Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[syzbot]

syzbot has bisected this issue to:

commit 3a18f809184bc5a1cfad7cde5b8b026e2ff61587
Author: Christian Brauner <brauner@kernel.org>
Date:   Wed Oct 29 12:20:24 2025 +0000

    ns: add active reference count

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11a350b4580000
start commit:   9c0826a5d9aa Add linux-next specific files for 20251107
git tree:       linux-next
final oops:     https://syzkaller.appspot.com/x/report.txt?x=13a350b4580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15a350b4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f2ebeee52bf052b8
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1639d084580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1625aa92580000

Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
Fixes: 3a18f809184b ("ns: add active reference count")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[Christian Brauner]

On Sun, Nov 09, 2025 at 12:24:02AM -0800, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 3a18f809184bc5a1cfad7cde5b8b026e2ff61587
> Author: Christian Brauner <brauner@kernel.org>
> Date:   Wed Oct 29 12:20:24 2025 +0000
> 
>     ns: add active reference count
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11a350b4580000
> start commit:   9c0826a5d9aa Add linux-next specific files for 20251107
> git tree:       linux-next
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=13a350b4580000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15a350b4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f2ebeee52bf052b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1639d084580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1625aa92580000
> 
> Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
> Fixes: 3a18f809184b ("ns: add active reference count")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

#syz test: https://github.com/brauner/linux.git namespace-6.19

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __ns_ref_active_put

------------[ cut here ]------------
WARNING: CPU: 0 PID: 6489 at kernel/nscommon.c:171 __ns_ref_active_put+0x3d7/0x450 kernel/nscommon.c:171
Modules linked in:
CPU: 0 UID: 0 PID: 6489 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__ns_ref_active_put+0x3d7/0x450 kernel/nscommon.c:171
Code: 4d 8b 3e e9 1b fd ff ff e8 b6 61 32 00 90 0f 0b 90 e9 29 fd ff ff e8 a8 61 32 00 90 0f 0b 90 e9 59 fd ff ff e8 9a 61 32 00 90 <0f> 0b 90 e9 72 ff ff ff e8 8c 61 32 00 90 0f 0b 90 e9 64 ff ff ff
RSP: 0018:ffffc90003457d50 EFLAGS: 00010293
RAX: ffffffff818e5b86 RBX: 00000000ffffffff RCX: ffff88802cc69e40
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
RBP: ffffc90003457e00 R08: ffff8880320be42b R09: 1ffff11006417c85
R10: dffffc0000000000 R11: ffffed1006417c86 R12: dffffc0000000000
R13: 1ffff11006417c84 R14: ffff8880320be420 R15: ffff8880320be428
FS:  00007fe11c3746c0(0000) GS:ffff888125cf3000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d863fff CR3: 000000007798c000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 nsproxy_ns_active_put+0x4a/0x200 fs/nsfs.c:701
 free_nsproxy+0x21/0x140 kernel/nsproxy.c:190
 put_nsset kernel/nsproxy.c:341 [inline]
 __do_sys_setns kernel/nsproxy.c:594 [inline]
 __se_sys_setns+0x1459/0x1c60 kernel/nsproxy.c:559
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe11b590ef7
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 34 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe11c373fd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000134
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe11b590ef7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000c9
RBP: 00007fe11b611f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe11b7e6038 R14: 00007fe11b7e5fa0 R15: 00007ffcd9b83d18
 </TASK>


Tested on:

commit:         18b5c400 Merge patch series "ns: header cleanups and i..
git tree:       https://github.com/brauner/linux.git namespace-6.19
console output: https://syzkaller.appspot.com/x/log.txt?x=12c08658580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=59952e73920025e4
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[Christian Brauner]

On Tue, Nov 11, 2025 at 01:46:03AM -0800, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in __ns_ref_active_put

#syz test: https://github.com/brauner/linux.git namespace-6.19.fixes

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

SYZFAIL: failed to recv rpc

SYZFAIL: failed to recv rpc


Warning: Permanently added '10.128.1.29' (ED25519) to the list of known hosts.
2025/11/11 11:01:12 parsed 1 programs
[   92.366829][  T894] cfg80211: failed to load regulatory.db
[   94.101317][ T5831] cgroup: Unknown subsys name 'net'
[   94.208868][ T5831] cgroup: Unknown subsys name 'cpuset'
[   94.218695][ T5831] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   95.913996][ T5831] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   99.210494][ T5845] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   99.368014][   T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   99.376801][   T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   99.385991][   T52] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   99.394090][   T52] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   99.403295][   T52] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   99.760048][   T67] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   99.769465][   T67] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   99.812956][   T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   99.820978][   T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  101.094305][ T5880] chnl_net:caif_netlink_parms(): no params data found
[  101.244059][ T5880] bridge0: port 1(bridge_slave_0) entered blocking state
[  101.252746][ T5880] bridge0: port 1(bridge_slave_0) entered disabled state
[  101.261818][ T5880] bridge_slave_0: entered allmulticast mode
[  101.270392][ T5880] bridge_slave_0: entered promiscuous mode
[  101.283473][ T5880] bridge0: port 2(bridge_slave_1) entered blocking state
[  101.291198][ T5880] bridge0: port 2(bridge_slave_1) entered disabled state
[  101.298667][ T5880] bridge_slave_1: entered allmulticast mode
[  101.307108][ T5880] bridge_slave_1: entered promiscuous mode
[  101.360560][ T5880] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  101.373330][ T5880] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  101.413565][ T5880] team0: Port device team_slave_0 added
[  101.422832][ T5880] team0: Port device team_slave_1 added
[  101.463069][ T5880] batman_adv: batadv0: Adding interface: batadv_slave_0
[  101.470261][ T5880] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  101.497282][ T5880] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  101.511788][ T5880] batman_adv: batadv0: Adding interface: batadv_slave_1
[  101.518889][ T5880] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  101.545058][ T5880] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  101.590841][ T5880] hsr_slave_0: entered promiscuous mode
[  101.597434][ T5880] hsr_slave_1: entered promiscuous mode
[  101.741572][ T5880] netdevsim netdevsim0 netdevsim0: renamed from eth0
[  101.754163][ T5880] netdevsim netdevsim0 netdevsim1: renamed from eth1
[  101.764799][ T5880] netdevsim netdevsim0 netdevsim2: renamed from eth2
[  101.774770][ T5880] netdevsim netdevsim0 netdevsim3: renamed from eth3
[  101.805511][ T5880] bridge0: port 2(bridge_slave_1) entered blocking state
[  101.812788][ T5880] bridge0: port 2(bridge_slave_1) entered forwarding state
[  101.820983][ T5880] bridge0: port 1(bridge_slave_0) entered blocking state
[  101.828371][ T5880] bridge0: port 1(bridge_slave_0) entered forwarding state
[  101.843110][   T13] bridge0: port 1(bridge_slave_0) entered disabled state
[  101.851795][   T13] bridge0: port 2(bridge_slave_1) entered disabled state
[  101.904027][ T5880] 8021q: adding VLAN 0 to HW filter on device bond0
[  101.928006][ T5880] 8021q: adding VLAN 0 to HW filter on device team0
[  101.942529][ T3448] bridge0: port 1(bridge_slave_0) entered blocking state
[  101.950392][ T3448] bridge0: port 1(bridge_slave_0) entered forwarding state
[  101.964563][   T13] bridge0: port 2(bridge_slave_1) entered blocking state
[  101.971799][   T13] bridge0: port 2(bridge_slave_1) entered forwarding state
[  102.152983][ T5880] 8021q: adding VLAN 0 to HW filter on device batadv0
[  102.197805][ T5880] veth0_vlan: entered promiscuous mode
[  102.210102][ T5880] veth1_vlan: entered promiscuous mode
[  102.244663][ T5880] veth0_macvtap: entered promiscuous mode
[  102.254634][ T5880] veth1_macvtap: entered promiscuous mode
[  102.273656][ T5880] batman_adv: batadv0: Interface activated: batadv_slave_0
[  102.289496][ T5880] batman_adv: batadv0: Interface activated: batadv_slave_1
[  102.304731][   T67] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  102.314238][   T67] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  102.324278][   T67] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  102.334159][   T67] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  102.469673][   T67] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  102.543054][   T67] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  102.622429][   T67] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[  102.698368][   T67] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
2025/11/11 11:01:26 executed programs: 0
[  104.788606][   T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[  104.799432][   T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[  104.807512][   T52] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[  104.816410][   T52] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[  104.824560][   T52] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[  104.982601][ T5940] chnl_net:caif_netlink_parms(): no params data found
[  105.059249][ T5940] bridge0: port 1(bridge_slave_0) entered blocking state
[  105.066542][ T5940] bridge0: port 1(bridge_slave_0) entered disabled state
[  105.073685][ T5940] bridge_slave_0: entered allmulticast mode
[  105.081124][ T5940] bridge_slave_0: entered promiscuous mode
[  105.089124][ T5940] bridge0: port 2(bridge_slave_1) entered blocking state
[  105.096583][ T5940] bridge0: port 2(bridge_slave_1) entered disabled state
[  105.104018][ T5940] bridge_slave_1: entered allmulticast mode
[  105.111771][ T5940] bridge_slave_1: entered promiscuous mode
[  105.143334][ T5940] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  105.155734][ T5940] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  105.191407][ T5940] team0: Port device team_slave_0 added
[  105.201031][ T5940] team0: Port device team_slave_1 added
[  105.235802][ T5940] batman_adv: batadv0: Adding interface: batadv_slave_0
[  105.242802][ T5940] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  105.269608][ T5940] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  105.296300][ T5940] batman_adv: batadv0: Adding interface: batadv_slave_1
[  105.303516][ T5940] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[  105.331738][ T5940] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  105.417552][ T5940] hsr_slave_0: entered promiscuous mode
[  105.424204][ T5940] hsr_slave_1: entered promiscuous mode
[  105.430828][ T5940] debugfs: 'hsr0' already exists in 'hsr'
[  105.437317][ T5940] Cannot create hsr debugfs directory
[  105.454873][   T67] bridge_slave_1: left allmulticast mode
[  105.460813][   T67] bridge_slave_1: left promiscuous mode
[  105.467853][   T67] bridge0: port 2(bridge_slave_1) entered disabled state
[  105.479304][   T67] bridge_slave_0: left allmulticast mode
[  105.485065][   T67] bridge_slave_0: left promiscuous mode
[  105.491001][   T67] bridge0: port 1(bridge_slave_0) entered disabled state
[  105.729562][   T67] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[  105.741503][   T67] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[  105.752583][   T67] bond0 (unregistering): Released all slaves
[  105.835828][   T67] hsr_slave_0: left promiscuous mode
[  105.842862][   T67] hsr_slave_1: left promiscuous mode
[  105.849433][   T67] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[  105.857469][   T67] batman_adv: batadv0: Removing interface: batadv_slave_0
[  105.865850][   T67] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[  105.873344][   T67] batman_adv: batadv0: Removing interface: batadv_slave_1
[  105.890846][   T67] veth1_macvtap: left promiscuous mode
[  105.897610][   T67] veth0_macvtap: left promiscuous mode
[  105.903553][   T67] veth1_vlan: left promiscuous mode
[  105.910171][   T67] veth0_vlan: left promiscuous mode
[  106.222498][   T67] team0 (unregistering): Port device team_slave_1 removed
[  106.255035][   T67] team0 (unregistering): Port device team_slave_0 removed
[  106.849861][   T52] Bluetooth: hci0: command tx timeout
[  107.366951][ T5940] netdevsim netdevsim0 netdevsim0: renamed from eth0
[  107.390747][ T5940] netdevsim netdevsim0 netdevsim1: renamed from eth1
[  107.409101][ T5940] netdevsim netdevsim0 netdevsim2: renamed from eth2
[  107.429220][ T5940] netdevsim netdevsim0 netdevsim3: renamed from eth3
[  107.687917][ T5940] 8021q: adding VLAN 0 to HW filter on device bond0
[  107.729157][ T5940] 8021q: adding VLAN 0 to HW filter on device team0
[  107.757652][ T1309] bridge0: port 1(bridge_slave_0) entered blocking state
[  107.764863][ T1309] bridge0: port 1(bridge_slave_0) entered forwarding state
[  107.814393][ T1309] bridge0: port 2(bridge_slave_1) entered blocking state
[  107.821819][ T1309] bridge0: port 2(bridge_slave_1) entered forwarding state
[  108.188295][ T5940] 8021q: adding VLAN 0 to HW filter on device batadv0
[  108.234481][ T5940] veth0_vlan: entered promiscuous mode
[  108.246943][ T5940] veth1_vlan: entered promiscuous mode
[  108.277479][ T5940] veth0_macvtap: entered promiscuous mode
[  108.288108][ T5940] veth1_macvtap: entered promiscuous mode
[  108.306578][ T5940] batman_adv: batadv0: Interface activated: batadv_slave_0
[  108.321859][ T5940] batman_adv: batadv0: Interface activated: batadv_slave_1
[  108.336901][ T1322] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  108.346834][ T1322] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  108.358941][ T1322] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  108.368475][ T1322] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  108.430497][ T1309] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  108.438794][ T1309] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  108.474331][   T67] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  108.484170][   T67] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
SYZFAIL: failed to recv rpc


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3388558029=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 4e1406b4def
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"4e1406b4defac0e2a9d9424c70706f79a7750cf3\"
/usr/bin/ld: /tmp/ccimHo7N.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         ae901e5e Merge patch series "ns: fixes for namespace i..
git tree:       https://github.com/brauner/linux.git namespace-6.19.fixes
kernel config:  https://syzkaller.appspot.com/x/.config?x=7b0bf36f88602817
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[Christian Brauner]

On Tue, Nov 11, 2025 at 03:02:03AM -0800, syzbot wrote:
> Hello,
> 
> syzbot tried to test the proposed patch but the build/boot failed:

I think that's unrelated. Anyway, I managed to point this to the wrong
branch. I'll send another test request in a bit.

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[Christian Brauner]

On Tue, Nov 11, 2025 at 12:23:18PM +0100, Christian Brauner wrote:
> On Tue, Nov 11, 2025 at 03:02:03AM -0800, syzbot wrote:
> > Hello,
> > 
> > syzbot tried to test the proposed patch but the build/boot failed:
> 
> I think that's unrelated. Anyway, I managed to point this to the wrong
> branch. I'll send another test request in a bit.

#syz test: https://github.com/brauner/linux.git namespace-6.19

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __ns_ref_active_put

------------[ cut here ]------------
WARNING: CPU: 0 PID: 6581 at kernel/nscommon.c:171 __ns_ref_active_put+0x3d7/0x450 kernel/nscommon.c:171
Modules linked in:
CPU: 0 UID: 0 PID: 6581 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__ns_ref_active_put+0x3d7/0x450 kernel/nscommon.c:171
Code: 4d 8b 3e e9 1b fd ff ff e8 76 62 32 00 90 0f 0b 90 e9 29 fd ff ff e8 68 62 32 00 90 0f 0b 90 e9 59 fd ff ff e8 5a 62 32 00 90 <0f> 0b 90 e9 72 ff ff ff e8 4c 62 32 00 90 0f 0b 90 e9 64 ff ff ff
RSP: 0018:ffffc9000238fd68 EFLAGS: 00010293
RAX: ffffffff818e5946 RBX: 00000000ffffffff RCX: ffff8880302ebc80
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
RBP: ffffc9000238fe00 R08: ffff888078968c2b R09: 1ffff1100f12d185
R10: dffffc0000000000 R11: ffffed100f12d186 R12: dffffc0000000000
R13: 1ffff1100f12d184 R14: ffff888078968c20 R15: ffff888078968c28
FS:  00007efc0fd536c0(0000) GS:ffff888125cf3000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33263fff CR3: 0000000030876000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 nsproxy_ns_active_put+0x4a/0x200 fs/nsfs.c:701
 free_nsproxy kernel/nsproxy.c:80 [inline]
 put_nsset kernel/nsproxy.c:316 [inline]
 __do_sys_setns kernel/nsproxy.c:-1 [inline]
 __se_sys_setns+0x1349/0x1b60 kernel/nsproxy.c:534
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efc0ef90ef7
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 34 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efc0fd52fd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000134
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007efc0ef90ef7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000c9
RBP: 00007efc0f011f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efc0f1e6038 R14: 00007efc0f1e5fa0 R15: 00007fff5692b648
 </TASK>


Tested on:

commit:         cc719c88 nsproxy: fix free_nsproxy() and simplify crea..
git tree:       https://github.com/brauner/linux.git namespace-6.19
console output: https://syzkaller.appspot.com/x/log.txt?x=1613f17c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=59952e73920025e4
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[Christian Brauner]

On Tue, Nov 11, 2025 at 05:03:03AM -0800, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in __ns_ref_active_put

#syz test: https://github.com/brauner/linux.git namespace-6.19

Groan, forgot the actual important bit after the cleanup:

  * Called from unshare. Unshare all the namespaces part of nsproxy.
  * On success, returns the new nsproxy.
@@ -338,7 +313,7 @@ static void put_nsset(struct nsset *nsset)
        if (nsset->fs && (flags & CLONE_NEWNS) && (flags & ~CLONE_NEWNS))
                free_fs_struct(nsset->fs);
        if (nsset->nsproxy)
-               free_nsproxy(nsset->nsproxy);
+               nsproxy_free(nsset->nsproxy);
 }

Re: [syzbot] [fs?] WARNING in nsproxy_ns_active_put

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
Tested-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com

Tested on:

commit:         d2bab7f2 nsproxy: fix free_nsproxy() and simplify crea..
git tree:       https://github.com/brauner/linux.git namespace-6.19
console output: https://syzkaller.appspot.com/x/log.txt?x=123a8658580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=59952e73920025e4
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2e79f91ff6579bfa5b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

[PATCH] nsproxy: fix free_nsproxy() and simplify create_new_namespaces()

[Christian Brauner]

Make it possible to handle NULL being passed to the reference count
helpers instead of forcing the caller to handle this. Afterwards we can
nicely allow a cleanup guard to handle nsproxy freeing.

Active reference count handling is not done in nsproxy_free() but rather
in free_nsproxy() as nsproxy_free() is also called from setns() failure
paths where a new nsproxy has been prepared but has not been marked as
active via switch_task_namespaces().

Fixes: 3c9820d5c64a ("ns: add active reference count")
Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
Reported-by: syzbot+0a8655a80e189278487e@syzkaller.appspotmail.com
Link: https://lore.kernel.org/690bfb9e.050a0220.2e3c35.0013.GAE@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 include/linux/ns_common.h |  11 ++--
 kernel/nsproxy.c          | 107 +++++++++++++++-----------------------
 2 files changed, 48 insertions(+), 70 deletions(-)

diff --git a/include/linux/ns_common.h b/include/linux/ns_common.h
index 136f6a322e53..825f5865bfc5 100644
--- a/include/linux/ns_common.h
+++ b/include/linux/ns_common.h
@@ -114,11 +114,14 @@ static __always_inline __must_check bool __ns_ref_dec_and_lock(struct ns_common
 }
 
 #define ns_ref_read(__ns) __ns_ref_read(to_ns_common((__ns)))
-#define ns_ref_inc(__ns) __ns_ref_inc(to_ns_common((__ns)))
-#define ns_ref_get(__ns) __ns_ref_get(to_ns_common((__ns)))
-#define ns_ref_put(__ns) __ns_ref_put(to_ns_common((__ns)))
+#define ns_ref_inc(__ns) \
+	do { if (__ns) __ns_ref_inc(to_ns_common((__ns))); } while (0)
+#define ns_ref_get(__ns) \
+	((__ns) ? __ns_ref_get(to_ns_common((__ns))) : false)
+#define ns_ref_put(__ns) \
+	((__ns) ? __ns_ref_put(to_ns_common((__ns))) : false)
 #define ns_ref_put_and_lock(__ns, __ns_lock) \
-	__ns_ref_dec_and_lock(to_ns_common((__ns)), __ns_lock)
+	((__ns) ? __ns_ref_dec_and_lock(to_ns_common((__ns)), __ns_lock) : false)
 
 #define ns_ref_active_read(__ns) \
 	((__ns) ? __ns_ref_active_read(to_ns_common(__ns)) : 0)
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 94c2cfe0afa1..2c94452dc793 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -60,6 +60,27 @@ static inline struct nsproxy *create_nsproxy(void)
 	return nsproxy;
 }
 
+static inline void nsproxy_free(struct nsproxy *ns)
+{
+	put_mnt_ns(ns->mnt_ns);
+	put_uts_ns(ns->uts_ns);
+	put_ipc_ns(ns->ipc_ns);
+	put_pid_ns(ns->pid_ns_for_children);
+	put_time_ns(ns->time_ns);
+	put_time_ns(ns->time_ns_for_children);
+	put_cgroup_ns(ns->cgroup_ns);
+	put_net(ns->net_ns);
+	kmem_cache_free(nsproxy_cachep, ns);
+}
+
+DEFINE_FREE(nsproxy_free, struct nsproxy *, if (_T) nsproxy_free(_T))
+
+void free_nsproxy(struct nsproxy *ns)
+{
+	nsproxy_ns_active_put(ns);
+	nsproxy_free(ns);
+}
+
 /*
  * Create new nsproxy and all of its the associated namespaces.
  * Return the newly created nsproxy.  Do not attach this to the task,
@@ -69,76 +90,45 @@ static struct nsproxy *create_new_namespaces(u64 flags,
 	struct task_struct *tsk, struct user_namespace *user_ns,
 	struct fs_struct *new_fs)
 {
-	struct nsproxy *new_nsp;
-	int err;
+	struct nsproxy *new_nsp __free(nsproxy_free) = NULL;
 
 	new_nsp = create_nsproxy();
 	if (!new_nsp)
 		return ERR_PTR(-ENOMEM);
 
 	new_nsp->mnt_ns = copy_mnt_ns(flags, tsk->nsproxy->mnt_ns, user_ns, new_fs);
-	if (IS_ERR(new_nsp->mnt_ns)) {
-		err = PTR_ERR(new_nsp->mnt_ns);
-		goto out_ns;
-	}
+	if (IS_ERR(new_nsp->mnt_ns))
+		return ERR_CAST(new_nsp->mnt_ns);
 
 	new_nsp->uts_ns = copy_utsname(flags, user_ns, tsk->nsproxy->uts_ns);
-	if (IS_ERR(new_nsp->uts_ns)) {
-		err = PTR_ERR(new_nsp->uts_ns);
-		goto out_uts;
-	}
+	if (IS_ERR(new_nsp->uts_ns))
+		return ERR_CAST(new_nsp->uts_ns);
 
 	new_nsp->ipc_ns = copy_ipcs(flags, user_ns, tsk->nsproxy->ipc_ns);
-	if (IS_ERR(new_nsp->ipc_ns)) {
-		err = PTR_ERR(new_nsp->ipc_ns);
-		goto out_ipc;
-	}
+	if (IS_ERR(new_nsp->ipc_ns))
+		return ERR_CAST(new_nsp->ipc_ns);
 
-	new_nsp->pid_ns_for_children =
-		copy_pid_ns(flags, user_ns, tsk->nsproxy->pid_ns_for_children);
-	if (IS_ERR(new_nsp->pid_ns_for_children)) {
-		err = PTR_ERR(new_nsp->pid_ns_for_children);
-		goto out_pid;
-	}
+	new_nsp->pid_ns_for_children = copy_pid_ns(flags, user_ns,
+						   tsk->nsproxy->pid_ns_for_children);
+	if (IS_ERR(new_nsp->pid_ns_for_children))
+		return ERR_CAST(new_nsp->pid_ns_for_children);
 
 	new_nsp->cgroup_ns = copy_cgroup_ns(flags, user_ns,
 					    tsk->nsproxy->cgroup_ns);
-	if (IS_ERR(new_nsp->cgroup_ns)) {
-		err = PTR_ERR(new_nsp->cgroup_ns);
-		goto out_cgroup;
-	}
+	if (IS_ERR(new_nsp->cgroup_ns))
+		return ERR_CAST(new_nsp->cgroup_ns);
 
 	new_nsp->net_ns = copy_net_ns(flags, user_ns, tsk->nsproxy->net_ns);
-	if (IS_ERR(new_nsp->net_ns)) {
-		err = PTR_ERR(new_nsp->net_ns);
-		goto out_net;
-	}
+	if (IS_ERR(new_nsp->net_ns))
+		return ERR_CAST(new_nsp->net_ns);
 
 	new_nsp->time_ns_for_children = copy_time_ns(flags, user_ns,
-					tsk->nsproxy->time_ns_for_children);
-	if (IS_ERR(new_nsp->time_ns_for_children)) {
-		err = PTR_ERR(new_nsp->time_ns_for_children);
-		goto out_time;
-	}
+						     tsk->nsproxy->time_ns_for_children);
+	if (IS_ERR(new_nsp->time_ns_for_children))
+		return ERR_CAST(new_nsp->time_ns_for_children);
 	new_nsp->time_ns = get_time_ns(tsk->nsproxy->time_ns);
 
-	return new_nsp;
-
-out_time:
-	put_net(new_nsp->net_ns);
-out_net:
-	put_cgroup_ns(new_nsp->cgroup_ns);
-out_cgroup:
-	put_pid_ns(new_nsp->pid_ns_for_children);
-out_pid:
-	put_ipc_ns(new_nsp->ipc_ns);
-out_ipc:
-	put_uts_ns(new_nsp->uts_ns);
-out_uts:
-	put_mnt_ns(new_nsp->mnt_ns);
-out_ns:
-	kmem_cache_free(nsproxy_cachep, new_nsp);
-	return ERR_PTR(err);
+	return no_free_ptr(new_nsp);
 }
 
 /*
@@ -185,21 +175,6 @@ int copy_namespaces(u64 flags, struct task_struct *tsk)
 	return 0;
 }
 
-void free_nsproxy(struct nsproxy *ns)
-{
-	nsproxy_ns_active_put(ns);
-
-	put_mnt_ns(ns->mnt_ns);
-	put_uts_ns(ns->uts_ns);
-	put_ipc_ns(ns->ipc_ns);
-	put_pid_ns(ns->pid_ns_for_children);
-	put_time_ns(ns->time_ns);
-	put_time_ns(ns->time_ns_for_children);
-	put_cgroup_ns(ns->cgroup_ns);
-	put_net(ns->net_ns);
-	kmem_cache_free(nsproxy_cachep, ns);
-}
-
 /*
  * Called from unshare. Unshare all the namespaces part of nsproxy.
  * On success, returns the new nsproxy.
@@ -338,7 +313,7 @@ static void put_nsset(struct nsset *nsset)
 	if (nsset->fs && (flags & CLONE_NEWNS) && (flags & ~CLONE_NEWNS))
 		free_fs_struct(nsset->fs);
 	if (nsset->nsproxy)
-		free_nsproxy(nsset->nsproxy);
+		nsproxy_free(nsset->nsproxy);
 }
 
 static int prepare_nsset(unsigned flags, struct nsset *nsset)
-- 
2.47.3

Re: [PATCH] nsproxy: fix free_nsproxy() and simplify create_new_namespaces()

[Jan Kara]

On Tue 11-11-25 22:29:44, Christian Brauner wrote:
> Make it possible to handle NULL being passed to the reference count
> helpers instead of forcing the caller to handle this. Afterwards we can
> nicely allow a cleanup guard to handle nsproxy freeing.
> 
> Active reference count handling is not done in nsproxy_free() but rather
> in free_nsproxy() as nsproxy_free() is also called from setns() failure
> paths where a new nsproxy has been prepared but has not been marked as
> active via switch_task_namespaces().
> 
> Fixes: 3c9820d5c64a ("ns: add active reference count")
> Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
> Reported-by: syzbot+0a8655a80e189278487e@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/690bfb9e.050a0220.2e3c35.0013.GAE@google.com
> Signed-off-by: Christian Brauner <brauner@kernel.org>

I believe having free_nsproxy() and nsproxy_free() functions with
the same signature and slightly different semantics is making things too
easy to get wrong. Maybe call free_nsproxy() say deactivate_nsproxy()?

Otherwise the patch looks correct to me. Feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

								Honza

> ---
>  include/linux/ns_common.h |  11 ++--
>  kernel/nsproxy.c          | 107 +++++++++++++++-----------------------
>  2 files changed, 48 insertions(+), 70 deletions(-)
> 
> diff --git a/include/linux/ns_common.h b/include/linux/ns_common.h
> index 136f6a322e53..825f5865bfc5 100644
> --- a/include/linux/ns_common.h
> +++ b/include/linux/ns_common.h
> @@ -114,11 +114,14 @@ static __always_inline __must_check bool __ns_ref_dec_and_lock(struct ns_common
>  }
>  
>  #define ns_ref_read(__ns) __ns_ref_read(to_ns_common((__ns)))
> -#define ns_ref_inc(__ns) __ns_ref_inc(to_ns_common((__ns)))
> -#define ns_ref_get(__ns) __ns_ref_get(to_ns_common((__ns)))
> -#define ns_ref_put(__ns) __ns_ref_put(to_ns_common((__ns)))
> +#define ns_ref_inc(__ns) \
> +	do { if (__ns) __ns_ref_inc(to_ns_common((__ns))); } while (0)
> +#define ns_ref_get(__ns) \
> +	((__ns) ? __ns_ref_get(to_ns_common((__ns))) : false)
> +#define ns_ref_put(__ns) \
> +	((__ns) ? __ns_ref_put(to_ns_common((__ns))) : false)
>  #define ns_ref_put_and_lock(__ns, __ns_lock) \
> -	__ns_ref_dec_and_lock(to_ns_common((__ns)), __ns_lock)
> +	((__ns) ? __ns_ref_dec_and_lock(to_ns_common((__ns)), __ns_lock) : false)
>  
>  #define ns_ref_active_read(__ns) \
>  	((__ns) ? __ns_ref_active_read(to_ns_common(__ns)) : 0)
> diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
> index 94c2cfe0afa1..2c94452dc793 100644
> --- a/kernel/nsproxy.c
> +++ b/kernel/nsproxy.c
> @@ -60,6 +60,27 @@ static inline struct nsproxy *create_nsproxy(void)
>  	return nsproxy;
>  }
>  
> +static inline void nsproxy_free(struct nsproxy *ns)
> +{
> +	put_mnt_ns(ns->mnt_ns);
> +	put_uts_ns(ns->uts_ns);
> +	put_ipc_ns(ns->ipc_ns);
> +	put_pid_ns(ns->pid_ns_for_children);
> +	put_time_ns(ns->time_ns);
> +	put_time_ns(ns->time_ns_for_children);
> +	put_cgroup_ns(ns->cgroup_ns);
> +	put_net(ns->net_ns);
> +	kmem_cache_free(nsproxy_cachep, ns);
> +}
> +
> +DEFINE_FREE(nsproxy_free, struct nsproxy *, if (_T) nsproxy_free(_T))
> +
> +void free_nsproxy(struct nsproxy *ns)
> +{
> +	nsproxy_ns_active_put(ns);
> +	nsproxy_free(ns);
> +}
> +
>  /*
>   * Create new nsproxy and all of its the associated namespaces.
>   * Return the newly created nsproxy.  Do not attach this to the task,
> @@ -69,76 +90,45 @@ static struct nsproxy *create_new_namespaces(u64 flags,
>  	struct task_struct *tsk, struct user_namespace *user_ns,
>  	struct fs_struct *new_fs)
>  {
> -	struct nsproxy *new_nsp;
> -	int err;
> +	struct nsproxy *new_nsp __free(nsproxy_free) = NULL;
>  
>  	new_nsp = create_nsproxy();
>  	if (!new_nsp)
>  		return ERR_PTR(-ENOMEM);
>  
>  	new_nsp->mnt_ns = copy_mnt_ns(flags, tsk->nsproxy->mnt_ns, user_ns, new_fs);
> -	if (IS_ERR(new_nsp->mnt_ns)) {
> -		err = PTR_ERR(new_nsp->mnt_ns);
> -		goto out_ns;
> -	}
> +	if (IS_ERR(new_nsp->mnt_ns))
> +		return ERR_CAST(new_nsp->mnt_ns);
>  
>  	new_nsp->uts_ns = copy_utsname(flags, user_ns, tsk->nsproxy->uts_ns);
> -	if (IS_ERR(new_nsp->uts_ns)) {
> -		err = PTR_ERR(new_nsp->uts_ns);
> -		goto out_uts;
> -	}
> +	if (IS_ERR(new_nsp->uts_ns))
> +		return ERR_CAST(new_nsp->uts_ns);
>  
>  	new_nsp->ipc_ns = copy_ipcs(flags, user_ns, tsk->nsproxy->ipc_ns);
> -	if (IS_ERR(new_nsp->ipc_ns)) {
> -		err = PTR_ERR(new_nsp->ipc_ns);
> -		goto out_ipc;
> -	}
> +	if (IS_ERR(new_nsp->ipc_ns))
> +		return ERR_CAST(new_nsp->ipc_ns);
>  
> -	new_nsp->pid_ns_for_children =
> -		copy_pid_ns(flags, user_ns, tsk->nsproxy->pid_ns_for_children);
> -	if (IS_ERR(new_nsp->pid_ns_for_children)) {
> -		err = PTR_ERR(new_nsp->pid_ns_for_children);
> -		goto out_pid;
> -	}
> +	new_nsp->pid_ns_for_children = copy_pid_ns(flags, user_ns,
> +						   tsk->nsproxy->pid_ns_for_children);
> +	if (IS_ERR(new_nsp->pid_ns_for_children))
> +		return ERR_CAST(new_nsp->pid_ns_for_children);
>  
>  	new_nsp->cgroup_ns = copy_cgroup_ns(flags, user_ns,
>  					    tsk->nsproxy->cgroup_ns);
> -	if (IS_ERR(new_nsp->cgroup_ns)) {
> -		err = PTR_ERR(new_nsp->cgroup_ns);
> -		goto out_cgroup;
> -	}
> +	if (IS_ERR(new_nsp->cgroup_ns))
> +		return ERR_CAST(new_nsp->cgroup_ns);
>  
>  	new_nsp->net_ns = copy_net_ns(flags, user_ns, tsk->nsproxy->net_ns);
> -	if (IS_ERR(new_nsp->net_ns)) {
> -		err = PTR_ERR(new_nsp->net_ns);
> -		goto out_net;
> -	}
> +	if (IS_ERR(new_nsp->net_ns))
> +		return ERR_CAST(new_nsp->net_ns);
>  
>  	new_nsp->time_ns_for_children = copy_time_ns(flags, user_ns,
> -					tsk->nsproxy->time_ns_for_children);
> -	if (IS_ERR(new_nsp->time_ns_for_children)) {
> -		err = PTR_ERR(new_nsp->time_ns_for_children);
> -		goto out_time;
> -	}
> +						     tsk->nsproxy->time_ns_for_children);
> +	if (IS_ERR(new_nsp->time_ns_for_children))
> +		return ERR_CAST(new_nsp->time_ns_for_children);
>  	new_nsp->time_ns = get_time_ns(tsk->nsproxy->time_ns);
>  
> -	return new_nsp;
> -
> -out_time:
> -	put_net(new_nsp->net_ns);
> -out_net:
> -	put_cgroup_ns(new_nsp->cgroup_ns);
> -out_cgroup:
> -	put_pid_ns(new_nsp->pid_ns_for_children);
> -out_pid:
> -	put_ipc_ns(new_nsp->ipc_ns);
> -out_ipc:
> -	put_uts_ns(new_nsp->uts_ns);
> -out_uts:
> -	put_mnt_ns(new_nsp->mnt_ns);
> -out_ns:
> -	kmem_cache_free(nsproxy_cachep, new_nsp);
> -	return ERR_PTR(err);
> +	return no_free_ptr(new_nsp);
>  }
>  
>  /*
> @@ -185,21 +175,6 @@ int copy_namespaces(u64 flags, struct task_struct *tsk)
>  	return 0;
>  }
>  
> -void free_nsproxy(struct nsproxy *ns)
> -{
> -	nsproxy_ns_active_put(ns);
> -
> -	put_mnt_ns(ns->mnt_ns);
> -	put_uts_ns(ns->uts_ns);
> -	put_ipc_ns(ns->ipc_ns);
> -	put_pid_ns(ns->pid_ns_for_children);
> -	put_time_ns(ns->time_ns);
> -	put_time_ns(ns->time_ns_for_children);
> -	put_cgroup_ns(ns->cgroup_ns);
> -	put_net(ns->net_ns);
> -	kmem_cache_free(nsproxy_cachep, ns);
> -}
> -
>  /*
>   * Called from unshare. Unshare all the namespaces part of nsproxy.
>   * On success, returns the new nsproxy.
> @@ -338,7 +313,7 @@ static void put_nsset(struct nsset *nsset)
>  	if (nsset->fs && (flags & CLONE_NEWNS) && (flags & ~CLONE_NEWNS))
>  		free_fs_struct(nsset->fs);
>  	if (nsset->nsproxy)
> -		free_nsproxy(nsset->nsproxy);
> +		nsproxy_free(nsset->nsproxy);
>  }
>  
>  static int prepare_nsset(unsigned flags, struct nsset *nsset)
> -- 
> 2.47.3
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

Re: [PATCH] nsproxy: fix free_nsproxy() and simplify create_new_namespaces()

[Christian Brauner]

On Thu, Nov 13, 2025 at 12:19:40PM +0100, Jan Kara wrote:
> On Tue 11-11-25 22:29:44, Christian Brauner wrote:
> > Make it possible to handle NULL being passed to the reference count
> > helpers instead of forcing the caller to handle this. Afterwards we can
> > nicely allow a cleanup guard to handle nsproxy freeing.
> > 
> > Active reference count handling is not done in nsproxy_free() but rather
> > in free_nsproxy() as nsproxy_free() is also called from setns() failure
> > paths where a new nsproxy has been prepared but has not been marked as
> > active via switch_task_namespaces().
> > 
> > Fixes: 3c9820d5c64a ("ns: add active reference count")
> > Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
> > Reported-by: syzbot+0a8655a80e189278487e@syzkaller.appspotmail.com
> > Link: https://lore.kernel.org/690bfb9e.050a0220.2e3c35.0013.GAE@google.com
> > Signed-off-by: Christian Brauner <brauner@kernel.org>
> 
> I believe having free_nsproxy() and nsproxy_free() functions with
> the same signature and slightly different semantics is making things too
> easy to get wrong. Maybe call free_nsproxy() say deactivate_nsproxy()?

Good idea, I'll rename to that!

> 
> Otherwise the patch looks correct to me. Feel free to add:
> 
> Reviewed-by: Jan Kara <jack@suse.cz>
> 
> 								Honza
> 
> > ---
> >  include/linux/ns_common.h |  11 ++--
> >  kernel/nsproxy.c          | 107 +++++++++++++++-----------------------
> >  2 files changed, 48 insertions(+), 70 deletions(-)
> > 
> > diff --git a/include/linux/ns_common.h b/include/linux/ns_common.h
> > index 136f6a322e53..825f5865bfc5 100644
> > --- a/include/linux/ns_common.h
> > +++ b/include/linux/ns_common.h
> > @@ -114,11 +114,14 @@ static __always_inline __must_check bool __ns_ref_dec_and_lock(struct ns_common
> >  }
> >  
> >  #define ns_ref_read(__ns) __ns_ref_read(to_ns_common((__ns)))
> > -#define ns_ref_inc(__ns) __ns_ref_inc(to_ns_common((__ns)))
> > -#define ns_ref_get(__ns) __ns_ref_get(to_ns_common((__ns)))
> > -#define ns_ref_put(__ns) __ns_ref_put(to_ns_common((__ns)))
> > +#define ns_ref_inc(__ns) \
> > +	do { if (__ns) __ns_ref_inc(to_ns_common((__ns))); } while (0)
> > +#define ns_ref_get(__ns) \
> > +	((__ns) ? __ns_ref_get(to_ns_common((__ns))) : false)
> > +#define ns_ref_put(__ns) \
> > +	((__ns) ? __ns_ref_put(to_ns_common((__ns))) : false)
> >  #define ns_ref_put_and_lock(__ns, __ns_lock) \
> > -	__ns_ref_dec_and_lock(to_ns_common((__ns)), __ns_lock)
> > +	((__ns) ? __ns_ref_dec_and_lock(to_ns_common((__ns)), __ns_lock) : false)
> >  
> >  #define ns_ref_active_read(__ns) \
> >  	((__ns) ? __ns_ref_active_read(to_ns_common(__ns)) : 0)
> > diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
> > index 94c2cfe0afa1..2c94452dc793 100644
> > --- a/kernel/nsproxy.c
> > +++ b/kernel/nsproxy.c
> > @@ -60,6 +60,27 @@ static inline struct nsproxy *create_nsproxy(void)
> >  	return nsproxy;
> >  }
> >  
> > +static inline void nsproxy_free(struct nsproxy *ns)
> > +{
> > +	put_mnt_ns(ns->mnt_ns);
> > +	put_uts_ns(ns->uts_ns);
> > +	put_ipc_ns(ns->ipc_ns);
> > +	put_pid_ns(ns->pid_ns_for_children);
> > +	put_time_ns(ns->time_ns);
> > +	put_time_ns(ns->time_ns_for_children);
> > +	put_cgroup_ns(ns->cgroup_ns);
> > +	put_net(ns->net_ns);
> > +	kmem_cache_free(nsproxy_cachep, ns);
> > +}
> > +
> > +DEFINE_FREE(nsproxy_free, struct nsproxy *, if (_T) nsproxy_free(_T))
> > +
> > +void free_nsproxy(struct nsproxy *ns)
> > +{
> > +	nsproxy_ns_active_put(ns);
> > +	nsproxy_free(ns);
> > +}
> > +
> >  /*
> >   * Create new nsproxy and all of its the associated namespaces.
> >   * Return the newly created nsproxy.  Do not attach this to the task,
> > @@ -69,76 +90,45 @@ static struct nsproxy *create_new_namespaces(u64 flags,
> >  	struct task_struct *tsk, struct user_namespace *user_ns,
> >  	struct fs_struct *new_fs)
> >  {
> > -	struct nsproxy *new_nsp;
> > -	int err;
> > +	struct nsproxy *new_nsp __free(nsproxy_free) = NULL;
> >  
> >  	new_nsp = create_nsproxy();
> >  	if (!new_nsp)
> >  		return ERR_PTR(-ENOMEM);
> >  
> >  	new_nsp->mnt_ns = copy_mnt_ns(flags, tsk->nsproxy->mnt_ns, user_ns, new_fs);
> > -	if (IS_ERR(new_nsp->mnt_ns)) {
> > -		err = PTR_ERR(new_nsp->mnt_ns);
> > -		goto out_ns;
> > -	}
> > +	if (IS_ERR(new_nsp->mnt_ns))
> > +		return ERR_CAST(new_nsp->mnt_ns);
> >  
> >  	new_nsp->uts_ns = copy_utsname(flags, user_ns, tsk->nsproxy->uts_ns);
> > -	if (IS_ERR(new_nsp->uts_ns)) {
> > -		err = PTR_ERR(new_nsp->uts_ns);
> > -		goto out_uts;
> > -	}
> > +	if (IS_ERR(new_nsp->uts_ns))
> > +		return ERR_CAST(new_nsp->uts_ns);
> >  
> >  	new_nsp->ipc_ns = copy_ipcs(flags, user_ns, tsk->nsproxy->ipc_ns);
> > -	if (IS_ERR(new_nsp->ipc_ns)) {
> > -		err = PTR_ERR(new_nsp->ipc_ns);
> > -		goto out_ipc;
> > -	}
> > +	if (IS_ERR(new_nsp->ipc_ns))
> > +		return ERR_CAST(new_nsp->ipc_ns);
> >  
> > -	new_nsp->pid_ns_for_children =
> > -		copy_pid_ns(flags, user_ns, tsk->nsproxy->pid_ns_for_children);
> > -	if (IS_ERR(new_nsp->pid_ns_for_children)) {
> > -		err = PTR_ERR(new_nsp->pid_ns_for_children);
> > -		goto out_pid;
> > -	}
> > +	new_nsp->pid_ns_for_children = copy_pid_ns(flags, user_ns,
> > +						   tsk->nsproxy->pid_ns_for_children);
> > +	if (IS_ERR(new_nsp->pid_ns_for_children))
> > +		return ERR_CAST(new_nsp->pid_ns_for_children);
> >  
> >  	new_nsp->cgroup_ns = copy_cgroup_ns(flags, user_ns,
> >  					    tsk->nsproxy->cgroup_ns);
> > -	if (IS_ERR(new_nsp->cgroup_ns)) {
> > -		err = PTR_ERR(new_nsp->cgroup_ns);
> > -		goto out_cgroup;
> > -	}
> > +	if (IS_ERR(new_nsp->cgroup_ns))
> > +		return ERR_CAST(new_nsp->cgroup_ns);
> >  
> >  	new_nsp->net_ns = copy_net_ns(flags, user_ns, tsk->nsproxy->net_ns);
> > -	if (IS_ERR(new_nsp->net_ns)) {
> > -		err = PTR_ERR(new_nsp->net_ns);
> > -		goto out_net;
> > -	}
> > +	if (IS_ERR(new_nsp->net_ns))
> > +		return ERR_CAST(new_nsp->net_ns);
> >  
> >  	new_nsp->time_ns_for_children = copy_time_ns(flags, user_ns,
> > -					tsk->nsproxy->time_ns_for_children);
> > -	if (IS_ERR(new_nsp->time_ns_for_children)) {
> > -		err = PTR_ERR(new_nsp->time_ns_for_children);
> > -		goto out_time;
> > -	}
> > +						     tsk->nsproxy->time_ns_for_children);
> > +	if (IS_ERR(new_nsp->time_ns_for_children))
> > +		return ERR_CAST(new_nsp->time_ns_for_children);
> >  	new_nsp->time_ns = get_time_ns(tsk->nsproxy->time_ns);
> >  
> > -	return new_nsp;
> > -
> > -out_time:
> > -	put_net(new_nsp->net_ns);
> > -out_net:
> > -	put_cgroup_ns(new_nsp->cgroup_ns);
> > -out_cgroup:
> > -	put_pid_ns(new_nsp->pid_ns_for_children);
> > -out_pid:
> > -	put_ipc_ns(new_nsp->ipc_ns);
> > -out_ipc:
> > -	put_uts_ns(new_nsp->uts_ns);
> > -out_uts:
> > -	put_mnt_ns(new_nsp->mnt_ns);
> > -out_ns:
> > -	kmem_cache_free(nsproxy_cachep, new_nsp);
> > -	return ERR_PTR(err);
> > +	return no_free_ptr(new_nsp);
> >  }
> >  
> >  /*
> > @@ -185,21 +175,6 @@ int copy_namespaces(u64 flags, struct task_struct *tsk)
> >  	return 0;
> >  }
> >  
> > -void free_nsproxy(struct nsproxy *ns)
> > -{
> > -	nsproxy_ns_active_put(ns);
> > -
> > -	put_mnt_ns(ns->mnt_ns);
> > -	put_uts_ns(ns->uts_ns);
> > -	put_ipc_ns(ns->ipc_ns);
> > -	put_pid_ns(ns->pid_ns_for_children);
> > -	put_time_ns(ns->time_ns);
> > -	put_time_ns(ns->time_ns_for_children);
> > -	put_cgroup_ns(ns->cgroup_ns);
> > -	put_net(ns->net_ns);
> > -	kmem_cache_free(nsproxy_cachep, ns);
> > -}
> > -
> >  /*
> >   * Called from unshare. Unshare all the namespaces part of nsproxy.
> >   * On success, returns the new nsproxy.
> > @@ -338,7 +313,7 @@ static void put_nsset(struct nsset *nsset)
> >  	if (nsset->fs && (flags & CLONE_NEWNS) && (flags & ~CLONE_NEWNS))
> >  		free_fs_struct(nsset->fs);
> >  	if (nsset->nsproxy)
> > -		free_nsproxy(nsset->nsproxy);
> > +		nsproxy_free(nsset->nsproxy);
> >  }
> >  
> >  static int prepare_nsset(unsigned flags, struct nsset *nsset)
> > -- 
> > 2.47.3
> > 
> -- 
> Jan Kara <jack@suse.com>
> SUSE Labs, CR