Re: [PATCH v3 11/70] ns: add active reference count
From: Christian Brauner <brauner@kernel.org>
Date: 2025-10-28 15:32:48
Also in:
bpf, cgroups, linux-fsdevel, lkml
On Tue, Oct 28, 2025 at 10:30:06AM +0000, Simon Horman wrote:
On Fri, Oct 24, 2025 at 12:52:40PM +0200, Christian Brauner wrote: ...
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c...quoted
+void get_cred_namespaces(struct task_struct *tsk) +{ + ns_ref_active_get(tsk->real_cred->user_ns);Hi Christian, real_cred is protected by RCU, but this code doesn't seem to take that into account. Or, at least Sparse doesn't think so: .../nsproxy.c:264:9: error: no generic selection for 'struct user_namespace *const [noderef] __rcu user_ns' .../nsproxy.c:264:9: warning: dereference of noderef expressionquoted
+} + +void exit_cred_namespaces(struct task_struct *tsk) +{ + ns_ref_active_put(tsk->real_cred->user_ns);Likewise here.
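Review bot: Both get_cred_namespaces() and exit_cred_namespaces() read tsk->real_cred->user_ns with a plain dereference, while the Sparse output quoted with the hunk shows the pointer carries the __rcu/noderef annotation, so the stability assumption these helpers depend on is not expressed anywhere in the code. If the creds cannot change at these call sites, consider reading the pointer through an annotated accessor such as rcu_dereference_protected() and adding a short comment above each helper that names the expected callers and states why the creds are stable there. That records the invariant for later readers and clears the Sparse warning.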
get_cred_namespaces() is called during copy_creds() which is called during process creation aka from copy_process(). So copy_creds() always takes the creds of current (the parent process in this case) which can't change in any way.

Simplifying a bit: Either we created a thread via CLONE_THREAD in which case we can't specify CLONE_NEWUSER (little known fact, I guess) and so we just bump the reference count on the existing user namespace from the parent's creds, or we're creating a new set of credentials that no one has ever seen before, possibly even a new user namespace if CLONE_NEWUSER has been specified. In both cases the credentials are completely stable.

The call to exit_cred_namespaces() has similar reasoning when called from the cleanup/failure path of copy_process(). The other callsite is release_task() which is called - simplifying - after the task has been reaped. That thing is deader than dead and nothing can mess with its creds anymore.

In other words, the get/put patterns for namespace management generally happen at edges where the relevant structures are stable and can't be changed by anyone other than the calling thread. And at no point are we putting references on creds themselves.

Let me know if I missed something obvious.