Re: [PATCH v3] mips: sched: Fix CPUMASK_OFFSTACK memory corruption
From: Thomas Bogendoerfer
Date: Mon Jun 15 2026 - 06:44:59 EST
On Tue, May 26, 2026 at 10:16:51AM -0400, Aaron Tomlin wrote:
> This patch addresses a critical memory management flaw. When
> CONFIG_CPUMASK_OFFSTACK is enabled, cpumask_var_t is a pointer.
> Consequently, sizeof(new_mask) evaluates to the pointer size, causing
> copy_from_user() to clobber the mask pointer. Furthermore, the old
> logic performed copy_from_user() before allocating the mask.
>
> Fix this by allocating new_mask first. To handle variable-sized user
> masks correctly, use cpumask_size() to truncate overly large user masks
> or pad undersized masks with zeros before copying the data directly into
> the allocated buffer.
>
> Fixes: 295cbf6d63165 ("[MIPS] Move FPU affinity code into separate file.")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Aaron Tomlin <atomlin@xxxxxxxxxxx>
> ---
> Changes since v2 [1]:
> - Dropped patch 1. This is to be addressed by the cgroup cpuset
> maintainer (Waiman Long)
>
> - Dropped patch 3. Will be submitted as a separate patch (Paul Moore)
>
> Changes since v1 [2]:
> - Reordered the allocation and user-copy of new_mask in the MIPS
> architecture's mipsmt_sys_sched_setaffinity() to occur before the
> LSM hook is invoked. This ensures the security modules evaluate a fully
> populated mask rather than uninitialised memory, while cleanly handling
> error unwinding
>
> - Updated cpuset_can_fork() to pass the destination cpuset's effective CPU
> mask instead of NULL
>
> [1]: https://lore.kernel.org/lkml/20260509213803.968464-1-atomlin@xxxxxxxxxxx/
> [2]: https://lore.kernel.org/lkml/20260509164847.939294-1-atomlin@xxxxxxxxxxx/
> ---
> arch/mips/kernel/mips-mt-fpaff.c | 28 +++++++++++++++-------------
> 1 file changed, 15 insertions(+), 13 deletions(-)
applied to mips-next
Thomas.
--
Crap can work. Given enough thrust pigs will fly, but it's not necessarily a
good idea. [ RFC1925, 2.3 ]
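The sizeof pitfall and the allocate-then-copy fix described in the quoted commit message, as an added userspace model. This is not the patch's code or kernel code: the struct, typedef, NR_CPUS value, and the copy_from_user()/zalloc_cpumask_var()/cpumask_size() stand-ins are constructed here to reproduce the shapes involved, and the two user masks are constructed sample inputs. It shows why, with CONFIG_CPUMASK_OFFSTACK=y, copying sizeof(new_mask) bytes to &new_mask lands on the pointer itself, and what the allocate-first, min(len, cpumask_size()) copy does with undersized and oversized masks.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed userspace stand-ins for the kernel pieces named in the commit
 * message. None of this is kernel code; it only reproduces the shapes.
 */
#define NR_CPUS 128
#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

struct cpumask { unsigned long bits[BITS_TO_LONGS(NR_CPUS)]; };

/* Under CONFIG_CPUMASK_OFFSTACK=y, cpumask_var_t is a pointer, not an array. */
typedef struct cpumask *cpumask_var_t;

static size_t cpumask_size(void) { return sizeof(struct cpumask); }

/* Stand-in for copy_from_user(): returns the number of bytes not copied. */
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
	memcpy(to, from, n);
	return 0;
}

/* Stand-in for zalloc_cpumask_var(): zero-filled, so short masks pad with 0. */
static int zalloc_cpumask_var(cpumask_var_t *mask)
{
	*mask = calloc(1, cpumask_size());
	return *mask != NULL;
}

static void free_cpumask_var(cpumask_var_t mask) { free(mask); }

/*
 * The pre-fix shape: sizeof(new_mask) is sizeof(struct cpumask *), and
 * &new_mask is the address of the pointer variable, so copy_from_user()
 * overwrites the pointer with user-controlled bytes. No cpumask has been
 * allocated at this point. Returns the (now user-chosen) pointer value as
 * an integer; it is never dereferenced.
 */
static uintptr_t buggy_read_mask(const void *user_mask, size_t len)
{
	cpumask_var_t new_mask = NULL;

	if (len < sizeof(new_mask))
		return 0;
	copy_from_user(&new_mask, user_mask, sizeof(new_mask));
	return (uintptr_t)new_mask;
}

/*
 * The shape the commit message describes: allocate first, then copy
 * min(len, cpumask_size()) bytes into the allocated buffer. Oversized user
 * masks are truncated; undersized ones are zero-padded by the zeroed
 * allocation. Returns 0 or a negative errno; *out is owned by the caller.
 */
static int fixed_read_mask(cpumask_var_t *out, const void *user_mask, size_t len)
{
	size_t n = len < cpumask_size() ? len : cpumask_size();

	if (!zalloc_cpumask_var(out))
		return -ENOMEM;
	if (copy_from_user(*out, user_mask, n)) {
		free_cpumask_var(*out);
		*out = NULL;
		return -EFAULT;
	}
	return 0;
}

/* Convenience for checking: word i of the mask the fixed path builds. */
static unsigned long fixed_word(const void *user_mask, size_t len, size_t i)
{
	cpumask_var_t m;
	unsigned long w;

	if (fixed_read_mask(&m, user_mask, len) < 0)
		return 0;
	w = m->bits[i];
	free_cpumask_var(m);
	return w;
}

/* Constructed user inputs: one word-sized mask, one 4 KiB all-ones blob. */
static const unsigned long small_user_mask = 0x0f;   /* CPUs 0-3 */
static const unsigned char *big_user_mask(void)
{
	static unsigned char buf[4096];
	memset(buf, 0xff, sizeof(buf));
	return buf;
}

int main(void)
{
	const unsigned char *big = big_user_mask();

	printf("buggy: pointer becomes %#lx from user bytes\n",
	       (unsigned long)buggy_read_mask(big, sizeof(void *)));
	printf("fixed: word0=%#lx word1=%#lx (undersized, zero-padded)\n",
	       fixed_word(&small_user_mask, sizeof(small_user_mask), 0),
	       fixed_word(&small_user_mask, sizeof(small_user_mask), 1));
	printf("fixed: last word=%#lx (oversized, truncated to %zu bytes)\n",
	       fixed_word(big, 4096, BITS_TO_LONGS(NR_CPUS) - 1), cpumask_size());
	return 0;
}
```

The buggy path never reaches the 4 KiB blob's size: only sizeof(pointer) bytes are read, and they replace the pointer, which is the clobber the commit message names. The fixed path bounds the copy by the allocation size, so the oversized blob cannot write past the cpumask, and the word-sized mask leaves the remaining words zero.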