Re: PID namespace init releases its file locks before its children die

Next message: Jocelyn Falempe: "Re: [PATCH] drm/draw: fix color truncation in drm_draw_fill24"
Previous message: Jonathan Cameron: "Re: [RFC PATCH v2 8/8] mm: sched: Move hot page promotion from NUMAB=2 to kpromoted"
In reply to: Demi Marie Obenour: "PID namespace init releases its file locks before its children die"
Next in thread: Demi Marie Obenour: "Re: PID namespace init releases its file locks before its children die"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Oleg Nesterov

Date: Fri Oct 03 2025 - 08:40:07 EST

Add CCs.

I can't really help, just my 2 cents...

I don't think we can change do_exit() to call exit_files() after
exit_notify().

At first glance, technically it is possible to change do_exit() so
that the exiting reaper does zap_pid_ns_processes() earlier... But
even if this is possible, I think that this complication needs more
justification.

Oleg.

On 10/02, Demi Marie Obenour wrote:
>
> I noticed that PID 1 in a PID namespace can release file locks (due
> to exiting) while its children are still running for a bit. If the
> locks held by PID 1 were relied to serialize the execution of its
> child processes, this could result in data corruption.
>
> Specifically, the child processes are killed via exit_notify() ->
> forget_original_parent() -> find_child_reaper() ->
> zap_pid_ns_processes(). That comes *after* exit_files(), which
> releases the file locks.
>
> While it is possible to implement this with cgroups, cgroups
> are quite a bit more complicated to use, at least compared to
> a single call to unshare() before fork().
>
> Is this intentional? Changing the behavior would make supervision
> trees significantly easier to properly implement.
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)