1. Patchew
  2. linux
  3. View series

[PATCH] fs/nsfs: skip dropping active refs on initial namespaces

Deepanshu Kartikey posted 1 patch 1 month, 1 week ago 
fs/nsfs.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
[PATCH] fs/nsfs: skip dropping active refs on initial namespaces
Posted by Deepanshu Kartikey 1 month, 1 week ago 
Initial namespaces are statically allocated and exist for the entire
lifetime of the system. They should not participate in active
reference counting.

When setns() is called with a file descriptor pointing to an initial
namespace, nsproxy_ns_active_put() was dropping active references on
them, causing the active count to hit zero and trigger a warning.

Fix by checking is_initial_namespace() before dropping the active
reference in nsproxy_ns_active_put().

Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/nsfs.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/fs/nsfs.c b/fs/nsfs.c
index ba6c8975c82e..ffe31c66d1d8 100644
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -19,6 +19,7 @@
 #include <linux/exportfs.h>
 #include <linux/nstree.h>
 #include <net/net_namespace.h>
+#include <linux/ns_common.h>
 
 #include "mount.h"
 #include "internal.h"
@@ -698,12 +699,20 @@ void nsproxy_ns_active_get(struct nsproxy *ns)
 
 void nsproxy_ns_active_put(struct nsproxy *ns)
 {
-	ns_ref_active_put(ns->mnt_ns);
-	ns_ref_active_put(ns->uts_ns);
-	ns_ref_active_put(ns->ipc_ns);
-	ns_ref_active_put(ns->pid_ns_for_children);
-	ns_ref_active_put(ns->cgroup_ns);
-	ns_ref_active_put(ns->net_ns);
-	ns_ref_active_put(ns->time_ns);
-	ns_ref_active_put(ns->time_ns_for_children);
+	if (ns->mnt_ns && !is_initial_namespace(&ns->mnt_ns->ns))
+		ns_ref_active_put(ns->mnt_ns);
+	if (ns->uts_ns && !is_initial_namespace(&ns->uts_ns->ns))
+		ns_ref_active_put(ns->uts_ns);
+	if (ns->ipc_ns && !is_initial_namespace(&ns->ipc_ns->ns))
+		ns_ref_active_put(ns->ipc_ns);
+	if (ns->pid_ns_for_children && !is_initial_namespace(&ns->pid_ns_for_children->ns))
+		ns_ref_active_put(ns->pid_ns_for_children);
+	if (ns->cgroup_ns && !is_initial_namespace(&ns->cgroup_ns->ns))
+		ns_ref_active_put(ns->cgroup_ns);
+	if (ns->net_ns && !is_initial_namespace(&ns->net_ns->ns))
+		ns_ref_active_put(ns->net_ns);
+	if (ns->time_ns && !is_initial_namespace(&ns->time_ns->ns))
+		ns_ref_active_put(ns->time_ns);
+	if (ns->time_ns_for_children && !is_initial_namespace(&ns->time_ns_for_children->ns))
+		ns_ref_active_put(ns->time_ns_for_children);
 }
-- 
2.43.0
Re: [PATCH] fs/nsfs: skip dropping active refs on initial namespaces
Posted by Deepanshu Kartikey 1 month, 1 week ago 
Hi,

I'm sending a v2 of this patch with the following changes:

Changes in v2:
- Extended fix to nsproxy_ns_active_get() for consistency
- Added fix for nsfs_evict() to handle initial namespaces
- Updated commit message to reflect all three fixes

After analyzing the code further, I realized that nsproxy_ns_active_get()
has the same issue as nsproxy_ns_active_put() - both will trigger warnings
when operating on initial namespaces. The nsfs_evict() function also needs
the same check.

The v1 patch only fixed nsproxy_ns_active_put(), but for consistency and
completeness, all three functions should skip active reference counting
for initial namespaces.

Thanks,
Deepanshu

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.