CVE-2022-48892

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
21/08/2024
Last modified:
29/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

sched/core: Fix use-after-free bug in dup_user_cpus_ptr()

Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems"), the setting and clearing of user_cpus_ptr are done under pi_lock for arm64 architecture. However, dup_user_cpus_ptr() accesses user_cpus_ptr without any lock protection. Since sched_setaffinity() can be invoked from another process, the process being modified may be undergoing fork() at the same time. When racing with the clearing of user_cpus_ptr in __set_cpus_allowed_ptr_locked(), it can lead to use-after-free and possibly double-free in arm64 kernel.

Commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") fixes this problem as user_cpus_ptr, once set, will never be cleared in a task's lifetime. However, this bug was re-introduced in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in do_set_cpus_allowed(). This time, it will affect all arches.

Fix this bug by always clearing the user_cpus_ptr of the newly cloned/forked task before the copying process starts and check the user_cpus_ptr state of the source task under pi_lock.

Note to stable, this patch won't be applicable to stable releases. Just copy the new dup_user_cpus_ptr() function over.
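The two interleavings the commit message describes, as an added single-threaded C model that is not kernel code and not the patch itself. Everything in it is a stand-in: the tracked allocator counts a read-after-free or a second free instead of crashing, pi_lock is a flag, and the "race" hook marks the instant at which sched_setaffinity() from another process clears the parent's mask. The pre-fix function mirrors the lockless check-then-copy the message criticises; the post-fix function follows the approach the message states (clear the child's pointer first, decide under the source task's pi_lock), not necessarily the exact mainline source. Names such as run_scenario, clear_user_cpus_ptr and the CPU-mask value are invented for the illustration.

```c
/* Added model of the dup_user_cpus_ptr() race; not the Linux kernel's code. */
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned long bits[2]; } cpumask_t;

/* Tracked stand-in for kmalloc/kfree. Freed masks stay addressable and are
 * filled with a SLUB-style poison byte, so misuse is counted, not a crash. */
#define MAX_MASKS 8
static struct { cpumask_t mem; bool in_use, alive; } pool[MAX_MASKS];
static int uaf_reads, double_frees;

static int slot_of(const cpumask_t *m)
{
    for (int i = 0; i < MAX_MASKS; i++)
        if (&pool[i].mem == m) return i;
    abort();
}
static cpumask_t *mask_alloc(void)
{
    for (int i = 0; i < MAX_MASKS; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = pool[i].alive = true;
            memset(&pool[i].mem, 0, sizeof pool[i].mem);
            return &pool[i].mem;
        }
    abort();
}
static void mask_free(cpumask_t *m)
{
    int i = slot_of(m);
    if (!pool[i].alive) double_frees++;          /* kfree() of an already freed mask */
    pool[i].alive = false;
    memset(&pool[i].mem, 0x6b, sizeof pool[i].mem);
}
static void mask_copy(cpumask_t *dst, const cpumask_t *src)
{
    if (!pool[slot_of(src)].alive) uaf_reads++;  /* cpumask_copy() from freed memory */
    *dst = *src;
}

/* pi_lock stand-in: the model is single-threaded, so re-locking is a bug. */
struct task { bool pi_locked; cpumask_t *user_cpus_ptr; };
static void pi_lock(struct task *p)   { assert(!p->pi_locked); p->pi_locked = true; }
static void pi_unlock(struct task *p) { assert(p->pi_locked);  p->pi_locked = false; }

/* What sched_setaffinity() from another process does to the victim task:
 * clear the pointer under pi_lock, free the old mask afterwards. */
static void clear_user_cpus_ptr(struct task *p)
{
    pi_lock(p);
    cpumask_t *old = p->user_cpus_ptr;
    p->user_cpus_ptr = NULL;
    pi_unlock(p);
    if (old) mask_free(old);
}

typedef void (*race_fn)(struct task *src);
typedef int (*dup_fn)(struct task *dst, struct task *src, race_fn race);

/* Pre-fix shape: lockless read, then copy. dst still carries the parent's
 * pointer value because copy_process() duplicated the task_struct by value. */
static int dup_user_cpus_ptr_vuln(struct task *dst, struct task *src, race_fn race)
{
    cpumask_t *src_mask = src->user_cpus_ptr;    /* read without pi_lock */
    if (!src_mask)
        return 0;                                /* dst's inherited pointer left as is */
    if (race) race(src);                         /* src_mask is freed right here */
    dst->user_cpus_ptr = mask_alloc();
    mask_copy(dst->user_cpus_ptr, src_mask);     /* use after free */
    return 0;
}

/* Post-fix shape per the commit message: clear the child's pointer first,
 * allocate outside the lock, and make the decision under src->pi_lock. */
static int dup_user_cpus_ptr_fixed(struct task *dst, struct task *src, race_fn race)
{
    cpumask_t *fresh;
    dst->user_cpus_ptr = NULL;                   /* never inherit the parent's pointer */
    if (!src->user_cpus_ptr)
        return 0;                                /* lockless fast path, re-checked below */
    fresh = mask_alloc();                        /* allocation may sleep: not under the lock */
    if (race) race(src);
    pi_lock(src);
    if (src->user_cpus_ptr) {                    /* authoritative check */
        mask_copy(fresh, src->user_cpus_ptr);
        dst->user_cpus_ptr = fresh;
        fresh = NULL;
    }
    pi_unlock(src);
    if (fresh) mask_free(fresh);                 /* lost the race: drop the unused buffer */
    return 0;
}

enum race_point { NO_RACE, RACE_BEFORE_DUP, RACE_DURING_DUP };
struct outcome { int uaf_reads, double_frees; bool child_has_copy; };

/* One fork() of a parent holding a user-requested mask, with the affinity
 * change landing at the chosen point, followed by both tasks exiting. */
static struct outcome run_scenario(dup_fn dup, enum race_point when)
{
    struct task parent = {0}, child = {0};
    struct outcome out;
    memset(pool, 0, sizeof pool);
    uaf_reads = double_frees = 0;
    parent.user_cpus_ptr = mask_alloc();
    parent.user_cpus_ptr->bits[0] = 0x0f;        /* constructed: CPUs 0-3 */
    child.user_cpus_ptr = parent.user_cpus_ptr;  /* arch_dup_task_struct(): *dst = *src */
    if (when == RACE_BEFORE_DUP) clear_user_cpus_ptr(&parent);
    dup(&child, &parent, when == RACE_DURING_DUP ? clear_user_cpus_ptr : NULL);
    out.child_has_copy = child.user_cpus_ptr && child.user_cpus_ptr != parent.user_cpus_ptr
        && pool[slot_of(child.user_cpus_ptr)].alive && child.user_cpus_ptr->bits[0] == 0x0f;
    /* task exit: release_user_cpus_ptr() frees whatever each task still holds */
    if (child.user_cpus_ptr)  mask_free(child.user_cpus_ptr);
    if (parent.user_cpus_ptr) mask_free(parent.user_cpus_ptr);
    out.uaf_reads = uaf_reads;
    out.double_frees = double_frees;
    return out;
}
```

Running the pre-fix function with the clear landing during the copy counts one read from freed memory; with the clear landing between the task_struct copy and dup_user_cpus_ptr(), the child keeps the parent's stale pointer and frees it a second time at exit, which is the double-free path the message mentions. The fixed function yields neither in either interleaving and still produces a proper copy when there is no race.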

Vulnerable products and versions

CPE                                            From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.15               5.15.89
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16               6.1.7