This patch series fixes an auth_gss bug that results in netns refcount leaks when use-gss-proxy is set to 1.
The problem was found in privileged docker containers with gssproxy service enabled and /proc/net/rpc/use-gss-proxy set to 1, the corresponding struct net->count ends up at 2 after container gets killed, the consequence is that the struct net cannot be freed.
It turns out that write_gssp() called gssp_rpc_create() to create a rpc client, this increases net->count by 2; rpcsec_gss_exit_net() is supposed to decrease net->count but it never gets called because its call-path is:
net->count==0 -> cleanup_net -> ops_exit_list -> rpcsec_gss_exit_net
Before rpcsec_gss_exit_net() gets called, net->count cannot reach 0, this is a deadlock situation.
To fix the problem, we must break the deadlock, rpcsec_gss_exit_net() should move out of the put() path and find another chance to get called, I think nsfs_evict() is a good place to go, when netns inode gets evicted we call rpcsec_gss_exit_net() to free the rpc client, this requires a new callback i.e. evict to be added in struct proc_ns_operations, and add netns_evict() as one of netns_operations as well.
Wenbin Zeng (3):
nsfs: add evict callback into struct proc_ns_operations
netns: add netns_evict into netns_operations
auth_gss: fix deadlock that blocks rpcsec_gss_exit_net when
use-gss-proxy==1
fs/nsfs.c | 2 ++
include/linux/proc_ns.h | 1 +
include/net/net_namespace.h | 1 +
net/core/net_namespace.c | 12 ++++++++++++
net/sunrpc/auth_gss/auth_gss.c | 9 ++++++---
5 files changed, 22 insertions(+), 3 deletions(-)
--
1.8.3.1
