On Fri, Oct 24, 2025 at 12:52:46PM +0200, Christian Brauner wrote:

...

...

+static ssize_t do_listns(struct klistns *kls)
+{
+	u64 *ns_ids = kls->kns_ids;
+	size_t nr_ns_ids = kls->nr_ns_ids;
+	struct ns_common *ns, *first_ns = NULL;
+	struct ns_tree *ns_tree = NULL;
+	const struct list_head *head;
+	struct user_namespace *user_ns;
+	u32 ns_type;
+	ssize_t ret;
+
+	if (hweight32(kls->ns_type) == 1)
+		ns_type = kls->ns_type;
+	else
+		ns_type = 0;
+
+	if (ns_type) {
+		ns_tree = ns_tree_from_type(ns_type);
+		if (!ns_tree)
+			return -EINVAL;
+	}
+
+	if (kls->last_ns_id) {
+		kls->first_ns = lookup_ns_id_at(kls->last_ns_id + 1, ns_type);
+		if (!kls->first_ns)
+			return -ENOENT;
+		first_ns = kls->first_ns;
+	}
+
+	ret = 0;
+	if (ns_tree)
+		head = &ns_tree->ns_list;
+	else
+		head = &ns_unified_list;
+
+	guard(rcu)();
+	if (!first_ns)
+		first_ns = first_ns_common(head, ns_tree);
+
+	for (ns = first_ns; !ns_common_is_head(ns, head, ns_tree) && nr_ns_ids;
+	     ns = next_ns_common(ns, ns_tree)) {
+		if (kls->ns_type && !(kls->ns_type & ns->ns_type))
+			continue;
+		if (!ns_get_unless_inactive(ns))
+			continue;
+		/* Check permissions */
+		if (!ns->ops)
+			user_ns = NULL;

Hi Christian,

Here it is assumed that ns->ops may be NULL.

+		else
+			user_ns = ns->ops->owner(ns);
+		if (!user_ns)
+			user_ns = &init_user_ns;
+		if (ns_capable_noaudit(user_ns, CAP_SYS_ADMIN) ||
+		    is_current_namespace(ns) ||
+		    ((ns->ns_type == CLONE_NEWUSER) && ns_capable_noaudit(to_user_ns(ns), CAP_SYS_ADMIN))) {
+			*ns_ids++ = ns->ns_id;
+			nr_ns_ids--;
+			ret++;
+		}
+		if (need_resched())
+			cond_resched_rcu();
+		/* doesn't sleep */
+		ns->ops->put(ns);

And, if so, it isn't clear to me why that wouldn't also be the case here.

Flagged by Smatch.

+	}
+
+	return ret;
+}

...