On Thu, Apr 04, 2019 at 12:35:28PM +0200, Michal Hocko wrote: > On Thu 04-04-19 13:02:19, Dan Carpenter wrote: > > There have been two cases recently where we pass user a controlled "cpu" > > to possible_cpus(). That's not allowed. If it's invalid, it will > > trigger a WARN_ONCE() and an out of bounds read which could result in an > > Oops. > > > > This patch introduces possible_cpu_safe() which first checks to see if > > the cpu is valid, turns off speculation and then checks if the cpu is > > possible. > > Why cannot we do the check in possible_cpu directly? Is it used from any > hot path? I am quite skeptical people will use the new helper > consistently. Why only possible? What is to say stop anyone from using garbage (aka. user input) in any other of the cpumask APIs. I'd much rather have the explicit validate call and keep assuming @cpu as used in the rest of the API is sane.