From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 50AE5347BD4;
	Fri, 15 May 2026 13:06:02 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778850362; cv=none; b=pCcnpmZBcv8lJClnGcDg4daGKtz733kYosQ0ZWa3Sx65O0x9bIjbRWmCgGkeclvyLtmJq4RwOmxNw8AmopaVxhJMjO+Tp64f3BnXFSOavHW/RFpVc8djWI3eoCjCpERy7dZQ3A3Jbtx6aZGwY8XXTfcGK5e0zHW8vBKbMzMY6Ss=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778850362; c=relaxed/simple;
	bh=ZKrcaIAqjbq6qgO8wyxf1kRFGEzD63LyW5DFComrd8U=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version; b=oJCgYHCEtln+jquSDIsdXZXwRDiUO8/PXc+JP84L4RajLAOc5c4nEv6+J0E06FR1tjd7dQcM/rgbxMEBrX8njR53+oa3j3HZj4PcjAPg1lvbB8++wFqtHBt+VIQ3NgkVvmDQ6zI9AM/916q2MxVQlTBb0C96BaLnB0I7iL3WjwI=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=zrnaedGR; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="zrnaedGR"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id B11BFC2BCB0;
	Fri, 15 May 2026 13:06:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
	s=korg; t=1778850362;
	bh=ZKrcaIAqjbq6qgO8wyxf1kRFGEzD63LyW5DFComrd8U=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=zrnaedGR0U8ynqMWxt5Zw77174eeWYVXZNdxZFsQ7ZC6pfMe3KWIB8WFF+B2t1SEL
	 HpZZvIjhwRwS2RRQaY2dSG0sbVqg53tAPcbkGp4F5oavKQmMxL/yEok/O7iHJF/AVZ
	 PFCv+dbkho89vdohPHspAPd8yJaaf6T3/c4fdDoI=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org,
	akpm@linux-foundation.org,
	torvalds@linux-foundation.org,
	stable@vger.kernel.org
Cc: lwn@lwn.net,
	jslaby@suse.cz,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: Linux 6.12.89
Date: Fri, 15 May 2026 15:05:58 +0200
Message-ID: <2026051558-flounder-duplicate-a3d3@gregkh>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <2026051558-squishy-rubbing-7ac1@gregkh>
References: <2026051558-squishy-rubbing-7ac1@gregkh>
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
List-Id: <stable.vger.kernel.org>
List-Subscribe: <mailto:stable+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:stable+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

diff --git a/Makefile b/Makefile
index 9dbf9983e0e3..51f2e428364b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 12
-SUBLEVEL = 88
+SUBLEVEL = 89
 EXTRAVERSION =
 NAME = Baby Opossum Posse
 
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 321e088f9ee7..2e4c437c7c90 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -969,6 +969,9 @@ struct task_struct {
 	unsigned			sched_rt_mutex:1;
 #endif
 
+	/* Save user-dumpable when mm goes away */
+	unsigned			user_dumpable:1;
+
 	/* Bit to tell TOMOYO we're in execve(): */
 	unsigned			in_execve:1;
 	unsigned			in_iowait:1;
diff --git a/kernel/exit.c b/kernel/exit.c
index 021403fc756a..b91124b2d334 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -561,6 +561,7 @@ static void exit_mm(void)
 	 */
 	smp_mb__after_spinlock();
 	local_irq_disable();
+	current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
 	current->mm = NULL;
 	membarrier_update_current_mm(NULL);
 	enter_lazy_tlb(mm, current);
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index d5f89f9ef29f..75bcc152606c 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
 	return ns_capable(ns, CAP_SYS_PTRACE);
 }
 
+static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
+{
+	struct mm_struct *mm = task->mm;
+	if (mm) {
+		if (get_dumpable(mm) == SUID_DUMP_USER)
+			return true;
+		return ptrace_has_cap(mm->user_ns, mode);
+	}
+
+	if (task->user_dumpable)
+		return true;
+	return ptrace_has_cap(&init_user_ns, mode);
+}
+
 /* Returns 0 on success, -errno on denial. */
 static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 {
 	const struct cred *cred = current_cred(), *tcred;
-	struct mm_struct *mm;
 	kuid_t caller_uid;
 	kgid_t caller_gid;
 
@@ -337,11 +350,8 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 	 * Pairs with a write barrier in commit_creds().
 	 */
 	smp_rmb();
-	mm = task->mm;
-	if (mm &&
-	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
-	     !ptrace_has_cap(mm->user_ns, mode)))
-	    return -EPERM;
+	if (!task_still_dumpable(task, mode))
+		return -EPERM;
 
 	return security_ptrace_access_check(task, mode);
 }