Merge tag 'namespace-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

Pull namespace updates from Christian Brauner:
 "This contains substantial namespace infrastructure changes including a new
  system call, active reference counting, and extensive header cleanups.
  The branch depends on the shared kbuild branch for -fms-extensions support.

  Features:

   - listns() system call

     Add a new listns() system call that allows userspace to iterate
     through namespaces in the system. This provides a programmatic
     interface to discover and inspect namespaces, addressing
     longstanding limitations:

     Currently, there is no direct way for userspace to enumerate
     namespaces. Applications must resort to scanning /proc/*/ns/ across
     all processes, which is:
      - Inefficient - requires iterating over all processes
      - Incomplete - misses namespaces not attached to any running
        process but kept alive by file descriptors, bind mounts, or
        parent references
      - Permission-heavy - requires access to /proc for many processes
      - No ordering or ownership information
      - No filtering per namespace type

     The listns() system call solves these problems:

       ssize_t listns(const struct ns_id_req *req, u64 *ns_ids,
                      size_t nr_ns_ids, unsigned int flags);

       struct ns_id_req {
             __u32 size;
             __u32 spare;
             __u64 ns_id;
             struct /* listns */ {
                     __u32 ns_type;
                     __u32 spare2;
                     __u64 user_ns_id;
             };
       };

     Features include:
      - Pagination support for large namespace sets
      - Filtering by namespace type (MNT_NS, NET_NS, USER_NS, etc.)
      - Filtering by owning user namespace
      - Permission checks respecting namespace isolation

   - Active Reference Counting

     Introduce an active reference count that tracks namespace
     visibility to userspace. A namespace is visible in the following
     cases:
      - The namespace is in use by a task
      - The namespace is persisted through a VFS object (namespace file
        descriptor or bind-mount)
      - The namespace is a hierarchical type and is the parent of child
        namespaces

     The active reference count does not regulate lifetime (that's still
     done by the normal reference count) - it only regulates visibility
     to namespace file handles and listns().

     This prevents resurrection of namespaces that are pinned only for
     internal kernel reasons (e.g., user namespaces held by
     file->f_cred, lazy TLB references on idle CPUs, etc.) which should
     not be accessible via (1)-(3).

   - Unified Namespace Tree

     Introduce a unified tree structure for all namespaces with:
      - Fixed IDs assigned to initial namespaces
      - Lookup based solely on inode number
      - Maintained list of owned namespaces per user namespace
      - Simplified rbtree comparison helpers

   Cleanups

    - Header Reorganization:
      - Move namespace types into separate header (ns_common_types.h)
      - Decouple nstree from ns_common header
      - Move nstree types into separate header
      - Switch to new ns_tree_{node,root} structures with helper functions
      - Use guards for ns_tree_lock

   - Initial Namespace Reference Count Optimization
      - Make all reference counts on initial namespaces a nop to avoid
        pointless cacheline ping-pong for namespaces that can never go
        away
      - Drop custom reference count initialization for initial namespaces
      - Add NS_COMMON_INIT() macro and use it for all namespaces
      - pid: rely on common reference count behavior

   - Miscellaneous Cleanups
      - Rename exit_task_namespaces() to exit_nsproxy_namespaces()
      - Rename is_initial_namespace() and make argument const
      - Use boolean to indicate anonymous mount namespace
      - Simplify owner list iteration in nstree
      - nsfs: raise SB_I_NODEV, SB_I_NOEXEC, and DCACHE_DONTCACHE explicitly
      - nsfs: use inode_just_drop()
      - pidfs: raise DCACHE_DONTCACHE explicitly
      - pidfs: simplify PIDFD_GET__NAMESPACE ioctls
      - libfs: allow to specify s_d_flags
      - cgroup: add cgroup namespace to tree after owner is set
      - nsproxy: fix free_nsproxy() and simplify create_new_namespaces()

  Fixes:

   - setns(pidfd, ...) race condition

     Fix a subtle race when using pidfds with setns(). When the target
     task exits after prepare_nsset() but before commit_nsset(), the
     namespace's active reference count might have been dropped. If
     setns() then installs the namespaces, it would bump the active
     reference count from zero without taking the required reference on
     the owner namespace, leading to underflow when later decremented.

     The fix resurrects the ownership chain if necessary - if the caller
     succeeded in grabbing passive references, the setns() should
     succeed even if the target task exits or gets reaped.

   - Return EFAULT on put_user() error instead of success

   - Make sure references are dropped outside of RCU lock (some
     namespaces like mount namespace sleep when putting the last
     reference)

   - Don't skip active reference count initialization for network
     namespace

   - Add asserts for active refcount underflow

   - Add asserts for initial namespace reference counts (both passive
     and active)

   - ipc: enable is_ns_init_id() assertions

   - Fix kernel-doc comments for internal nstree functions

   - Selftests
      - 15 active reference count tests
      - 9 listns() functionality tests
      - 7 listns() permission tests
      - 12 inactive namespace resurrection tests
      - 3 threaded active reference count tests
      - commit_creds() active reference tests
      - Pagination and stress tests
      - EFAULT handling test
      - nsid tests fixes"

* tag 'namespace-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (103 commits)
  pidfs: simplify PIDFD_GET_<type>_NAMESPACE ioctls
  nstree: fix kernel-doc comments for internal functions
  nsproxy: fix free_nsproxy() and simplify create_new_namespaces()
  selftests/namespaces: fix nsid tests
  ns: drop custom reference count initialization for initial namespaces
  pid: rely on common reference count behavior
  ns: add asserts for initial namespace active reference counts
  ns: add asserts for initial namespace reference counts
  ns: make all reference counts on initial namespace a nop
  ipc: enable is_ns_init_id() assertions
  fs: use boolean to indicate anonymous mount namespace
  ns: rename is_initial_namespace()
  ns: make is_initial_namespace() argument const
  nstree: use guards for ns_tree_lock
  nstree: simplify owner list iteration
  nstree: switch to new structures
  nstree: add helper to operate on struct ns_tree_{node,root}
  nstree: move nstree types into separate header
  nstree: decouple from ns_common header
  ns: move namespace types into separate header
  ...

1 files changed, 814 insertions, 0 deletions

diff --git a/tools/testing/selftests/namespaces/cred_change_test.c b/tools/testing/selftests/namespaces/cred_change_test.c
new file mode 100644
index 000000000000..7b4f5ad3f725
--- /dev/null
+++ b/tools/testing/selftests/namespaces/cred_change_test.c
@@ -0,0 +1,814 @@
+// SPDX-License-Identifier: GPL-2.0
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <sched.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/capability.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <linux/nsfs.h>
+#include "../kselftest_harness.h"
+#include "../filesystems/utils.h"
+#include "wrappers.h"
+
+/*
+ * Test credential changes and their impact on namespace active references.
+ */
+
+/*
+ * Test setuid() in a user namespace properly swaps active references.
+ * Create a user namespace with multiple UIDs mapped, then setuid() between them.
+ * Verify that the user namespace remains active throughout.
+ */
+TEST(setuid_preserves_active_refs)
+{
+	pid_t pid;
+	int status;
+	__u64 userns_id;
+	struct ns_id_req req = {
+		.size = sizeof(req),
+		.spare = 0,
+		.ns_id = 0,
+		.ns_type = CLONE_NEWUSER,
+		.spare2 = 0,
+		.user_ns_id = 0,
+	};
+	__u64 ns_ids[256];
+	ssize_t ret;
+	int i;
+	bool found = false;
+	int pipefd[2];
+
+	ASSERT_EQ(pipe(pipefd), 0);
+
+	pid = fork();
+	ASSERT_GE(pid, 0);
+
+	if (pid == 0) {
+		/* Child process */
+		int fd, userns_fd;
+		__u64 child_userns_id;
+		uid_t orig_uid = getuid();
+		int setuid_count;
+
+		close(pipefd[0]);
+
+		/* Create new user namespace with multiple UIDs mapped (0-9) */
+		userns_fd = get_userns_fd(0, orig_uid, 10);
+		if (userns_fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (setns(userns_fd, CLONE_NEWUSER) < 0) {
+			close(userns_fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(userns_fd);
+
+		/* Get user namespace ID */
+		fd = open("/proc/self/ns/user", O_RDONLY);
+		if (fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (ioctl(fd, NS_GET_ID, &child_userns_id) < 0) {
+			close(fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(fd);
+
+		/* Send namespace ID to parent */
+		write(pipefd[1], &child_userns_id, sizeof(child_userns_id));
+
+		/*
+		 * Perform multiple setuid() calls.
+		 * Each setuid() triggers commit_creds() which should properly
+		 * swap active references via switch_cred_namespaces().
+		 */
+		for (setuid_count = 0; setuid_count < 50; setuid_count++) {
+			uid_t target_uid = (setuid_count % 10);
+			if (setuid(target_uid) < 0) {
+				if (errno != EPERM) {
+					close(pipefd[1]);
+					exit(1);
+				}
+			}
+		}
+
+		close(pipefd[1]);
+		exit(0);
+	}
+
+	/* Parent process */
+	close(pipefd[1]);
+
+	if (read(pipefd[0], &userns_id, sizeof(userns_id)) != sizeof(userns_id)) {
+		close(pipefd[0]);
+		kill(pid, SIGKILL);
+		waitpid(pid, NULL, 0);
+		SKIP(return, "Failed to get namespace ID from child");
+	}
+	close(pipefd[0]);
+
+	TH_LOG("Child user namespace ID: %llu", (unsigned long long)userns_id);
+
+	/* Verify namespace is active while child is running */
+	ret = sys_listns(&req, ns_ids, ARRAY_SIZE(ns_ids), 0);
+	if (ret < 0) {
+		kill(pid, SIGKILL);
+		waitpid(pid, NULL, 0);
+		if (errno == ENOSYS)
+			SKIP(return, "listns() not supported");
+		ASSERT_GE(ret, 0);
+	}
+
+	for (i = 0; i < ret; i++) {
+		if (ns_ids[i] == userns_id) {
+			found = true;
+			break;
+		}
+	}
+	ASSERT_TRUE(found);
+
+	waitpid(pid, &status, 0);
+	ASSERT_TRUE(WIFEXITED(status));
+	ASSERT_EQ(WEXITSTATUS(status), 0);
+
+	/* Verify namespace becomes inactive after child exits */
+	ret = sys_listns(&req, ns_ids, ARRAY_SIZE(ns_ids), 0);
+	ASSERT_GE(ret, 0);
+
+	found = false;
+	for (i = 0; i < ret; i++) {
+		if (ns_ids[i] == userns_id) {
+			found = true;
+			break;
+		}
+	}
+
+	ASSERT_FALSE(found);
+	TH_LOG("setuid() correctly preserved active references (no leak)");
+}
+
+/*
+ * Test setgid() in a user namespace properly handles active references.
+ */
+TEST(setgid_preserves_active_refs)
+{
+	pid_t pid;
+	int status;
+	__u64 userns_id;
+	struct ns_id_req req = {
+		.size = sizeof(req),
+		.spare = 0,
+		.ns_id = 0,
+		.ns_type = CLONE_NEWUSER,
+		.spare2 = 0,
+		.user_ns_id = 0,
+	};
+	__u64 ns_ids[256];
+	ssize_t ret;
+	int i;
+	bool found = false;
+	int pipefd[2];
+
+	ASSERT_EQ(pipe(pipefd), 0);
+
+	pid = fork();
+	ASSERT_GE(pid, 0);
+
+	if (pid == 0) {
+		/* Child process */
+		int fd, userns_fd;
+		__u64 child_userns_id;
+		uid_t orig_uid = getuid();
+		int setgid_count;
+
+		close(pipefd[0]);
+
+		/* Create new user namespace with multiple GIDs mapped */
+		userns_fd = get_userns_fd(0, orig_uid, 10);
+		if (userns_fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (setns(userns_fd, CLONE_NEWUSER) < 0) {
+			close(userns_fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(userns_fd);
+
+		/* Get user namespace ID */
+		fd = open("/proc/self/ns/user", O_RDONLY);
+		if (fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (ioctl(fd, NS_GET_ID, &child_userns_id) < 0) {
+			close(fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(fd);
+
+		write(pipefd[1], &child_userns_id, sizeof(child_userns_id));
+
+		/* Perform multiple setgid() calls */
+		for (setgid_count = 0; setgid_count < 50; setgid_count++) {
+			gid_t target_gid = (setgid_count % 10);
+			if (setgid(target_gid) < 0) {
+				if (errno != EPERM) {
+					close(pipefd[1]);
+					exit(1);
+				}
+			}
+		}
+
+		close(pipefd[1]);
+		exit(0);
+	}
+
+	/* Parent process */
+	close(pipefd[1]);
+
+	if (read(pipefd[0], &userns_id, sizeof(userns_id)) != sizeof(userns_id)) {
+		close(pipefd[0]);
+		kill(pid, SIGKILL);
+		waitpid(pid, NULL, 0);
+		SKIP(return, "Failed to get namespace ID from child");
+	}
+	close(pipefd[0]);
+
+	waitpid(pid, &status, 0);
+	ASSERT_TRUE(WIFEXITED(status));
+	ASSERT_EQ(WEXITSTATUS(status), 0);
+
+	/* Verify namespace becomes inactive */
+	ret = sys_listns(&req, ns_ids, ARRAY_SIZE(ns_ids), 0);
+	if (ret < 0) {
+		if (errno == ENOSYS)
+			SKIP(return, "listns() not supported");
+		ASSERT_GE(ret, 0);
+	}
+
+	for (i = 0; i < ret; i++) {
+		if (ns_ids[i] == userns_id) {
+			found = true;
+			break;
+		}
+	}
+
+	ASSERT_FALSE(found);
+	TH_LOG("setgid() correctly preserved active references (no leak)");
+}
+
+/*
+ * Test setresuid() which changes real, effective, and saved UIDs.
+ * This should properly swap active references via commit_creds().
+ */
+TEST(setresuid_preserves_active_refs)
+{
+	pid_t pid;
+	int status;
+	__u64 userns_id;
+	struct ns_id_req req = {
+		.size = sizeof(req),
+		.spare = 0,
+		.ns_id = 0,
+		.ns_type = CLONE_NEWUSER,
+		.spare2 = 0,
+		.user_ns_id = 0,
+	};
+	__u64 ns_ids[256];
+	ssize_t ret;
+	int i;
+	bool found = false;
+	int pipefd[2];
+
+	ASSERT_EQ(pipe(pipefd), 0);
+
+	pid = fork();
+	ASSERT_GE(pid, 0);
+
+	if (pid == 0) {
+		/* Child process */
+		int fd, userns_fd;
+		__u64 child_userns_id;
+		uid_t orig_uid = getuid();
+		int setres_count;
+
+		close(pipefd[0]);
+
+		/* Create new user namespace */
+		userns_fd = get_userns_fd(0, orig_uid, 10);
+		if (userns_fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (setns(userns_fd, CLONE_NEWUSER) < 0) {
+			close(userns_fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(userns_fd);
+
+		/* Get user namespace ID */
+		fd = open("/proc/self/ns/user", O_RDONLY);
+		if (fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (ioctl(fd, NS_GET_ID, &child_userns_id) < 0) {
+			close(fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(fd);
+
+		write(pipefd[1], &child_userns_id, sizeof(child_userns_id));
+
+		/* Perform multiple setresuid() calls */
+		for (setres_count = 0; setres_count < 30; setres_count++) {
+			uid_t uid1 = (setres_count % 5);
+			uid_t uid2 = ((setres_count + 1) % 5);
+			uid_t uid3 = ((setres_count + 2) % 5);
+
+			if (setresuid(uid1, uid2, uid3) < 0) {
+				if (errno != EPERM) {
+					close(pipefd[1]);
+					exit(1);
+				}
+			}
+		}
+
+		close(pipefd[1]);
+		exit(0);
+	}
+
+	/* Parent process */
+	close(pipefd[1]);
+
+	if (read(pipefd[0], &userns_id, sizeof(userns_id)) != sizeof(userns_id)) {
+		close(pipefd[0]);
+		kill(pid, SIGKILL);
+		waitpid(pid, NULL, 0);
+		SKIP(return, "Failed to get namespace ID from child");
+	}
+	close(pipefd[0]);
+
+	waitpid(pid, &status, 0);
+	ASSERT_TRUE(WIFEXITED(status));
+	ASSERT_EQ(WEXITSTATUS(status), 0);
+
+	/* Verify namespace becomes inactive */
+	ret = sys_listns(&req, ns_ids, ARRAY_SIZE(ns_ids), 0);
+	if (ret < 0) {
+		if (errno == ENOSYS)
+			SKIP(return, "listns() not supported");
+		ASSERT_GE(ret, 0);
+	}
+
+	for (i = 0; i < ret; i++) {
+		if (ns_ids[i] == userns_id) {
+			found = true;
+			break;
+		}
+	}
+
+	ASSERT_FALSE(found);
+	TH_LOG("setresuid() correctly preserved active references (no leak)");
+}
+
+/*
+ * Test credential changes across multiple user namespaces.
+ * Create nested user namespaces and verify active reference tracking.
+ */
+TEST(cred_change_nested_userns)
+{
+	pid_t pid;
+	int status;
+	__u64 parent_userns_id, child_userns_id;
+	struct ns_id_req req = {
+		.size = sizeof(req),
+		.spare = 0,
+		.ns_id = 0,
+		.ns_type = CLONE_NEWUSER,
+		.spare2 = 0,
+		.user_ns_id = 0,
+	};
+	__u64 ns_ids[256];
+	ssize_t ret;
+	int i;
+	bool found_parent = false, found_child = false;
+	int pipefd[2];
+
+	ASSERT_EQ(pipe(pipefd), 0);
+
+	pid = fork();
+	ASSERT_GE(pid, 0);
+
+	if (pid == 0) {
+		/* Child process */
+		int fd, userns_fd;
+		__u64 parent_id, child_id;
+		uid_t orig_uid = getuid();
+
+		close(pipefd[0]);
+
+		/* Create first user namespace */
+		userns_fd = get_userns_fd(0, orig_uid, 1);
+		if (userns_fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (setns(userns_fd, CLONE_NEWUSER) < 0) {
+			close(userns_fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(userns_fd);
+
+		/* Get first namespace ID */
+		fd = open("/proc/self/ns/user", O_RDONLY);
+		if (fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (ioctl(fd, NS_GET_ID, &parent_id) < 0) {
+			close(fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(fd);
+
+		/* Create nested user namespace */
+		userns_fd = get_userns_fd(0, 0, 1);
+		if (userns_fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (setns(userns_fd, CLONE_NEWUSER) < 0) {
+			close(userns_fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(userns_fd);
+
+		/* Get nested namespace ID */
+		fd = open("/proc/self/ns/user", O_RDONLY);
+		if (fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (ioctl(fd, NS_GET_ID, &child_id) < 0) {
+			close(fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(fd);
+
+		/* Send both IDs to parent */
+		write(pipefd[1], &parent_id, sizeof(parent_id));
+		write(pipefd[1], &child_id, sizeof(child_id));
+
+		/* Perform some credential changes in nested namespace */
+		setuid(0);
+		setgid(0);
+
+		close(pipefd[1]);
+		exit(0);
+	}
+
+	/* Parent process */
+	close(pipefd[1]);
+
+	/* Read both namespace IDs */
+	if (read(pipefd[0], &parent_userns_id, sizeof(parent_userns_id)) != sizeof(parent_userns_id)) {
+		close(pipefd[0]);
+		kill(pid, SIGKILL);
+		waitpid(pid, NULL, 0);
+		SKIP(return, "Failed to get parent namespace ID");
+	}
+
+	if (read(pipefd[0], &child_userns_id, sizeof(child_userns_id)) != sizeof(child_userns_id)) {
+		close(pipefd[0]);
+		kill(pid, SIGKILL);
+		waitpid(pid, NULL, 0);
+		SKIP(return, "Failed to get child namespace ID");
+	}
+	close(pipefd[0]);
+
+	TH_LOG("Parent userns: %llu, Child userns: %llu",
+	       (unsigned long long)parent_userns_id,
+	       (unsigned long long)child_userns_id);
+
+	/* Verify both namespaces are active */
+	ret = sys_listns(&req, ns_ids, ARRAY_SIZE(ns_ids), 0);
+	if (ret < 0) {
+		kill(pid, SIGKILL);
+		waitpid(pid, NULL, 0);
+		if (errno == ENOSYS)
+			SKIP(return, "listns() not supported");
+		ASSERT_GE(ret, 0);
+	}
+
+	for (i = 0; i < ret; i++) {
+		if (ns_ids[i] == parent_userns_id)
+			found_parent = true;
+		if (ns_ids[i] == child_userns_id)
+			found_child = true;
+	}
+
+	ASSERT_TRUE(found_parent);
+	ASSERT_TRUE(found_child);
+
+	/* Wait for child */
+	waitpid(pid, &status, 0);
+	ASSERT_TRUE(WIFEXITED(status));
+	ASSERT_EQ(WEXITSTATUS(status), 0);
+
+	/* Verify both namespaces become inactive */
+	ret = sys_listns(&req, ns_ids, ARRAY_SIZE(ns_ids), 0);
+	ASSERT_GE(ret, 0);
+
+	found_parent = false;
+	found_child = false;
+	for (i = 0; i < ret; i++) {
+		if (ns_ids[i] == parent_userns_id)
+			found_parent = true;
+		if (ns_ids[i] == child_userns_id)
+			found_child = true;
+	}
+
+	ASSERT_FALSE(found_parent);
+	ASSERT_FALSE(found_child);
+	TH_LOG("Nested user namespace credential changes preserved active refs (no leak)");
+}
+
+/*
+ * Test rapid credential changes don't cause refcount imbalances.
+ * This stress-tests the switch_cred_namespaces() logic.
+ */
+TEST(rapid_cred_changes_no_leak)
+{
+	pid_t pid;
+	int status;
+	__u64 userns_id;
+	struct ns_id_req req = {
+		.size = sizeof(req),
+		.spare = 0,
+		.ns_id = 0,
+		.ns_type = CLONE_NEWUSER,
+		.spare2 = 0,
+		.user_ns_id = 0,
+	};
+	__u64 ns_ids[256];
+	ssize_t ret;
+	int i;
+	bool found = false;
+	int pipefd[2];
+
+	ASSERT_EQ(pipe(pipefd), 0);
+
+	pid = fork();
+	ASSERT_GE(pid, 0);
+
+	if (pid == 0) {
+		/* Child process */
+		int fd, userns_fd;
+		__u64 child_userns_id;
+		uid_t orig_uid = getuid();
+		int change_count;
+
+		close(pipefd[0]);
+
+		/* Create new user namespace with wider range of UIDs/GIDs */
+		userns_fd = get_userns_fd(0, orig_uid, 100);
+		if (userns_fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (setns(userns_fd, CLONE_NEWUSER) < 0) {
+			close(userns_fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(userns_fd);
+
+		/* Get user namespace ID */
+		fd = open("/proc/self/ns/user", O_RDONLY);
+		if (fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (ioctl(fd, NS_GET_ID, &child_userns_id) < 0) {
+			close(fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(fd);
+
+		write(pipefd[1], &child_userns_id, sizeof(child_userns_id));
+
+		/*
+		 * Perform many rapid credential changes.
+		 * Mix setuid, setgid, setreuid, setregid, setresuid, setresgid.
+		 */
+		for (change_count = 0; change_count < 200; change_count++) {
+			switch (change_count % 6) {
+			case 0:
+				setuid(change_count % 50);
+				break;
+			case 1:
+				setgid(change_count % 50);
+				break;
+			case 2:
+				setreuid(change_count % 50, (change_count + 1) % 50);
+				break;
+			case 3:
+				setregid(change_count % 50, (change_count + 1) % 50);
+				break;
+			case 4:
+				setresuid(change_count % 50, (change_count + 1) % 50, (change_count + 2) % 50);
+				break;
+			case 5:
+				setresgid(change_count % 50, (change_count + 1) % 50, (change_count + 2) % 50);
+				break;
+			}
+		}
+
+		close(pipefd[1]);
+		exit(0);
+	}
+
+	/* Parent process */
+	close(pipefd[1]);
+
+	if (read(pipefd[0], &userns_id, sizeof(userns_id)) != sizeof(userns_id)) {
+		close(pipefd[0]);
+		kill(pid, SIGKILL);
+		waitpid(pid, NULL, 0);
+		SKIP(return, "Failed to get namespace ID from child");
+	}
+	close(pipefd[0]);
+
+	TH_LOG("Testing with user namespace ID: %llu", (unsigned long long)userns_id);
+
+	waitpid(pid, &status, 0);
+	ASSERT_TRUE(WIFEXITED(status));
+	ASSERT_EQ(WEXITSTATUS(status), 0);
+
+	/* Verify namespace becomes inactive (no leaked active refs) */
+	ret = sys_listns(&req, ns_ids, ARRAY_SIZE(ns_ids), 0);
+	if (ret < 0) {
+		if (errno == ENOSYS)
+			SKIP(return, "listns() not supported");
+		ASSERT_GE(ret, 0);
+	}
+
+	for (i = 0; i < ret; i++) {
+		if (ns_ids[i] == userns_id) {
+			found = true;
+			break;
+		}
+	}
+
+	ASSERT_FALSE(found);
+	TH_LOG("200 rapid credential changes completed with no active ref leak");
+}
+
+/*
+ * Test setfsuid/setfsgid which change filesystem UID/GID.
+ * These also trigger credential changes but may have different code paths.
+ */
+TEST(setfsuid_preserves_active_refs)
+{
+	pid_t pid;
+	int status;
+	__u64 userns_id;
+	struct ns_id_req req = {
+		.size = sizeof(req),
+		.spare = 0,
+		.ns_id = 0,
+		.ns_type = CLONE_NEWUSER,
+		.spare2 = 0,
+		.user_ns_id = 0,
+	};
+	__u64 ns_ids[256];
+	ssize_t ret;
+	int i;
+	bool found = false;
+	int pipefd[2];
+
+	ASSERT_EQ(pipe(pipefd), 0);
+
+	pid = fork();
+	ASSERT_GE(pid, 0);
+
+	if (pid == 0) {
+		/* Child process */
+		int fd, userns_fd;
+		__u64 child_userns_id;
+		uid_t orig_uid = getuid();
+		int change_count;
+
+		close(pipefd[0]);
+
+		/* Create new user namespace */
+		userns_fd = get_userns_fd(0, orig_uid, 10);
+		if (userns_fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (setns(userns_fd, CLONE_NEWUSER) < 0) {
+			close(userns_fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(userns_fd);
+
+		/* Get user namespace ID */
+		fd = open("/proc/self/ns/user", O_RDONLY);
+		if (fd < 0) {
+			close(pipefd[1]);
+			exit(1);
+		}
+
+		if (ioctl(fd, NS_GET_ID, &child_userns_id) < 0) {
+			close(fd);
+			close(pipefd[1]);
+			exit(1);
+		}
+		close(fd);
+
+		write(pipefd[1], &child_userns_id, sizeof(child_userns_id));
+
+		/* Perform multiple setfsuid/setfsgid calls */
+		for (change_count = 0; change_count < 50; change_count++) {
+			setfsuid(change_count % 10);
+			setfsgid(change_count % 10);
+		}
+
+		close(pipefd[1]);
+		exit(0);
+	}
+
+	/* Parent process */
+	close(pipefd[1]);
+
+	if (read(pipefd[0], &userns_id, sizeof(userns_id)) != sizeof(userns_id)) {
+		close(pipefd[0]);
+		kill(pid, SIGKILL);
+		waitpid(pid, NULL, 0);
+		SKIP(return, "Failed to get namespace ID from child");
+	}
+	close(pipefd[0]);
+
+	waitpid(pid, &status, 0);
+	ASSERT_TRUE(WIFEXITED(status));
+	ASSERT_EQ(WEXITSTATUS(status), 0);
+
+	/* Verify namespace becomes inactive */
+	ret = sys_listns(&req, ns_ids, ARRAY_SIZE(ns_ids), 0);
+	if (ret < 0) {
+		if (errno == ENOSYS)
+			SKIP(return, "listns() not supported");
+		ASSERT_GE(ret, 0);
+	}
+
+	for (i = 0; i < ret; i++) {
+		if (ns_ids[i] == userns_id) {
+			found = true;
+			break;
+		}
+	}
+
+	ASSERT_FALSE(found);
+	TH_LOG("setfsuid/setfsgid correctly preserved active references (no leak)");
+}
+
+TEST_HARNESS_MAIN