[Devel] [PATCH VZ10 0/8] ve: fix owner_ve of net/mnt namespaces created together with CLONE_NEWVE

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Wed Apr 29 16:41:34 MSK 2026 

When CLONE_NEWVE is combined with CLONE_NEWNET and/or CLONE_NEWNS in a
single clone3() or unshare(), copy_net_ns() and copy_mnt_ns() resolve
the owning ve via get_exec_env(), which still points at the parent ve
at that point. The freshly created net/mnt namespaces end up wired to
the wrong ve, and unshare(CLONE_NEWVE | CLONE_NEW{NS,NET}) is rejected
outright by check_unshare_flags().

Fix it by threading the new ve from copy_namespaces() and
unshare_nsproxy_namespaces() down into copy_net_ns() and copy_mnt_ns(),
so the correct ve is charged for the new netns and for every mount in
the new mntns.

Patches 1-4 are pure plumbing (signature changes, no behaviour change).
Patch 5 is the actual fix that forwards the new ve. Patch 6 drops the
now-redundant CLONE_NEWVE-alone restriction in check_unshare_flags().
Patch 7 exposes ve.mnt_nr via cgroupfs to make per-ve mount accounting
observable from userspace. Patch 8 adds a selftest covering both the
clone3() and unshare() paths.

Verified with crash on a vzctl-started container: task_ve,
nsproxy->net_ns->owner_ve, nsproxy->mnt_ns->ve_owner and
nsproxy->mnt_ns->root.ve_owner all resolve to the new ve. The new
selftest passes both cases.

https://virtuozzo.atlassian.net/browse/VSTOR-129744
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

Pavel Tikhomirov (8):
  ve/mntns: add ve_owner to struct mnt_namespace
  ve/mount: thread owning ve through alloc_vfsmnt/clone_mnt/copy_tree
  ve/mntns: thread owning ve through alloc_mnt_ns/copy_mnt_ns
  ve/net: thread owning ve through copy_net_ns
  ve/nsproxy: forward new ve from copy_namespaces and ksys_unshare
  ve/unshare: allow CLONE_NEWVE with other namespace flags
  ve/cgroup: expose ve.mnt_nr cgroup file
  selftests/ve: regression test for CLONE_NEWVE owner correctness

 fs/mount.h                                    |   6 +
 fs/namespace.c                                |  70 +--
 fs/pnode.c                                    |   2 +-
 fs/pnode.h                                    |   5 +-
 include/linux/mnt_namespace.h                 |   4 +-
 include/linux/nsproxy.h                       |   3 +-
 include/net/net_namespace.h                   |   7 +-
 kernel/fork.c                                 |  16 +-
 kernel/nsproxy.c                              |  47 +-
 kernel/ve/ve.c                                |   9 +
 net/core/net_namespace.c                      |  33 +-
 tools/testing/selftests/Makefile              |   1 +
 tools/testing/selftests/ve/.gitignore         |   1 +
 tools/testing/selftests/ve/Makefile           |   7 +
 tools/testing/selftests/ve/ve_ns_owner_test.c | 425 ++++++++++++++++++
 15 files changed, 571 insertions(+), 65 deletions(-)
 create mode 100644 tools/testing/selftests/ve/.gitignore
 create mode 100644 tools/testing/selftests/ve/Makefile
 create mode 100644 tools/testing/selftests/ve/ve_ns_owner_test.c

-- 
2.53.0

More information about the Devel mailing list