Commit e117ff11 authored Sep 02, 2025 by Waiman Long Committed by Tejun Heo Sep 03, 2025

cgroup/cpuset: Prevent NULL pointer access in free_tmpmasks()

Commit 5806b3d0 ("cpuset: decouple tmpmasks and cpumasks freeing in
cgroup") separates out the freeing of tmpmasks into a new free_tmpmask()
helper but removes the NULL pointer check in the process. Unfortunately a
NULL pointer can be passed to free_tmpmasks() in cpuset_handle_hotplug()
if cpuset v1 is active. This can cause segmentation fault and crash
the kernel.

Fix that by adding the NULL pointer check to free_tmpmasks().

Fixes: 5806b3d0 ("cpuset: decouple tmpmasks and cpumasks freeing in cgroup")
Reported-by: Ashay Jaiswal <quic_ashayj@quicinc.com>
Closes: https://lore.kernel.org/lkml/20250902-cpuset-free-on-condition-v1-1-f46ffab53eac@quicinc.com/

Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

parent 3b0dec68

kernel/cgroup/cpuset.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -484,6 +484,9 @@ static inline int alloc_tmpmasks(struct tmpmasks *tmp)
		*/
		static inline void free_tmpmasks(struct tmpmasks *tmp)
		{
		if (!tmp)
		return;

		free_cpumask_var(tmp->new_cpus);
		free_cpumask_var(tmp->addmask);
		free_cpumask_var(tmp->delmask);