From: Kees Cook <kees@kernel.org>
To: Andrei Vagin <avagin@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Mike Rapoport <rppt@kernel.org>,
Alexander Mikhalitsyn <alexander@mihalicyn.com>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, criu@lists.linux.dev,
Chen Ridong <chenridong@huawei.com>,
Christian Brauner <brauner@kernel.org>,
David Hildenbrand <david@kernel.org>,
Eric Biederman <ebiederm@xmission.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Michal Koutny <mkoutny@suse.com>
Subject: Re: [PATCH 3/4] mm: synchronize saved_auxv access with arg_lock
Date: Thu, 12 Feb 2026 15:53:35 -0800 [thread overview]
Message-ID: <202602121552.C2AFE712@keescook> (raw)
In-Reply-To: <20260209190605.1564597-4-avagin@google.com>
On Mon, Feb 09, 2026 at 07:06:04PM +0000, Andrei Vagin wrote:
> The mm->saved_auxv array stores the auxiliary vector, which can be
> modified via prctl(PR_SET_MM_AUXV) or prctl(PR_SET_MM_MAP). Previously,
> accesses to saved_auxv were not synchronized. This was a intentional
> trade-off, as the vector was only used to provide information to
> userspace via /proc/PID/auxv or prctl(PR_GET_AUXV), and consistency
> between the auxv values left to userspace.
>
> With the introduction of hardware capability (HWCAP) inheritance during
> execve, the kernel now relies on the contents of saved_auxv to configure
> the execution environment of new processes. An unsynchronized read
> during execve could result in a new process inheriting an inconsistent
> set of capabilities if the parent process updates its auxiliary vector
> concurrently.
>
> While it is still not strictly required to guarantee the consistency of
> auxv values on the kernel side, doing so is relatively straightforward.
> This change implements synchronization using arg_lock.
>
> Signed-off-by: Andrei Vagin <avagin@google.com>
> ---
> fs/exec.c | 8 ++++++--
> fs/proc/base.c | 12 +++++++++---
> kernel/fork.c | 7 ++++++-
> kernel/sys.c | 29 ++++++++++++++---------------
> 4 files changed, 35 insertions(+), 21 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 7401efbe4ba0..d7e3ad8c8051 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1793,6 +1793,7 @@ static int bprm_execve(struct linux_binprm *bprm)
>
> static void inherit_hwcap(struct linux_binprm *bprm)
> {
> + struct mm_struct *mm = current->mm;
> int i, n;
>
> #ifdef ELF_HWCAP4
> @@ -1805,10 +1806,12 @@ static void inherit_hwcap(struct linux_binprm *bprm)
> n = 1;
> #endif
>
> + spin_lock(&mm->arg_lock);
> for (i = 0; n && i < AT_VECTOR_SIZE; i += 2) {
> - long val = current->mm->saved_auxv[i + 1];
> + unsigned long type = mm->saved_auxv[i];
> + unsigned long val = mm->saved_auxv[i + 1];
Ah, I see the signed/unsigned is fixed here. :)
I don't see anything in here that is fast-path, so the locking seems
fine to me.
--
Kees Cook
next prev parent reply other threads:[~2026-02-12 23:53 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-09 19:06 [PATCH 0/4 v3] exec: inherit HWCAPs from the parent process Andrei Vagin
2026-02-09 19:06 ` [PATCH 1/4] binfmt_elf_fdpic: fix AUXV size calculation for ELF_HWCAP3 and ELF_HWCAP4 Andrei Vagin
2026-02-10 19:59 ` Alexander Mikhalitsyn
2026-02-09 19:06 ` [PATCH 2/4] exec: inherit HWCAPs from the parent process Andrei Vagin
2026-02-10 20:13 ` Alexander Mikhalitsyn
2026-02-12 23:49 ` Kees Cook
2026-02-09 19:06 ` [PATCH 3/4] mm: synchronize saved_auxv access with arg_lock Andrei Vagin
2026-02-10 9:48 ` Michal Koutný
2026-02-10 20:36 ` Alexander Mikhalitsyn
2026-02-11 1:08 ` Andrei Vagin
2026-02-12 23:53 ` Kees Cook [this message]
2026-02-09 19:06 ` [PATCH 4/4] selftests/exec: add test for HWCAP inheritance Andrei Vagin
2026-02-10 20:37 ` Alexander Mikhalitsyn
2026-02-12 23:57 ` Kees Cook
2026-02-10 19:28 ` [PATCH 0/4 v3] exec: inherit HWCAPs from the parent process Cyrill Gorcunov
-- strict thread matches above, loose matches on Subject: below --
2026-02-17 18:01 [PATCH 0/4 v4] " Andrei Vagin
2026-02-17 18:01 ` [PATCH 3/4] mm: synchronize saved_auxv access with arg_lock Andrei Vagin
2026-03-23 17:53 [PATCH 0/4 v5] exec: inherit HWCAPs from the parent process Andrei Vagin
2026-03-23 17:53 ` [PATCH 3/4] mm: synchronize saved_auxv access with arg_lock Andrei Vagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202602121552.C2AFE712@keescook \
--to=kees@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=alexander@mihalicyn.com \
--cc=avagin@google.com \
--cc=brauner@kernel.org \
--cc=chenridong@huawei.com \
--cc=criu@lists.linux.dev \
--cc=david@kernel.org \
--cc=ebiederm@xmission.com \
--cc=gorcunov@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mkoutny@suse.com \
--cc=rppt@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.