Re: [PATCH 8/8] nfsd: hold net namespace reference in nfsd_file

From: Jeff Layton

Date: Mon Jun 01 2026 - 14:36:52 EST


On Mon, 2026-06-01 at 18:50 +0100, Al Viro wrote:
> On Mon, Jun 01, 2026 at 01:31:11PM -0400, Jeff Layton wrote:
> > Take a net-namespace reference in nfsd_file_alloc() (get_net) and
> > release it in nfsd_file_free() (put_net), so that nf_net is always
> > valid for files that the GC or shrinker has isolated from the hash
> > table and LRU -- which __nfsd_file_cache_purge() cannot see.
> >
> > Without this, nf_net can dangle for in-flight files whose net namespace
> > is torn down concurrently, causing a use-after-free when
> > nfsd_file_dispose_list_delayed() calls net_generic(nf->nf_net, ...).
> >
> > Because nfsd_file_free() now calls put_net(nf->nf_net), the old
> > nfsd_file_put_local() pattern of returning nf->nf_net after
> > nfsd_file_put() is unsafe -- put_net() could theoretically drop the
> > last net namespace reference, leaving the returned pointer stale.
> > Fix this by moving the nfsd_net_put() call into nfsd_file_put_local()
> > itself, before the nfsd_file_put() that may trigger nfsd_file_free().
> > The function now returns void and the caller no longer needs to handle
> > the net reference.
>
> That means that each nfsd_file_alloc()/nfsd_file_free() is now touching
> the same cacheline on kernels with netns enabled. Scalability implications
> might be interesting...

That's definitely a valid concern. I looked at a couple of alternatives
but they turned out to be pretty nasty.

One thing we can do is only take a net reference for GC'ed files, since
we don't need a reference for the others. That would cut down some of
the get/put_net activity, but it's still likely to be substantial. I'll
plan to implement that for v2.

I'll keep thinking about other ways to do this, but I think we're stuck
taking net references for at least some of these for now.
--
Jeff Layton <jlayton@xxxxxxxxxx>
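
The lifetime rule discussed in this thread, as an added example that is not part of the message or the patch: a single-threaded userspace model of an object that either holds a counted reference on its namespace or only borrows the pointer. All names (model_net, model_file, model_net_live_in_flight and the rest) are hypothetical, and teardown is modelled by setting a flag instead of freeing memory so the result can be checked safely.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
struct model_net {
    atomic_int refs;        /* lifetime count, get_net()/put_net() analogue */
    atomic_int local_users; /* stand-in for the count nfsd_net_put() drops */
    int dead;               /* set at teardown (not freed) so the model can test it */
};
struct model_file {
    atomic_int refs;
    struct model_net *net;  /* models nf_net */
    int holds_net;          /* 1 = counted pointer (patched), 0 = borrowed (old) */
};

static void model_put_net(struct model_net *net) {
    if (atomic_fetch_sub(&net->refs, 1) == 1)
        net->dead = 1;      /* last reference gone: namespace torn down */
}
static struct model_file *model_file_alloc(struct model_net *net, int hold) {
    struct model_file *f = calloc(1, sizeof(*f));
    if (!f) abort();
    atomic_init(&f->refs, 1);
    if (hold) atomic_fetch_add(&net->refs, 1);  /* reference taken at alloc */
    atomic_fetch_add(&net->local_users, 1);
    f->net = net;
    f->holds_net = hold;
    return f;
}
static void model_file_put(struct model_file *f) {
    if (atomic_fetch_sub(&f->refs, 1) != 1) return;
    if (f->holds_net) model_put_net(f->net);    /* released at free; may be the last */
    free(f);
}
/* Returns void: per-net work precedes the put that may free file and net. */
static void model_file_put_local(struct model_file *f) {
    atomic_fetch_sub(&f->net->local_users, 1);
    model_file_put(f);
}

/* Returns 1 if nf_net's target was still live while the file was in flight. */
int model_net_live_in_flight(int hold) {
    struct model_net net = { 1, 0, 0 };         /* creator holds one reference */
    struct model_file *f = model_file_alloc(&net, hold);
    model_put_net(&net);                        /* creator tears down; f in flight */
    int live = !net.dead;
    model_file_put_local(f);
    return live;
}
```

With hold set to 1 the namespace stays live until the last file put; with hold set to 0 it is already torn down while the file still points at it, which is the dangling nf_net condition the commit message describes.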