_ns_for_children);
@@ -201,8 +203,10 @@ void free_nsproxy(struct nsproxy *ns)
 		put_time_ns(ns->time_ns);
 	if (ns->time_ns_for_children)
 		put_time_ns(ns->time_ns_for_children);
-	put_cgroup_ns(ns->cgroup_ns);
-	put_net(ns->net_ns);
+	if (ns->cgroup_ns)
+		put_cgroup_ns(ns->cgroup_ns);
+	if (ns->net_ns)
+		put_net(ns->net_ns);
 	kmem_cache_free(nsproxy_cachep, ns);
 }
 
-- 
2.45.2

Re: [PATCH] kernel/nsproxy: guard all put_*_ns() calls

[Al Viro]

On Wed, May 07, 2025 at 12:13:28PM -0400, Joel Savitz wrote:
> In free_nsproxy() and the error path of create_new_namespaces() all
> calls to put_*_ns() are guarded by a null pointer check except for
> put_cgroup_ns() and put_net(). When CONFIG_NET_NS or CONFIG_GROUP is
> unset, either of these functions may be called with a NULL argument.
> This may or may not be handled correctly, but at the very least it is
> certainly quicker to just perform the null check in all cases.

Why not simply make put_net(NULL) et.al. no-op instead?

Re: [PATCH] kernel/nsproxy: guard all put_*_ns() calls

[Joel Savitz]

On Wed, May 7, 2025 at 5:41 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Wed, May 07, 2025 at 12:13:28PM -0400, Joel Savitz wrote:
> > In free_nsproxy() and the error path of create_new_namespaces() all
> > calls to put_*_ns() are guarded by a null pointer check except for
> > put_cgroup_ns() and put_net(). When CONFIG_NET_NS or CONFIG_GROUP is
> > unset, either of these functions may be called with a NULL argument.
> > This may or may not be handled correctly, but at the very least it is
> > certainly quicker to just perform the null check in all cases.
>
> Why not simply make put_net(NULL) et.al. no-op instead?
>

It looks like that's the case whenever a namespace is disabled, i.e.
when NULL might be passed as an argument. I posted a v2 that now
removes the include guards.