Re: [PATCH v3] sched/mmcid: fix OOB clear_bit when CID is MM_CID_UNSET in fixup path

Next message: Moksh Panicker: "[PATCH] media: rc: igorplugusb: Fix wrong pointer passed to usb_fill_control_urb()"
Previous message: Pranjal Shrivastava: "Re: [PATCH v9 4/6] iommufd: Add an ioctl to query PA from IOVA for noiommu mode"
In reply to: Rik van Riel: "[PATCH v3] sched/mmcid: fix OOB clear_bit when CID is MM_CID_UNSET in fixup path"
Next in thread: Thomas Gleixner: "Re: [PATCH v3] sched/mmcid: fix OOB clear_bit when CID is MM_CID_UNSET in fixup path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Mathieu Desnoyers

Date: Tue Jun 16 2026 - 17:40:57 EST

On 2026-06-16 16:38, Rik van Riel wrote:

In mm_cid_fixup_cpus_to_tasks(), when rq->curr has the target mm and
mm_cid.active is set, the CID is checked with cid_in_transit() before
setting the transition bit. In per-CPU mode a newly forked or exec'd
task can be running with mm_cid.cid == MM_CID_UNSET because CIDs are
assigned lazily on schedule-in. With cid_in_transit() the guard passes
for MM_CID_UNSET (no transit bit), converts it to MM_CID_UNSET |
MM_CID_TRANSIT and stores it back; later mm_cid_schedout() feeds this
to clear_bit() with MM_CID_UNSET as the bit number, triggering an
out-of-bounds write.

Thomas, can you have a look as well in case we missed something
subtle ?

Rik, did you check whether there are other instances of that
MM_CID_UNSET issue lurking in the code, or was your analysis
focused on the reproduced bug ?

Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>

Thanks,

Mathieu

--
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com