On Mon, Feb 23, 2026 at 04:24:07PM -0800, Bobby Eshleman wrote:
On Mon, Feb 23, 2026 at 02:38:33PM -0800, Bobby Eshleman wrote:
From: Bobby Eshleman <[email protected]>

Two administrator processes may race when setting child_ns_mode as one
process sets child_ns_mode to "local" and then creates a namespace, but
another process changes child_ns_mode to "global" between the write and
the namespace creation. The first process ends up with a namespace in
"global" mode instead of "local". While this can be detected after the
fact by reading ns_mode and retrying, it is fragile and error-prone.

Make child_ns_mode write-once so that a namespace manager can set it
once and be sure it won't change. Writing a different value after the
first write returns -EBUSY. This applies to all namespaces, including
init_net, where an init process can write "local" to lock all future
namespaces into local mode.

Fixes: eafb64f40ca4 ("vsock: add netns to vsock core")
Suggested-by: Daan De Meyer <[email protected]>
Suggested-by: Stefano Garzarella <[email protected]>
Co-developed-by: Stefano Garzarella <[email protected]>
Signed-off-by: Stefano Garzarella <[email protected]>

Stefano, I wasn't sure if you wanted the Co-developed-by and S-o-b on
this iteration, but I added it just in case. Please let me know if that
wasn't what you intended.

It's fine, thanks for that!
Stefano
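
The write-once rule described in the quoted commit message, as an added user-space C model (not the kernel patch and not code from anyone in this thread). All names are hypothetical, and it assumes an unwritten namespace reads as "global" and that the first write of either value locks it.

```c
/* Added user-space model; not kernel code. All names are hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>

enum ns_mode { MODE_GLOBAL = 0, MODE_LOCAL = 1 };
#define MODE_LOCKED 2u  /* set by the first write */

/* Assumption: a namespace starts unlocked and reads as "global". */
struct ns_model { _Atomic unsigned state; };

/* First write locks the value; a later write succeeds only if it matches. */
static int child_ns_mode_write(struct ns_model *ns, enum ns_mode want)
{
    unsigned old = atomic_load(&ns->state);
    for (;;) {
        if (old & MODE_LOCKED)
            return (old & 1u) == (unsigned)want ? 0 : -EBUSY;
        /* One atomic step decides the winner; on failure 'old' is reloaded. */
        if (atomic_compare_exchange_weak(&ns->state, &old,
                                         MODE_LOCKED | (unsigned)want))
            return 0;
    }
}

static enum ns_mode child_ns_mode_read(struct ns_model *ns)
{
    return (enum ns_mode)(atomic_load(&ns->state) & 1u);
}

/* Manager flow: lock "local", then create a child that inherits the mode. */
static int create_local_child(struct ns_model *parent, enum ns_mode *child)
{
    int rc = child_ns_mode_write(parent, MODE_LOCAL);
    if (rc)
        return rc;  /* another mode is already locked: fail, do not race */
    *child = child_ns_mode_read(parent);
    return 0;
}

int main(void)
{
    struct ns_model ns = { 0 };
    enum ns_mode child = MODE_GLOBAL;
    printf("A writes local:  %d\n", child_ns_mode_write(&ns, MODE_LOCAL));
    printf("B writes global: %d\n", child_ns_mode_write(&ns, MODE_GLOBAL));
    printf("A creates child: %d, mode %s\n", create_local_child(&ns, &child),
           child == MODE_LOCAL ? "local" : "global");
    return 0;
}
```

In this model the second writer gets an immediate error and the mode cannot flip between the first process's write and its namespace creation.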