Re: [PATCH] mm/migrate: find_mm_struct: fix race between security checks and suid exec
From: Gregory Price
Date: Wed May 27 2026 - 14:27:32 EST
On Tue, May 26, 2026 at 04:42:11PM +0200, Oleg Nesterov wrote:
> The target task can execute a setuid binary between ptrace_may_access()
> and get_task_mm(). Protect this critical section with exec_update_lock.
>
> I don't think cpuset_mems_allowed(task) should be called under
> exec_update_lock, but this patch just tries to add the minimal fix.
>
Claude suggests this is at least safe and the correct ordering, for
which there already exists code that does the same thing:
This ordering already exists in the exec path itself: exec_mmap()
write-locks exec_update_lock, and subsequent memory allocations
during exec can reach callback_lock through the page allocator's
cpuset checks (cpuset_zone_allowed etc.).
This is in line with my experience hacking on page_alloc.c and cgroups:
the callback lock is always the inner-most lock, so lgtm.
> Perhaps we can later add a common helper which can be used by
> find_mm_struct() and kernel_migrate_pages().
>
> Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx>
Reviewed-by: Gregory Price <gourry@xxxxxxxxxx>
~Gregory
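The race Oleg's commit message describes, as an added illustration that is not part of this thread and not kernel code: a single-threaded toy model in which the target's "exec" runs as a callback inside the window between the access check and fetching the mm, so the interleaving is deterministic. The unlocked variant hands an unprivileged caller the post-exec (setuid-root) mm; the variant that holds the model's exec_update_lock for read parks the exec until the section is over, so the mm returned is the one the check was made against. Names such as struct task, exec_setuid(), find_mm_racy() and find_mm_locked() are assumptions of the model, not identifiers from the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy single-threaded model written for illustration; not kernel code.
 * Assumed names: struct mm/task, exec_setuid(), find_mm_racy(),
 * find_mm_locked(). The "concurrent" exec is a callback invoked in the
 * check-then-use window, which makes the interleaving deterministic. */

struct mm {
    int id;
    unsigned owner_uid;   /* uid that owns this address space */
};

struct task {
    unsigned uid;         /* credential consulted by the access check */
    struct mm *mm;        /* address space, replaced by exec */
    int readers;          /* exec_update_lock: read holders */
    bool exec_pending;    /* writer parked behind the readers */
};

static struct mm mm_ordinary = { 1, 1000 };
static struct mm mm_suid     = { 2, 0 };

/* exec of a setuid-root binary. It needs exec_update_lock for write, so while
 * a reader holds the lock it parks and completes once the reader lets go. */
static void exec_setuid(struct task *t)
{
    if (t->readers > 0) {
        t->exec_pending = true;
        return;
    }
    t->uid = 0;            /* new credentials ... */
    t->mm = &mm_suid;      /* ... and new address space, swapped together */
}

/* Model of ptrace_may_access(): root, or same uid as the target. */
static bool ptrace_may_access(const struct task *t, unsigned caller_uid)
{
    return caller_uid == 0 || caller_uid == t->uid;
}

typedef void (*window_hook)(struct task *t);

/* Check then use with no lock: whatever runs in the window can swap the
 * target's credentials and mm out from under the caller. */
static struct mm *find_mm_racy(struct task *t, unsigned caller_uid, window_hook hook)
{
    if (!ptrace_may_access(t, caller_uid))
        return NULL;
    if (hook)
        hook(t);           /* the target execs here */
    return t->mm;          /* get_task_mm(): now the post-exec mm */
}

static void exec_update_read_unlock(struct task *t)
{
    if (--t->readers == 0 && t->exec_pending) {
        t->exec_pending = false;
        exec_setuid(t);    /* the parked writer proceeds only now */
    }
}

/* Same check and use, but under exec_update_lock taken for read. */
static struct mm *find_mm_locked(struct task *t, unsigned caller_uid, window_hook hook)
{
    struct mm *mm = NULL;

    t->readers++;
    if (ptrace_may_access(t, caller_uid)) {
        if (hook)
            hook(t);       /* exec parks until we unlock */
        mm = t->mm;        /* still the mm the check was made against */
    }
    exec_update_read_unlock(t);
    return mm;
}

static void concurrent_exec(struct task *t) { exec_setuid(t); }

/* Drive one variant: an unprivileged caller (uid 1000) probes a same-uid
 * task that execs a setuid-root binary in the window. Returns true when the
 * caller walks away with an mm it was never allowed to access. */
static bool leaks_privileged_mm(struct mm *(*find)(struct task *, unsigned, window_hook))
{
    struct task victim = { .uid = 1000, .mm = &mm_ordinary };
    const unsigned caller_uid = 1000;
    struct mm *mm = find(&victim, caller_uid, concurrent_exec);

    return mm != NULL && mm->owner_uid != caller_uid;
}

int main(void)
{
    printf("unlocked: leak=%d\n", leaks_privileged_mm(find_mm_racy));   /* 1 */
    printf("locked:   leak=%d\n", leaks_privileged_mm(find_mm_locked)); /* 0 */
    return 0;
}
```

The model deliberately leaves cpuset_mems_allowed() out of the critical section, matching the point in the commit message that only the check-to-get_task_mm() window needs to sit under the lock.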