Re: [PATCH] vfs: document locking for mnt_notify_add()

From: Christian Brauner

Date: Tue Jun 02 2026 - 09:16:34 EST


On Fri, May 29, 2026 at 09:38:08PM +0200, Jann Horn wrote:
> The locking in mnt_notify_add(), which was introduced in commit
> bf630c401641 ("vfs: add notifications for mount attach and detach"), is a
> bit gnarly.
> notify_list is protected by namespace_lock, but there are cases where
> mnt_notify_add() is called without holding namespace_lock, for example:
>
> __do_sys_fsmount -> mnt_add_to_ns -> mnt_notify_add
>
> Luckily, in cases where the namespace_lock isn't held, the namespace is
> always freshly created and can't have any fsnotify marks yet, which means
> the notify_list isn't actually accessed.

When fsmount() is called it creates an anonymous mount namespace. Such
anonymous mount namespaces are pure containers for mount trees. They
can never actually appear as namespaces to userspace. Nothing can be
registered on them and they can't be setns()'d into. So it is impossible
to ever register any mount notification watch on them.

In general, modifying mount notification objects requires namespace_sem to
be held (read-side - we downgrade when possible).

>
> The existing comment claims that not accessing the notify_list in these
> cases is merely an optimization, which is wrong. Fix the comment, and add a
> locking assertion.

I don't think this is what the comment intended to communicate but I
guess it can be misread.

>
> To allow mnt_notify_add() to reference the namespace_sem, move it into
> fs/namespace.c.
>
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
> ---
> I'm sending this patch because I spent some time staring at this
> trying to figure out if this was buggy or not.
>
> I don't know if this is working as intended or working by accident,
> and it might be nice if this was cleaned up to have simpler locking;

The locking is rather simple: namespace_sem. But maybe I misunderstand.
It just piggy-backs on the same logic as mnt_add_to_ns() in that
mnt_add_to_ns() may be called to add a mount into a newly allocated
namespace without the namespace semaphore held. So the locking context is
guaranteed by mnt_add_to_ns(). To put it another way: if you have quarrels
with mnt_notify_add() you likely also have quarrels with the contextual
locking of mnt_add_to_ns().