From: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue, 26 Aug 2025 20:35:55 +0000 (-0400)
Subject: mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=38f4885088fc5ad41b8b0a2a2cfc73d01e709e5c;p=thirdparty%2Fkernel%2Fstable.git

mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list

Actual removal is done under the lock, but for checking if need to bother
the lockless RB_EMPTY_NODE() is safe - either that namespace had never
been added to mnt_ns_tree, in which case the the node will stay empty, or
whoever had allocated it has called mnt_ns_tree_add() and it has already
run to completion.  After that point RB_EMPTY_NODE() will become false and
will remain false, no matter what we do with other nodes in the tree.

Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---

diff --git a/fs/namespace.c b/fs/namespace.c
index ae6d1312b1849..39afeb521a80c 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -187,7 +187,7 @@ static void mnt_ns_release_rcu(struct rcu_head *rcu)
 static void mnt_ns_tree_remove(struct mnt_namespace *ns)
 {
 	/* remove from global mount namespace list */
-	if (!is_anon_ns(ns)) {
+	if (!RB_EMPTY_NODE(&ns->mnt_ns_tree_node)) {
 		mnt_ns_tree_write_lock();
 		rb_erase(&ns->mnt_ns_tree_node, &mnt_ns_tree);
 		list_bidir_del_rcu(&ns->mnt_ns_list);