Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756808Ab1EKVm4 (ORCPT ); Wed, 11 May 2011 17:42:56 -0400 Received: from a-pb-sasl-sd.pobox.com ([64.74.157.62]:40902 "EHLO sasl.smtp.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756239Ab1EKVmy (ORCPT ); Wed, 11 May 2011 17:42:54 -0400 DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=subject:from:to :cc:date:in-reply-to:references:content-type :content-transfer-encoding:message-id:mime-version; q=dns; s= sasl; b=PjgYuLaZHUFFpxvIYVClZ14HXdjmRTiISoCtgRlhFCdF9j3xJRsntedJ r5wGeOqEkCY+Y4uHDT6nVB4eTLsqWhA2kqjeQf7yXsi5Owq7ti3ZlZ/BsJvbw6il MiPBL8eYbZliedXiUjNAxo2kVwISZdLtgMu6QwC1yd6vJ31r5HA= Subject: Re: [PATCH 3/7] ns proc: Add support for the network namespace. From: Nathan Lynch To: "Eric W. Biederman" Cc: linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, jamal , Daniel Lezcano , Linux Containers , Renato Westphal Date: Wed, 11 May 2011 16:42:33 -0500 In-Reply-To: References: <1304735101-1824-1-git-send-email-ebiederm@xmission.com> <1304735101-1824-3-git-send-email-ebiederm@xmission.com> <1305141705.1236.49.camel@orca.stoopid.dyndns.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.0.1 (3.0.1-1.fc15) Content-Transfer-Encoding: 7bit Message-ID: <1305150164.1236.51.camel@orca.stoopid.dyndns.org> Mime-Version: 1.0 X-Pobox-Relay-ID: E5A3E4EE-7C17-11E0-9391-BBB7F5B2FB1A-04752483!a-pb-sasl-sd.pobox.com Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3209 Lines: 98 On Wed, 2011-05-11 at 14:34 -0700, Eric W. Biederman wrote: > Nathan Lynch writes: > > > On Fri, 2011-05-06 at 19:24 -0700, Eric W. Biederman wrote: > >> diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c > >> index 3f86026..bf7707e 100644 > >> --- a/net/core/net_namespace.c > >> +++ b/net/core/net_namespace.c > >> @@ -573,3 +573,34 @@ void unregister_pernet_device(struct pernet_operations *ops) > >> mutex_unlock(&net_mutex); > >> } > >> EXPORT_SYMBOL_GPL(unregister_pernet_device); > >> + > >> +#ifdef CONFIG_NET_NS > >> +static void *netns_get(struct task_struct *task) > >> +{ > >> + struct net *net; > >> + rcu_read_lock(); > >> + net = get_net(task->nsproxy->net_ns); > > > > This should use task_nsproxy() and check the result before grabbing the > > net_ns, but I think you fix that in a later patch. > > > > Regardless, it looks as if all the proc_ns_ops->get() implementations > > really just want the nsproxy, so maybe the get() methods should take > > that instead of the task_struct, and proc_ns_instantiate() should do > > something like: > > > > struct nsproxy *nsproxy; > > ... > > > > ei->ns_ops = ns_ops; > > error = -ESRCH; > > rcu_read_lock(); > > nsproxy = task_nsproxy(task); > > rcu_read_unlock(); > > if (!nsproxy) > > got out; > > ei->ns = ns_ops->get(nsproxy); > > > > > > So then the zombie check is consolidated in one place instead of having > > to do it in every get() method. > > For the pid namespace at least I want the task not the nsproxy, > so I can use task_active_pid_namespace(). > > I admit that is a little asymmetrical with the install, but at > least until the details of getting the pid namespace working in > this context are worked out I don't want to reconsider the > current design. > > There is also the user namespace that does not even exist in > nsproxy to consider. I will worry about that namespace when > it happens. > > Ultimately nsproxy is an space/time optimization that not all > namespaces use so forcing it in the design is probably not > what we want. Okay. > >> + rcu_read_unlock(); > >> + return net; > >> +} > >> + > >> +static void netns_put(void *ns) > >> +{ > >> + put_net(ns); > >> +} > >> + > >> +static int netns_install(struct nsproxy *nsproxy, void *ns) > >> +{ > >> + put_net(nsproxy->net_ns); > >> + nsproxy->net_ns = get_net(ns); > >> + return 0; > >> +} > > > > This introduces a window where, potentially, nsproxy->net_ns is stale > > before it is updated with the namespace which is being attached, no? > > (Same concern applies to other install methods in the patch set). It > > seems possible to oops the kernel in this window by looking up > > /proc/$PID/ns/net while $PID is in the midst of setns(). > > Except the nsproxy being referred to is a brand new nsproxy, with an > extra reference count on every namespace. current->nsproxy still > contains the reference counts of the current process. Ahh, yeah. Got it. Thanks. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/