Re: [PATCH net v3 2/3] vsock: lock down child_ns_mode as write-once

Next message: Linus Torvalds: "Re: [BISECTED]: Black screen on 7.0-rc1"
Previous message: Andrew Lunn: "Re: [PATCH 23/62] net: phy: mxl-86110: Fix locking in an error path"
In reply to: Bobby Eshleman: "[PATCH net v3 2/3] vsock: lock down child_ns_mode as write-once"
Next in thread: Bobby Eshleman: "[PATCH net v3 1/3] selftests/vsock: change tests to respect write-once child ns mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bobby Eshleman

Date: Mon Feb 23 2026 - 19:24:54 EST

On Mon, Feb 23, 2026 at 02:38:33PM -0800, Bobby Eshleman wrote:
> From: Bobby Eshleman <bobbyeshleman@xxxxxxxx>
>
> Two administrator processes may race when setting child_ns_mode as one
> process sets child_ns_mode to "local" and then creates a namespace, but
> another process changes child_ns_mode to "global" between the write and
> the namespace creation. The first process ends up with a namespace in
> "global" mode instead of "local". While this can be detected after the
> fact by reading ns_mode and retrying, it is fragile and error-prone.
>
> Make child_ns_mode write-once so that a namespace manager can set it
> once and be sure it won't change. Writing a different value after the
> first write returns -EBUSY. This applies to all namespaces, including
> init_net, where an init process can write "local" to lock all future
> namespaces into local mode.
>
> Fixes: eafb64f40ca4 ("vsock: add netns to vsock core")
> Suggested-by: Daan De Meyer <daan.j.demeyer@xxxxxxxxx>
> Suggested-by: Stefano Garzarella <sgarzare@xxxxxxxxxx>
> Co-developed-by: Stefano Garzarella <sgarzare@xxxxxxxxxx>
> Signed-off-by: Stefano Garzarella <sgarzare@xxxxxxxxxx>

Stefano, I wasn't sure if you wanted the Co-developed-by and S-o-b on
this iteration, but I added it just in case. Please let me know, if that
wasn't what you intended.

Best,
Bobby