From: "Lorenzo Stoakes (ARM)" <ljs@kernel.org>
To: Pedro Falcato <pfalcato@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"Liam R. Howlett" <liam@infradead.org>,
Vlastimil Babka <vbabka@kernel.org>,
Jann Horn <jannh@google.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Kees Cook <kees@kernel.org>,
David Hildenbrand <david@kernel.org>,
Mike Rapoport <rppt@kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Michal Hocko <mhocko@suse.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 2/3] mm/mseal: limit scope of mseal address zero to address zero
Date: Thu, 16 Jul 2026 16:38:12 +0100 [thread overview]
Message-ID: <alj1Cyt4JvbVM7tB@lucifer> (raw)
In-Reply-To: <aljyYdgzRZW1kIhs@pedro-suse.lan>
On Thu, Jul 16, 2026 at 04:06:20PM +0100, Pedro Falcato wrote:
> On Thu, Jul 16, 2026 at 02:43:10PM +0100, Lorenzo Stoakes (ARM) wrote:
> > Commit 44f65d900698 ("binfmt_elf: mseal address zero") unconditionally
> > provided do_mseal() to any internal kernel caller in order to address a
> > corner case slated for possible removal.
> >
> > It also incorrectly attempts to mseal() without checking to see whether the
> > mapping even succeeded.
> >
> > Restrict the scope to the corner case by providing mseal_mmap_page_zero()
> > which asserts the MMAP_PAGE_ZERO personality.
> >
> > Avoid unnecessary checks in the start, end range by abstracting the actual
> > mseal()'ing to mseal() and have mseal_mmap_page_zero() call that instead.
> >
> > Only try to seal the VMA if we mapped the VMA.
> >
> > Signed-off-by: Lorenzo Stoakes (ARM) <ljs@kernel.org>
> > ---
> > fs/binfmt_elf.c | 7 ++-----
> > include/linux/mm.h | 8 ++------
> > mm/mseal.c | 48 +++++++++++++++++++++++++++++++++++-------------
> > 3 files changed, 39 insertions(+), 24 deletions(-)
> >
> > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> > index 16a56b6b3f6c..e3131a311995 100644
> > --- a/fs/binfmt_elf.c
> > +++ b/fs/binfmt_elf.c
> > @@ -1353,11 +1353,8 @@ static int load_elf_binary(struct linux_binprm *bprm)
> > emulate the SVr4 behavior. Sigh. */
> > error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
> > MAP_FIXED | MAP_PRIVATE, 0);
>
> I think pedantically load_elf_binary() should error out on mmap error, no?
> Not that this personality is used in the big 2026 however...
I'm not sure I implied otherwise?
But yes I'm aware, the point is to not try to mseal() an unmapped range knowingly.
The fact we 'get away with it' now is irrelevant.
I can update the commit message if a respin is necessary to spell this out (I
thought it was obvious).
>
> > -
> > - retval = do_mseal(0, PAGE_SIZE, 0);
> > - if (retval)
> > - pr_warn_ratelimited("pid=%d, couldn't seal address 0, ret=%d.\n",
> > - task_pid_nr(current), retval);
> > + if (!error)
> > + mseal_mmap_page_zero();
> > }
> >
> > regs = current_pt_regs();
> > diff --git a/include/linux/mm.h b/include/linux/mm.h
> > index 550fb92957d1..87feaa5a2b78 100644
> > --- a/include/linux/mm.h
> > +++ b/include/linux/mm.h
> > @@ -5291,13 +5291,9 @@ int reserve_mem_find_by_name(const char *name, phys_addr_t *start, phys_addr_t *
> > int reserve_mem_release_by_name(const char *name);
> >
> > #ifdef CONFIG_64BIT
> > -int do_mseal(unsigned long start, size_t len_in, unsigned long flags);
> > +void mseal_mmap_page_zero(void);
> > #else
> > -static inline int do_mseal(unsigned long start, size_t len_in, unsigned long flags)
> > -{
> > - /* noop on 32 bit */
> > - return 0;
> > -}
> > +static inline void mseal_mmap_page_zero(void) {}
> > #endif
> >
> > /*
> > diff --git a/mm/mseal.c b/mm/mseal.c
> > index 207fea89c61e..5930551d84f2 100644
> > --- a/mm/mseal.c
> > +++ b/mm/mseal.c
> > @@ -32,7 +32,7 @@ static bool range_contains_unmapped(unsigned long start, unsigned long end)
> > return prev_end < end;
> > }
> >
> > -static int mseal_apply(unsigned long start, unsigned long end)
> > +static int __mseal(unsigned long start, unsigned long end)
>
> Why? I think the previous name is perfectly cromulent.
Because this is what actually mseal()'s, the _apply is not really useful.
The __ is because it's unlocked.
The point here is to eliminate useless indirection, so calling the function that
mseals, 'mseal' seems sensible.
>
> > {
> > struct vm_area_struct *vma, *prev;
> > VMA_ITERATOR(vmi, current->mm, start);
> > @@ -66,6 +66,38 @@ static int mseal_apply(unsigned long start, unsigned long end)
> > return 0;
> > }
> >
> > +static int mseal(unsigned long start, unsigned long end)
>
> I don't like that you go start - end on a function called "mseal". The actual
> system call goes start - len. It just looks confusing :) So either rename it
> to mseal_range(), or make it take a start, length pair.
I'm not sure I really understand the confusion (I suppose you're equally
confused by the lack of flags parameter?),
I find it silly that we avoid function names because a system call of the same
name exists.
But I guess I can rename it to mseal_range() since I don't want the series
blocked on silly naming issues.
The reason for passing end (which was already the case) is that the syscall
already calculates it and we need it to do the actual mseal.
>
> The overall spirit of the change LGTM however.
OK.
>
> --
> Pedro
Thanks, Lorenzo
next prev parent reply other threads:[~2026-07-16 15:38 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-16 13:43 [PATCH 0/3] mm/mseal: further cleanups Lorenzo Stoakes (ARM)
2026-07-16 13:43 ` [PATCH 1/3] mm/mseal: remove superfluous comments, fix confusion around mm Lorenzo Stoakes (ARM)
2026-07-16 15:00 ` Pedro Falcato
2026-07-16 13:43 ` [PATCH 2/3] mm/mseal: limit scope of mseal address zero to address zero Lorenzo Stoakes (ARM)
2026-07-16 15:06 ` Pedro Falcato
2026-07-16 15:38 ` Lorenzo Stoakes (ARM) [this message]
2026-07-16 13:43 ` [PATCH 3/3] mm/mseal: remove further superfluous comments, do_mseal() Lorenzo Stoakes (ARM)
2026-07-16 15:09 ` Pedro Falcato
2026-07-16 15:13 ` Lorenzo Stoakes (ARM)
2026-07-16 13:48 ` [PATCH 0/3] mm/mseal: further cleanups Lorenzo Stoakes (ARM)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alj1Cyt4JvbVM7tB@lucifer \
--to=ljs@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=david@kernel.org \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=kees@kernel.org \
--cc=liam@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=pfalcato@suse.de \
--cc=rppt@kernel.org \
--cc=surenb@google.com \
--cc=vbabka@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox