[Devel] [PATCH RH7 11/32] ms: common object embedded into various struct ....ns

From: Al Viro for now - just move corresponding ->proc_inum instances over there Acked-by: "Eric W. Biederman" Signed-off-by: Al Viro (cherry picked from VZ8 commit 435d5f4bb2ccba3b791d9ef61d2590e30b8e806e) https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/mount

[Devel] [PATCH RH7 15/32] make proc_ns_operations work with struct ns_common * instead of void *

From: Al Viro We can do that now. And kill ->inum(), while we are at it - all instances are identical. Signed-off-by: Al Viro (cherry picked from VZ8 commit 64964528b24ea390824f0e5ce9d34b8d39b28cde) https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/namespace.c

[Devel] [PATCH RH7 28/32] net: Export open_related_ns()

From: Kirill Tkhai This function will be used to obtain net of tun device. Signed-off-by: Kirill Tkhai Signed-off-by: David S. Miller (cherry picked from commit 24dce0800baaa508b1a8ccf01ae0a9c8e600a5aa) https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/nsfs.c |

[Devel] [PATCH RH7 02/32] Revert "ms/tun: Add ioctl() TUNGETDEVNETNS cmd to allow obtaining real net ns of tun device"

This reverts commit b823f8df2fcbc936ef228d5eeb419d06df4cc4f7. We switch from procfs ns-files to nsfs ones, so we will apply nsfs version of the patch instead. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- drivers/net/tun.c | 10 -- include/uapi/lin

[Devel] [PATCH RH7 24/32] net: add an ioctl to get a socket network namespace

From: Andrey Vagin Each socket operates in a network namespace where it has been created, so if we want to dump and restore a socket, we have to know its network namespace. We have a socket_diag to get information about sockets, it doesn't report sockets which are not bound or connected. This p

[Devel] [PATCH RH7 06/32] Revert "nsfs: add ioctl to get an owning user namespace for ns file descriptor"

This reverts commit a8e0dd94d5cd9e0efefdd928a55d669eff176723. We switch from procfs ns-files to nsfs ones, so we will apply nsfs version of the patch instead. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/proc/namespaces.c | 81 ---

[Devel] [PATCH RH7 32/32] nsfs: mark dentry with DCACHE_RCUACCESS

From: Cong Wang Andrey reported a use-after-free in __ns_get_path(): spin_lock include/linux/spinlock.h:299 [inline] lockref_get_not_dead+0x19/0x80 lib/lockref.c:179 __ns_get_path+0x197/0x860 fs/nsfs.c:66 open_related_ns+0xda/0x200 fs/nsfs.c:143 sock_ioctl+0x39d/0x440 net/socket.c:1001

[Devel] [PATCH RH7 26/32] pidns: expose task pid_ns_for_children to userspace

From: Kirill Tkhai pid_ns_for_children set by a task is known only to the task itself, and it's impossible to identify it from outside. It's a big problem for checkpoint/restore software like CRIU, because it can't correctly handle tasks, that do setns(CLONE_NEWPID) in proccess of their work. T

[Devel] [PATCH RH7 04/32] Revert "ms/tun: Add ioctl() SIOCGSKNS cmd to allow obtaining net ns of tun device"

This reverts commit 7cb9e7ae7041f348f2be384ea17352e117f3d00d. We switch from procfs ns-files to nsfs ones, so we will apply nsfs version of the patch instead. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- drivers/net/tun.c | 11 +-- 1 file changed, 1 inserti

devel@openvz.org

From: Al Viro Signed-off-by: Al Viro (cherry picked from VZ8 commit 3c0411846118a578de3a979faf2da3ab5fb81179) https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- ipc/namespace.c | 15 +-- kernel/pid_namespace.c | 14 +- kernel/user_name

[Devel] [PATCH RH7 25/32] ns: allow ns_entries to have custom symlink content

From: Kirill Tkhai Patch series "Expose task pid_ns_for_children to userspace". pid_ns_for_children set by a task is known only to the task itself, and it's impossible to identify it from outside. It's a big problem for checkpoint/restore software like CRIU, because it can't correctly handle ta

devel@openvz.org

From: Al Viro Acked-by: "Eric W. Biederman" Signed-off-by: Al Viro (cherry picked from VZ8 commit 58be28256d98a6b996b20f49130ea11afb8de75a) https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/namespace.c | 21 + 1 file changed, 13 insertions(+),

[Devel] [PATCH RH7 10/32] userns: move EXPORT_SYMBOL closer to current_in_userns

Looks like it was accidentally moved far away from where it has to be. Moving it back helps to apply next patches cleaner. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- kernel/user_namespace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel

[Devel] [PATCH RH7 19/32] dcache.c: call ->d_prune() regardless of d_unhashed()

From: Al Viro the only in-tree instance checks d_unhashed() anyway, out-of-tree code can preserve the current behaviour by adding such check if they want it and we get an ability to use it in cases where we *want* to be notified of killing being inevitable before ->d_lock is dropped, whether it's

devel@openvz.org

From: Al Viro Signed-off-by: Al Viro (cherry picked from VZ8 commit ff24870f46d51d79fc74a241fd7c12ccb933c69f) https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- net/core/net_namespace.c | 16 ++-- 1 file changed, 10 insertions(+), 6 deletions(-) diff --gi

[Devel] [PATCH RH7 20/32] take the targets of /proc/*/ns/* symlinks to separate fs

From: Al Viro New pseudo-filesystem: nsfs. Targets of /proc/*/ns/* live there now. It's not mountable (not even registered, so it's not in /proc/filesystems, etc.). Files on it *are* bindable - we explicitly permit that in do_loopback(). This stuff lives in fs/nsfs.c now; proc_ns_fget() moved

[Devel] [PATCH RH7 31/32] tun: Add ioctl() TUNGETDEVNETNS cmd to allow obtaining real net ns of tun device

From: Kirill Tkhai In commit f2780d6d7475 "tun: Add ioctl() SIOCGSKNS cmd to allow obtaining net ns of tun device" it was missed that tun may change its net ns, while net ns of socket remains the same as it was created initially. SIOCGSKNS returns net ns of socket, so it is not suitable for obtai

[Devel] [PATCH RH7 29/32] net: Make extern and export get_net_ns()

From: Kirill Tkhai This function will be used to obtain net of tun device. Signed-off-by: Kirill Tkhai Signed-off-by: David S. Miller (cherry picked from commit d8d211a2a0c37755a8660dc69f97b7c70bf210b1) https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- include/linu

[Devel] [PATCH RH7 27/32] nsfs: Add a show_path method to fix mountinfo

From: "Eric W. Biederman" Today mountinfo displays a very unhelpful "/" for nsfs files. Add a show_path method returning the same string as ns_dname. This results in a bind mount of /proc//ns/net showing up in /proc//mountinfo as "net:[1234...]" instead of "/". Signed-off-by: "Eric W. Biederma

[Devel] [PATCH RH7 16/32] new helpers: ns_alloc_inum/ns_free_inum

From: Al Viro take struct ns_common *, for now simply wrappers around proc_{alloc,free}_inum() (cherry picked from VZ8 commit 6344c433a452b1a05d03a61a6a85d89f793bb7b8) https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Al Viro Signed-off-by: Pavel Tikhomirov --- fs/namespace.c |

[Devel] [PATCH RH7 05/32] Revert "nsfs: add ioctl to get a parent namespace"

This reverts commit ac08c64138ac52eaba5a451801a931181e845359. We switch from procfs ns-files to nsfs ones, so we will apply nsfs version of the patch instead. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/proc/namespaces.c| 6 -- include/linux/proc_ns.h

[Devel] [PATCH RH7 30/32] tun: Add ioctl() SIOCGSKNS cmd to allow obtaining net ns of tun device

From: Kirill Tkhai This patch adds possibility to get tun device's net namespace fd in the same way we allow to do that for sockets. Socket ioctl numbers do not intersect with tun-specific, and there is already SIOCSIFHWADDR used in tun code. So, SIOCGSKNS number is choosen instead of custom-mad

[Devel] [PATCH RH7 17/32] copy address of proc_ns_ops into ns_common

From: Al Viro Signed-off-by: Al Viro (cherry picked from VZ8 commit 33c429405a2c8d9e42afb9fee88a63cfb2de1e98) https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/namespace.c| 1 + fs/proc/inode.c | 6 ++ include/linux/ns_common.h | 3 +++ i

[Devel] [PATCH RH7 09/32] Revert "ms/ns: allow ns_entries to have custom symlink content"

This reverts commit 2b151c3f890947af0f9ad091cfc00e74cfdfcdce. We switch from procfs ns-files to nsfs ones, so we will apply nsfs version of the patch instead. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/proc/namespaces.c| 4 +--- include/linux/proc_ns.h | 1

[Devel] [PATCH RH7 07/32] Revert "kernel: add a helper to get an owning user namespace for a namespace"

This reverts commit 93dca538d184c711212f44ac92791772a56a6617. We switch from procfs ns-files to nsfs ones, so we will apply nsfs version of the patch instead. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/namespace.c | 7 --- include/linux/pr

[Devel] [PATCH RH7 01/32] Revert "proc: add a proc_show_path method to fix mountinfo"

This reverts commit 8782a0069f1b31dc9550e98e351a43eb20b9887a. We switch from procfs ns-files to nsfs ones, so we will apply nsfs version of the patch instead. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/proc/inode.c | 17 - 1 file changed, 17 de

[Devel] [PATCH RH7 03/32] Revert "ms/net: add an ioctl to get a socket network namespace"

This reverts commit 302889fa2e3d0b9a36f118efa56c3378d63e0d94. We switch from procfs ns-files to nsfs ones, so we will apply nsfs version of the patch instead. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/proc/namespaces.c | 2 +- include/linux/proc_ns.h

[Devel] [PATCH RH7 21/32] kernel: add a helper to get an owning user namespace for a namespace

From: Andrey Vagin Return -EPERM if an owning user namespace is outside of a process current user namespace. v2: In a first version ns_get_owner returned ENOENT for init_user_ns. This special cases was removed from this version. There is nothing outside of init_user_ns, so we can return

[Devel] [PATCH RH7 22/32] nsfs: add ioctl to get an owning user namespace for ns file descriptor

From: Andrey Vagin Each namespace has an owning user namespace and now there is not way to discover these relationships. Understending namespaces relationships allows to answer the question: what capability does process X have to perform operations on a resource governed by namespace Y? After a

[Devel] [PATCH RH7 08/32] Revert "ms/pidns: expose task pid_ns_for_children to userspace"

This reverts commit edaecdb8adac2871e9d5afa0dd127d4a92a34162. We switch from procfs ns-files to nsfs ones, so we will apply nsfs version of the patch instead. https://jira.sw.ru/browse/PSBM-102357 Signed-off-by: Pavel Tikhomirov --- fs/proc/namespaces.c| 1 - include/linux/proc_ns.h | 1

[Devel] [PATCH RH7 00/32] port nsfs from vz8

We have problems with /proc/pid/ns/name bind-mounts in CRIU 1) Currently (without nsfs) such a bind mount have same superblock with /proc mount, but in case of nested pid-namespaces container can have multiple different /proc mounts and for ns-bind-mount we need to bind it from the right pidns. So

[Devel] [PATCH RH7 23/32] nsfs: add ioctl to get a parent namespace

From: Andrey Vagin Pid and user namepaces are hierarchical. There is no way to discover parent-child relationships. In a future we will use this interface to dump and restore nested namespaces. Acked-by: Serge Hallyn Signed-off-by: Andrei Vagin Signed-off-by: Eric W. Biederman (cherry picke

[Devel] [PATCH RH7 18/32] bury struct proc_ns in fs/proc

From: Al Viro a) make get_proc_ns() return a pointer to struct ns_common b) mirror ns_ops in dentry->d_fsdata of ns dentries, so that is_mnt_ns_file() could get away with fewer dereferences. That way struct proc_ns becomes invisible outside of fs/proc/*.c Signed-off-by: Al Viro (cherry picked

[Devel] [PATCH RHEL8 COMMIT] ve/binfmt_misc: destroy all nodes on ve stop

The commit is pushed to "branch-rh8-4.18.0-80.1.2.vz8.3.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh8-4.18.0-80.1.2.vz8.3.11 --> commit c11a2463a01f78a90bb42d0e3b20506474af3ac5 Author: Valeriy Vdovin Date: Mon Jun 8 19:07:29 2020 +0300 ve/binfmt_misc:

[Devel] [PATCH RHEL7 COMMIT] kernel/cgroup: Fix cgroups leaking

The commit is pushed to "branch-rh7-3.10.0-1127.8.2.vz7.151.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-1127.8.2.vz7.151.11 --> commit 52b6f16dcbefd7acc150c0f8573b4813c1398c87 Author: Andrey Ryabinin Date: Mon Jun 8 13:49:10 2020 +0300 kernel/

Re: [Devel] [PATCH] kernel/cgroup: Fix cgroups leaking

On 08.06.2020 13:04, Andrey Ryabinin wrote: > There are cgroups with several css'es like, e.g. cpu,cpuacct. > The increment of the cgroup->online_cnt counter happens in the online_css() > which is called per each css on cgroup onlining. This leads to leaking such > cgroups as ->online_cnt can't bec

[Devel] [PATCH] kernel/cgroup: Fix cgroups leaking

There are cgroups with several css'es like, e.g. cpu,cpuacct. The increment of the cgroup->online_cnt counter happens in the online_css() which is called per each css on cgroup onlining. This leads to leaking such cgroups as ->online_cnt can't become zero. Move refcount increments to the upper lev