On Mon, Feb 09, 2026 at 07:06:04PM +0000, Andrei Vagin wrote:
> The mm->saved_auxv array stores the auxiliary vector, which can be
> modified via prctl(PR_SET_MM_AUXV) or prctl(PR_SET_MM_MAP). Previously,
> accesses to saved_auxv were not synchronized. This was an intentional
> trade-off, as the vector was only used to provide information to
> userspace via /proc/PID/auxv or prctl(PR_GET_AUXV), and consistency
> between the auxv values was left to userspace.
>
> With the introduction of hardware capability (HWCAP) inheritance during
> execve, the kernel now relies on the contents of saved_auxv to configure
> the execution environment of new processes. An unsynchronized read
> during execve could result in a new process inheriting an inconsistent
> set of capabilities if the parent process updates its auxiliary vector
> concurrently.
>
> While it is still not strictly required to guarantee the consistency of
> auxv values on the kernel side, doing so is relatively straightforward.
> This change implements synchronization using arg_lock.

(For clarification, I didn't consider the lack of synchronization a
blocker after your previous explanation. Nevertheless)

Thanks for the explicit sync. One little nit is a missing hunk like below.

--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -1205,11 +1205,10 @@ struct mm_struct {
 	spinlock_t arg_lock; /* protect the below fields */
 	unsigned long start_code, end_code, start_data, end_data;
 	unsigned long start_brk, brk, start_stack;
 	unsigned long arg_start, arg_end, env_start, env_end;
-	unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
 #ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS
 	/* the ABI-related flags from the ELF header. Used for core dump */
 	unsigned long saved_e_flags;
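Review bot: the suggested hunk as shown only deletes the `saved_auxv` declaration (the header counts 11 lines before and 10 after, and no `+` line follows), so it cannot stand on its own: fs/exec.c, fs/proc/base.c, kernel/fork.c and kernel/sys.c in the diffstat all still reach mm->saved_auxv. If the intent is to move or re-comment the field, please include the replacement line. At minimum the `/* for /proc/PID/auxv */` comment is stale now that the array is also consumed by execve for HWCAP inheritance and read via prctl(PR_GET_AUXV); a comment stating that the field is protected by arg_lock, consistent with the "protect the below fields" note on arg_lock above it, would document the new locking rule at the declaration.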
>
> Signed-off-by: Andrei Vagin
> ---
>  fs/exec.c      |  8 ++++++--
>  fs/proc/base.c | 12 +++++++++---
>  kernel/fork.c  |  7 ++++++-
>  kernel/sys.c   | 29 ++++++++++++++---------------
>  4 files changed, 35 insertions(+), 21 deletions(-)

I can say
Reviewed-by: Michal Koutný
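The race the patch description talks about, a reader copying a multi-word vector while a writer is halfway through replacing it, is easy to reproduce in userspace. The program below is an added illustration written for this page; it is not kernel code and not part of the patch. It stands in a pthread mutex for `arg_lock`, a small constructed array for `mm->saved_auxv` (the `VEC_SIZE` value is made up, not `AT_VECTOR_SIZE`), and a writer that rewrites every entry to a new "generation" value, so a snapshot is consistent exactly when all its entries match. `count_torn_snapshots(false)` shows how often an unsynchronized copy observes a mix of old and new entries; `count_torn_snapshots(true)` takes the lock around both the update and the copy, which is the kernel-side guarantee the patch adds.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for mm->saved_auxv; VEC_SIZE is a made-up value. */
#define VEC_SIZE 8
#define ITERS    200000

static volatile unsigned long vec[VEC_SIZE];
/* Plays the role of arg_lock in the patch. */
static pthread_mutex_t vec_lock = PTHREAD_MUTEX_INITIALIZER;
static atomic_int stop_writer;

/* Install generation g: every entry becomes g, like a prctl() replacing
 * the whole auxiliary vector. Locked only when the caller asks for it. */
static void write_generation(unsigned long g, bool locked)
{
	if (locked)
		pthread_mutex_lock(&vec_lock);
	for (int i = 0; i < VEC_SIZE; i++)
		vec[i] = g;
	if (locked)
		pthread_mutex_unlock(&vec_lock);
}

/* Copy the vector out, the way execve or /proc/PID/auxv would. */
static void snapshot(unsigned long out[VEC_SIZE], bool locked)
{
	if (locked)
		pthread_mutex_lock(&vec_lock);
	for (int i = 0; i < VEC_SIZE; i++)
		out[i] = vec[i];
	if (locked)
		pthread_mutex_unlock(&vec_lock);
}

/* A snapshot is consistent iff it contains a single generation. */
static bool snapshot_consistent(const unsigned long s[VEC_SIZE])
{
	for (int i = 1; i < VEC_SIZE; i++)
		if (s[i] != s[0])
			return false;
	return true;
}

static void *writer(void *arg)
{
	bool locked = *(bool *)arg;

	for (unsigned long g = 1; !atomic_load(&stop_writer); g++)
		write_generation(g, locked);
	return NULL;
}

/* Run a concurrent writer against ITERS reader snapshots and return how
 * many snapshots were torn (contained entries from two generations). */
long count_torn_snapshots(bool locked)
{
	pthread_t t;
	long torn = 0;

	atomic_store(&stop_writer, 0);
	write_generation(0, locked);
	if (pthread_create(&t, NULL, writer, &locked) != 0)
		return -1;

	for (long i = 0; i < ITERS; i++) {
		unsigned long s[VEC_SIZE];

		snapshot(s, locked);
		if (!snapshot_consistent(s))
			torn++;
	}

	atomic_store(&stop_writer, 1);
	pthread_join(t, NULL);
	return torn;
}

int main(void)
{
	printf("unsynchronized: %ld torn snapshots out of %d\n",
	       count_torn_snapshots(false), ITERS);
	printf("under lock:     %ld torn snapshots out of %d\n",
	       count_torn_snapshots(true), ITERS);
	return 0;
}
```

The unsynchronized count depends on scheduling and may even be zero on a lightly loaded single core, which is exactly why such races survive testing; the locked count is zero by construction. The `volatile` qualifier only keeps the compiler from caching the array across loop iterations in this demo; it is not what provides the consistency, the lock is.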