Re: [PATCH] mm: do file ownership checks with the proper mount idmap
From: Andrew Morton
Date: Thu Jun 25 2026 - 14:30:19 EST
On Thu, 25 Jun 2026 16:38:53 +0100 Pedro Falcato <pfalcato@xxxxxxx> wrote:
> Ever since idmapped mounts were introduced, inode ownership checks
> (for side-channel protection) in mincore() and madvise(MADV_PAGEOUT) were
> done against the nop_mnt_idmap, which completely ignores the file's mount's
> idmap. This results in odd edgecases like:
>
> 1) mount/bind-mount with an idmap userA:userB:1
> 2) userB runs an owner_or_capable() check on file that is owned by userA
> on-disk/in-memory, but owned by userB after idmap translation
> 3) owner_or_capable() mysteriously fails as the correct idmap wasn't supplied
>
> In the case of mincore/madvise MADV_PAGEOUT, this is usually benign, because
> file_permission(file, MAY_WRITE) will probably succeed, as it uses the proper
> idmap internally, but it does not need to be the case on e.g a 0444 file
> where even the owner itself doesn't have permissions to write to it.
>
> Since this is clearly not trivial to get right, introduce a
> file_owner_or_capable() that can carry the correct semantics, and switch
> the various users in mm to it.
>
> The issue was found by manual code inspection & an off-list discussion with
> Jan Kara.
Do our idmap selftests tickle these issues? If not, is it hard to add?
> I noticed there are a couple of call sites in fs/ that could perhaps be
> cleaned up with the added helper, but I'm skipping that for now for brevity's
> sake.
You could do this as a 2-patch series, because:
> include/linux/fs.h | 5 +++++
> mm/filemap.c | 2 +-
> mm/madvise.c | 3 +--
> mm/mincore.c | 3 +--
> 4 files changed, 8 insertions(+), 5 deletions(-)
it touches mm/ but ->Christian, please.
(or I can queue it with Christian's ack, of course)