From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CCAA33AF669; Mon, 1 Jun 2026 13:56:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322220; cv=none; b=HBtzuq09lz6QfrKXvGajAcDbqrcWIZpsAI7pmdyOo5iwPqas4yQvNq74EZ1RgsiPm8xoNWAQPr3sx6NxxR2RenoAv7zR+hY02wHDl58rVXQ9GZIB0rKW27dhtnv9OxkWeCPX0heYVIvx1z4oncA3H7wKg1bHQmeaqvkFz5FQSvI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322220; c=relaxed/simple; bh=uzDsq5saOQh+1Y1bm40YmrgnDb4r207ZRmo9VeInStw=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=PGG2aFTZjoUb+ObNi7rGvHumqP8vSZVinRA5DDi2YggHfKYr5s/T70w6PNIp4A0+oq80Kp7z5Lk2IjC/NQ04OL74LRzeMUFcD1J8VB4yPG8PlCVDvhgYM4edQ++iCck7FScJQ1Lzw0P/kQn+8m0slDW0A6T4ODimGkrhqg7yg94= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=JJ0HbSTA; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="JJ0HbSTA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DB3A21F00898; Mon, 1 Jun 2026 13:56:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322219; bh=+2qRXu5+Zv2hewWQhS9ylqafA5cEsVCwivOZguEcn6k=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=JJ0HbSTAKgfVk/VovJMwvvhgqKo/i9b+EHCqYUWT+pxJmbVoIBk8almx6ACfiR50d zAMDH27BZ/6IuBFqsRauo0wf7fBQyYUEbrLbwWsiXkImRks73BfJELHCew6qWy7jKO Rsv5cesv9OoAgPH8W0cIaX8Qeyb+x/ILFOtKcexWV34a1EwHrwYaDAvlFD9yNyjOnB gwqEmLE62ptEQxSKKs8XUhbM7/boDm5E+HVfHfQzvK5134+hldeqZrXbEg9ZChrTaq iytdZXLCKosk50fgh/nOZCRqTBdyPvTy5tWBKG23+1YzHSlN3C28F8+xp3eLYaQqpi lBocByvkbkwVg== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:34 +0200 Subject: [PATCH RFC v4 01/25] fs: add switch_fs_struct() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-1-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=2552; i=brauner@kernel.org; h=from:subject:message-id; bh=uzDsq5saOQh+1Y1bm40YmrgnDb4r207ZRmo9VeInStw=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i/13/iPZ57KmnRWvhkat1fbXZh0omuHieakzq+BH Du7vqcs7ChlYRDjYpAVU2RxaDcJl1vOU7HZKFMDZg4rE8gQBi5OAZjIBVlGhjUef77czfjun/uR n+/eB/Wr/MeMSt/68u7XlD7lsDPvZS0jw6tXj38XG1kdjzTvZfG5P23fg3Odi3PD7TJ4zq0sznz /lRcA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Don't open-code the guts of replacing current's fs struct. Signed-off-by: Christian Brauner (Amutable) --- fs/fs_struct.c | 18 ++++++++++++++++++ include/linux/fs_struct.h | 2 ++ kernel/fork.c | 22 ++++++---------------- 3 files changed, 26 insertions(+), 16 deletions(-) diff --git a/fs/fs_struct.c b/fs/fs_struct.c index 394875d06fd6..c441586537e7 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -147,6 +147,24 @@ int unshare_fs_struct(void) } EXPORT_SYMBOL_GPL(unshare_fs_struct); =20 +struct fs_struct *switch_fs_struct(struct fs_struct *new_fs) +{ + struct fs_struct *fs; + + scoped_guard(task_lock, current) { + fs =3D current->fs; + read_seqlock_excl(&fs->seq); + current->fs =3D new_fs; + if (--fs->users) + new_fs =3D NULL; + else + new_fs =3D fs; + read_sequnlock_excl(&fs->seq); + } + + return new_fs; +} + /* to be mentioned only in INIT_TASK */ struct fs_struct init_fs =3D { .users =3D 1, diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h index 0070764b790a..ade459383f92 100644 --- a/include/linux/fs_struct.h +++ b/include/linux/fs_struct.h @@ -40,6 +40,8 @@ static inline void get_fs_pwd(struct fs_struct *fs, struc= t path *pwd) read_sequnlock_excl(&fs->seq); } =20 +struct fs_struct *switch_fs_struct(struct fs_struct *new_fs); + extern bool current_chrooted(void); =20 static inline int current_umask(void) diff --git a/kernel/fork.c b/kernel/fork.c index f1ad69c6dc2d..846a49088fae 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -3192,7 +3192,7 @@ static int unshare_fd(unsigned long unshare_flags, st= ruct files_struct **new_fdp */ int ksys_unshare(unsigned long unshare_flags) { - struct fs_struct *fs, *new_fs =3D NULL; + struct fs_struct *new_fs =3D NULL; struct files_struct *new_fd =3D NULL; struct cred *new_cred =3D NULL; struct nsproxy *new_nsproxy =3D NULL; @@ -3270,23 +3270,13 @@ int ksys_unshare(unsigned long unshare_flags) new_nsproxy =3D NULL; } =20 - task_lock(current); + if (new_fs) + new_fs =3D switch_fs_struct(new_fs); =20 - if (new_fs) { - fs =3D current->fs; - read_seqlock_excl(&fs->seq); - current->fs =3D new_fs; - if (--fs->users) - new_fs =3D NULL; - else - new_fs =3D fs; - read_sequnlock_excl(&fs->seq); - } - - if (new_fd) + if (new_fd) { + guard(task_lock)(current); swap(current->files, new_fd); - - task_unlock(current); + } =20 if (new_cred) { /* Install the new user namespace */ --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BBB3B3B19A5; Mon, 1 Jun 2026 13:57:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322222; cv=none; b=UeKRjYFbyAd/4GjjXY9g5n4Q4PvEhIBnuNepBr7pIgBbhYfyYpRFG+ZiSkUnP1nntnfV0PKAMT6fXLoDcGcowNxlJXSD4E0UnmZTlurDKGLuQae4eAveBf5g+FwMzzpAynkjI025Xu4piILgMmMaUBqptVZRXguimwVnMyIHsmY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322222; c=relaxed/simple; bh=KCPdiX6BH/IBnrnw84ASQ+v0phwip0MhXYRHVBBlZ+k=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=KUnAogdfufjYklbNgSNZS556g6iPxgdZwvDu+D9et7OtnYPrtN20cQgg14Kwlpz5DB43MBIGfU7UsyEov2dHVVYyuBqTlwPvuGV+cg/lB0tfZOX+quWxlqVW4Wq46H3ZuWtIR9jE1QKft9O2AAK5Vb0iV3MRmEUwgAWm5zw03qg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=hOvMc9I+; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="hOvMc9I+" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E69851F00893; Mon, 1 Jun 2026 13:56:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322221; bh=/ist+XEJ15RumsCrqpUFl4FU7hObKp3HJhM31n6k+qg=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=hOvMc9I+5HR8yHw5H8CHRnDnvwW4rwzJwLg5XxT0dnkAol0PNqTZFQv7KXcJj/MN1 7s0x6ZycuVsZi3vZaofUciX28oY8bBrICyqzloNym5+2yJS+OFt0Wk7af9yTJAJO3n KMSBdak8+fa7PDgeDPZt8vUwQiEIWvzFY1dWe9LEiJ/T5EGgDBI++MjFvjp8aPIAJn Vh65TOS+qUa4pTlG1np0hkUcj83zUj6CSiA6yvNEiUuLUCf4KZy2qkjLq0N/Sm9Y+T JopC1kKp8lHNSHwMGdG19ZFVowEuyKQjKmc9vh7Ez4VpZbfS90H36O6WdSU2kx6IrP SZr/hHWAWk3gw== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:35 +0200 Subject: [PATCH RFC v4 02/25] fs: notice when init abandons fs sharing Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-2-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=2275; i=brauner@kernel.org; h=from:subject:message-id; bh=KCPdiX6BH/IBnrnw84ASQ+v0phwip0MhXYRHVBBlZ+k=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i9TO2mpLzWXZYkK26ZdU0wvXkj3FC9O2ZfbZbZ0x qb7y+yTOkpZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACbCspuR4cjVMtnC+avWnZqp v4hhXeWj2V+NRW9wGto8tZJ0EfK4kMrIMHNze0XRNkelZIGTka2/NyROzv3gZL8ufuUe/a/elYw KjAA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 PID 1 may choose to stop sharing fs_struct state with us. Either via unshare(CLONE_FS) or unshare(CLONE_NEWNS). Of course, PID 1 could have chosen to create arbitrary process trees that all share fs_struct state via CLONE_FS. This is a strong statement: We only care about PID 1 aka the thread-group leader so subthread's fs_struct state doesn't matter. PID 1 unsharing fs_struct state is a bug. PID 1 relies on various kthreads to be able to perform work based on its fs_struct state. Breaking that contract sucks for both sides. So just don't bother with extra work for this. No sane init system should ever do this. Signed-off-by: Christian Brauner (Amutable) --- fs/fs_struct.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/fs/fs_struct.c b/fs/fs_struct.c index c441586537e7..fcecf209f1a9 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -147,6 +147,30 @@ int unshare_fs_struct(void) } EXPORT_SYMBOL_GPL(unshare_fs_struct); =20 +/* + * PID 1 may choose to stop sharing fs_struct state with us. + * Either via unshare(CLONE_FS) or unshare(CLONE_NEWNS). Of + * course, PID 1 could have chosen to create arbitrary process + * trees that all share fs_struct state via CLONE_FS. This is a + * strong statement: We only care about PID 1 aka the thread-group + * leader so subthread's fs_struct state doesn't matter. + * + * PID 1 unsharing fs_struct state is a bug. PID 1 relies on + * various kthreads to be able to perform work based on its + * fs_struct state. Breaking that contract sucks for both sides. + * So just don't bother with extra work for this. No sane init + * system should ever do this. + */ +static inline void validate_fs_switch(struct fs_struct *old_fs) +{ + if (likely(current->pid !=3D 1)) + return; + /* @old_fs may be dangling but for comparison it's fine */ + if (old_fs !=3D &init_fs) + return; + pr_warn("VFS: Pid 1 stopped sharing filesystem state\n"); +} + struct fs_struct *switch_fs_struct(struct fs_struct *new_fs) { struct fs_struct *fs; @@ -162,6 +186,7 @@ struct fs_struct *switch_fs_struct(struct fs_struct *ne= w_fs) read_sequnlock_excl(&fs->seq); } =20 + validate_fs_switch(fs); return new_fs; } =20 --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9356F3B2FE5; Mon, 1 Jun 2026 13:57:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322224; cv=none; b=PSB75M3skbDlxULwLj0vIwB8LiPZ5Lzo4kqSLWnt8Wcx+Uwj1uT9FMtI3EOPTO1xU3a3UcfdoTMy/aH/IU36JUC4FQMgW32Ih6DL9tXsz6S3fDB4rNLRbFzhxiRPwNLlyDUqQsOJ6Y6QLP3AmoKCEG3Uao8ktiSqtPyGUMpFiUo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322224; c=relaxed/simple; bh=BliA19S07rKsVkf4xeLasH02Rb4ERGW+MohJKrIOM2g=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Rjy4OA/m9CmmIALI9oIzbLsu7kvVebVbKn4xMyr/nJsyqINFWnY0uXzzX77ak3kcgEemtQGJzeUzrDJvzojloRecuCaKz9n8jKe90voytKO44gAg/5R1sG/SOVxQlK9P8vx/r0WseLESoXbvP6xdx8rebyDHjfn7uHRYfzyV7Ro= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=a8vvKcnh; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="a8vvKcnh" Received: by smtp.kernel.org (Postfix) with ESMTPSA id ED3B91F00898; Mon, 1 Jun 2026 13:57:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322223; bh=mTIpKAHMdDKkQPRhXjj8t3+oXF1jvWG1sx7dcBjeR8c=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=a8vvKcnhGWtfVHtAPaxANEHq0nux0Cz3rGFjEnVv54BGeSCLhgQ4rDOXzcwnGIHST SZP6Lb5BO+kVD5xXWBccp2encQf0Otgqci6gBuvz/wtmsylQSzTEPmsksMK13Gw1Vm 7sVM0kPKYZzSVOZH1IsEwaOpoRCYlGkjXSKJIsDq8gyApeZYOfgx/ERozDxEfk3xw5 l5rzfk//dBgioDqMqab00GJPZQiBnt0lqXA7wUKm8b7FT953wcHN9qfS8oPuEJ6pFA xhEYSUEjP4ZedWkPQei0tTvSX3OW9hEtC6fjed473pfvTjvWTYs6X8kqAmyTQyZSl6 oST5CNvruDNng== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:36 +0200 Subject: [PATCH RFC v4 03/25] fs: add scoped_with_init_fs() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-3-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1648; i=brauner@kernel.org; h=from:subject:message-id; bh=BliA19S07rKsVkf4xeLasH02Rb4ERGW+MohJKrIOM2g=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i/jtZR+ftEk1qp0vdBK6SviL/Yk91wo/HH/2DbOi E/3G15s6ChlYRDjYpAVU2RxaDcJl1vOU7HZKFMDZg4rE8gQBi5OAZhITifDXzmmOncug9D7mlOT 464cm/TizI4Lr15OWHJw9fVQYQkdkVUM/2vff+GfuTiM6TxXwE6L0wnzTi3g8tI+cjc5/VrLvZg H/1kA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Similar to scoped_with_kernel_creds() allow a temporary override of current->fs to serve the few places where lookup is performed from kthread context or needs init's filesytem state. Signed-off-by: Christian Brauner (Amutable) --- include/linux/fs_struct.h | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h index ade459383f92..e11d0e57168f 100644 --- a/include/linux/fs_struct.h +++ b/include/linux/fs_struct.h @@ -6,6 +6,7 @@ #include #include #include +#include =20 struct fs_struct { int users; @@ -49,4 +50,34 @@ static inline int current_umask(void) return current->fs->umask; } =20 +/* + * Temporarily use userspace_init_fs for path resolution in kthreads. + * Callers should use scoped_with_init_fs() which automatically + * restores the original fs_struct at scope exit. + */ +static inline struct fs_struct *__override_init_fs(void) +{ + struct fs_struct *fs; + + fs =3D current->fs; + WRITE_ONCE(current->fs, fs); + return fs; +} + +static inline void __revert_init_fs(struct fs_struct *revert_fs) +{ + VFS_WARN_ON_ONCE(current->fs !=3D revert_fs); + WRITE_ONCE(current->fs, revert_fs); +} + +DEFINE_CLASS(__override_init_fs, + struct fs_struct *, + __revert_init_fs(_T), + __override_init_fs(), void) + +#define scoped_with_init_fs() \ + scoped_class(__override_init_fs, __UNIQUE_ID(label)) + +void __init init_userspace_fs(void); + #endif /* _LINUX_FS_STRUCT_H */ --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E6FDC3B3C06; Mon, 1 Jun 2026 13:57:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322227; cv=none; b=NWFJlT2qtFGuiHF9lUh6kYoJSlp74Hml2DqjSDk1W/iJ4+16nEFhRbviiQ9bUleYRGpTfIwBrn93J4f2TV2hrynmslTlMZazTiwoQ+2SdYzs4F3J/LXYiGxoFWMkegg0dNIMqCpPOMU5DryXwyYbSsDlWmgOtKHs0poo4HfKe6U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322227; c=relaxed/simple; bh=AKYRjOqMRK/wG9j9r/7wmXSlPiTMO8Vc+f+BjxObbm4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=WkJO0gDL7DrlxVgmacdTdvX4CqUvXc6cUPq2txtd0PJoz8QBJ6Z1P86ERxVyXJAJiYBIwn6oSlNlzsN5HAXYns3GfZ2Jn8FwSg3sxcm1vRTMGHi6kkpx+i0wy5FBiZRuPinWzdbYHm69vEhiHhVB6PSJx0LiD9PNwyoOG2Ipp1Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=BSp8kMOt; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="BSp8kMOt" Received: by smtp.kernel.org (Postfix) with ESMTPSA id EFDCB1F00893; Mon, 1 Jun 2026 13:57:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322225; bh=LQJF7BixTWRY2HuYf9e2bI/X2zgv8m+tTTBh7WEfjkI=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=BSp8kMOtfvnNyrAZuJX12OH2rrlpcanCBrhpAXgvTSuiql86nx9EofsgN9it77WfF L6VixZQtZR2y7qpzy4HMkmhlbqfWZEOOdA1+IXc1B3GkmF6G9aDc0qbO2Y4YmCUeRh eeMaB10LYpap/JYsE++xDDzyV+MkeOIg3LGDOCKdaCGWYweZV2JJxEdQMl0ga2X46w /skZlvkNBR6US4JVqie8aA5xlPZGYzavJ+PF2Nu6dzVAvcAW9ukew/Xg0KSLUg6JcD I+2t7Jf36WQvNfMYFSAnPugEs5HhJkAcm1VcCrJJV7zUiUjCpsiz/MSNTYN/S9fyJg UzDlNiEROOQbg== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:37 +0200 Subject: [PATCH RFC v4 04/25] fs: add real_fs to track task's actual fs_struct Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-4-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=6829; i=brauner@kernel.org; h=from:subject:message-id; bh=AKYRjOqMRK/wG9j9r/7wmXSlPiTMO8Vc+f+BjxObbm4=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i9jeL3eUGO5yJc0y9zSkwku28+8Mb3unqlirVVxR jR+yibtjlIWBjEuBlkxRRaHdpNwueU8FZuNMjVg5rAygQ3h4hSAiRy9wciw4eCViydcHwmdKA39 VeB/fIqs+aP+Mx7N1a/LKyVjjgglMPwPKp3lbXZ2vsI3oY7Te4Lso3hv+Fscz/Woufbl5aufYS9 5AQ== X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Add a real_fs field to task_struct that always mirrors the fs field. This lays the groundwork for distinguishing between a task's permanent fs_struct and one that is temporarily overridden via scoped_with_init_fs(). When a kthread temporarily overrides current->fs for path lookup, we need to know the original fs_struct for operations like exit_fs() and unshare_fs_struct() that must operate on the real, permanent fs. For now real_fs is always equal to fs. It is maintained alongside fs in all the relevant paths: exit_fs(), unshare_fs_struct(), switch_fs_struct(), and copy_fs(). Signed-off-by: Christian Brauner (Amutable) --- fs/fs_struct.c | 11 ++++++++--- fs/proc/array.c | 4 ++-- fs/proc/base.c | 8 ++++---- fs/proc_namespace.c | 4 ++-- include/linux/sched.h | 1 + init/init_task.c | 1 + kernel/fork.c | 8 +++++++- kernel/kcmp.c | 2 +- 8 files changed, 26 insertions(+), 13 deletions(-) diff --git a/fs/fs_struct.c b/fs/fs_struct.c index fcecf209f1a9..c03a574ed65a 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -61,7 +61,7 @@ void chroot_fs_refs(const struct path *old_root, const st= ruct path *new_root) read_lock(&tasklist_lock); for_each_process_thread(g, p) { task_lock(p); - fs =3D p->fs; + fs =3D p->real_fs; if (fs) { int hits =3D 0; write_seqlock(&fs->seq); @@ -89,12 +89,13 @@ void free_fs_struct(struct fs_struct *fs) =20 void exit_fs(struct task_struct *tsk) { - struct fs_struct *fs =3D tsk->fs; + struct fs_struct *fs =3D tsk->real_fs; =20 if (fs) { int kill; task_lock(tsk); read_seqlock_excl(&fs->seq); + tsk->real_fs =3D NULL; tsk->fs =3D NULL; kill =3D !--fs->users; read_sequnlock_excl(&fs->seq); @@ -126,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) =20 int unshare_fs_struct(void) { - struct fs_struct *fs =3D current->fs; + struct fs_struct *fs =3D current->real_fs; struct fs_struct *new_fs =3D copy_fs_struct(fs); int kill; =20 @@ -135,8 +136,10 @@ int unshare_fs_struct(void) =20 task_lock(current); read_seqlock_excl(&fs->seq); + VFS_WARN_ON_ONCE(fs !=3D current->fs); kill =3D !--fs->users; current->fs =3D new_fs; + current->real_fs =3D new_fs; read_sequnlock_excl(&fs->seq); task_unlock(current); =20 @@ -177,8 +180,10 @@ struct fs_struct *switch_fs_struct(struct fs_struct *n= ew_fs) =20 scoped_guard(task_lock, current) { fs =3D current->fs; + VFS_WARN_ON_ONCE(fs !=3D current->real_fs); read_seqlock_excl(&fs->seq); current->fs =3D new_fs; + current->real_fs =3D new_fs; if (--fs->users) new_fs =3D NULL; else diff --git a/fs/proc/array.c b/fs/proc/array.c index 90fb0c6b5f99..109bc49f0a80 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -168,8 +168,8 @@ static inline void task_state(struct seq_file *m, struc= t pid_namespace *ns, cred =3D get_task_cred(p); =20 task_lock(p); - if (p->fs) - umask =3D p->fs->umask; + if (p->real_fs) + umask =3D p->real_fs->umask; if (p->files) max_fds =3D files_fdtable(p->files)->max_fds; task_unlock(p); diff --git a/fs/proc/base.c b/fs/proc/base.c index d9acfa89c894..d756f977cb89 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -210,8 +210,8 @@ static int get_task_root(struct task_struct *task, stru= ct path *root) int result =3D -ENOENT; =20 task_lock(task); - if (task->fs) { - get_fs_root(task->fs, root); + if (task->real_fs) { + get_fs_root(task->real_fs, root); result =3D 0; } task_unlock(task); @@ -225,8 +225,8 @@ static int proc_cwd_link(struct dentry *dentry, struct = path *path) =20 if (task) { task_lock(task); - if (task->fs) { - get_fs_pwd(task->fs, path); + if (task->real_fs) { + get_fs_pwd(task->real_fs, path); result =3D 0; } task_unlock(task); diff --git a/fs/proc_namespace.c b/fs/proc_namespace.c index 5c555db68aa2..036356c0a55b 100644 --- a/fs/proc_namespace.c +++ b/fs/proc_namespace.c @@ -254,13 +254,13 @@ static int mounts_open_common(struct inode *inode, st= ruct file *file, } ns =3D nsp->mnt_ns; get_mnt_ns(ns); - if (!task->fs) { + if (!task->real_fs) { task_unlock(task); put_task_struct(task); ret =3D -ENOENT; goto err_put_ns; } - get_fs_root(task->fs, &root); + get_fs_root(task->real_fs, &root); task_unlock(task); put_task_struct(task); =20 diff --git a/include/linux/sched.h b/include/linux/sched.h index 368c7b4d7cb5..c82b3b47121b 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,7 @@ struct task_struct { unsigned long last_switch_time; #endif /* Filesystem information: */ + struct fs_struct *real_fs; struct fs_struct *fs; =20 /* Open file information: */ diff --git a/init/init_task.c b/init/init_task.c index b5f48ebdc2b6..2a7789dc2464 100644 --- a/init/init_task.c +++ b/init/init_task.c @@ -152,6 +152,7 @@ struct task_struct init_task __aligned(L1_CACHE_BYTES) = =3D { RCU_POINTER_INITIALIZER(cred, &init_cred), .comm =3D INIT_TASK_COMM, .thread =3D INIT_THREAD, + .real_fs =3D &init_fs, .fs =3D &init_fs, .files =3D &init_files, #ifdef CONFIG_IO_URING diff --git a/kernel/fork.c b/kernel/fork.c index 846a49088fae..bf153b2929d4 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1596,6 +1596,8 @@ static int copy_mm(u64 clone_flags, struct task_struc= t *tsk) static int copy_fs(u64 clone_flags, struct task_struct *tsk) { struct fs_struct *fs =3D current->fs; + + VFS_WARN_ON_ONCE(current->fs !=3D current->real_fs); if (clone_flags & CLONE_FS) { /* tsk->fs is already what we want */ read_seqlock_excl(&fs->seq); @@ -1608,7 +1610,7 @@ static int copy_fs(u64 clone_flags, struct task_struc= t *tsk) read_sequnlock_excl(&fs->seq); return 0; } - tsk->fs =3D copy_fs_struct(fs); + tsk->real_fs =3D tsk->fs =3D copy_fs_struct(fs); if (!tsk->fs) return -ENOMEM; return 0; @@ -3223,6 +3225,10 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |=3D CLONE_FS; =20 + /* No unsharing with overriden fs state */ + VFS_WARN_ON_ONCE(unshare_flags & (CLONE_NEWNS | CLONE_FS) && + current->fs !=3D current->real_fs); + err =3D check_unshare_flags(unshare_flags); if (err) goto bad_unshare_out; diff --git a/kernel/kcmp.c b/kernel/kcmp.c index 7c1a65bd5f8d..76476aeee067 100644 --- a/kernel/kcmp.c +++ b/kernel/kcmp.c @@ -186,7 +186,7 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, ty= pe, ret =3D kcmp_ptr(task1->files, task2->files, KCMP_FILES); break; case KCMP_FS: - ret =3D kcmp_ptr(task1->fs, task2->fs, KCMP_FS); + ret =3D kcmp_ptr(task1->real_fs, task2->real_fs, KCMP_FS); break; case KCMP_SIGHAND: ret =3D kcmp_ptr(task1->sighand, task2->sighand, KCMP_SIGHAND); --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 13E0A3B4EA2; Mon, 1 Jun 2026 13:57:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322229; cv=none; b=OExVovO9Mr+PyrbJmO3wkXEalXM2Y7EPRQd4TIf1inSQvIDoqgrKmU0lWWdQfaTg/YZ6iZ6fw/49Yzg/1WvN0ElWGtx3H3+3KJXbvy8Eh4KIdLKC595NEOV9aKdKbUc/P0n5YjMPrpJx5kkTtyWMK5dQFm2f/BxYKUET+V7wd/0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322229; c=relaxed/simple; bh=GXmZmaDyqvbsZCl8E2dHZtc+jpNESyMGkrgouGyxzIg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=i4mA4pF6NVvNwGHrZB7SvwT/Pl77XedNUdj1BREJZBbPQG3scnyl4j/YxPXuuTGlO5ErCcWu2JNv66zT9mFD2U3aKt5rVTiQTd8Zg9x0M9m68+IHFYrMB1qU8JIxqwmadcYiE4DBgjRqoxkT8zOF3EYrZYVxf6KVmbcwyO1aqXg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=AWgXWXHC; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="AWgXWXHC" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0FA951F00898; Mon, 1 Jun 2026 13:57:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322227; bh=F7kDxB3UIe0bG5dRVUn0Tz7gBFB3O3e9kA0wc1UNjjU=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=AWgXWXHC7mt+iKQBL2fjuDlpV4oPX/DJWSn3udSlgdInBTrCpvxHZ/4NVpm9PDXzJ AM4l5DaVjIM5EYazj5D7XTx+0PcyGA6cDBx2BwL4K/XjkRiISBcVCl9PatLkTu+XZD h5mA79tdvf6G+wBZFHl5mmSqFuFMkUiPQXT1K5IiG5QMJmmssG4IMtTtNpCZY/QIwT IqO68nhPJLg7ZyevJXKpDvxu/3oVyCXPvJjUJzh3FrLKg30C+6BukiSZb+5p43dOgL I3NoZ6zqDouyLTsVE7je4puXzW1HSdtN7ORgO/qse1/iEo0Z+TleZUa5E+n69XTa3/ gccLJz8deOLfw== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:38 +0200 Subject: [PATCH RFC v4 05/25] fs: make userspace_init_fs a dynamically-initialized pointer Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-5-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=6011; i=brauner@kernel.org; h=from:subject:message-id; bh=GXmZmaDyqvbsZCl8E2dHZtc+jpNESyMGkrgouGyxzIg=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i8LD0rjuLlMYVp4beYaS93YuJd52xOlln262xF6I Nup9uCWjlIWBjEuBlkxRRaHdpNwueU8FZuNMjVg5rAygQxh4OIUgIkkf2Vk6JvFM+tB8Ba9Xdl7 y5/s7mmTmSPMxxHVxm2xIO/E7fDdCowMa5Zv7jldc8T/bnvGprQlh+8+4XXcbf7Sr+VUg8NrfbH pLAA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Change userspace_init_fs from a declared-but-unused extern struct to a dynamically initialized pointer. Add init_userspace_fs() which is called early in kernel_init() (PID 1) to record PID 1's fs_struct as the canonical userspace filesystem state. Wire up __override_init_fs() and __revert_init_fs() to actually swap current->fs to/from userspace_init_fs. Previously these were no-ops that stored current->fs back to itself. Fix nullfs_userspace_init() to compare against userspace_init_fs instead of &init_fs. When PID 1 unshares its filesystem state, revert userspace_init_fs to init_fs's root (nullfs) so that stale filesystem state is not silently inherited by kworkers and usermodehelpers. At this stage PID 1's fs still points to rootfs (set by init_mount_tree), so userspace_init_fs points to rootfs and scoped_with_init_fs() is functionally equivalent to its previous no-op behavior. Signed-off-by: Christian Brauner (Amutable) --- fs/fs_struct.c | 48 +++++++++++++++++++++++++++++++++++++++++++= +++- include/linux/fs_struct.h | 15 ++++++++------- include/linux/init_task.h | 1 + init/main.c | 3 +++ 4 files changed, 59 insertions(+), 8 deletions(-) diff --git a/fs/fs_struct.c b/fs/fs_struct.c index c03a574ed65a..f44e43ce6d93 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -8,6 +8,7 @@ #include #include #include "internal.h" +#include "mount.h" =20 /* * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values. @@ -163,15 +164,34 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); * fs_struct state. Breaking that contract sucks for both sides. * So just don't bother with extra work for this. No sane init * system should ever do this. + * + * On older kernels if PID 1 unshared its filesystem state with us the + * kernel simply used the stale fs_struct state implicitly pinning + * anything that PID 1 had last used. Even if PID 1 might've moved on to + * some completely different fs_struct state and might've even unmounted + * the old root. + * + * This has hilarious consequences: Think continuing to dump coredump + * state into an implicitly pinned directory somewhere. Calling random + * binaries in the old rootfs via usermodehelpers. + * + * Be aggressive about this: We simply reject operating on stale + * fs_struct state by reverting to nullfs. Every kworker that does + * lookups after this point will fail. Every usermodehelper call will + * fail. Tough luck but let's be kind and emit a warning to userspace. */ static inline void validate_fs_switch(struct fs_struct *old_fs) { + might_sleep(); + if (likely(current->pid !=3D 1)) return; /* @old_fs may be dangling but for comparison it's fine */ - if (old_fs !=3D &init_fs) + if (old_fs !=3D userspace_init_fs) return; pr_warn("VFS: Pid 1 stopped sharing filesystem state\n"); + set_fs_root(userspace_init_fs, &init_fs.root); + set_fs_pwd(userspace_init_fs, &init_fs.root); } =20 struct fs_struct *switch_fs_struct(struct fs_struct *new_fs) @@ -201,3 +221,29 @@ struct fs_struct init_fs =3D { .seq =3D __SEQLOCK_UNLOCKED(init_fs.seq), .umask =3D 0022, }; + +struct fs_struct *userspace_init_fs __ro_after_init; +EXPORT_SYMBOL_GPL(userspace_init_fs); + +void __init init_userspace_fs(void) +{ + struct mount *m; + struct path root; + + /* Move PID 1 from nullfs into the initramfs. */ + m =3D topmost_overmount(current->nsproxy->mnt_ns->root); + root.mnt =3D &m->mnt; + root.dentry =3D root.mnt->mnt_root; + + VFS_WARN_ON_ONCE(current->pid !=3D 1); + + set_fs_root(current->fs, &root); + set_fs_pwd(current->fs, &root); + + /* Hold a reference for the global pointer. */ + read_seqlock_excl(¤t->fs->seq); + current->fs->users++; + read_sequnlock_excl(¤t->fs->seq); + + userspace_init_fs =3D current->fs; +} diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h index e11d0e57168f..97eef8d3863d 100644 --- a/include/linux/fs_struct.h +++ b/include/linux/fs_struct.h @@ -17,6 +17,7 @@ struct fs_struct { } __randomize_layout; =20 extern struct kmem_cache *fs_cachep; +extern struct fs_struct *userspace_init_fs; =20 extern void exit_fs(struct task_struct *); extern void set_fs_root(struct fs_struct *, const struct path *); @@ -57,17 +58,17 @@ static inline int current_umask(void) */ static inline struct fs_struct *__override_init_fs(void) { - struct fs_struct *fs; + struct fs_struct *old_fs; =20 - fs =3D current->fs; - WRITE_ONCE(current->fs, fs); - return fs; + old_fs =3D current->fs; + WRITE_ONCE(current->fs, userspace_init_fs); + return old_fs; } =20 -static inline void __revert_init_fs(struct fs_struct *revert_fs) +static inline void __revert_init_fs(struct fs_struct *old_fs) { - VFS_WARN_ON_ONCE(current->fs !=3D revert_fs); - WRITE_ONCE(current->fs, revert_fs); + VFS_WARN_ON_ONCE(current->fs !=3D userspace_init_fs); + WRITE_ONCE(current->fs, old_fs); } =20 DEFINE_CLASS(__override_init_fs, diff --git a/include/linux/init_task.h b/include/linux/init_task.h index a6cb241ea00c..61536be773f5 100644 --- a/include/linux/init_task.h +++ b/include/linux/init_task.h @@ -24,6 +24,7 @@ =20 extern struct files_struct init_files; extern struct fs_struct init_fs; +extern struct fs_struct *userspace_init_fs; extern struct nsproxy init_nsproxy; =20 #ifndef CONFIG_VIRT_CPU_ACCOUNTING_NATIVE diff --git a/init/main.c b/init/main.c index 96f93bb06c49..decfb0e03663 100644 --- a/init/main.c +++ b/init/main.c @@ -103,6 +103,7 @@ #include #include #include +#include #include #include #include @@ -1585,6 +1586,8 @@ static int __ref kernel_init(void *unused) { int ret; =20 + init_userspace_fs(); + /* * Wait until kthreadd is all set-up. */ --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2AC103B635E; Mon, 1 Jun 2026 13:57:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322231; cv=none; b=kxiFsMwgvhOaPFlajl9rW1W+fhGlPwMa28OvVpD+T5/dheBd+fJv+AvvJahjqqDCB5K5KN6f4JIqgBevwWlSmIJ8i4zj1hukBodLv7SeR5g8STmLtsHLRYeYTCy1pGqAERGd757ZIemZvYnV0w1dfoHEjKTjLBVNTblTM7eAuZg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322231; c=relaxed/simple; bh=by/+C59iwgehFw6nC4+2iHaRyiPP2fQCQhRwmRZjg10=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=j/jnrYmalaHAYRiQqAq271ezoibMaytdMxNIFjdrdSXGa6RoqAIQ93GYL61MJWgsOQGJ4ujH5M0aRb34zU8fL4c7u0DayeEy0r6ggDwBKfIACYmxprsvhx+MLYdfJony8bVAwQOwxIHslNQTJLmXTyz2mfx5MVB6nMqe+qjCklY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ZQUdEeGZ; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ZQUdEeGZ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3AAE61F00893; Mon, 1 Jun 2026 13:57:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322229; bh=x9Lc58HTpsAv/uPV2t8po/QIleDWlE/poupA2lhMO+M=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=ZQUdEeGZ6o247TrjqL33dKounGqna8TQ/s8npGh4vWAwv+e2oMb9wHY0759wAbnIy Ef6RR38m9AfhfIsDcPFy/EPBJpGwxCMSL3ZlXQT4pA0sC1HdU4qibhc+tHfU1B+7jp 099YMxTKeMhYdmNzRdUgPvNCHETHgIAHzq0nMriBMUftdFLiOhLYjEjmCikSi8lFuP DSS7yRy0+wis+0Qbjz5ifSYOTETEjWfZ0IbKnVqfC2tNkk/XAAWbn9W9lmOTzXEJ/C oaGsWPHi6O7l/Y70pmjxleFf9k12udQq4kpyu2pyjy+NRv5LW2rhqB8AdsWFtZQ3Y0 mKa1I1w8UbbHQ== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:39 +0200 Subject: [PATCH RFC v4 06/25] rnbd: use scoped_with_init_fs() for block device open Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-6-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1281; i=brauner@kernel.org; h=from:subject:message-id; bh=by/+C59iwgehFw6nC4+2iHaRyiPP2fQCQhRwmRZjg10=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i9bsnMGI3vTzdrzyy7vf6Bh2mY1c5nXLKNoh4xFf OydvzJFOkpZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACYySZzhN4uJ5eEdkx/JRZyr vJGqVaTge3mFaMKDczva9Vapr5f778vwz1pX6ejLd/HBk+ZZqkq96rjs2/dOMSV72/q3G1d3Wn6 zYgUA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Use scoped_with_init_fs() to temporarily override current->fs for the bdev_file_open_by_path() call so the path lookup happens in init's filesystem context. process_msg_open() =E2=86=90 rnbd_srv_rdma_ev() =E2=86=90 RDMA completion c= allback =E2=86=90 ib_cq_poll_work() =E2=86=90 kworker (InfiniBand completion workqueue) Signed-off-by: Christian Brauner (Amutable) --- drivers/block/rnbd/rnbd-srv.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/block/rnbd/rnbd-srv.c b/drivers/block/rnbd/rnbd-srv.c index 10e8c438bb43..79c9a5fb418f 100644 --- a/drivers/block/rnbd/rnbd-srv.c +++ b/drivers/block/rnbd/rnbd-srv.c @@ -11,6 +11,7 @@ =20 #include #include +#include =20 #include "rnbd-srv.h" #include "rnbd-srv-trace.h" @@ -734,7 +735,8 @@ static int process_msg_open(struct rnbd_srv_session *sr= v_sess, goto reject; } =20 - bdev_file =3D bdev_file_open_by_path(full_path, open_flags, NULL, NULL); + scoped_with_init_fs() + bdev_file =3D bdev_file_open_by_path(full_path, open_flags, NULL, NULL); if (IS_ERR(bdev_file)) { ret =3D PTR_ERR(bdev_file); pr_err("Opening device '%s' on session %s failed, failed to open the blo= ck device, err: %pe\n", --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F001F3B83E1; Mon, 1 Jun 2026 13:57:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322233; cv=none; b=XAmAIilkuKJonm4ysFEfKDnH90gHApi7n2gz+NZtm7nM/rwBeJ5c1F6ygWLA8f7D2xQUkLF5XCij/ILB4Dy09oeJcExWC6nCkK+KHxLvPGB5Y8PPr1xiaLE+sYCUOkCnzWxCF6jNMnXr3aiUhhHto/+hbcoatOw6OFlPFCDA5ZQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322233; c=relaxed/simple; bh=g07l1VDUtYdbYl2ugEK+WnxyfY/aNCNWhYVLFZn/gZ4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=P41DPHnmrn8z+cYbUmYogOrZouh25rn1NXigxYZBag4t/3Dqv0U/A7oBLk+Rb724/DU0IqKNffabOqT1kB26UMRV69JJuNrExDQe46rHzLwNKrX6PwIPBATVJcXjss5GFOrCMvWeuScn6Vc7Jx3ux6ni7ppN42k9oA+V7I5+2jg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=bxNlstUw; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="bxNlstUw" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3B6741F00898; Mon, 1 Jun 2026 13:57:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322231; bh=Zjpyh39ryQoJz0hyLzbwn2P4A3zfjWjOuGIPTVd4GA8=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=bxNlstUwrGHB5lxg9dXndvZ+4swJRRka9x1lOZ7UA1AS/e4zyJasXLisNeiH6ktKw LYAa5htnsqizjTJ1WzmnWwXnmPrNlRf3Oukpw5WRxSXRhZY5ThqlD91EMn9j9pIVmq Lma0o9oGJKLjQZR2Atiof0+jy4qMgWDWaWZJpoOBSUpkvENW3ti5nCzdmaSwrFd0+7 LeVK+s2IJZ9jVzQ0LKE0wG089JIHRu6XvLKgLPuJndWpe5CcWr/jt6osIxjnHDg/ir F+28HF0DCbFfOEaOIwQ/Wg4b3czNEFfCLumCybvdKN8/yjHziFgxsFLOJ/zNkMRCGa sS6obLnSuWOGw== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:40 +0200 Subject: [PATCH RFC v4 07/25] crypto: ccp: use scoped_with_init_fs() for SEV file access Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-7-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1518; i=brauner@kernel.org; h=from:subject:message-id; bh=g07l1VDUtYdbYl2ugEK+WnxyfY/aNCNWhYVLFZn/gZ4=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i8TdQh7kWuvManMZvb9xTWcnx50SaQkfLCVu6R18 KFERjNXRykLgxgXg6yYIotDu0m43HKeis1GmRowc1iZQIYwcHEKwERMXjP8D2wzb3JTMln/9/rJ B23sGb2vVl89apofWGjkf4srYa3PA0aGJU+vd8t65rjbya0Jut/u+VLo9av3vBXXjDaK/yjkNkj mAgA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Replace the manual init_task root retrieval with scoped_with_init_fs() to temporarily override current->fs. This allows using the simpler filp_open() instead of the init_root() + file_open_root() pattern. open_file_as_root() =E2=86=90 sev_read_init_ex_file() / sev_write_init_ex_f= ile() =E2=86=90 sev_platform_init() =E2=86=90 __sev_guest_init() =E2=86=90 KVM io= ctl =E2=80=94 user process context Needs init's root because the SEV init_ex file path should resolve against the real root, not a KVM user's chroot. Signed-off-by: Christian Brauner (Amutable) --- drivers/crypto/ccp/sev-dev.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index d1e9e0ac63b6..b99737f7f571 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -260,20 +260,16 @@ static int sev_cmd_buffer_len(int cmd) =20 static struct file *open_file_as_root(const char *filename, int flags, umo= de_t mode) { - struct path root __free(path_put) =3D {}; - - task_lock(&init_task); - get_fs_root(init_task.fs, &root); - task_unlock(&init_task); - CLASS(prepare_creds, cred)(); if (!cred) return ERR_PTR(-ENOMEM); =20 cred->fsuid =3D GLOBAL_ROOT_UID; =20 - scoped_with_creds(cred) - return file_open_root(&root, filename, flags, mode); + scoped_with_init_fs() { + scoped_with_creds(cred) + return filp_open(filename, flags, mode); + } } =20 static int sev_read_init_ex_file(void) --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 56E813B95EC; Mon, 1 Jun 2026 13:57:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322235; cv=none; b=Eiksa7HYwICXH+I6YP2sl8XylC6x100zW+uO9rNJabd3BvJepYMFCiQ7VOrkUC/urS7ivcLHpkfEXzr+RUAxCQlkIEh9SHYr743Xt2T7sxD0sP/n8On8DeJMQpJUHj3qkcYgJVFUNs8IMb5MEvPMEYs5lkpxmnBgpBId9vPGEJw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322235; c=relaxed/simple; bh=28cTtoRZ91x0UobuBzcDuTy88XofJSyJRzGUK8il5ks=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=K/2HFJrU5d1r+HLcW9Uj/yi8j2xruyIY1JI8sTvd+PKlHshus2s5hZdDtk4pHNEC6jnEUQVcBuCyOlZG/GpolK0EE1/lZynK8rgj/Wb/9yc1nu1M08vSqJGF4p5KFmMDUnHGfEavW8YN7k61jzVGLWsO4DGnczJzQ6hDD+OwBjY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=luHnu9RB; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="luHnu9RB" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6605D1F00893; Mon, 1 Jun 2026 13:57:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322234; bh=giKY8JuX3BnC+v3+mCwSxvb1yY79yldA0LrSALkMRIg=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=luHnu9RBuLVp9DPZ6KFuaeaGlOoxBQtxZtzDtxyt/MxbABLmiitL7ffSmZMZ3arnV AOBV2bmp5jXOWq7UnN9GX3xIfbtngJvtALan7kY9wTObsqm8eiR9bvLiU5zXuGRkX7 g/tte6hJVUttVaWB3c8pY83+VRZHCe32vMBuNdZ8RLTWmyEASnN7gtEGeX9gQWt9yo lT4PkT+vQwpuOa8M/0TaM/ZV7XIfA2XuIk82YIbwP4DnOuZ6nLR+LTWC/Y3sdT9WkJ ypoqqN5cofrQLMwFX9/UZYh7PwLjD1S4i+ZLiOeGQ1pOD9/mQcgyv4BRaBBdrssRHG f727xSia1UB/Q== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:41 +0200 Subject: [PATCH RFC v4 08/25] scsi: target: use scoped_with_init_fs() for ALUA metadata Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-8-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=2077; i=brauner@kernel.org; h=from:subject:message-id; bh=28cTtoRZ91x0UobuBzcDuTy88XofJSyJRzGUK8il5ks=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i/LkwzqLl3NcCJLklFuRYtm4GvJ+W/nRG4WjyzgN +xczMXeUcrCIMbFICumyOLQbhIut5ynYrNRpgbMHFYmkCEMXJwCMJHHwYwMnxikf045ufnhP3cT 9bjsXtnYX/GSG095rmH5ppm/ecuVAoa/4vLbRH98UawOrWVt5PiWzBLL/1buQ8m2PSeUS0/bXtF mBwA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 core_alua_write_tpg_metadata() can be called from both kthread and user process context. Use scoped_with_init_fs() to temporarily override current->fs for the filp_open() call when running in kthread context so the path lookup happens in init's filesystem context. core_alua_write_tpg_metadata() =E2=86=90 core_alua_update_tpg_primary_metad= ata() =E2=86=90 core_alua_do_transition_tg_pt() =E2=86=90 target_queued_submit_wo= rk() =E2=86=90 kworker (target submission workqueue) Also reached synchronously from configfs (user process) via the alua_access_state and alua_tg_pt_offline attributes: core_alua_write_tpg_metadata() =E2=86=90 core_alua_update_tpg_primary_metad= ata() =E2=86=90 core_alua_do_transition_tg_pt() =E2=86=90 core_alua_do_port_trans= ition() =E2=86=90 target_tg_pt_gp_alua_access_state_store() In that case current->fs must not be overridden as the path should resolve against the calling process's filesystem root. Signed-off-by: Christian Brauner (Amutable) --- drivers/target/target_core_alua.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/target/target_core_alua.c b/drivers/target/target_core= _alua.c index 10250aca5a81..140154d93c43 100644 --- a/drivers/target/target_core_alua.c +++ b/drivers/target/target_core_alua.c @@ -18,6 +18,8 @@ #include #include #include +#include +#include #include #include =20 @@ -856,10 +858,17 @@ static int core_alua_write_tpg_metadata( unsigned char *md_buf, u32 md_buf_len) { - struct file *file =3D filp_open(path, O_RDWR | O_CREAT | O_TRUNC, 0600); + struct file *file; loff_t pos =3D 0; int ret; =20 + if (tsk_is_kthread(current)) { + scoped_with_init_fs() + file =3D filp_open(path, O_RDWR | O_CREAT | O_TRUNC, 0600); + } else { + file =3D filp_open(path, O_RDWR | O_CREAT | O_TRUNC, 0600); + } + if (IS_ERR(file)) { pr_err("filp_open(%s) for ALUA metadata failed\n", path); return -ENODEV; --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 363B03B9D99; Mon, 1 Jun 2026 13:57:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322237; cv=none; b=ff34z4pbgTQkj3LCi1wD5aLvsiSePW3+CWO7Q5rPEZUbdQ4fsI/4y3FcqN0hSfBzl0bBoNBkOafhaNilpay8xgYYQlvOrCS33nQzn2vxDw777g5+HAoWg5+FmTG4JJALmkhcBY8Wzq6gD1Lq+afSmj9Fk5KEx4lhVNnpPmVKlqo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322237; c=relaxed/simple; bh=tiQzRYTzrap/7+7fUVwKS26HiHi+4R0kpQPA215DbkI=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=SlR13+cdZUhEnt3EK+5MwIUbSMko5bgTgE+U2nBz84eVeJNsgfhUZg02y/YO/swyza6Leq922KJ1y/Nhh30O2gLGCQNCuKer06qSqcu+IRL1vaimHvpCNpZFyqHg6Vb3PnIqBiq4mvWH/nQfeyummKSfOJWoeIJzvGRdHIUXwXU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=VcTjZILA; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="VcTjZILA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 791731F00898; Mon, 1 Jun 2026 13:57:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322236; bh=ZDUB9cWFMbzzGx0q1kg2mHoWerfNpvgnOShY0yeONws=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=VcTjZILADWd/2SiJynkVrerv+zmRMuRM6AxUqTRB03bZRlR+MlxyODxMcQ4pLJ4l6 pyI6qR8nfoxFJFGmWmPVtcMDG7T84UboaZZTgdZIqnNmoJ1UOF8fFHFk9UOLs6bWNP ERYbN9XnIYna/cxz/4nzPmnT5asTcZKUz0Dk2ScWrA5WOdtHDjPEPJlHGYct+20wxh HT0gjxP/pW7cuOmMEjzHNlQxG+3WaG0pDRpcFQQxn1q8OXBmagcNDveINoUG+KZAJo Jn6xMyv3lIZDMEONjYnzKrrVnstYLpjU3foaJA7FZdlS0F0enxz84yJSL3xUDW4A8y 5q8yo4AdPhEpQ== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:42 +0200 Subject: [PATCH RFC v4 09/25] scsi: target: use scoped_with_init_fs() for APTPL metadata Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-9-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1210; i=brauner@kernel.org; h=from:subject:message-id; bh=tiQzRYTzrap/7+7fUVwKS26HiHi+4R0kpQPA215DbkI=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i/zsIqX/LAxK2zLaV5pkdTLF/Ti9vW/lJNZYrf4T 5rgr16rjlIWBjEuBlkxRRaHdpNwueU8FZuNMjVg5rAygQxh4OIUgIk8u83wv/jTrGPRVvLigq9W 7w7cN/2b7wmLmkDZUh/VU7O/Me9/fJrhn/qSVTnnXzzO37Po//UVLm4R93gzl/a0CHmxn3q9mXu 1Pj8A X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Use scoped_with_init_fs() to temporarily override current->fs for the filp_open() call in __core_scsi3_write_aptpl_to_file() so the path lookup happens in init's filesystem context. __core_scsi3_write_aptpl_to_file() =E2=86=90 core_scsi3_update_and_write_ap= tpl() =E2=86=90 PR command handlers =E2=86=90 target_queued_submit_work() =E2=86= =90 kworker Signed-off-by: Christian Brauner (Amutable) --- drivers/target/target_core_pr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_p= r.c index 11790f2c5d80..cfd949e7a095 100644 --- a/drivers/target/target_core_pr.c +++ b/drivers/target/target_core_pr.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include =20 @@ -1969,7 +1970,8 @@ static int __core_scsi3_write_aptpl_to_file( if (!path) return -ENOMEM; =20 - file =3D filp_open(path, flags, 0600); + scoped_with_init_fs() + file =3D filp_open(path, flags, 0600); if (IS_ERR(file)) { pr_err("filp_open(%s) for APTPL metadata" " failed\n", path); --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E9A43BADA5; Mon, 1 Jun 2026 13:57:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322239; cv=none; b=iD4W1FvvOUyEm+s5rpHA2TaMzbq96SFEPkwkG9V/h6iuO8uL0vA9G/85o/Ib8v9L8bjEuvgMvOxGIgOYbz7YKJ9VfLuYtXZK9jPACbGe2PwO7fTdT4RIXlCUDbm91iVJqjLLw0KmsI4cR9Mc8DfUZZxOrTfxvx63k19QDzN7UpM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322239; c=relaxed/simple; bh=piQMn1e6FaWg5N5YyNpDLQ+CLvrL1afyXNBbQ5NJvPc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=jodfAZBfZNsfee2sS7A5HQ7PjeZl5svbKM1rv5DgRZXvqMi1NgNyrvFXolyNnVZbLarPd6q8tC0Z7Q/KU9ZlA6XdZ2FOXBqBEnqW3k9jFsF2BoSzb65uXVHDq9h5dRmXi3QjEa8QqC54/yipm0uEDTQCi0dEkGa+hFhIIirMuCc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=dBO+ATgg; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="dBO+ATgg" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8F5051F00893; Mon, 1 Jun 2026 13:57:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322238; bh=lP8OEgQM5WpZ3TOFDqqMlVW2UDNnbc/Kdkkhd8jbQeM=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=dBO+ATggiG7i6Gqbs4BC2koSaI34cjBXvAaePvMFxmzJDmwclb3yQlmZtV13NuEKq rravWdbKT3aYxi0/kkJX9p7MDQXSMOu5F+ViO81FATVMmdQhqBfxtD/vgKP4FtAooU KIJlgWE9ysv75AqLQ7SENGy4cHS5B9icRHNqkZo0e07g2KeoZcT9vUmKGitQCbTghv l0pW0zF5Fr60q2Zlb5GwgSajNc4shHrzCpybbo35z0MCemyTKmSkzyuqwKqNbzNyxp XYm4qxV4KJvaJxm/BApCsMShaH4IQiSnwk8ZhsxaJIp5TSCCIDyi905rMZZ5/3KiZ0 Or3a92+NzjDFw== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:43 +0200 Subject: [PATCH RFC v4 10/25] btrfs: use scoped_with_init_fs() for update_dev_time() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-10-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1471; i=brauner@kernel.org; h=from:subject:message-id; bh=piQMn1e6FaWg5N5YyNpDLQ+CLvrL1afyXNBbQ5NJvPc=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i8zPL7G/nBPgmPz5Y+37+lJ21duublV8pVQwrXt7 EHORcmrO0pZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACYyOYLhn13SnR398sf7K3W1 C3jKd2XP87eX0un8lymTsvtQ7BoeY0aGid6ryjklZ87geH/5BZfKGd55Z/avf1PWfnfTyrTcRW4 nmAA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 update_dev_time() can be called from both kthread and process context. Use scoped_with_init_fs() to temporarily override current->fs for the kern_path() call when running in kthread context so the path lookup happens in init's filesystem context. update_dev_time() =E2=86=90 btrfs_scratch_superblocks() =E2=86=90 btrfs_dev_replace_finishing() =E2=86=90 btrfs_dev_replace_kthread() =E2=86=90 kthread (kthread_run) Also called from ioctl (user process). Signed-off-by: Christian Brauner (Amutable) --- fs/btrfs/volumes.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index a88e68f90564..967a1fab5c96 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -12,6 +12,7 @@ #include #include #include +#include #include "misc.h" #include "disk-io.h" #include "extent-tree.h" @@ -2120,8 +2121,16 @@ static int btrfs_add_dev_item(struct btrfs_trans_han= dle *trans, static void update_dev_time(const char *device_path) { struct path path; + int err; =20 - if (!kern_path(device_path, LOOKUP_FOLLOW, &path)) { + if (tsk_is_kthread(current)) { + scoped_with_init_fs() + err =3D kern_path(device_path, LOOKUP_FOLLOW, &path); + } else { + err =3D kern_path(device_path, LOOKUP_FOLLOW, &path); + } + + if (!err) { vfs_utimes(&path, NULL); path_put(&path); } --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 75A6D3BB12A; Mon, 1 Jun 2026 13:57:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322241; cv=none; b=HJNuMdxumMROftBmEOpps2HJtoN7W14GNL4ltY/84+PuRbWFd+AEOR85rpE3NF2yLZSMYjJsP9ihZoXAyMI+vFcvyDMiGt2LcuLr/7F22Pm+3yFLXkE/fTTga5yB0ESu0wZDhpnerTfbDU5G6MPcxpkUHeex1MQ3f56LhjT0E+g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322241; c=relaxed/simple; bh=jZu8M0n+dKdGzUCCyIpPQrmaPkWMSz/q9u6Z1w7pxx4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=BOsy8XGPBlLAjjgbOfPuBjvae7Q0g1l+W9aHSokWKyS6LZh3ZwP2P2tR5R5/b87NHu8R93nuGNC2bqLm0AR+SeOCYNhcN7JPhD15E7tD4zrFVSe1x9bANqr7KZnqZETFa9PhHpELBdsBQztY0FFuO625B/14T7CyoZbGuqkb0BQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=SCKwB2a2; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="SCKwB2a2" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A1C7F1F00898; Mon, 1 Jun 2026 13:57:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322240; bh=RxyI8sQQsQSUFxhc5pSDtl0L207LrmPXq24mekBd1vM=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=SCKwB2a2NLyvNiI9El9yu+kZJGYPxViY/PBpnwuUuwhqb6XiiirAGCgbAUYz1dFk4 p++Z6nZY3qKncRrMGA6ys21JOloK0StjcfoRcTeNAZMg2L3e6GnypQQxLbOIuAXAEc wFbHrmQ24qtCdzV9Ccs5i3SVZEBbjyZAmbxY0R9KXbbwzlN9gF1W4Bic2IKTpp5AnD 5Tkann5mFokEZYoQKTh9+1VfEuK3aLlBlCqythVQ8pW/qWmp4bujp7m7k32FZalJ30 M8xi3hgVMXhFe65nLJaC/xSE2LwE152sc/3UCdVJBikHjRnqxaDRfp3epFgd27ilUl H1ni7SLFbd+TA== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:44 +0200 Subject: [PATCH RFC v4 11/25] coredump: use scoped_with_init_fs() for coredump path resolution Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-11-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1550; i=brauner@kernel.org; h=from:subject:message-id; bh=jZu8M0n+dKdGzUCCyIpPQrmaPkWMSz/q9u6Z1w7pxx4=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i+bXbtYQfNQmpCcWpjur/Bv62b1+Vr0qq0u3Caen zFpml1hRykLgxgXg6yYIotDu0m43HKeis1GmRowc1iZQIYwcHEKwEQM+hn+F94o7GBnM9u2/cH8 PonQhgrFbds0XFl4/HdK67CmR7QUMvyVSa6d+dk7r/LUtq8yZgWdrZwvKz8c3Pavi9Mz48i+KTF MAA== X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Use scoped_with_init_fs() to temporarily override current->fs for the filp_open() call so the coredump path lookup happens in init's filesystem context. This replaces the init_root() + file_open_root() pattern with the simpler scoped override. coredump_file() =E2=86=90 do_coredump() =E2=86=90 vfs_coredump() =E2=86=90 = get_signal() =E2=80=94 runs as the crashing userspace process Uses init's root to prevent a chrooted/user-namespaced process from controlling where suid coredumps land. Not a kthread, but intentionally needs init's fs for security. Signed-off-by: Christian Brauner (Amutable) --- fs/coredump.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index bb6fdb1f458e..4c81182e2c63 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -922,15 +922,10 @@ static bool coredump_file(struct core_name *cn, struc= t coredump_params *cprm, * with a fully qualified path" rule is to control where * coredumps may be placed using root privileges, * current->fs->root must not be used. Instead, use the - * root directory of init_task. + * root directory of PID 1. */ - struct path root; - - task_lock(&init_task); - get_fs_root(init_task.fs, &root); - task_unlock(&init_task); - file =3D file_open_root(&root, cn->corename, open_flags, 0600); - path_put(&root); + scoped_with_init_fs() + file =3D filp_open(cn->corename, open_flags, 0600); } else { file =3D filp_open(cn->corename, open_flags, 0600); } --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A8D0E3BBA0A; Mon, 1 Jun 2026 13:57:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322243; cv=none; b=E3RLh6hellOritJFM5hCOWdsjBIU1eQXfozSZrh+UK1tr8TmLghV5kYgYtHoWCwXV3g9JTOgJt5bH1qMe4HtIOXbGJfDT42PXiJa2fxDyFTKq4WB6yI1rGL+9pSouSUAP3rWP1hVbab6YwX+lqzKQlWBS9XfFQMW9S3ne4RPeLY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322243; c=relaxed/simple; bh=WbM5yrbUDi3/A+W4ocvtE04HeGFEymTz1EUeNC3DQ9E=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=tiaWekMosy15mVwS4M4KVlauwJ+Yod/XjtYDgOPcWYDU4kld4At5qQobWdef/DSsHZLs8Fugzifj7TQIz/RcrTDvSDBCYUXmqR6US5X/R0eZroez8gljvqGfQNTnfKt5POwhwPgFFUBIlDGLpYFs4VEiqwefKdiKwAtajbouWeo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=A697x/VJ; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="A697x/VJ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C4B781F00893; Mon, 1 Jun 2026 13:57:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322242; bh=d9dIeMI3yeIFwM0OgiOFJGaxPa/9AVWdbWSEQYd01rI=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=A697x/VJkMi9C2hfKl3QiVjXXBZeTe8qGULFoPJEW21rCjd+knpjKW4vyLtRkCWyR KKj9OUJHX17w/NU2DJH7S2Lv2ISbtirlGS7Y6tUtX7G6Rfp0dTztuzrnLq0di3eU19 D911DXBnSWAzkJpDvoWhLDzRxJpnp04V19Pgnhy2YioAeyFCqJlwKf8y/JIzZ+GEO+ HkRxNIaD0YGl/MjWxFNSwgf/Y9xoyCQ2fdwFESdvNJNzekdEPqq2km/dW3CVFynGuO zz+czLX0sBO2oe8z/W7j2kMsX7RyrhNQz0Hw0bfEnpUQuxPXwIsQYQdwBd0HXYWAjG otfimhqgXF0HA== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:45 +0200 Subject: [PATCH RFC v4 12/25] fs: use scoped_with_init_fs() for kernel_read_file_from_path_initns() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-12-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1336; i=brauner@kernel.org; h=from:subject:message-id; bh=WbM5yrbUDi3/A+W4ocvtE04HeGFEymTz1EUeNC3DQ9E=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i8L+6j7zPs0252GZclzOdKFt+/ir5XmEgtlMMqSt P4gNim0o5SFQYyLQVZMkcWh3SRcbjlPxWajTA2YOaxMIEMYuDgFYCKTMxj+xzp49oVpGK/UPnVz j/3mqWZBl4RSlH5ddmxldK283cLpxvCHc2PGz7A1d7zzN0hdy/rIJrI198lm1TlNdoa7T5Wn665 kAwA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Replace the manual init_task root retrieval with scoped_with_init_fs() to temporarily override current->fs. This allows using the simpler filp_open() instead of the init_root() + file_open_root() pattern. kernel_read_file_from_path_initns() =E2=86=90 fw_get_filesystem_firmware() = =E2=86=90 _request_firmware() =E2=86=90 request_firmware_work_func() =E2=86=90 kworke= r (async firmware loading) Also called synchronously from request_firmware() which can be user or kthread context. Signed-off-by: Christian Brauner (Amutable) --- fs/kernel_read_file.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/fs/kernel_read_file.c b/fs/kernel_read_file.c index de32c95d823d..9c2ba9240083 100644 --- a/fs/kernel_read_file.c +++ b/fs/kernel_read_file.c @@ -150,18 +150,13 @@ ssize_t kernel_read_file_from_path_initns(const char = *path, loff_t offset, enum kernel_read_file_id id) { struct file *file; - struct path root; ssize_t ret; =20 if (!path || !*path) return -EINVAL; =20 - task_lock(&init_task); - get_fs_root(init_task.fs, &root); - task_unlock(&init_task); - - file =3D file_open_root(&root, path, O_RDONLY, 0); - path_put(&root); + scoped_with_init_fs() + file =3D filp_open(path, O_RDONLY, 0); if (IS_ERR(file)) return PTR_ERR(file); =20 --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED0483BB9E3; Mon, 1 Jun 2026 13:57:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322245; cv=none; b=jlpwpNgemUTh8O+m/S/Zm0JdCT4e5IYIkagDFSIekBCzveungyB/9O+nTMDECOW0/lJaB9F7T1NBzApwE7bOZTx+2jyVh8Jswzn8/3B/KM7NxVaU70ZRwvKq/yvCBNJTOHhrcL+uxQzr3bMFFwrUvcJipdM3CZsc1013/WnVzI8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322245; c=relaxed/simple; bh=hmspYre6B8hLxwtzedBtLGee9Mt/2dAkvKYui4zrliI=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Ci+/FoXsnQsV+Dq2RdXNX666a/gPa7pVHEb0OCg6oTRG5xw+wgTXPXI6WZbIrmxomfqinHanZ7pzVPYD7pU7WMDtfm6Zjm5eUBSW80qPA4smyTPN4Bhz+wSJWg4E1g5cbM0qgyWpMbFiJzz8siNcSYjtI+oCDyr8avEi9f//qGo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=gGdDBvWh; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="gGdDBvWh" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E9B5F1F00898; Mon, 1 Jun 2026 13:57:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322244; bh=MCWQm59ZH3b9vqMODPMumqMATKfB/FyQLnOJnFo2a6w=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=gGdDBvWhMjdQDJZIELxe6fssLShnuNL29YqvfmnWmnPnxjiyYA5A99XjLhGRENvRH D0sjxVnpuAhjtWMk24nBEO4K4jncwFxUKdlZpw9bf7E9GoclEoLyx0d1asLeeTw7IE pKh/hFNqUbeWnBR+pxU4tKQsOneHiYg5zmw3O0EUd7c1XpUYnuuWyDk4TLAMr/vAIA cyLR0v7IrHh+MBlV57c/hR0lAXbIoVCgIq9F+ut95tIKwUzaHTDvd/fj3CKP6S0O5Y 3qTJNV1fh1u4dxWDSPZlnmPOtrjZJr6rt9iQEXj2RZR4JPXxK9mRwgYmZpPyomDmYN I7JiCzboLNpnQ== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:46 +0200 Subject: [PATCH RFC v4 13/25] ksmbd: use scoped_with_init_fs() for share path resolution Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-13-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1243; i=brauner@kernel.org; h=from:subject:message-id; bh=hmspYre6B8hLxwtzedBtLGee9Mt/2dAkvKYui4zrliI=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i87PzHb6mD/8wnrIlb1xR6SeeITtc5o1aVLBkHp0 t4tH9gPdZSyMIhxMciKKbI4tJuEyy3nqdhslKkBM4eVCWQIAxenAExkVg4jwwltjp1uduK/OJWr vjPcfbq5plCs8yfPadeCL5bSMYolLQz/Xfw6Ct4t8hJwLXy7eoXZ3Pfc1wp27n7x8PJTybyUFVc YGQE= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Use scoped_with_init_fs() to temporarily override current->fs for the kern_path() call in share_config_request() so the share path lookup happens in init's filesystem context. All ksmbd paths =E2=86=90 SMB command handlers =E2=86=90 handle_ksmbd_work(= ) =E2=86=90 workqueue =E2=86=90 ksmbd_conn_handler_loop() =E2=86=90 kthread Signed-off-by: Christian Brauner (Amutable) --- fs/smb/server/mgmt/share_config.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/mgmt/share_config.c b/fs/smb/server/mgmt/share_c= onfig.c index 53f44ff4d376..4535566abef2 100644 --- a/fs/smb/server/mgmt/share_config.c +++ b/fs/smb/server/mgmt/share_config.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include =20 @@ -189,7 +190,8 @@ static struct ksmbd_share_config *share_config_request(= struct ksmbd_work *work, goto out; } =20 - ret =3D kern_path(share->path, 0, &share->vfs_path); + scoped_with_init_fs() + ret =3D kern_path(share->path, 0, &share->vfs_path); ksmbd_revert_fsids(work); if (ret) { ksmbd_debug(SMB, "failed to access '%s'\n", --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 23BB93BED0C; Mon, 1 Jun 2026 13:57:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322249; cv=none; b=p84QY42IXMxCyRFmR3D5kacDkOZPpe/PUdYNwCSO5vsAmo1bf6qdRUmO6YVZ00rDpPRTzS9cGUxEuT8VhgMZjPXaQme8Nnu4Ka0q4dzZrgDdj2wfYslWNiT6xK+D+uEuom73tFJUxWdurgIxQAkeoVDDuqWDu87tS7Q0wFqnRrU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322249; c=relaxed/simple; bh=8SLXrhoIMGIaz1xqqZxoXl2iwestckttTp9nrhw8q70=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=GVsnhcVy9H0f/dDPdwL2gLrNk16fGVbAczveLAIAI2Xl/oHW70UoOeoK7j7UaluziQfERIJ6AV136PT4Wc8+JeszVdyDSmYVT/Eo7tp9nO/vKfU/YD0Evv7GlhK8Sty/rHBG2prOby6Z+j9o8XQ9MH0RREXiZiXWx9T3FcMsJjI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=YxIJ5O7x; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="YxIJ5O7x" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1CD9C1F00893; Mon, 1 Jun 2026 13:57:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322246; bh=p76gCw+S1n1N+NZo4ifCYkHbPBzsw18bGb+unwz6cmw=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=YxIJ5O7xffteISWEf7eS9K4RaVuGg3fhSyjjRur57R8RMTSHFqqmxaBu95buhDBAO l6iOw475TPOgclqJ97AjZVOQRO24w9O485wG3c3nMUKaI+DlqAvatf+IajEN8pGYB2 jU1CJs4aiDAFD4jdttiBokUhbXw0RL2PsqwIijcFsNVMhZT+q1WsD71XsIUZgTBMFR EebqM9a9FQENcWVeM5k5s5p+833Td2VC+rdcR1N1PUQ9qRDjzkuOAk/14PNIJbs7V+ tnwP62616+yxg8EFRILv6csQihiHgYwYxJiPL9J2xv7sXN0TNUjrhcOV/ojrfdlUxH 8pgre4LOezKCA== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:47 +0200 Subject: [PATCH RFC v4 14/25] ksmbd: use scoped_with_init_fs() for filesystem info path lookup Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-14-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1206; i=brauner@kernel.org; h=from:subject:message-id; bh=8SLXrhoIMGIaz1xqqZxoXl2iwestckttTp9nrhw8q70=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i+7uOWx2Iuc2ZG7zC5++zRR+ZXy7+/rX7LPkPS9v aHx7DvBnx2lLAxiXAyyYoosDu0m4XLLeSo2G2VqwMxhZQIZwsDFKQATWbmWkWHfXCVtzr+x0vkP kv823hQWfOqjYOC0nWGeoVf7v/D0J/sYGXrkr+53ynJ4tmQ/v4OHSGPYP+uwZSrmhnuenFTgr20 M5gMA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Use scoped_with_init_fs() to temporarily override current->fs for the kern_path() call in smb2_get_info_filesystem() so the share path lookup happens in init's filesystem context. All ksmbd paths =E2=86=90 SMB command handlers =E2=86=90 handle_ksmbd_work(= ) =E2=86=90 workqueue =E2=86=90 ksmbd_conn_handler_loop() =E2=86=90 kthread Signed-off-by: Christian Brauner (Amutable) --- fs/smb/server/smb2pdu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 21825a69c29a..7ef7b79867db 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include @@ -5507,7 +5508,8 @@ static int smb2_get_info_filesystem(struct ksmbd_work= *work, if (!share->path) return -EIO; =20 - rc =3D kern_path(share->path, LOOKUP_NO_SYMLINKS, &path); + scoped_with_init_fs() + rc =3D kern_path(share->path, LOOKUP_NO_SYMLINKS, &path); if (rc) { pr_err("cannot create vfs path\n"); return -EIO; --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0D7CE3B3896; Mon, 1 Jun 2026 13:57:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322250; cv=none; b=mxZpSGRYuYrYMO/aEj/Xq3CIGq5J0Gf7WgQclHIdMe6+93OOR39UtLBZKyAu78ElcaPHfBSv50Pa1qmJBq1/bSFF2q/YjXnUyC2XAoDlshrgsw4v3pD4dzajGZhE2/0jqhgvM2ukK680gTSJlDdga5J5BMvhCkp/PnJumAdipFU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322250; c=relaxed/simple; bh=Grydw4x8Ke//YE15y0WkXMklOEmweeKcNmOt4JFeLK4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=XVLhkaZNuurRF7ZSBZmjUkNtbR4Hvayfgl0La4IG+ANJ2LEo304LdxwTUl9zU4san598VGP3IMT7NCyP9cfcGIefocHavkluiqqimXxRR+qJ9gv5uneyEvxTlt98289pARv8IehmiIVUCk0kPcVVWUKk3B7COt2x7NOsuJBi6jg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=g5ScqYdL; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="g5ScqYdL" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 476841F00898; Mon, 1 Jun 2026 13:57:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322248; bh=8O4ZTY/NTjt4fbjh0EfsbH6niG12r7rm1DSpAxfm9TY=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=g5ScqYdLFcfhazFlX4Kz0zUOWKrVB8ee6J/urHQZvhfOLN/hZaq1p16vPnO6z30rt kP1C7dfBjg70TNCTmN++XmDhqdRJVFrlugil+SHHwSIcnlLCG5Cxr848/RIrfKTdGH q1VjN1/BJVV0dPCis73XTLLXtX3zqA3H9Aze/BES2ukmcSCwbxvC08Yy6vhmLLhMdF 2xlhXVwCLiwe730IRsEFMAINMOpe1Mgbl57X45nfCt8QwNbcBhPC2tJmEyg8O7PZNv 7nwDmYHy2cLSSXellxvuxj6jcXS0AEXpqRKwaW67Ho8DsEFQArGVSQuDwunYvl1vnu Db17twSkC/bdQ== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:48 +0200 Subject: [PATCH RFC v4 15/25] ksmbd: use scoped_with_init_fs() for VFS path operations Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-15-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=2167; i=brauner@kernel.org; h=from:subject:message-id; bh=Grydw4x8Ke//YE15y0WkXMklOEmweeKcNmOt4JFeLK4=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i+b5pDxk1PndTf39l0rdZiq5Oa8X/h0W/66/Z9v7 JsUur0guqOUhUGMi0FWTJHFod0kXG45T8Vmo0wNmDmsTCBDGLg4BWAisv6MDH9m/Vauy1Vm1LNc XZB0RVk5c+HsyitzNzkeq/nH4SDI1MfIsHHpV2E9Fu63Zw2C0pr9OoPmpF1ZeS0nb/ei9wEMnZd EeQE= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Use scoped_with_init_fs() to temporarily override current->fs for path lookups in ksmbd VFS helpers: - ksmbd_vfs_path_lookup(): wrap vfs_path_parent_lookup() - ksmbd_vfs_link(): wrap kern_path() for old path resolution - ksmbd_vfs_kern_path_create(): wrap start_creating_path() This ensures path lookups happen in init's filesystem context. All ksmbd paths =E2=86=90 SMB command handlers =E2=86=90 handle_ksmbd_work(= ) =E2=86=90 workqueue =E2=86=90 ksmbd_conn_handler_loop() =E2=86=90 kthread Signed-off-by: Christian Brauner (Amutable) --- fs/smb/server/vfs.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c index d08973b288e5..4b537e169160 100644 --- a/fs/smb/server/vfs.c +++ b/fs/smb/server/vfs.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include #include @@ -67,9 +68,10 @@ static int ksmbd_vfs_path_lookup(struct ksmbd_share_conf= ig *share_conf, } =20 CLASS(filename_kernel, filename)(pathname); - err =3D vfs_path_parent_lookup(filename, flags, - path, &last, &type, - root_share_path); + scoped_with_init_fs() + err =3D vfs_path_parent_lookup(filename, flags, + path, &last, &type, + root_share_path); if (err) return err; =20 @@ -622,7 +624,8 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char = *oldname, if (ksmbd_override_fsids(work)) return -ENOMEM; =20 - err =3D kern_path(oldname, LOOKUP_NO_SYMLINKS, &oldpath); + scoped_with_init_fs() + err =3D kern_path(oldname, LOOKUP_NO_SYMLINKS, &oldpath); if (err) { pr_err("cannot get linux path for %s, err =3D %d\n", oldname, err); @@ -1258,7 +1261,8 @@ struct dentry *ksmbd_vfs_kern_path_create(struct ksmb= d_work *work, if (!abs_name) return ERR_PTR(-ENOMEM); =20 - dent =3D start_creating_path(AT_FDCWD, abs_name, path, flags); + scoped_with_init_fs() + dent =3D start_creating_path(AT_FDCWD, abs_name, path, flags); kfree(abs_name); return dent; } --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 248683BFAFB; Mon, 1 Jun 2026 13:57:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322252; cv=none; b=ntKndbwdPi8qaID/eK3wltKh96/fYCa2EABmU50iio9zNu2+Kol48ZQiWZOZncY1c90yqRPbuJzpkMSieP0UgmwlqzMyC2vS3X2vazhbqNSG9TZ0SL6iE7A7re/uy7KJPtWXOAD8l2rU5dEPQH1rv228hvOxqc+gXHBnMKvc5PI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322252; c=relaxed/simple; bh=ufJ1YTglO5I2g9L8vVkoH6XMY3QO/wDhk+KA6W0l8mk=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=o2B+sYOEyOu8woBdbEW39HpWV1DjbYcUJi9uI1QDYA5EPOCu+XsZ7tM9BunJ4+O1e0e9mX247zMRNYi+/ma1DIz8udJ4HOXPZ/oRzP6LIqCgX3mUNEo5/5k33Fb/d0PQpaPM/YNrMC3SZW4Jx/CcMmiSdhreSQZkCnTwVHUH6EA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=hZI62gpl; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="hZI62gpl" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 699B81F00893; Mon, 1 Jun 2026 13:57:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322251; bh=f7OKwl2EguFkoh7sinqojlFlIm4hSBh/VNQmlGFvRoA=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=hZI62gplzHTHWB5RZScyE+pOk7JvJN1b4Fid19cvJ5SfIbwMjv6kF5nbi8Ian1/Ok 9+/X/gPzr5gVOETYcqMysrZozW04UtZt+4IiHyPGrk/Tn7X9+nip3nzbW5GkHkMBaP 0XdojFuvegRwhxlZ54Msd67ypkHp3QHsoDI4glmOjMgp/KAniKve596fXiWQMYsijd 9fnSLbVCy1p8wZxSVfbx5dZ5S4RRs8ezUopOuJgb4FZ/Tp+eOzfLmbICnlBv7YNmwZ xXz9OjjEfW4Uybjyd20P7OewMHTWQS8s0oWgCzaBFB4SAt081t3Vg9emk1n2JoTNIE WAhF99h7d8f6Q== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:49 +0200 Subject: [PATCH RFC v4 16/25] pnfs/blocklayout: use scoped_with_init_fs() for SCSI device lookup Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-16-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=3378; i=brauner@kernel.org; h=from:subject:message-id; bh=ufJ1YTglO5I2g9L8vVkoH6XMY3QO/wDhk+KA6W0l8mk=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i+LCi43szvS4LJNdfbXXUJMzCWrilu3z7iVZWlYc naeYNSzjlIWBjEuBlkxRRaHdpNwueU8FZuNMjVg5rAygQxh4OIUgIksqGJk+PyVo2HrM1850+NJ 4pMfpqvpvqr5lHqxcXKc3NsyNsX254wMzyoecHkaM65Nzny9WfRy9MuUKw9Wxq8sF2HqbHnTVF7 OBwA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 bl_open_path() resolves pNFS block device paths under /dev/disk/by-id/ via bdev_file_open_by_path() -> lookup_bdev() -> kern_path(). This path resolution uses current->fs->root. With kthreads now starting in nullfs, this fails when the call originates from writeback kworker context because current->fs->root points at the empty nullfs. The full callchain from kworker is: wb_workfn [kworker writeback callback] ... nfs_writepages [address_space_operations.writepag= es] nfs_do_writepage nfs_pageio_add_request ... bl_pg_init_write [nfs_pageio_ops.pg_init] pnfs_generic_pg_init_write pnfs_update_layout nfs4_proc_layoutget [synchronous RPC] pnfs_layout_process bl_alloc_lseg bl_alloc_extent bl_find_get_deviceid bl_alloc_deviceid_node bl_parse_deviceid bl_parse_scsi bl_open_path bdev_file_open_by_path lookup_bdev kern_path <- current->fs->root bl_open_path() can also be reached from userspace process context (e.g. open, read, write syscalls via pnfs_update_layout). In that case current->fs must not be overridden as the path should resolve against the calling process's filesystem root. Add a tsk_is_kthread() conditional in bl_open_path() to only apply scoped_with_init_fs() in kthread context. Signed-off-by: Christian Brauner (Amutable) --- fs/nfs/blocklayout/dev.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c index bb35f88501ce..368d20daf67b 100644 --- a/fs/nfs/blocklayout/dev.c +++ b/fs/nfs/blocklayout/dev.c @@ -4,6 +4,7 @@ */ #include #include +#include #include #include #include @@ -363,15 +364,22 @@ static struct file * bl_open_path(struct pnfs_block_volume *v, const char *prefix) { struct file *bdev_file; - const char *devname; + const char *devname __free(kfree) =3D NULL; =20 devname =3D kasprintf(GFP_KERNEL, "/dev/disk/by-id/%s%*phN", prefix, v->scsi.designator_len, v->scsi.designator); if (!devname) return ERR_PTR(-ENOMEM); =20 - bdev_file =3D bdev_file_open_by_path(devname, - BLK_OPEN_READ | BLK_OPEN_WRITE, NULL, NULL); + if (tsk_is_kthread(current)) { + scoped_with_init_fs() + bdev_file =3D bdev_file_open_by_path(devname, + BLK_OPEN_READ | BLK_OPEN_WRITE, + NULL, NULL); + } else { + bdev_file =3D bdev_file_open_by_path(devname, + BLK_OPEN_READ | BLK_OPEN_WRITE, NULL, NULL); + } if (IS_ERR(bdev_file)) { dprintk("failed to open device %s (%ld)\n", devname, PTR_ERR(bdev_file)); @@ -380,7 +388,6 @@ bl_open_path(struct pnfs_block_volume *v, const char *p= refix) file_bdev(bdev_file)->bd_disk->disk_name); } =20 - kfree(devname); return bdev_file; } =20 --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 658D63C13EE; Mon, 1 Jun 2026 13:57:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322254; cv=none; b=Xfax2wnm2a4WkrtFWLtLbNYaTVy0qf8Pm4LXRZwe0rIXtmqR4GP6G4JHqv2P/z5wpm20WU1QtkVrwC5tQQX+QFaJAhEEBdo3NbEp92bG0Tf2IdXQjv50VpA2TwsIJ3SCOpmBP7oqgAYAQ5Z6CLFFlCllj0fMf7mw1ATXqUIKp1Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322254; c=relaxed/simple; bh=sG1OnJMLGiKQamYTDNXHSLkdyPOBWMPLChw0pAcgZEc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=OVa4Psq5O9vrhc9CYF+GNYH/0gI9pu/nsl7soMmmRLAo6l8jwmKZePpEDlpDmHrhSYPExySFk96l9UWT+ncSPDm8B0FJTYNuFOi/xEhuyJKI5xNk53OkXMFDCZKgxxyjiO059bkT6QlUFs1lIGwqVW2G+BhIkCIQ9PA5Bu52WOo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=gBmmLUOi; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="gBmmLUOi" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F8E11F00898; Mon, 1 Jun 2026 13:57:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322253; bh=05sU105TIaoDreFNJcXDcP1f6QXqRrBkOs+MREOztjE=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=gBmmLUOi6osocTxiDObVxeaw3IUvuVsQbQS9jglKi23j2YVwtWC0nsDpjpYEvVZot yun3SPPLzv7vtnsmE47f/VVvNbnCeGvNuDQ4Onsjb4MeJot69swsd9l71D0848BOkt dzEoNS3SuAzC7s1ZVPEWmabSGQMbjTQ+Lz54FnUEZPxo92Dn90m5fw2vxk4iWooTd0 RluBg/SgLAYWXzJVrUATZ4Pv2iv1FKPZqros9LopuIDJCIdVIYs8uzRlpi5kQa2BSD NqFOlxlplWhF8Dff9RS6v+E9N4TvVJWad+r4A1VohMMtntEcwNyQrFt+rcnI95CbdH ileRexGatJc6g== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:50 +0200 Subject: [PATCH RFC v4 17/25] initramfs: use scoped_with_init_fs() for rootfs unpacking Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-17-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=2433; i=brauner@kernel.org; h=from:subject:message-id; bh=sG1OnJMLGiKQamYTDNXHSLkdyPOBWMPLChw0pAcgZEc=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i9re5W17H9+t3Xv1LvvymVnxueJ/tNx3/0kVPz53 3vxFkeFO0pZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACbiyMjwhyc07OSLmOdJR3kZ VmoLz82tYl15/Ost6c7VAqmpFwtkfRn+u+2q6OAs/KzwdvocmVurs/juPs3PO216gvtz1L5Ta0T WswEA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Extract the initramfs unpacking code into a separate unpack_initramfs() function and wrap its invocation from do_populate_rootfs() with scoped_with_init_fs(). This ensures all file operations during initramfs unpacking (including filp_open() calls in do_name() and populate_initrd_image()) happen in init's filesystem context. Note that security_initramfs_populated() needs the scope as well since it does use current->fs to derive the initramfs superblock. do_populate_rootfs() =E2=86=90 async_schedule_domain() =E2=86=90 kworker (a= sync workqueue) May also run synchronously from PID 1 in case async workqueue is considered full. Overriding in that case is fine as well. Signed-off-by: Christian Brauner (Amutable) --- init/initramfs.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/init/initramfs.c b/init/initramfs.c index 58db15fb18fd..f3439e8e41c4 100644 --- a/init/initramfs.c +++ b/init/initramfs.c @@ -3,6 +3,7 @@ #include #include #include +#include #include #include #include @@ -708,7 +709,7 @@ static void __init populate_initrd_image(char *err) } #endif /* CONFIG_BLK_DEV_RAM */ =20 -static void __init do_populate_rootfs(void *unused, async_cookie_t cookie) +static void __init unpack_initramfs(async_cookie_t cookie) { /* Load the built in initramfs */ char *err =3D unpack_to_rootfs(__initramfs_start, __initramfs_size); @@ -716,7 +717,7 @@ static void __init do_populate_rootfs(void *unused, asy= nc_cookie_t cookie) panic_show_mem("%s", err); /* Failed to decompress INTERNAL initramfs */ =20 if (!initrd_start || IS_ENABLED(CONFIG_INITRAMFS_FORCE)) - goto done; + return; =20 if (IS_ENABLED(CONFIG_BLK_DEV_RAM)) printk(KERN_INFO "Trying to unpack rootfs image as initramfs...\n"); @@ -731,9 +732,14 @@ static void __init do_populate_rootfs(void *unused, as= ync_cookie_t cookie) printk(KERN_EMERG "Initramfs unpacking failed: %s\n", err); #endif } +} =20 -done: - security_initramfs_populated(); +static void __init do_populate_rootfs(void *unused, async_cookie_t cookie) +{ + scoped_with_init_fs() { + unpack_initramfs(cookie); + security_initramfs_populated(); + } =20 /* * If the initrd region is overlapped with crashkernel reserved region, --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F5103C277E; Mon, 1 Jun 2026 13:57:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322256; cv=none; b=KOpvD3Jp0Jw7Q/yKHPCRPqU+cwWMtI5chER4xPVIGI/KY3gQG2Vblu+Pi89udkZQZl2c35jF6N8ONBFucX9j+B8bubwBBiMNP3w87ez5RX0rMGi+PZ0KjC+xtF57wUAQsRu9pWNclXdjs44ZvFGXHNYvDarGDWy5YQF+9lDf6g8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322256; c=relaxed/simple; bh=vFBABEnVshvWG8V1VJBzbdxjjGGsu+BBLNYaoa3dMGw=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=rUd7+qdak6E7BV/nFvqc9PFGfTFjOOrm+jOFGi1o8K9KzJKMPi5XYXLXAclhH3eO8I+W5JfMZFoTS2+KoKFg7bzLeWUvIlUVeY4UEDwLnrcHYbp1bjh/CXEf2vcrRawg73Unpzb7RJiukB+4fusW9To6D0rC+rtj7KNOAg+dMXw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=OfzU+1GG; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="OfzU+1GG" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 93E401F00893; Mon, 1 Jun 2026 13:57:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322255; bh=7zpdIEG6VyeGO8+KCpOYeQe/qkva4b8ejF6f2rY5vgw=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=OfzU+1GGeFSh+rHDXm8mkoFBLOEwz06IkaIHzmCslDRJe4kDCFhZlEZvB+K3kGO5l 7bi+dUZqD94wH3Y6pX4EHadSWXmd4Hy8DJdfqZPodx1yH25WOe2RK2A/S+fhsxgAIU eat0rFnrpz3bksE6vBL6ORDiRS703Fl+yHBKD67MPs8c1vQC2FDNXDU5JD2H8SUiDm 0dJJzRcMVK4AVXLYDMulI96CaFh3StVekBSuurdOj1oIW2TORydq87h9Sp3PRl5FHf S3l9a1OxXdBCLYzPnvyJDsVi+mv4e4AKytDyQvI2avAV9MhWW22g/Cd9d2FQKd11fs 0xn+Qt2kkEpzQ== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:51 +0200 Subject: [PATCH RFC v4 18/25] af_unix: use scoped_with_init_fs() for coredump socket lookup Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-18-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1728; i=brauner@kernel.org; h=from:subject:message-id; bh=vFBABEnVshvWG8V1VJBzbdxjjGGsu+BBLNYaoa3dMGw=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i8/nb1hg1xHPi/jnI2Np3VMX/+62y//9FfzS06+t MbW9a8VOkpZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACbixcHIsFAmWFW98WBB3dLz EpJ/GO++2/uoy//uxBKt9N3X4icfdmb4Z/zjcPxZmy1tXzxOq7VaTrt+/6Lmb28Lm28/pnUrsS3 V4gAA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Use scoped_with_init_fs() to temporarily override current->fs for the coredump unix socket path resolution. This replaces the init_root() + vfs_path_lookup() pattern with scoped_with_init_fs() + kern_path(). The old code used LOOKUP_BENEATH to confine the lookup beneath init's root. This is dropped because the coredump socket path is absolute and resolved from root (where ".." is a no-op), and LOOKUP_NO_SYMLINKS already blocks any symlink-based escape. LOOKUP_BENEATH was redundant in this context. unix_find_bsd(SOCK_COREDUMP) =E2=86=90 coredump_sock_connect() =E2=86=90 do= _coredump() =E2=80=94 same crashing userspace process Same security rationale as coredump. Signed-off-by: Christian Brauner (Amutable) --- net/unix/af_unix.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index e2d787ca3e74..af719429f3b1 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -1198,17 +1198,12 @@ static struct sock *unix_find_bsd(struct sockaddr_u= n *sunaddr, int addr_len, unix_mkname_bsd(sunaddr, addr_len); =20 if (flags & SOCK_COREDUMP) { - struct path root; - - task_lock(&init_task); - get_fs_root(init_task.fs, &root); - task_unlock(&init_task); - - scoped_with_kernel_creds() - err =3D vfs_path_lookup(root.dentry, root.mnt, sunaddr->sun_path, - LOOKUP_BENEATH | LOOKUP_NO_SYMLINKS | - LOOKUP_NO_MAGICLINKS, &path); - path_put(&root); + scoped_with_init_fs() { + scoped_with_kernel_creds() + err =3D kern_path(sunaddr->sun_path, + LOOKUP_NO_SYMLINKS | + LOOKUP_NO_MAGICLINKS, &path); + } if (err) goto fail; } else { --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9639B3C276E; Mon, 1 Jun 2026 13:57:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322258; cv=none; b=gnpymtUEd5jGRKyIYEBPvwZWHnevZfaLYfnJIdiirUmvwIEggAGd/ig7cIijHlbAzgQ8yaW8DT7Bp1JIGqjL26h+BU5GAsiyXKgT0d4vaV2pp3yv/t++G2a75nmVGSvDb9SwQf2c65SEeEC4mhRVTbc7jlQp7CwV5M8RXWqWraw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322258; c=relaxed/simple; bh=ouNU407PhdIIo4gSUg9hKgoIISq776guRJTLUlV/918=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=bSl86yUuLmYCBiedJIOU3p3wt6aKaEtiy0QV9pmQNp8PUJj71Ai/VzYSFnyI2z+ibBz9ekXrGlOMWnT1KiSYXrfBKS+xeUBn51vKOQuuUIBEy/2nj3eo0vgAup2Lgvn4GQnOKcO4/QeB1o0Jsmkd+vbbsn3L+6+HODHTjf3kH2s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=b19pQ784; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="b19pQ784" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A7EB41F00898; Mon, 1 Jun 2026 13:57:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322257; bh=YVrJYzKiKi89cGpXusa/GFqngocxeuWdl+3cN2YlACU=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=b19pQ784V8OFqy9MyRxght8NdoRBmI+GgNjbJf95Zf0YBZ4NGqXzf8aW5TCNMdBBe 24ZSt+iCkHR0fPbVtBJ/kt10MOOmH+f5Y5CXBWIBqPheRlq/ZB0dp6jOHOQj0aNvR7 yLpPIonYxw719yLyX8DHNKf3TqnVm6cRnFd8IaRP0C70LmR/Arly6HFMHSH97jIGvQ 3KCjb1VAnYRX5t6JhUkLeLvu3IrrJqkGsBgDYkGm9Zrqb4pVTbvLBtniARqANFgLMs LFwaY/lhhzDHAxEAD19XMxNB2ycgMnEPd+jWPUsaY9YLboudvGBSuVInddRKxtH1iK 09/3mNYUg34Yg== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:52 +0200 Subject: [PATCH RFC v4 19/25] fs: stop sharing fs_struct between init_task and pid 1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-19-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1585; i=brauner@kernel.org; h=from:subject:message-id; bh=ouNU407PhdIIo4gSUg9hKgoIISq776guRJTLUlV/918=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i939t2h+S5GtOIT8xul/AWvln63ueumXJSSmnR1/ tGVYi4yHaUsDGJcDLJiiiwO7Sbhcst5KjYbZWrAzGFlAhnCwMUpADf5L8Nf4Z3OJa4PGhlT9Bq9 bbeqmV9acDSS2yx12jdnZ7NkzYf8jAxbwxanPl/GJT15g5CgzZW+5Rc3nxCI5ghesrpgqm3DCw4 OAA== X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Spawn kernel_init (PID 1) via kernel_clone() directly instead of user_mode_thread(), without CLONE_FS. This gives PID 1 its own private copy of init_task's fs_struct rather than sharing it. This is a prerequisite for isolating kthreads in nullfs: when init_task's fs is later pointed at nullfs, PID 1 must not share it or init_userspace_fs() would modify init_task's fs as well, defeating the isolation. At this stage PID 1 still gets rootfs (a private copy rather than a shared reference), so there is no functional change. Signed-off-by: Christian Brauner (Amutable) --- init/main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/init/main.c b/init/main.c index decfb0e03663..7432192b97fd 100644 --- a/init/main.c +++ b/init/main.c @@ -716,6 +716,11 @@ static __initdata DECLARE_COMPLETION(kthreadd_done); =20 static noinline void __ref __noreturn rest_init(void) { + struct kernel_clone_args init_args =3D { + .flags =3D (CLONE_VM | CLONE_UNTRACED), + .fn =3D kernel_init, + .fn_arg =3D NULL, + }; struct task_struct *tsk; int pid; =20 @@ -725,7 +730,7 @@ static noinline void __ref __noreturn rest_init(void) * the init task will end up wanting to create kthreads, which, if * we schedule it before we create kthreadd, will OOPS. */ - pid =3D user_mode_thread(kernel_init, NULL, CLONE_FS); + pid =3D kernel_clone(&init_args); /* * Pin init on the boot CPU. Task migration is not properly working * until sched_init_smp() has been run. It will set the allowed --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B4F453C4155; Mon, 1 Jun 2026 13:57:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322260; cv=none; b=O9PuSipvMTWGJkO4ZY0wShVx2azdsNpKTlQ4KBJ3sOCpibnw4HBbC+x81PbfGsQQp4udtvj54fFEN+sNlhjTAfluKRCux57vkd6Al9s/13sztCN60a5FCybA/08MqZeE230jFc4LzmZyIpjg4pP4E9iYq0+dLsp9/GkcYF9+2u8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322260; c=relaxed/simple; bh=Um5qFBTonfqtToK8ivjVhOxkc2Bf9eG0Su0nAvqlLJY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=I5yN6w5NWTmwBkdrVD/V/DXm1G+s7f033Ick7w/9+TZQuze5Dj+Rq7agimbiOHO2GGbO8dqoID5YL5Mz1cmtCxRlYO8c+TLvEXG15QF6bfNrYbMhtCulGVYvkcEk63tHEfpqHFCocCCpWBLIj/crO3QgQB4NESglBiWZhiZ6PMQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Sbrrku9x; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Sbrrku9x" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C70541F00893; Mon, 1 Jun 2026 13:57:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322259; bh=ezJrg3c6vUTHy3zJ0IWV8cRNjVA2L6WwpesMAQucO4M=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=Sbrrku9xOIJMny16jvq6oAeRXrV402IT67789XF9sn2Fe7jThJBQGBFfAWIRmw0+1 TPL7q11gD2/aZxRrLIIRpTmMfyWCUdNwoiOqEIKH6tI9LIrAxooT25DSHi7PYniYFw fwOMlSkLwCiOhWf7fd++NSLF/rkh00F0PN3VlxYLpx4b6s+8dKUGX1usa4ucREKgve TUUE29eGY4muzGl5ljjusNCXMMQuywqMUEGaqSs7gHIJ6b8bExxezG6Ne5+/XcYRjG pcaZdf6ZGIM83L9VEE8lAAFqcbGtGoPALG2/REtMULGen6wLv+qBqpYyFG5TLju3UV OFTC+ZAmThj4Q== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:53 +0200 Subject: [PATCH RFC v4 20/25] fs: add umh argument to struct kernel_clone_args Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-20-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=3653; i=brauner@kernel.org; h=from:subject:message-id; bh=Um5qFBTonfqtToK8ivjVhOxkc2Bf9eG0Su0nAvqlLJY=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i/PWM9TGKy87P0Kr5MTG2Jql+ZukFwTp6xvtX/rB 8XzNn2JHaUsDGJcDLJiiiwO7Sbhcst5KjYbZWrAzGFlAhnCwMUpABP5toyRYVdBoeNUJbNvS7Qv zfwau/z88p6r1+7v3TznvW7EAesD3WoMPxnlsuL+eDpPrvCa8UbE8Ye0sf66srSbm59/WOdY/6i ymw0A X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Add a umh field to struct kernel_clone_args. When set, copy_fs() copies from pid 1's fs_struct instead of the kthread's fs_struct. This ensures usermodehelper threads always get init's filesystem state regardless of their parent's (kthreadd's) fs. Usermodehelper threads are not allowed to create mount namespaces (CLONE_NEWNS), share filesystem state (CLONE_FS), or be started from a non-initial mount namespace. No usermodehelper currently does this so we don't need to worry about this restriction. Set .umh =3D 1 in user_mode_thread(). At this stage pid 1's fs points to rootfs which is the same as kthreadd's fs, so this is functionally equivalent. Signed-off-by: Christian Brauner (Amutable) --- include/linux/sched/task.h | 1 + kernel/fork.c | 25 +++++++++++++++++++++---- kernel/umh.c | 6 ++---- 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/include/linux/sched/task.h b/include/linux/sched/task.h index 41ed884cffc9..e0c1ca8c6a18 100644 --- a/include/linux/sched/task.h +++ b/include/linux/sched/task.h @@ -31,6 +31,7 @@ struct kernel_clone_args { u32 io_thread:1; u32 user_worker:1; u32 no_files:1; + u32 umh:1; unsigned long stack; unsigned long stack_size; unsigned long tls; diff --git a/kernel/fork.c b/kernel/fork.c index bf153b2929d4..f1accd7a2455 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1593,11 +1593,27 @@ static int copy_mm(u64 clone_flags, struct task_str= uct *tsk) return 0; } =20 -static int copy_fs(u64 clone_flags, struct task_struct *tsk) +static int copy_fs(u64 clone_flags, struct task_struct *tsk, bool umh) { - struct fs_struct *fs =3D current->fs; + struct fs_struct *fs; + + /* + * Usermodehelper may copy userspace_init_fs filesystem state but + * they don't get to create mount namespaces, share the + * filesystem state, or be started from a non-initial mount + * namespace. + */ + if (umh) { + if (clone_flags & (CLONE_NEWNS | CLONE_FS)) + return -EINVAL; + if (current->nsproxy->mnt_ns !=3D &init_mnt_ns) + return -EINVAL; + fs =3D userspace_init_fs; + } else { + fs =3D current->fs; + VFS_WARN_ON_ONCE(current->fs !=3D current->real_fs); + } =20 - VFS_WARN_ON_ONCE(current->fs !=3D current->real_fs); if (clone_flags & CLONE_FS) { /* tsk->fs is already what we want */ read_seqlock_excl(&fs->seq); @@ -2252,7 +2268,7 @@ __latent_entropy struct task_struct *copy_process( retval =3D copy_files(clone_flags, p, args->no_files); if (retval) goto bad_fork_cleanup_semundo; - retval =3D copy_fs(clone_flags, p); + retval =3D copy_fs(clone_flags, p, args->umh); if (retval) goto bad_fork_cleanup_files; retval =3D copy_sighand(clone_flags, p); @@ -2796,6 +2812,7 @@ pid_t user_mode_thread(int (*fn)(void *), void *arg, = unsigned long flags) .exit_signal =3D (flags & CSIGNAL), .fn =3D fn, .fn_arg =3D arg, + .umh =3D 1, }; =20 return kernel_clone(&args); diff --git a/kernel/umh.c b/kernel/umh.c index cffda97d961c..d3f4b308b85d 100644 --- a/kernel/umh.c +++ b/kernel/umh.c @@ -71,10 +71,8 @@ static int call_usermodehelper_exec_async(void *data) spin_unlock_irq(¤t->sighand->siglock); =20 /* - * Initial kernel threads share ther FS with init, in order to - * get the init root directory. But we've now created a new - * thread that is going to execve a user process and has its own - * 'struct fs_struct'. Reset umask to the default. + * Usermodehelper threads get a copy of userspace init's + * fs_struct. Reset umask to the default. */ current->fs->umask =3D 0022; =20 --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B5F6E3C4572; Mon, 1 Jun 2026 13:57:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322262; cv=none; b=oLSbzOFQxh/Li+TWMZRDekMZpMOX4GqFAJfdhMpVoCKSHextZkfjRe7AZlt+Yelp2aHaulp8YY1zbt2FAfST9gxkUaYsN6fNpBbQsTNL7iT/dgeeFJSad4jpYGxTlkKVhNF/c7sFTc2uUSsIoFgTarqd3Nc3TGbhgTWrmmb89/g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322262; c=relaxed/simple; bh=z7GBo2weiXPtLaPB9BVPXUk8vJr3dGQnDTEHCR8NQ6U=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Rm7jppO1KaBTW2QixHzZGPAN8Tr/tVCwCMzfe5JbDFsxJtUWgYHGCbn4+xMH8JWZtv5SKsu5Apb/WAdu5wG8Z7chXOu73fXhgb9kN4yGy2+iSCNU6xpcYaHg6PI3rMJB0b/Xo/yn8EyklIO5LqYTKvCBk7zzMFPv/jX4V60Fn3o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=VpHNy3ZG; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="VpHNy3ZG" Received: by smtp.kernel.org (Postfix) with ESMTPSA id EF0211F00899; Mon, 1 Jun 2026 13:57:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322261; bh=Nmf3Ti8FB/Rw0EAEp2RpoYeHAFdBinkz4dUeZgaGrCU=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=VpHNy3ZGPI0gap5s12INMmIn25fJZczX8We3UHZ7D6u9hutISGSVnMNd88Mv7WS+c pbIMELKWoOfA4vS7fJUYFWPxRzyzXhQ6e3yt4VyrAKelvalJ04jIKIgTkN5VNyuJM0 qUvILzY/1qKAZ6CFrfQd+T6Ld6vuQvR/J8L1sM9uwGVlRjDl4FIeeA1zwx4dYTmBgl auejHFGENLBGol+2nhH/oANKIpi3QLhl9GXtfqa0SVtQ3+6BeW9eTHts5xkXw6aqZk dALmq5rlHMI+Sx7HjOcPVulpnZmBM8iFCMoDiMYGl3x5nFUGW1NkPKH9y1zqu1Zc3q XJrSmGEFVqDJA== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:54 +0200 Subject: [PATCH RFC v4 21/25] devtmpfs: create private mount namespace Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-21-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=899; i=brauner@kernel.org; h=from:subject:message-id; bh=z7GBo2weiXPtLaPB9BVPXUk8vJr3dGQnDTEHCR8NQ6U=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i/fGm8yv551d8viJuXyFYpf8hqtl/0SPfu79Ynr9 pV+bKwvO0pZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACaSU8zwP2FuU6LhG7kaH+/m HS5rXt9hE/6qxlVvVnjt9qxU1cy+ZEaGk4rsi2uYZhU+zVNb9HuByAr32L8Lvj38Jf3lteMEycX HOAA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Kernel threads start in a completely isolated nullfs mount. Use UNSHARE_EMPTY_MNTNS to give the devtmpfsd kthread a private empty mount namespace with its root and pwd already set up, so it can mount its own devtmpfs instance instead of unsharing a copy of the initial mount namespace. Signed-off-by: Christian Brauner (Amutable) --- drivers/base/devtmpfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c index b1c4ceb65026..aef0fcc6aba1 100644 --- a/drivers/base/devtmpfs.c +++ b/drivers/base/devtmpfs.c @@ -413,7 +413,7 @@ static noinline int __init devtmpfs_setup(void *p) { int err; =20 - err =3D ksys_unshare(CLONE_NEWNS); + err =3D ksys_unshare(UNSHARE_EMPTY_MNTNS); if (err) goto out; err =3D init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL); --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CD5203C583A; Mon, 1 Jun 2026 13:57:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322264; cv=none; b=UZrB1wNRmW+8UayzP8BfxFvc1yns636V1i8+ZmvL2D4ebrY59BqhTZ/VFD+4tVGXkBK+Xf2N4tQ91zt7zD4h+cWAii2f7fXmfqyX9RH+QSQjfrQD/vsrqvXAxnKip7FOoCWM3hmSjFnIlZDBILxmtadj3csieDCOqQ5lpgdgfG4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322264; c=relaxed/simple; bh=gsKo9ZxMiXDjOR4Wany4EeaBMVexcWU80GKAvzT/HwE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ZxiF/zD0yRjLjCj7swpYcXSuaDnETDX68F2tWhjuNBlFhHEQ+4JSRpGFDb6lJrZtR+V1i+SawvfgX36x1Jf6MBJueC+j0/zMsP8GWDjs3KK7F3tuR8K7Mgcjp6UYwjl81PI7r4xS0EUzVrofEjdk4EDj++YyrzJ5xHqKF94hGGM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PH/tzYEZ; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PH/tzYEZ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1DDC01F00893; Mon, 1 Jun 2026 13:57:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322263; bh=BKylie4bx6inTDguqDRJ0FQKs8prBhaJe9RWlZEj5vE=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=PH/tzYEZkhPoyjajAOeNzMPzy6l03vAB0s86GdqVHGeqvE1RwRwv7ieHOG+4jCbal BxGppLKr4E+28qANwhs8wEaRhQDnAbxQQByRPHYxShWAEoIQKL6oXfGN+4DQn9TMtm eVUDQhLtQ3c1b75icR+S4avrLWVQcFsWwwLi7/SjpGXUqtpIMv2UCMQ3wWIz2J4uAy sMLIbI+BF7/cjwUQfX4GOlmm3Mw+J3DRjP6uJLC0ayS4vt6wJzCG9674Ebhlm63IQE kyRuoEqhYaXHtBsZRPR6nmU/2IhuCj0+jRi0o59Dex2/1w3IZL+I7ZJMF1gc+4DuxQ J1qX5yeutm20A== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:55 +0200 Subject: [PATCH RFC v4 22/25] nullfs: make nullfs multi-instance Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-22-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1403; i=brauner@kernel.org; h=from:subject:message-id; bh=gsKo9ZxMiXDjOR4Wany4EeaBMVexcWU80GKAvzT/HwE=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i8/8P3D6jcyZbM6zyx81V/QsKSrWHab5vFfHlz+j EFft3C1dpSyMIhxMciKKbI4tJuEyy3nqdhslKkBM4eVCWQIAxenAEyE15OR4e4Tpf1CWn4br4vz 9zkmXpn0Kcy07sh8prXlrDqpLV+/tDMyrL9mPLnYNuihfn9Fx8NvVeJyy226Xc9ULmDY2WsleCW IEwA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Allow multiple instances of nullfs to be created. Right now we're only going to use it for kernel-internal purposes but ultimately we can allow userspace to use it too to e.g., safely overmount stuff. Signed-off-by: Christian Brauner (Amutable) --- fs/nullfs.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/fs/nullfs.c b/fs/nullfs.c index fdbd3e5d3d71..c6f5b9493e26 100644 --- a/fs/nullfs.c +++ b/fs/nullfs.c @@ -40,14 +40,9 @@ static int nullfs_fs_fill_super(struct super_block *s, s= truct fs_context *fc) return 0; } =20 -/* - * For now this is a single global instance. If needed we can make it - * mountable by userspace at which point we will need to make it - * multi-instance. - */ static int nullfs_fs_get_tree(struct fs_context *fc) { - return get_tree_single(fc, nullfs_fs_fill_super); + return get_tree_nodev(fc, nullfs_fs_fill_super); } =20 static const struct fs_context_operations nullfs_fs_context_ops =3D { @@ -57,9 +52,8 @@ static const struct fs_context_operations nullfs_fs_conte= xt_ops =3D { static int nullfs_init_fs_context(struct fs_context *fc) { fc->ops =3D &nullfs_fs_context_ops; - fc->global =3D true; - fc->sb_flags =3D SB_NOUSER; - fc->s_iflags =3D SB_I_NOEXEC | SB_I_NODEV; + fc->sb_flags |=3D SB_NOUSER; + fc->s_iflags |=3D SB_I_NOEXEC | SB_I_NODEV; return 0; } =20 --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5177F3AFCE3; Mon, 1 Jun 2026 13:57:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322267; cv=none; b=BmK+G3gA1rBa35Y4rSLRrOTnvCQWCGQ6R8RGTqKnEBLeLgEQndlVCJNppimekAsIAOHpiV3+PdqatetQFf5nIb9q/6AxGzYnOlP017NR9XVwavAF+V7Z+YhkD0K2F5b17RlgviRJMui9Wj20YKgVy2TrpzzjnnEOOedAnvE0uf4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322267; c=relaxed/simple; bh=MYNO8igEEy4pRIGZyjYHhL4cRXiZMddZoNch1b2IC5M=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=qVXWxR1KHr292+RVJOFQ+cTNpG1bWcw2wq/rONgGTCC1cxqIG5b4Qe8Qutj02QYUdfeSRmHZwZ294YbJ8GK41diX8dmVRBnGKFt0GJumXy5WFpM/svPVrBFP7hZqPPA7TD7aAFC0TEfjYIhXENd6HwBKLsmnKZOhJ4rMznpKZ1g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=BrFSeIT7; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="BrFSeIT7" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 34C661F00898; Mon, 1 Jun 2026 13:57:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322266; bh=iD6KyvqK8Yaq4jXyCOL8KAEvMvA4FfnrgOINzDSdd+Y=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=BrFSeIT7Qi9EqzIOB5Walg0i7OOZFRjE/YTKklnkV+2L+SpiGWyTRqTwuC8wizqj0 wUo5bMw2eXbAD9MNA48XANANp3bZY801LgagoX/R/E0jEovaoouP2zCNaUsBO+NWkd njmCokscYh1tVg59gp7CLWh9PMBQRUojUw4ezdl+6JsEo/+9wc3b9y9nhogUczwkhv oqUuu8hL5IhXIlUUXPmspFHjbq1KelLcKzd3/M++3uqMzH4BOcSXTI9uE6IEZtITjm g2bya+p+kcrOg4oX07h2nPTPClP8HG+MjAlNj4z+Oo7WaqQf/LS8T3qpNqCKMNjFOi /xC3+IbG27ECA== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:56 +0200 Subject: [PATCH RFC v4 23/25] fs: start all kthreads in nullfs Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-23-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=2078; i=brauner@kernel.org; h=from:subject:message-id; bh=MYNO8igEEy4pRIGZyjYHhL4cRXiZMddZoNch1b2IC5M=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i8XbdE3NwqZcfz8rq87jOxP3/QwLHpTv3yze9iBJ +zHp+xp7yhlYRDjYpAVU2RxaDcJl1vOU7HZKFMDZg4rE8gQBi5OAZhItiQjw+WIg2lLTevmrstl fXGac028bN4JHibu7YZzTJwbFPes/c7IcME2ftU1+0+7Ni9d/uv1tqV7G3MePZG5bvmZ989cEXG eLdwA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Point init_task's fs_struct (root and pwd) at a private nullfs instance instead of the mutable rootfs. All kthreads now start isolated in nullfs and must use scoped_with_init_fs() for any path resolution. PID 1 is moved from nullfs into the initramfs by init_userspace_fs(). Usermodehelper threads use userspace_init_fs via the umh flag in copy_fs(). All subsystems that need init's filesystem state for path resolution already use scoped_with_init_fs() from earlier commits in this series. This isolates kthreads from userspace filesystem state and makes it hard to perform filesystem operations from kthread context. Signed-off-by: Christian Brauner (Amutable) --- fs/namespace.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index fe919abd2f01..43ca4838d451 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -6173,12 +6173,14 @@ static void __init init_mount_tree(void) struct path root; =20 /* - * We create two mounts: + * We create three mounts: * * (1) nullfs with mount id 1 * (2) mutable rootfs with mount id 2 + * (3) private nullfs for kthreads (SB_KERNMOUNT) * - * with (2) mounted on top of (1). + * with (2) mounted on top of (1). The init_task's root and pwd + * are pointed at (3) so all kthreads start isolated in nullfs. */ nullfs_mnt =3D vfs_kern_mount(&nullfs_fs_type, 0, "nullfs", NULL); if (IS_ERR(nullfs_mnt)) @@ -6218,12 +6220,14 @@ static void __init init_mount_tree(void) init_mnt_ns.nr_mounts++; } =20 + nullfs_mnt =3D kern_mount(&nullfs_fs_type); + if (IS_ERR(nullfs_mnt)) + panic("VFS: Failed to create private nullfs instance"); + root.mnt =3D nullfs_mnt; + root.dentry =3D nullfs_mnt->mnt_root; + init_task.nsproxy->mnt_ns =3D &init_mnt_ns; get_mnt_ns(&init_mnt_ns); - - /* The root and pwd always point to the mutable rootfs. */ - root.mnt =3D mnt; - root.dentry =3D mnt->mnt_root; set_fs_pwd(current->fs, &root); set_fs_root(current->fs, &root); =20 --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A91B63C76AF; Mon, 1 Jun 2026 13:57:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322269; cv=none; b=K2mO8WRnqqlovH/rvPLs5yIftiKMpq4nWJrStB12O8cYwC+rLdrRb9n3IReUvyQAMHPLVsBW66ky6pO7dt00S0k4VHX5WoczInlbpHnYTpUGsmnIfiyFrHD6pQ7TXnF68g1wVNpKpO9f8H71YkuiO1uzzShbE4AMPCh8BnPrqSA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322269; c=relaxed/simple; bh=sn8qllQ/wpBPV+ePlA052oUxAgDJSLN+73Nwsjn+gKE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=NtOQUuWrxu33BLtoNqTaXE9cCPgR4wTIQDPCyUL9/VYBDfl2ihtxGi82Lp+nKhFzcJb3T05iEOMG3hnf/DIlA/EEQOOOxVDEoFv6HbedENayxOF2a+zgPXZ7PYt/ziLXKCAw2nmw//XkahRBnYgbHF0MyNhS0UwtiUhsq5fVTlE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=HAO8KSrO; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="HAO8KSrO" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F2841F00893; Mon, 1 Jun 2026 13:57:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322268; bh=sSGh8eNmcUD2krYJq0u8p/Vp1I9djexDviu6/d8OQPY=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=HAO8KSrOroOAFcf1eVVsSlipnqrxT2P0MdLc8k6BIjnFf8DZyZkPRyN+zhqgkZW95 XrC3vO/LHgbX9FGBLS+meQyBRXMDLJtT9d4hPqnPnF8VwsaUT/D78WNTzA9klUypHw d9y4lFH+R5PMtQa6fa+BSDV1mvUKz12jMAqC2juMWzpFUYnGACwp/h4vYdfIUelFkg D7Yr+99gvrQMZjFnG8fBJYgOR/ToUgLBU5px+fH+K0klt8Wh/fYOm39cKKb3j78RIH DhhYCJcj9ippmqPfBxFEDKMFMXQe8nEGsdHvQwmPWpaCVLYHehnLKG4jSHhTM/bGWc jZnS2mRQObqSw== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:57 +0200 Subject: [PATCH RFC v4 24/25] fs: stop rewriting kthread fs structs Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-24-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=683; i=brauner@kernel.org; h=from:subject:message-id; bh=sn8qllQ/wpBPV+ePlA052oUxAgDJSLN+73Nwsjn+gKE=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWTJ9i9nW9d18yTv1HDtvUXb5FIv3CnafDrRyVmMoSPNT 5z/6B35jlIWBjEuBlkxRRaHdpNwueU8FZuNMjVg5rAygQxh4OIUgInYxjL803W3XvI4ouQtT36G KvfbeYtmrxBe2iGflfD4X+Tl9a1uFowM1x+arRP8aW2m8vrbAoNyiQf7Ga6+rmUL4mp15wnU4tn NDwA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Now that we isolated kthreads filesystem state completely from userspace stop rewriting their state. Signed-off-by: Christian Brauner (Amutable) --- fs/fs_struct.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/fs_struct.c b/fs/fs_struct.c index f44e43ce6d93..2a98cfbedd32 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -61,6 +61,10 @@ void chroot_fs_refs(const struct path *old_root, const s= truct path *new_root) =20 read_lock(&tasklist_lock); for_each_process_thread(g, p) { + /* leave kthreads alone */ + if (p->flags & PF_KTHREAD) + continue; + task_lock(p); fs =3D p->real_fs; if (fs) { --=20 2.47.3 From nobody Mon Jun 8 06:35:45 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E43DA3AE1A8; Mon, 1 Jun 2026 13:57:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322271; cv=none; b=g8013DjkVeZfzCEigcL4KfCQaSpGbq+7rwLBvW24W1Px1OFgWufggGkzAw3FkZpAN1YQOPdD2F0DKN/jHOMmxSIjxd9T/ocP/MFnkYGMLfMn0y+lt3nM3jj2/H1ECoQY4J4cnas7SrXUAQ2pUsgS0YmhJkelM1gsOixHIo2gnSI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780322271; c=relaxed/simple; bh=wtNqwKWnZJr0D4OXCu8J+GZQVfY9knPrP4KsxbNHpCE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=WUdaBWQA4UqkAUTwPCsvnDDuY1i2gEzBdINFqm8sW9tmfbj8PrtcIaEKisxUnA3G5Zf6hYn9DbftIU5ho7rl2Y276gqEeyGB+/ilHNcAGubSX2GPsJr02NE6B3KaHKM7SLZCzWAtEgp1bK3FbJlJjupWe2XrrEzsY1VOC9eHkdo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=cW3ur3PL; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="cW3ur3PL" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D355B1F0089A; Mon, 1 Jun 2026 13:57:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780322270; bh=VWYb/02ev4/1SjJ5CdnuW7B22eOglG9wau3YZ8JnIlw=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=cW3ur3PLb+hcj4knw+U2F9gOYMiwPla9mSKJhfnu1lTT6gbGbQ7dDTGBuOxLbZSna EzGIiKdidfvxN+sFPV3mOMMUOeL/VoS9OO1w/iVzw6iB8Y/D4Z58mnuob5E83osW8F FN9eqa9HarwNy0wTjdgeERG0nMEE6Ex+efZFMDXPtnPPQr3+zvRvFfl5xQJIMAlpW+ 0Dy5oxAHWR3gIZVtzZnW7Hf+i2FT0GhYdhud+9dGn0W2fxm28iQD7TKfeB9Z9CtoC3 9MkMkaMDxhsF2JzBx8/l6Zni9Clz6cJJn2EL4h5iW1ddbmN2sMnmCbL0q3liGePclu nNizNrWDvCk1Q== From: Christian Brauner Date: Mon, 01 Jun 2026 15:56:58 +0200 Subject: [PATCH RFC v4 25/25] fs: stop rewriting paths for PF_EXITING | PF_DUMPCORE Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-work-kthread-nullfs-v4-25-77ee053060e0@kernel.org> References: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> In-Reply-To: <20260601-work-kthread-nullfs-v4-0-77ee053060e0@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Linus Torvalds , linux-kernel@vger.kernel.org, Alexander Viro , Jan Kara , Jann Horn , "Christian Brauner (Amutable)" X-Mailer: b4 0.16-dev-fffa9 X-Developer-Signature: v=1; a=openpgp-sha256; l=1342; i=brauner@kernel.org; h=from:subject:message-id; bh=wtNqwKWnZJr0D4OXCu8J+GZQVfY9knPrP4KsxbNHpCE=; b=kA0DAAoWkcYbwGV43KIByyZiAGodj6fI42SEyZ1r8p8zLd/OjXFAjGC15pkRF7NaTpoyLfFdo Ih1BAAWCgAdFiEEQIc0Vx6nDHizMmkokcYbwGV43KIFAmodj6cACgkQkcYbwGV43KIXjQD/cUAO NTf0JolTYPB3HRHkpkRBF7J17yZ7aOCZx8222tIA/jaeUp8rsOq5HqsqLUaTfEGBVjH7pHUKXrX a+7niYugO X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Skip exiting and core-dumping tasks when rewriting fs_struct paths in chroot_fs_refs(). Such a task is about to release its fs_struct via exit_fs() anyway, so the worst case is that it lingers on a stale root/pwd until it does. This isn't entirely free: a skipped task keeps its reference on the old root, so after a pivot_root() the old root can't be torn down until the task is gone. With umount2(MNT_DETACH) that only defers destruction of the old rootfs; a plain umount() could in principle fail with -EBUSY. In practice this doesn't matter -- pivot_root(2) is meant to be paired with MNT_DETACH and isn't issued while other tasks are actively using the mount namespace -- so the transient pin is harmless. Signed-off-by: Christian Brauner (Amutable) --- fs/fs_struct.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/fs_struct.c b/fs/fs_struct.c index 2a98cfbedd32..34699f3b6f88 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -61,8 +61,7 @@ void chroot_fs_refs(const struct path *old_root, const st= ruct path *new_root) =20 read_lock(&tasklist_lock); for_each_process_thread(g, p) { - /* leave kthreads alone */ - if (p->flags & PF_KTHREAD) + if (p->flags & (PF_KTHREAD | PF_EXITING | PF_DUMPCORE)) continue; =20 task_lock(p); --=20 2.47.3