From nobody Sat Feb  7 15:10:56 2026
Received: from mail-dy1-f170.google.com (mail-dy1-f170.google.com
 [74.125.82.170])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D2E161E8332
	for <linux-kernel@vger.kernel.org>; Mon,  2 Feb 2026 02:39:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=74.125.82.170
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1769999987; cv=none;
 b=RGHjymPh6KfHvO+WpYpvqxEOOVlGUC1tixEf5WEJQ32vM8Z6mH+iJuRYKgWEeFt+468//RvFIWm2NTBbPQg+xEVFJU5nah+4zLoz7XM8BcR7GiM9p0bqfe9LOBvRHwIr3ZY0V0C9B0wnHzO8wLaCsZZwX6kR2gQFvYWeDYhBAH8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1769999987; c=relaxed/simple;
	bh=Z7zPk3LEOfLna/wInmtQon2g2llZ/GxvcxtzL0FuoJE=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=qdq2wUpcK6rowmRFHANE0JC7MucVEkwdR7Fvn8qJCXw9xh/r8EPbzpo3djaeDy1t5kGPUO1YU3ktezY2pz4RyXgbZI35Ggc5a51DwIMAE2B7zbHYId5Xtx+mJEOoWj5ccwAXCMWKkokZOpiVLKteylg1sHbwwwlKbjF77MwtSn0=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=A/4ynlUh; arc=none smtp.client-ip=74.125.82.170
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="A/4ynlUh"
Received: by mail-dy1-f170.google.com with SMTP id
 5a478bee46e88-2b4520f6b32so7229935eec.0
        for <linux-kernel@vger.kernel.org>;
 Sun, 01 Feb 2026 18:39:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1769999984; x=1770604784;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=S6bhRTSu7n3BtGDmVoIOQl35YeNLuyGxN6y3r/5ixOk=;
        b=A/4ynlUhqgXaygKfUtI3HuV3rQLhrO9z8NXhuMdgQ3bMNmNtxGPzKVJncRkUe3YiGJ
         Km5jJ0PAvqlhCTS1PX3I5EOqBGz+vduU2zY5JqYeyDijBWmoOTVGnrEUh4Sm9Q3i1fiQ
         3U1NCM1BkK1qXanG3ZEKM9NxMVVD85u5ENVx8ld1a1FeFDJkWMs0sX8zFyN4eoFnXgKM
         8iuhJXs8QrUyFzp/zMUBqAhMTfmAWEeUtBLOHpF2DfQiFaRGGtL92RDxSivQLqpsHU0N
         E29mjryPcmDTSgoZ6YEWMwL81LKeJoHg2rBlTJ0muetWoJbfA1hvuYkrtMMoRhkYXKNL
         oAOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1769999984; x=1770604784;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=S6bhRTSu7n3BtGDmVoIOQl35YeNLuyGxN6y3r/5ixOk=;
        b=RcaADGW8GtSOrJno2j+6x5LQ7ZB+a2c7df2NllglRRM4BO/X2NPfx1dhJh5obKyxcT
         8mCr/DBr9DsVPPG+NuYycOE32hvHqRzOo6Ek/UJPoFA1g7ihfIepwbEhBUa5keXM7RHi
         9cONJZluV85hDsamgNTzUu8DqrRf+Sr75ngFCnKElkMwFG+IlFmfxaP8gk3LP4DAeQ0W
         qacFZ3gaz5nHAVoO6ijYFscWzzgHoaGy2KaSbfRfhu2aM8YfNI2zbUopKvRnoedMmC0e
         r5NnwCqUn6fu06GsP6Nh4qkmS73sk8gaflzd+5jbSxUNyVI47iYgBZk8Xri2BCfLG8t5
         4jhw==
X-Forwarded-Encrypted: i=1;
 AJvYcCW4MXG2+cd4Pnr12Sgs4zJvQjfhM710LUJY6FvOEjyZSkB2aLGm+diV7n3twww5jfFjpinnRYawv9gIEXY=@vger.kernel.org
X-Gm-Message-State: AOJu0YxpxLf/K80GOfmLSJOpv0p642k/R3r6oDx/6JrMV/HjjbA7MMdf
	jv0qbI7cubXpocP9ghixwI+st6+5BVaGofHtK4hyIfy92GNSZsz5ddZn
X-Gm-Gg: AZuq6aK9geP/nUIGO3FdDVoeZqm3AxYihzLqK4Wl3ZQiGZyHzPRwFG9NuxDncfcF6A4
	DTHQvoralOTqWlzGKdxiUBDPxst3Fegs1AHbxoIGmGDT+ubU7HDWRUOiZC1uVSFFAMJuEpNePyF
	BRCzXmNu3gbnhNTKWn0UaJFQNTngHieCCuD0/e1o4CSOP3pJqCwyfG3d2QxLxPy4R6hmmvVkhRq
	V1Nywl88ccLpPSSbecCCa6PIW/aAK+mXAvETuwtfmGlyQBYn6Uy9qSzyKB/GF/aVPm08B36cQWp
	KPMciBi8toO44/EE6nLlcSR+hms0F8rFMJ/xDq282vp8IVK3X1zl9vLlt4scfDUKqENxxcvPm9X
	dHuz0fdEjxJUJSlIU9J1FKzFajJMHvdVVioIQUuw5YdMxvrZLNZqYTuIBzNx7p+/hfTaN9ybyKF
	pKrOU=
X-Received: by 2002:a05:7301:6095:b0:2ae:5ddf:e223 with SMTP id
 5a478bee46e88-2b7c865e73emr5379977eec.15.1769999983728;
        Sun, 01 Feb 2026 18:39:43 -0800 (PST)
Received: from debian ([74.48.213.230])
        by smtp.gmail.com with ESMTPSA id
 5a478bee46e88-2b7a16eab80sm18842353eec.9.2026.02.01.18.39.39
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 01 Feb 2026 18:39:43 -0800 (PST)
From: Qiliang Yuan <realwujing@gmail.com>
To: "David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Christian Brauner <brauner@kernel.org>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Jan Kara <jack@suse.cz>,
	Jeff Layton <jlayton@kernel.org>,
	Qiliang Yuan <realwujing@gmail.com>
Cc: Qiliang Yuan <yuanql9@chinatelecom.cn>,
	Simon Horman <horms@kernel.org>,
	Sabrina Dubroca <sd@queasysnail.net>,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH v5] netns: optimize netns cleaning by batching unhash_nsid
 calls
Date: Sun,  1 Feb 2026 21:39:19 -0500
Message-ID: <20260202023931.2788955-1-realwujing@gmail.com>
X-Mailer: git-send-email 2.51.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Currently, unhash_nsid() scans the entire system for each netns being
killed, leading to O(M_batch * N_system * log(N_ids)) complexity.

Optimize this to O(N_system * N_ids) by batching unhash operations. Move
unhash_nsid() out of the per-netns loop in cleanup_net() to perform a
single-pass traversal over survivor namespaces.

Identify dying peers by an 'is_dying' flag, which is set under net_rwsem
write lock after the netns is removed from the global list. This batches
the unhashing work and eliminates the O(M_batch) multiplier.

Use a restartable idr_get_next() loop for iteration. This avoids the
unsafe modification issue inherent to idr_for_each() callbacks and allows
dropping the nsid_lock to safely call sleepy rtnl_net_notifyid().

Clean up redundant nsid_lock and simplify the destruction loop now that
unhashing is centralized.

Signed-off-by: Qiliang Yuan <yuanql9@chinatelecom.cn>
---
v5:
 - Use idr_get_next() for restartable iteration safely handling removals.
 - Drop unhash_nsid_callback() to avoid context safety issues.
v4:
 - Move unhash_nsid() out of the batch loop to reduce complexity from O(M*N=
) to O(N).
 - Use idr_for_each() for efficient, single-pass IDR traversal.
 - Mark 'is_dying' under net_rwsem to safely identify and batch unhashing.
 - Simplify destruction loop by removing redundant locking and per-netns un=
hash logic.
v3:
 - Update target tree to net-next.
 - Post as a new thread instead of a reply.
v2:
 - Move 'is_dying' setting to __put_net() to eliminate the O(M_batch) loop.
 - Remove redundant initializations in preinit_net().
v1:
 - Initial implementation of batch unhash_nsid().

 include/net/net_namespace.h |  1 +
 net/core/net_namespace.c    | 34 ++++++++++++++++++++--------------
 2 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index cb664f6e3558..bd1acc6056ac 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -69,6 +69,7 @@ struct net {
=20
 	unsigned int		dev_base_seq;	/* protected by rtnl_mutex */
 	u32			ifindex;
+	bool			is_dying;
=20
 	spinlock_t		nsid_lock;
 	atomic_t		fnhe_genid;
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index a6e6a964a287..3061c83786ac 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -624,9 +624,11 @@ void net_ns_get_ownership(const struct net *net, kuid_=
t *uid, kgid_t *gid)
 }
 EXPORT_SYMBOL_GPL(net_ns_get_ownership);
=20
-static void unhash_nsid(struct net *net, struct net *last)
+static void unhash_nsid(struct net *last)
 {
-	struct net *tmp;
+	struct net *tmp, *peer;
+	int id;
+
 	/* This function is only called from cleanup_net() work,
 	 * and this work is the only process, that may delete
 	 * a net from net_namespace_list. So, when the below
@@ -634,22 +636,23 @@ static void unhash_nsid(struct net *net, struct net *=
last)
 	 * use for_each_net_rcu() or net_rwsem.
 	 */
 	for_each_net(tmp) {
-		int id;
-
+		id =3D 0;
 		spin_lock(&tmp->nsid_lock);
-		id =3D __peernet2id(tmp, net);
-		if (id >=3D 0)
-			idr_remove(&tmp->netns_ids, id);
+		while ((peer =3D idr_get_next(&tmp->netns_ids, &id))) {
+			if (peer->is_dying) {
+				idr_remove(&tmp->netns_ids, id);
+				spin_unlock(&tmp->nsid_lock);
+				rtnl_net_notifyid(tmp, RTM_DELNSID, id, 0, NULL,
+						  GFP_KERNEL);
+				spin_lock(&tmp->nsid_lock);
+			} else {
+				id++;
+			}
+		}
 		spin_unlock(&tmp->nsid_lock);
-		if (id >=3D 0)
-			rtnl_net_notifyid(tmp, RTM_DELNSID, id, 0, NULL,
-					  GFP_KERNEL);
 		if (tmp =3D=3D last)
 			break;
 	}
-	spin_lock(&net->nsid_lock);
-	idr_destroy(&net->netns_ids);
-	spin_unlock(&net->nsid_lock);
 }
=20
 static LLIST_HEAD(cleanup_list);
@@ -674,6 +677,7 @@ static void cleanup_net(struct work_struct *work)
 	llist_for_each_entry(net, net_kill_list, cleanup_list) {
 		ns_tree_remove(net);
 		list_del_rcu(&net->list);
+		net->is_dying =3D true;
 	}
 	/* Cache last net. After we unlock rtnl, no one new net
 	 * added to net_namespace_list can assign nsid pointer
@@ -688,8 +692,10 @@ static void cleanup_net(struct work_struct *work)
 	last =3D list_last_entry(&net_namespace_list, struct net, list);
 	up_write(&net_rwsem);
=20
+	unhash_nsid(last);
+
 	llist_for_each_entry(net, net_kill_list, cleanup_list) {
-		unhash_nsid(net, last);
+		idr_destroy(&net->netns_ids);
 		list_add_tail(&net->exit_list, &net_exit_list);
 	}
=20
--=20
2.51.0