pidns: Don't allow new processes in a dead pid namespace.

Set nr_hashed to -1 just before we schedule the work to cleanup proc.
Test nr_hashed just before we hash a new pid and if nr_hashed is < 0
fail.

This guaranteees that processes never enter a pid namespaces after we
have cleaned up the state to support processes in a pid namespace.

Currently sending SIGKILL to all of the process in a pid namespace as
init exists gives us this guarantee but we need something a little
stronger to support unsharing and joining a pid namespace.

Acked-by: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/kernel/pid.c b/kernel/pid.c
index e957f8b09136..9c219117af36 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -274,8 +274,10 @@ void free_pid(struct pid *pid)
         for (i = 0; i <= pid->level; i++) {
                 struct upid *upid = pid->numbers + i;
                 hlist_del_rcu(&upid->pid_chain);
-                if (--upid->ns->nr_hashed == 0)
+                if (--upid->ns->nr_hashed == 0) {
+                        upid->ns->nr_hashed = -1;
                         schedule_work(&upid->ns->proc_work);
+                }
         }
         spin_unlock_irqrestore(&pidmap_lock, flags);
 
@@ -321,6 +323,8 @@ struct pid *alloc_pid(struct pid_namespace *ns)
 
         upid = pid->numbers + ns->level;
         spin_lock_irq(&pidmap_lock);
+        if (ns->nr_hashed < 0)
+                goto out_unlock;
         for ( ; upid >= pid->numbers; --upid) {
                 hlist_add_head_rcu(&upid->pid_chain,
                                 &pid_hash[pid_hashfn(upid->nr, upid->ns)]);
@@ -331,6 +335,8 @@ struct pid *alloc_pid(struct pid_namespace *ns)
 out:
         return pid;
 
+out_unlock:
+        spin_unlock(&pidmap_lock);
 out_free:
         while (++i <= ns->level)
                 free_pidmap(pid->numbers + i);