Re: [PATCH] mm: do file ownership checks with the proper mount idmap
From: Pedro Falcato
Date: Fri Jun 26 2026 - 05:30:45 EST
On Thu, Jun 25, 2026 at 11:29:03AM -0700, Andrew Morton wrote:
> On Thu, 25 Jun 2026 16:38:53 +0100 Pedro Falcato <pfalcato@xxxxxxx> wrote:
>
> > Ever since idmapped mounts were introduced, inode ownership checks
> > (for side-channel protection) in mincore() and madvise(MADV_PAGEOUT) were
> > done against the nop_mnt_idmap, which completely ignores the file's mount's
> > idmap. This results in odd edgecases like:
> >
> > 1) mount/bind-mount with an idmap userA:userB:1
> > 2) userB runs an owner_or_capable() check on file that is owned by userA
> > on-disk/in-memory, but owned by userB after idmap translation
> > 3) owner_or_capable() mysteriously fails as the correct idmap wasn't supplied
> >
> > In the case of mincore/madvise MADV_PAGEOUT, this is usually benign, because
> > file_permission(file, MAY_WRITE) will probably succeed, as it uses the proper
> > idmap internally, but it does not need to be the case on e.g a 0444 file
> > where even the owner itself doesn't have permissions to write to it.
> >
> > Since this is clearly not trivial to get right, introduce a
> > file_owner_or_capable() that can carry the correct semantics, and switch
> > the various users in mm to it.
> >
> > The issue was found by manual code inspection & an off-list discussion with
> > Jan Kara.
>
> Do our idmap selftests tickle these issues? If not, is it hard to add?
In theory we could add this to tools/testing/selftests/mount_setattr/mount_setattr_test.c, but
that seems like the wrong place for an mm regression test. And if we add it
somewhere else, we'll have to deal with the bureaucracy of setting up an idmapped
mount (including setting up a filesystem image!). I'm taking suggestions :)
>
> > I noticed there are a couple of call sites in fs/ that could perhaps be
> > cleaned up with the added helper, but I'm skipping that for now for brevity's
> > sake.
>
> You could do this as a 2-patch series, because:
>
> > include/linux/fs.h | 5 +++++
> > mm/filemap.c | 2 +-
> > mm/madvise.c | 3 +--
> > mm/mincore.c | 3 +--
> > 4 files changed, 8 insertions(+), 5 deletions(-)
>
> it touches mm/ but ->Christian, please.
>
> (or I can queue it with Christian's ack, of course)
Understood.
--
Pedro