Actually I confirm that Kernel Panic on 4.19 version. But I couldn't check main line not yet. Below is the one of the panic log what i've experienced Internal error: Oops: 96000004 [#1] SMP 2020-03-14T15:35 Modules linked in: hsl_linux_helper(O) saswifmod(O) asrim(O) linux_bcm_knet(O) linux_user_bde(O) linux_kernel_bde(O) ds_peripheral(O) m_vlog(O) m_scontrol(O) CPU: 2 PID: 5966 Comm: c.EQMD_ASYNC Tainted: G W O 4.19.26 NOS Hardware name: LS1046A RDB Board (DT) pstate: 60000005 (nZCv daif -PAN -UAO) :44 pc : sock_prot_inuse_add+0x10/0x20 lr : netlink_release+0x30c/0x5a8 sp : ffff0000244c3b20 x29: ffff0000244c3b20 x28: ffff8008774ea000 x27: ffff800865b093d0 x26: ffff800865b09000 x25: ffff800863580c00 x24: ffff00001892f000 x23: ffff80086514ba00 x22: ffff000018acd000 x21: ffff0000189ae000 x20: ffff00001892a000 x19: ffff0000088bfb2c x18: 0000000000000400 x16: 0000000000000000 x15: 0000000000000400 x14: 0000000000000400 x13: 0000000000000000 x12: 0000000000000001 x11: 000000000000a949 x10: 0000000000062d05 x9 : 0000000000000027 x8 : ffff800877120280 x7 : 0000000000000200 x6 : ffff800865b092e8 x5 : ffff0000244c3ae0 x4 : 0000000000000000 x3 : 0000800866e9a000 x2 : 00000000ffffffff x1 : 0000000000000000 x0 : 0000000000000000 Process c.EQMD_ASYNC (pid: 5966, stack limit = 0x0000000088e20a05) Call trace: sock_prot_inuse_add+0x10/0x20 __sock_release+0x44/0xc0 sock_close+0x14/0x20 __fput+0x8c/0x1b8 ____fput+0xc/0x18 task_work_run+0xa8/0xd8 do_exit+0x2e4/0xa50 do_group_exit+0x34/0xc8 get_signal+0xd4/0x600 do_signal+0x174/0x268 do_notify_resume+0xcc/0x110 work_pending+0x8/0x10 Code: b940c821 f940c000 d538d083 8b010800 (b8606861) ---[ end trace 0b98c9ccbfd9f6fd ]--- Date/Time : 02-14-0120 06:35:47 Kernel panic - not syncing: Fatal exception in interrupt SMP: stopping secondary CPUs Kernel Offset: disabled CPU features: 0x0,21806000 Memory Limit: none What I saw is when I try to bind on some mount point to /proc/{pid}/ns/net which made by child process, That's doesn't increase the netns' refcnt. And when the child process's going to exit, it frees the netns But Still bind mount point's inode's private data point to netns which was freed by child when it exits. Thank you for your reviewing But I also confirm that problem on mainline too. And sorry to my fault. On Tue, Apr 7, 2020 at 12:13 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > > On Tue, Apr 07, 2020 at 04:05:04AM +0100, Al Viro wrote: > > > Could you post a reproducer, preferably one that would trigger an oops > > on mainline? > > BTW, just to make sure - are we talking about analysis of existing > oops, or is it "never seen it happen, but looks like it should be > triggerable" kind of situation?