This patch series fixes an auth_gss bug that results in netns refcount leaks when use-gss-proxy is set to 1. The problem was found in privileged docker containers with gssproxy service enabled and /proc/net/rpc/use-gss-proxy set to 1, the corresponding struct net->count ends up at 2 after container gets killed, the consequence is that the struct net cannot be freed. It turns out that write_gssp() called gssp_rpc_create() to create a rpc client, this increases net->count by 2; rpcsec_gss_exit_net() is supposed to decrease net->count but it never gets called because its call-path is: net->count==0 -> cleanup_net -> ops_exit_list -> rpcsec_gss_exit_net Before rpcsec_gss_exit_net() gets called, net->count cannot reach 0, this is a deadlock situation. To fix the problem, we must break the deadlock, rpcsec_gss_exit_net() should move out of the put() path and find another chance to get called, I think nsfs_evict() is a good place to go, when netns inode gets evicted we call rpcsec_gss_exit_net() to free the rpc client, this requires a new callback i.e. evict to be added in struct proc_ns_operations, and add netns_evict() as one of netns_operations as well. Wenbin Zeng (3): nsfs: add evict callback into struct proc_ns_operations netns: add netns_evict into netns_operations auth_gss: fix deadlock that blocks rpcsec_gss_exit_net when use-gss-proxy==1 fs/nsfs.c | 2 ++ include/linux/proc_ns.h | 1 + include/net/net_namespace.h | 1 + net/core/net_namespace.c | 12 ++++++++++++ net/sunrpc/auth_gss/auth_gss.c | 9 ++++++--- 5 files changed, 22 insertions(+), 3 deletions(-) -- 1.8.3.1