On Mon, Dec 05, 2022 at 11:48:32AM -0500, Waiman Long wrote:I believe a task A can call sched_setaffinity() to modify the cpu affinity of a different task, say B, which can be under fork() at the same time. So we need to use the pi_lock to synchronize the access of user_cpus_ptr to avoid the kind of race that can cause double-free.
Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to beHow? the task cannot be in migrate_enable() and fork() at the same time,
restricted on asymmetric systems"), the setting and clearing of
user_cpus_ptr are done under pi_lock for arm64 architecture. However,
dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
protection. When racing with the clearing of user_cpus_ptr in
__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
double-free in arm64 kernel.
no?