In sched_copy_attr(), attr->size was fetched twice in get_user() and copy_from_user().
Changing it between the two fetches may cause security problems or unexpected behavior. We can apply the same pattern used in perf_copy_attr(). That is, use the value fetched the first time to overwrite it after the second fetch.

Signed-off-by: JingYi Hou <houjingyi...@gmail.com>
--- kernel/sched/core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 2b037f195473..60088b907ef4 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -4945,6 +4945,8 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a ret = copy_from_user(attr, uattr, size); if (ret) return -EFAULT; + + attr->size = size; if ((attr->sched_flags & SCHED_FLAG_UTIL_CLAMP) && size < SCHED_ATTR_SIZE_VER1) -- 2.20.1
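Review bot: The added "attr->size = size;" after the copy_from_user() error check has no comment, so a later reader could take it for a redundant store and drop it. Suggest a one-line comment above the assignment saying that copy_from_user() re-reads the size field from user memory and that the value fetched first is written back over it, as the commit message describes for perf_copy_attr(). The commit message would also be stronger if it named a later user of attr->size that could see the changed value, since the visible context only shows checks against the local size.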