Date: Sat, 30 May 2026 16:12:32 +0200
From: Oleg Nesterov
To: Andrew Morton
Cc: Christian Brauner, David Hildenbrand, Jann Horn, Kees Cook, Lorenzo Stoakes, Michal Hocko, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH v2] mm_access: simplify the security checks

1. Shift the fast-path "mm == current->mm" check from may_access_mm() to mm_access(), and do it locklessly.

   task->mm is not stable but we do not care. We can race with exec, but in this case we pin/return current->mm. This doesn't differ from the case where the target execs after we drop exec_update_lock.

   All we need for correctness is READ_ONCE() to ensure the compiler won't reload task->mm. This is not enough for KCSAN, but we already have other lockless ->mm LOADs. We should probably change exec_mmap/exit_mm to use WRITE_ONCE().

2. With the change above, may_access_mm() doesn't need the "mm" argument, so we do not need to call get_task_mm() beforehand. We can call it only if may_access_mm() succeeds.

Signed-off-by: Oleg Nesterov
---
 kernel/fork.c | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c index b8b651abce8b..3239380ab93b 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1381,10 +1381,8 @@ struct mm_struct *get_task_mm(struct task_struct *ta= sk) } EXPORT_SYMBOL_GPL(get_task_mm); =20 -static bool may_access_mm(struct mm_struct *mm, struct task_struct *task, = unsigned int mode) +static bool may_access_mm(struct task_struct *task, unsigned int mode) { - if (mm =3D=3D current->mm) - return true; if (ptrace_may_access(task, mode)) return true; if ((mode & PTRACE_MODE_READ) && perfmon_capable())
@@ -1394,20 +1392,24 @@ static bool may_access_mm(struct mm_struct *mm, str= uct task_struct *task, unsign =20 struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) { - struct mm_struct *mm; - int err; + struct mm_struct *mm =3D READ_ONCE(task->mm); =20 - err =3D down_read_killable(&task->signal->exec_update_lock); - if (err) - return ERR_PTR(err); + if (!mm || (task->flags & PF_KTHREAD)) + return ERR_PTR(-ESRCH); =20 - mm =3D get_task_mm(task); - if (!mm) { - mm =3D ERR_PTR(-ESRCH); - } else if (!may_access_mm(mm, task, mode)) { - mmput(mm); - mm =3D ERR_PTR(-EACCES); + if (mm =3D=3D current->mm) { + mmget(mm); + return mm; } + + if (down_read_killable(&task->signal->exec_update_lock)) + return ERR_PTR(-EINTR); + + if (may_access_mm(task, mode)) + mm =3D get_task_mm(task) ?: ERR_PTR(-ESRCH); + else + mm =3D ERR_PTR(-EACCES); + up_read(&task->signal->exec_update_lock); =20 return mm; --=20 2.52.0
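Review bot: in the first hunk, dropping the `mm == current->mm` short-circuit from may_access_mm() turns "the caller has already handled self-access" into an unstated precondition of the function; since it is `static`, confirm that mm_access() is its only caller in kernel/fork.c, and add a one-line comment above the new signature saying the current->mm case is handled by mm_access(), so a future caller does not route a task's own mm through ptrace_may_access() and the perfmon_capable() fallback by accident.

Review bot: in the second hunk, the `down_read_killable()` failure path now returns a literal `ERR_PTR(-EINTR)` instead of propagating the call's return value as the old `err` variable did; that is what the function returns today, but it hard-codes a detail of the locking API and the commit message does not mention the change. Consider keeping `int err = down_read_killable(&task->signal->exec_update_lock); if (err) return ERR_PTR(err);`. The `READ_ONCE(task->mm)` fast path and the unlocked `task->flags & PF_KTHREAD` test also deserve a short comment in the code stating that they are intentionally lockless and why the exec race is benign (the caller either pins its own mm or sees the post-exec state, exactly as if the target had exec'd after the lock was dropped), so the reasoning from the commit message survives next to the code and the next reader does not flag it as a data race.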