Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.22 2026-03-25T10:10:33+00:00 2026-03-25T10:10:33+00:00 Christian Brauner brauner@kernel.org 2026-03-17T20:02:24+00:00 urn:sha1:2f3dea284c761c890d676f77d5e55c0c496b4ef4 [ Upstream commit e6b899f08066e744f89df16ceb782e06868bd148 ] Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-1-d2c2853313bd@kernel.org Fixes: a1d220d9dafa ("nsfs: iterate through mount namespaces") Reviewed-by: Jeff Layton <jlayton@kernel.org> Cc: stable@kernel.org # v6.12+ Signed-off-by: Christian Brauner <brauner@kernel.org> [ context ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-10-07T10:48:33+00:00 Deepanshu Kartikey kartikey406@gmail.com 2025-09-29T09:02:05+00:00 urn:sha1:15623c860c93aac71d22e7bedb7661ff2d3418de Replace VFS_WARN_ON_ONCE() with graceful error handling when file handles contain inode numbers that don't match the actual namespace inode. This prevents userspace from triggering kernel warnings by providing malformed file handles to open_by_handle_at(). The issue occurs when userspace provides a file handle with valid namespace type and ID that successfully locates a namespace, but specifies an incorrect inode number. Previously, this would trigger VFS_WARN_ON_ONCE() when comparing the real inode number against the provided value. Since file handle data is user-controllable, inode number mismatches should be treated as invalid input rather than kernel consistency errors. Handle this case by returning NULL to indicate the file handle is invalid, rather than warning about what is essentially user input validation. Reported-by: syzbot+9eefe09bedd093f156c2@syzkaller.appspotmail.com Suggested-by: Jan Kara <jack@suse.cz> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-10-03T23:32:36+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-10-03T23:32:36+00:00 urn:sha1:50647a1176b7abd1b4ae55b491eb2fbbeef89db9 Pull file->f_path constification from Al Viro: "Only one thing was modifying ->f_path of an opened file - acct(2). Massaging that away and constifying a bunch of struct path * arguments in functions that might be given &file->f_path ends up with the situation where we can turn ->f_path into an anon union of const struct path f_path and struct path __f_path, the latter modified only in a few places in fs/{file_table,open,namei}.c, all for struct file instances that are yet to be opened" * tag 'pull-f_path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (23 commits) Have cc(1) catch attempts to modify ->f_path kernel/acct.c: saner struct file treatment configfs:get_target() - release path as soon as we grab configfs_item reference apparmor/af_unix: constify struct path * arguments ovl_is_real_file: constify realpath argument ovl_sync_file(): constify path argument ovl_lower_dir(): constify path argument ovl_get_verity_digest(): constify path argument ovl_validate_verity(): constify {meta,data}path arguments ovl_ensure_verity_loaded(): constify datapath argument ksmbd_vfs_set_init_posix_acl(): constify path argument ksmbd_vfs_inherit_posix_acl(): constify path argument ksmbd_vfs_kern_path_unlock(): constify path argument ksmbd_vfs_path_lookup_locked(): root_share_path can be const struct path * check_export(): constify path argument export_operations->open(): constify path argument rqst_exp_get_by_name(): constify path argument nfs: constify path argument of __vfs_getattr() bpf...d_path(): constify path argument done_path_create(): constify path argument ... 2025-09-25T07:23:54+00:00 Christian Brauner brauner@kernel.org 2025-09-24T11:33:59+00:00 urn:sha1:4055526d35746ce8b04bfa5e14e14f28bb163186 It's misplaced in struct proc_ns_operations and ns->ops might be NULL if the namespace is compiled out but we still want to know the type of the namespace for the initial namespace struct. Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-09-19T14:22:38+00:00 Christian Brauner brauner@kernel.org 2025-09-18T10:11:58+00:00 urn:sha1:b3d8ff0679507a21c1917f6ae0b56ed9b9c625f6 Stop accessing ns.count directly. Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-09-19T12:26:16+00:00 Christian Brauner brauner@kernel.org 2025-09-12T11:52:53+00:00 urn:sha1:f861225b9ee9cb2da1c7b2f5f921856cb8ca86bb The mount namespace has supported id retrieval for a while already. Add support for the other types as well. Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-09-19T12:26:16+00:00 Christian Brauner brauner@kernel.org 2025-09-12T11:52:52+00:00 urn:sha1:e83f0b5d10dcf62833008327cb661c7d118bca85 Pidfd file handles are exhaustive meaning they don't require a handle on another pidfd to pass to open_by_handle_at() so it can derive the filesystem to decode in. Instead it can be derived from the file handle itself. The same is possible for namespace file handles. Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-09-19T12:26:16+00:00 Christian Brauner brauner@kernel.org 2025-09-12T11:52:51+00:00 urn:sha1:5222470b2fbb3740f931f189db33dd1367b1ae75 A while ago we added support for file handles to pidfs so pidfds can be encoded and decoded as file handles. Userspace has adopted this quickly and it's proven very useful. Implement file handles for namespaces as well. A process is not always able to open /proc/self/ns/. That requires procfs to be mounted and for /proc/self/ or /proc/self/ns/ to not be overmounted. However, userspace can always derive a namespace fd from a pidfd. And that always works for a task's own namespace. There's no need to introduce unnecessary behavioral differences between /proc/self/ns/ fds, pidfd-derived namespace fds, and file-handle-derived namespace fds. So namespace file handles are always decodable if the caller is located in the namespace the file handle refers to. This also allows a task to e.g., store a set of file handles to its namespaces in a file on-disk so it can verify when it gets rexeced that they're still valid and so on. This is akin to the pidfd use-case. Or just plainly for namespace comparison reasons where a file handle to the task's own namespace can be easily compared against others. Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-09-19T12:26:15+00:00 Christian Brauner brauner@kernel.org 2025-09-12T11:52:41+00:00 urn:sha1:7d7d164989586c0ad61934975c40ca795dc134c7 Move the mount namespace to the generic ns lookup infrastructure. This allows us to drop a bunch of members from struct mnt_namespace. Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-09-15T11:45:27+00:00 Christian Brauner brauner@kernel.org 2025-09-12T11:52:26+00:00 urn:sha1:f8527a29f4619f74bc30a9845ea87abb9a6faa1e Validate extensible ioctls stricter than we do now. Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org>