[Devel] [PATCH RHEL10 COMMIT] ve/mntns: add ve_owner to struct mnt_namespace
Konstantin Khorenko
khorenko at virtuozzo.com
Thu May 14 18:50:25 MSK 2026
The commit is pushed to "branch-rh10-6.12.0-55.52.1.5.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-55.52.1.5.24.vz10
------>
commit f07a52b3f1959048b965ad793d6d14937acff4ea
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Wed Apr 29 15:41:35 2026 +0200
ve/mntns: add ve_owner to struct mnt_namespace
Introduce a ve_owner field on struct mnt_namespace pointing at the ve
that owns the namespace.
This will be used to derive correct ownership of newly created mounts in
case of simultaneous creation of new ve namespace and mount namespace,
where we would like new mounts to have the new ve as an owner.
There is no change in behaviour yet: alloc_mnt_ns() still resolves the
owner from current ve via get_exec_env().
To ensure the pointer is valid, alloc_mnt_ns takes and free_mnt_ns()
drops the reference.
https://virtuozzo.atlassian.net/browse/VSTOR-129744
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Vasileios Almpanis <vasileios.almpanis at virtuozzo.com>
Feature: ve: ve generic structures
======
Patchset description:
ve: fix owner_ve of net/mnt namespaces created together with CLONE_NEWVE
When CLONE_NEWVE is combined with CLONE_NEWNET and/or CLONE_NEWNS in a
single clone3() or unshare(), copy_net_ns() and copy_mnt_ns() resolve
the owning ve via get_exec_env(), which still points at the parent ve
at that point. The freshly created net/mnt namespaces end up wired to
the wrong ve, and unshare(CLONE_NEWVE | CLONE_NEW{NS,NET}) is rejected
outright by check_unshare_flags().
Fix it by threading the new ve from copy_namespaces() and
unshare_nsproxy_namespaces() down into copy_net_ns() and copy_mnt_ns(),
so the correct ve is charged for the new netns and for every mount in
the new mntns.
Patches 1-4 are pure plumbing (signature changes, no behaviour change).
Patch 5 is the actual fix that forwards the new ve. Patch 6 drops the
now-redundant CLONE_NEWVE-alone restriction in check_unshare_flags().
Patch 7 exposes ve.mnt_nr via cgroupfs to make per-ve mount accounting
observable from userspace. Patch 8 adds a selftest covering both the
clone3() and unshare() paths.
Verified with crash on a vzctl-started container: task_ve,
nsproxy->net_ns->owner_ve, nsproxy->mnt_ns->ve_owner and
nsproxy->mnt_ns->root.ve_owner all resolve to the new ve.
The new selftest passes both cases.
---
fs/mount.h | 4 ++++
fs/namespace.c | 8 ++++++++
2 files changed, 12 insertions(+)
diff --git a/fs/mount.h b/fs/mount.h
index 8e8fa47f54fd4..aea2dc4c082be 100644
--- a/fs/mount.h
+++ b/fs/mount.h
@@ -4,6 +4,7 @@
#include <linux/poll.h>
#include <linux/ns_common.h>
#include <linux/fs_pin.h>
+#include <linux/ve.h>
struct mnt_namespace {
struct ns_common ns;
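Review bot: the unconditional #include <linux/ve.h> at the top of fs/mount.h is heavier than this header needs, since the only use added here is a struct ve_struct pointer under CONFIG_VE. A forward declaration (struct ve_struct;) in fs/mount.h would be enough, with the full include kept in fs/namespace.c where get_ve() and put_ve() are called.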
@@ -19,6 +20,9 @@ struct mnt_namespace {
struct rb_node mnt_ns_tree_node; /* node in the mnt_ns_tree */
refcount_t passive; /* number references not pinning @mounts */
struct list_head mntns_list;
+#ifdef CONFIG_VE
+ struct ve_struct *ve_owner;
+#endif
} __randomize_layout;
struct mnt_pcp {
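Review bot: the new ve_owner member has no comment, unlike mnt_ns_tree_node and passive just above it. Please document that it is a counted reference, taken in alloc_mnt_ns() and dropped in free_mnt_ns(), and what protects readers of the field, so that later patches in the series that start deriving mount ownership from it have a stated lifetime rule to rely on.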
diff --git a/fs/namespace.c b/fs/namespace.c
index d18aaba941312..dd10ed5007ea2 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -4143,6 +4143,11 @@ static void free_mnt_ns(struct mnt_namespace *ns)
list_del(&ns->mntns_list);
spin_unlock(&all_mntns_list_lock);
+#ifdef CONFIG_VE
+ if (ns->ve_owner)
+ put_ve(ns->ve_owner);
+#endif
+
mnt_ns_tree_remove(ns);
}
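Review bot: in free_mnt_ns() the put_ve() runs before mnt_ns_tree_remove(ns), so the namespace is still in the mnt_ns_tree while ns->ve_owner no longer holds a reference. Consider moving the put after mnt_ns_tree_remove(ns), or clearing ns->ve_owner after the put, unless nothing that reaches the namespace through the tree or a passive reference ever reads the field, in which case a short comment saying so would help. The if (ns->ve_owner) check also needs a word of explanation, because the alloc_mnt_ns() hunk assigns the field unconditionally under CONFIG_VE.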
@@ -4194,6 +4199,9 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns, bool a
init_waitqueue_head(&new_ns->poll);
new_ns->user_ns = get_user_ns(user_ns);
new_ns->ucounts = ucounts;
+#ifdef CONFIG_VE
+ new_ns->ve_owner = get_ve(get_exec_env());
+#endif
return new_ns;
}
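Review bot: the reference taken by get_ve(get_exec_env()) at the end of alloc_mnt_ns() is held until free_mnt_ns(), so every mount namespace now pins its ve for the namespace's whole lifetime. Please state in the commit message whether a mount namespace that outlives the tasks of its ve is expected to delay ve teardown, and confirm that no caller of alloc_mnt_ns() runs in a context where get_exec_env() is not the ve the namespace should be charged to, since this line becomes the single source of ownership for the later patches.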