Commit 26abe1437 changed sock_create_kern() so that it stopped
holding a reference to the network namespace.
The rational seemed to be 'to allow to stop it' (presumably 'be deleted').
Prior to this change some kernel paths used sk_change_net() (etc) to
change the namespace after the socket was created.
If the socket doesn't hold a reference to the namespace, what actually
happens when the namespace is deleted?
I can't help feeling there is an indirection through a stale pointer
just waiting to happen.
Clearly the driver calling sock_create_kern() could itself call get_net()
but that could still leave issues with sockets that get into TIME_WAIT
states.
Even that is easier said than done, a non-GPL driver cannot call put_net()
to drop a reference.
While I can imagine that there are some 'special' sockets that don't
need to hold the reference, it seems unlikely that it is true for all
users of sock_create_kern().
David
