On April 28, 2025 3:46:06 AM PDT, Lorenzo Stoakes <lorenzo.stoakes@xxxxxxxxxx> wrote:
>On Mon, Apr 28, 2025 at 09:53:05AM +0100, Lorenzo Stoakes wrote:
>> On Fri, Apr 25, 2025 at 10:09:34AM -0700, Kees Cook wrote:
>> > On Fri, Apr 25, 2025 at 03:54:34PM +0100, Lorenzo Stoakes wrote:
>> > > There are peculiarities within the kernel where what is very clearly mm
>> > > code is performed elsewhere arbitrarily.
>> > >
>> > > This violates separation of concerns and makes it harder to refactor code
>> > > to make changes to how fundamental initialisation and operation of mm logic
>> > > is performed.
>> > >
>> > > One such case is the creation of the VMA containing the initial stack upon
>> > > execve()'ing a new process. This is currently performed in __bprm_mm_init()
>> > > in fs/exec.c.
>> > >
>> > > Abstract this operation to create_init_stack_vma(). This allows us to limit
>> > > use of vma allocation and free code to fork and mm only.
>> > >
>> > > We previously did the same for the step at which we relocate the initial
>> > > stack VMA downwards via relocate_vma_down(), now we move the initial VMA
>> > > establishment too.
>> > >
>> > > Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@xxxxxxxxxx>
>> > > Acked-by: David Hildenbrand <david@xxxxxxxxxx>
>> > > Reviewed-by: Suren Baghdasaryan <surenb@xxxxxxxxxx>
>> > > ---
>> > > fs/exec.c | 51 +---------------------------------
>> >
>> > I'm kind of on the fence about this. On the one hand, yes, it's all vma
>> > goo, and should live with the rest of vma code, as you suggest. On the
>> > other had, exec is the only consumer of this behavior, and moving it
>> > out of fs/exec.c means that changes to the code that specifically only
>> > impacts exec are now in a separate file, and will no longer get exec
>> > maintainer/reviewer CCs (based on MAINTAINERS file matching). Exec is
>> > notoriously fragile, so I'm kind of generally paranoid about changes to
>> > its behaviors going unnoticed.
>> >
>> > In defense of moving it, yes, this routine has gotten updates over the
>> > many years, but it's relatively stable. But at least one thing has gone in
>> > without exec maintainer review recently (I would have Acked it, but the
>> > point is review): 9e567ca45f ("mm/ksm: fix ksm exec support for prctl")
>> > Everything else was before I took on the role officially (Nov 2022).
>> >
>> > So I guess I'm asking, how do we make sure stuff pulled out of exec
>> > still gets exec maintainer review?
>>
>> I think we have two options here:
>>
>> 1. Separate out this code into mm/vma_exec.c and treat it like
>> mm/vma_init.c, then add you as a reviewer, so you have visibility on
>> everything that happens there.
>>
>
>Actually, (off-list) Vlastimil made the very good suggestion that we can
>just add this new file to both exec and memory mapping sections, have
>tested it and it works!
>
>So I think this should cover off your concerns?
>
>[snip]
Yes, this is brilliant! Totally works for me; thank you (and Vlastimil) for finding a good way to do it.
-Kees
--
Kees Cook
