Fix exit race by splitting the nsproxy putting into two pieces. First
piece reduces the nsproxy refcount. If we dropped the last reference, then
it puts the mnt_ns, and returns the nsproxy as a hint to the caller. Else
it returns NULL. The second piece of exiting task namespaces sets
tsk->nsproxy to NULL, and drops the references to other namespaces and
frees the nsproxy only if an nsproxy was passed in.
A little awkward and should probably be reworked, but hopefully it fixes
the NFS oops.
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: Herbert Poetzl <herbert@13thfloor.at>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Cedric Le Goater <clg@fr.ibm.com>
Cc: Daniel Hokka Zakrisson <daniel@hozac.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
int copy_namespaces(int flags, struct task_struct *tsk);
void get_task_namespaces(struct task_struct *tsk);
void free_nsproxy(struct nsproxy *ns);
int copy_namespaces(int flags, struct task_struct *tsk);
void get_task_namespaces(struct task_struct *tsk);
void free_nsproxy(struct nsproxy *ns);
+struct nsproxy *put_nsproxy(struct nsproxy *ns);
-static inline void put_nsproxy(struct nsproxy *ns)
+static inline void finalize_put_nsproxy(struct nsproxy *ns)
- if (atomic_dec_and_test(&ns->count)) {
-static inline void exit_task_namespaces(struct task_struct *p)
+static inline void put_and_finalize_nsproxy(struct nsproxy *ns)
- struct nsproxy *ns = p->nsproxy;
- if (ns) {
- task_lock(p);
- p->nsproxy = NULL;
- task_unlock(p);
- put_nsproxy(ns);
- }
+ finalize_put_nsproxy(put_nsproxy(ns));
+}
+
+static inline struct nsproxy *preexit_task_namespaces(struct task_struct *p)
+{
+ return put_nsproxy(p->nsproxy);
+}
+
+static inline void exit_task_namespaces(struct task_struct *p,
+ struct nsproxy *ns)
+{
+ task_lock(p);
+ p->nsproxy = NULL;
+ task_unlock(p);
+ finalize_put_nsproxy(ns);
current->fs = fs;
atomic_inc(&fs->count);
current->fs = fs;
atomic_inc(&fs->count);
- exit_task_namespaces(current);
+ put_and_finalize_nsproxy(current->nsproxy);
current->nsproxy = init_task.nsproxy;
get_task_namespaces(current);
current->nsproxy = init_task.nsproxy;
get_task_namespaces(current);
fastcall NORET_TYPE void do_exit(long code)
{
struct task_struct *tsk = current;
fastcall NORET_TYPE void do_exit(long code)
{
struct task_struct *tsk = current;
int group_dead;
profile_task_exit(tsk);
int group_dead;
profile_task_exit(tsk);
tsk->exit_code = code;
proc_exit_connector(tsk);
tsk->exit_code = code;
proc_exit_connector(tsk);
+ ns = preexit_task_namespaces(tsk);
- exit_task_namespaces(tsk);
+ exit_task_namespaces(tsk, ns);
#ifdef CONFIG_NUMA
mpol_free(tsk->mempolicy);
tsk->mempolicy = NULL;
#ifdef CONFIG_NUMA
mpol_free(tsk->mempolicy);
tsk->mempolicy = NULL;
return p;
bad_fork_cleanup_namespaces:
return p;
bad_fork_cleanup_namespaces:
- exit_task_namespaces(p);
+ put_and_finalize_nsproxy(p->nsproxy);
bad_fork_cleanup_keys:
exit_keys(p);
bad_fork_cleanup_mm:
bad_fork_cleanup_keys:
exit_keys(p);
bad_fork_cleanup_mm:
- put_nsproxy(new_nsproxy);
+ put_and_finalize_nsproxy(new_nsproxy);
bad_unshare_cleanup_ipc:
if (new_ipc)
bad_unshare_cleanup_ipc:
if (new_ipc)
+ put_and_finalize_nsproxy(old_ns);
+struct nsproxy *put_nsproxy(struct nsproxy *ns)
+{
+ if (ns) {
+ if (atomic_dec_and_test(&ns->count)) {
+ if (ns->mnt_ns) {
+ put_mnt_ns(ns->mnt_ns);
+ ns->mnt_ns = NULL;
+ }
+ return ns;
+ }
+ }
+ return NULL;
+}
+
void free_nsproxy(struct nsproxy *ns)
{
if (ns->mnt_ns)
void free_nsproxy(struct nsproxy *ns)
{
if (ns->mnt_ns)