APPLIED: [SRU][N/Q][PATCH 0/1] namespace: fix proc mount iteration

Mehmet Basaran mehmet.basaran at canonical.com
Tue Apr 7 12:12:05 UTC 2026 

Applied to noble:linux, questing:linux master-next branches. Thanks.

-------------- next part --------------
Zachary Raines <zachary.raines at canonical.com> writes:

> BugLink: https://bugs.launchpad.net/bugs/2143083
>
> SRU Justification:
>
> [ Impact ]
>
> Sometimes on a system that is mounting and unmounting filesystems frequently,
> for example running lots of docker containers, the size of /proc/1/mountinfo,
> can become very large -- 100s, to 1000s of entries or more -- with the vast
> majority being a single entry duplicated many times.
>
> This causes other problems on the system, due to systemd parsing the mount table
> whenever it changes, and eating up a lot of memory, for example [0]. Waiting
> long enough there are rare events where the length of mountinfo can go into the
> millions of lines and lead to OOM and kernel panics.
>
> [Fix]
>
> Christian Brauner submitted a patch on the mailing list[1] (now merged upstream [2])
> which fixes the issue by
> a) using the unique mount ID as the pos for iterating the mounts
> b) updating to the pos of the iterator before returning
>
> [ Test Plan ]
>
> To test whether this issue occurs, it is sufficient to rapidly mount and unmount
> tmpfs rapidly and poll for duplicates in `/proc/1/mountinfo` this can be done
> for example by the following pair of scripts:
>
> repro.sh
> --------
> #!/bin/bash
> counter=0
> while true; do
>     echo -n "."
>     unique_name="tmpfs_$$_$counter"
>     mkdir -p "/tmp/$unique_name"
>     sudo mount -t tmpfs "$unique_name" "/tmp/$unique_name"
>     sudo umount "/tmp/$unique_name"
>     rmdir "/tmp/$unique_name"
>     ((counter++))
>     sleep 0.1
> done
> -------
>
> has-bug.sh
> --------
> #!/bin/bash
> THRESHOLD=100
> WAIT_MIN=30
> WAIT_SECONDS=$((WAIT_MIN * 60))
> SECONDS=0
> while ((SECONDS < WAIT_SECONDS)); do
>     # Get mountinfo entries and count total
>     mountinfo="$(cat /proc/1/mountinfo)"
>     mountinfo_count=$(echo "$mountinfo" | wc -l)
>
>     if ((mountinfo_count > THRESHOLD)); then
>         echo "$(date): Mount count ($mountinfo_count) exceeds threshold ($THRESHOLD)"
>
>         # Find and log duplicate mount points with their counts
>         duplicates=$(echo "$mountinfo" | sort | uniq -cd)
>
>         if [[ -n "$duplicates" ]]; then
>             echo "Duplicate mounts :"
>             echo "$duplicates" | while read -r count mountpoint; do
>                 echo " $mountpoint: $count occurrences"
>             done
>         fi
>         exit 0
>     fi
>
>     sleep 0.1
> done
> exit 1
> ------
>
> In my testing, about 5 minutes is sufficient time for the bug to occur, so I've
> set the timeout to 30min in the test plan out of an abundance of caution.
>
> If the bug is present in the running kernel, `has-bug.sh` will print a message
> about duplicate entries and exit success, otherwise it will time out and exit
> with return code 1.
>
> The high level test plan is:
>
> 1. Run `has-bug.sh` and `repro.sh` on unpatched kernel.
> 2. Observe that bug is present
> 3. Upgrade to patched kernel and restart
> 4. Run `has-bug.sh` and `repro.sh` on unpatched kernel.
> 5. Observe that bug is no longer present
>
> [ Where problems could occur ]
>
> * The patch to fix this modifies how iterator position is tracked when iterating
> mounts. It therefore potentially affects anything that iterates through the mounts.
>
> [ Other Info ]
>
> [0]: https://github.com/systemd/systemd/issues/37939
> [1]: https://lore.kernel.org/lkml/20260129-geleckt-treuhand-4bb940acacd9@brauner/
> [2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4a403d7aa9074f527f064ef0806aaab38d14b07c
>
> Christian Brauner (1):
>   namespace: fix proc mount iteration
>
>  fs/namespace.c | 20 +++++++++++++++-----
>  1 file changed, 15 insertions(+), 5 deletions(-)
>
> --
> 2.51.0
>
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 873 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260407/7c53a5df/attachment.sig>

More information about the kernel-team mailing list