kernel/linux.git/init/do_mounts.c, branch v7.0-rc7

Merge tag 'vfs-7.0-rc1.nullfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

2026-02-09T21:41:34+00:00

Pull vfs nullfs update from Christian Brauner: "Add a completely catatonic minimal pseudo filesystem called "nullfs" and make pivot_root() work in the initramfs. Currently pivot_root() does not work on the real rootfs because it cannot be unmounted. Userspace has to recursively delete initramfs contents manually before continuing boot, using the fragile switch_root sequence (overmount + chroot). Add nullfs, a minimal immutable filesystem that serves as the true root of the mount hierarchy. The mutable rootfs (tmpfs/ramfs) is mounted on top of it. This allows userspace to simply: chdir(new_root); pivot_root(".", "."); umount2(".", MNT_DETACH); without the traditional switch_root workarounds. systemd already handles this correctly. It tries pivot_root() first and falls back to MS_MOVE only when that fails. This also means rootfs mounts in unprivileged namespaces no longer need MNT_LOCKED, since the immutable nullfs guarantees nothing can be revealed by unmounting the covering mount. nullfs is a single-instance filesystem (get_tree_single()) marked SB_NOUSER | SB_I_NOEXEC | SB_I_NODEV with an immutable empty root directory. This means sooner or later it can be used to overmount other directories to hide their contents without any additional protection needed. We enable it unconditionally. If we see any real regression we'll hide it behind a boot option. nullfs has extensions beyond this in the future. It will serve as a concept to support the creation of completely empty mount namespaces - which is work coming up in the next cycle" * tag 'vfs-7.0-rc1.nullfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: fs: use nullfs unconditionally as the real rootfs docs: mention nullfs fs: add immutable rootfs fs: add init_pivot_root() fs: ensure that internal tmpfs mount gets mount id zero

fs: use nullfs unconditionally as the real rootfs

2026-01-14T10:23:39+00:00

Remove the "nullfs_rootfs" boot parameter and simply always use nullfs. The mutable rootfs will be mounted on top of it. Systems that don't use pivot_root() to pivot away from the real rootfs will have an additional mount stick around but that shouldn't be a problem at all. If it is we'll rever this commit. This also simplifies the boot process and removes the need for the traditional switch_root workarounds. Suggested-by: Jeff Layton Signed-off-by: Christian Brauner

initrd: remove deprecated code path (linuxrc)

2026-01-12T16:22:22+00:00

Remove linuxrc initrd code path, which was deprecated in 2020. Initramfs and (non-initial) RAM disks (i. e. brd) still work. Both built-in and bootloader-supplied initramfs still work. Non-linuxrc initrd code path (i. e. using /dev/ram as final root filesystem) still works, but I put deprecation message into it. Also I deprecate command line parameters "noinitrd" and "ramdisk_start=". Signed-off-by: Askar Safin Link: https://patch.msgid.link/20251119222407.3333257-3-safinaskar@gmail.com Reviewed-by: Christoph Hellwig Signed-off-by: Christian Brauner

fs: add immutable rootfs

2026-01-12T15:52:09+00:00

Currently pivot_root() doesn't work on the real rootfs because it cannot be unmounted. Userspace has to do a recursive removal of the initramfs contents manually before continuing the boot. Really all we want from the real rootfs is to serve as the parent mount for anything that is actually useful such as the tmpfs or ramfs for initramfs unpacking or the rootfs itself. There's no need for the real rootfs to actually be anything meaningful or useful. Add a immutable rootfs called "nullfs" that can be selected via the "nullfs_rootfs" kernel command line option. The kernel will mount a tmpfs/ramfs on top of it, unpack the initramfs and fire up userspace which mounts the rootfs and can then just do: chdir(rootfs); pivot_root(".", "."); umount2(".", MNT_DETACH); and be done with it. (Ofc, userspace can also choose to retain the initramfs contents by using something like pivot_root(".", "/initramfs") without unmounting it.) Technically this also means that the rootfs mount in unprivileged namespaces doesn't need to become MNT_LOCKED anymore as it's guaranteed that the immutable rootfs remains permanently empty so there cannot be anything revealed by unmounting the covering mount. In the future this will also allow us to create completely empty mount namespaces without risking to leak anything. systemd already handles this all correctly as it tries to pivot_root() first and falls back to MS_MOVE only when that fails. This goes back to various discussion in previous years and a LPC 2024 presentation about this very topic. Link: https://patch.msgid.link/20260112-work-immutable-rootfs-v2-3-88dd1c34a204@kernel.org Signed-off-by: Christian Brauner

init: remove deprecated "load_ramdisk" and "prompt_ramdisk" command line parameters

2025-12-15T13:32:54+00:00

...which do nothing. They were deprecated (in documentation) in 6b99e6e6aa62 ("Documentation/admin-guide: blockdev/ramdisk: remove use of "rdev"") in 2020 and in kernel messages in c8376994c86c ("initrd: remove support for multiple floppies") in 2020. Signed-off-by: Askar Safin Link: https://patch.msgid.link/20251119222407.3333257-2-safinaskar@gmail.com Acked-by: Arnd Bergmann Reviewed-by: Christoph Hellwig Reviewed-by: Randy Dunlap Signed-off-by: Christian Brauner

Merge tag 'pull-persistency' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2025-12-05T22:36:21+00:00

Pull persistent dentry infrastructure and conversion from Al Viro: "Some filesystems use a kinda-sorta controlled dentry refcount leak to pin dentries of created objects in dcache (and undo it when removing those). A reference is grabbed and not released, but it's not actually _stored_ anywhere. That works, but it's hard to follow and verify; among other things, we have no way to tell _which_ of the increments is intended to be an unpaired one. Worse, on removal we need to decide whether the reference had already been dropped, which can be non-trivial if that removal is on umount and we need to figure out if this dentry is pinned due to e.g. unlink() not done. Usually that is handled by using kill_litter_super() as ->kill_sb(), but there are open-coded special cases of the same (consider e.g. /proc/self). Things get simpler if we introduce a new dentry flag (DCACHE_PERSISTENT) marking those "leaked" dentries. Having it set claims responsibility for +1 in refcount. The end result this series is aiming for: - get these unbalanced dget() and dput() replaced with new primitives that would, in addition to adjusting refcount, set and clear persistency flag. - instead of having kill_litter_super() mess with removing the remaining "leaked" references (e.g. for all tmpfs files that hadn't been removed prior to umount), have the regular shrink_dcache_for_umount() strip DCACHE_PERSISTENT of all dentries, dropping the corresponding reference if it had been set. After that kill_litter_super() becomes an equivalent of kill_anon_super(). Doing that in a single step is not feasible - it would affect too many places in too many filesystems. It has to be split into a series. This work has really started early in 2024; quite a few preliminary pieces have already gone into mainline. This chunk is finally getting to the meat of that stuff - infrastructure and most of the conversions to it. Some pieces are still sitting in the local branches, but the bulk of that stuff is here" * tag 'pull-persistency' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (54 commits) d_make_discardable(): warn if given a non-persistent dentry kill securityfs_recursive_remove() convert securityfs get rid of kill_litter_super() convert rust_binderfs convert nfsctl convert rpc_pipefs convert hypfs hypfs: swich hypfs_create_u64() to returning int hypfs: switch hypfs_create_str() to returning int hypfs: don't pin dentries twice convert gadgetfs gadgetfs: switch to simple_remove_by_name() convert functionfs functionfs: switch to simple_remove_by_name() functionfs: fix the open/removal races functionfs: need to cancel ->reset_work in ->kill_sb() functionfs: don't bother with ffs->ref in ffs_data_{opened,closed}() functionfs: don't abuse ffs_data_closed() on fs shutdown convert selinuxfs ...

convert ramfs and tmpfs

2025-11-16T06:35:02+00:00

Quite a bit is already done by infrastructure changes (simple_link(), simple_unlink()) - all that is left is replacing d_instantiate() + pinning dget() (in ->symlink() and ->mknod()) with d_make_persistent(), and, in case of shmem, using simple_unlink() and simple_link() in ->unlink() and ->link() resp., instead of open-coding those there. Since d_make_persistent() accepts (and hashes) unhashed ones, shmem situation gets simpler - we no longer care whether ->lookup() has hashed the sucker. With that done, we don't need kill_litter_super() for these filesystems anymore - by the umount time all remaining dentries will be marked persistent and kill_litter_super() will boil down to call of kill_anon_super(). The same goes for devtmpfs and rootfs - they are handled by ramfs or by shmem, depending upon config. NB: strictly speaking, both devtmpfs and rootfs ought to use ramfs_kill_sb() if they end up using ramfs; that's a separate story and the only impact of "just use kill_{litter,anon}_super()" is that we fail to free their sb->s_fs_info... on reboot. That's orthogonal to the changes in this series - kill_litter_super() is identical to kill_anon_super() for those at this point. Signed-off-by: Al Viro

init: Replace simple_strtoul() with kstrtouint() in root_delay_setup()

2025-11-05T11:49:38+00:00

Replace deprecated simple_strtoul() with kstrtouint() for better error handling and input validation. Return 0 on parsing failure to indicate invalid parameter, maintaining existing behavior for valid inputs. The simple_strtoul() function is deprecated in favor of kstrtoint() family functions which provide better error handling and are recommended for new code and replacements. Signed-off-by: Kaushlendra Kumar Link: https://patch.msgid.link/20251103080627.1844645-1-kaushlendra.kumar@intel.com Reviewed-by: Jan Kara Signed-off-by: Christian Brauner

init: replace deprecated strncpy with strscpy_pad

2024-04-30T17:34:29+00:00

strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. data_page wants to be NUL-terminated and NUL-padded, use strscpy_pad to provide both of these. data_page no longer awkwardly relies on init_mount to perform its NUL-termination, although that sanity check is left unchanged. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: Signed-off-by: Justin Stitt Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20240402-strncpy-init-do_mounts-c-v1-1-e16d7bc20974@google.com Signed-off-by: Kees Cook

init: flush async file closing

2024-02-08T17:41:03+00:00

When unpacking the initramfs or when mounting block devices we need to ensure that any delayed fput() finished to prevent spurious errors. The init process can be a proper kernel thread or a user mode helper. In the latter case PF_KTHREAD isn't set. So we need to do both flush_delayed_work() and task_work_run(). Since we'll port block device opening and closing to regular file open and closing we need to ensure the same as for the initramfs. So just make that a little helper. Tested-by: Marek Szyprowski Tested-by: Srikanth Aithal Link: https://lore.kernel.org/r/CA+G9fYttTwsbFuVq10igbSvP5xC6bf_XijM=mpUqrJV=uvUirQ@mail.gmail.com Signed-off-by: Christian Brauner