Perhaps something like:

If the user-supplied set is not large enough to fit all of the matching CPUs,
.Fn cpusetgetaffinity
fails with
.Er ERANGE .

(I do think "matching CPUs" might be slightly better than "active CPUs" here)

I think you still want this check? That is, if userland specifies a non-existent CPU we should reject it with an error?

That would probably work overall, if you s/cpusetgetaffinity/cpuset_getaffinity/. What do "matching" and or "active" mean here, though? I took "active" to mean "an existing CPU the scheduling object - process, userland thread, interrupt handler, or whatever - is willing and able to run on, but now that you introduced a different term, I no longer know.

Note that cpusetsize * NBBY can overflow. In this case this seems to be innocent due to the later cap of the size with min(cpusetsize, sizeof(cpuset_t)) but it misses to return ERANGE in some situations.

'matching CPUs' is a bit confusing to me also, may be 'existing'?

I guess I mean matching in terms of the CPUs that match the qualifiers (CPU_WHICH_*, a specific pid or tid, etc.). The difference is suppose you had a system with enough CPUs that you needed a set of two words to express all of them, but you were to query the set for a thread that was bound to just CPU 0. The set for that thread can be described by a smaller set containing just the single bit 0 (since only CPU 0 "matches" the query of "set of CPUs for thread X") vs if the size check is always done against what is required to hold the the set of all CPUs (so always requiring two words in this case).

To me, active implies "an active CPU in the system" and thus means you always require the two words for the case above.

So this also fails in the case I mention that you are querying the per-thread mask that fits in a smaller set than the thing being returned. I think instead you want to not do a check here but instead wait until just before the copyout() and then check to see if the highest set bit is too large to fit in the user's mask and fail with ERANGE if so.

This should be using mp_maxid, not smp_cpus to account for sparse CPU IDs. However, all this really needs to verify is what the old check was doing. Other code will catch if we have bits set that can fit into a cpuset_t that are > mp_maxid. What this check needs to verify instead is that userland hasn't set bits that don't fit into the kernel's cpuset_t. In that case, the existing code that used sizeof(cpuset_t) directly in place of factsize is correct. However, since the malloc above now (correctly) is capped to only cpuset_t, you can't check the extra bits directly from mask. Instead, you need to be fetching the words from userland explicitly via fueword() or the like, so something like:

if (cpusetsize > sizeof(cpuset_t)) {
    char *end;
    char *cp;
    int val;

    end = cp = (char *)&maskp->__bits;
    end += cpusetsize;
    cp += sizeof(cpuset_t);
    while (cp  != end) {
        val = fubyte(cp);
        if (val == -1) {
            error = EFAULT;
            goto out;
        } else if (val != 0) {
            error = EINVAL;
            goto out;
        }
        cp++;
    }
}

(It may be worth trying to fetch words first if possible rather than fetching bytes by adding a second loop before the first one that uses while (cp + sizeof(long) < end) and using fueword instead of fubyte.)

This can overflow. loadsize needs to be max, not min so that it is capped at sizeof(cpuset_t).

This test assumes that CPU IDs are dense which we do not guarantee (hence the use of mp_maxid in the kernel everywhere rather than mp_ncpus). Perhaps more correct would be to write a helper routine that fetches the root cpuset and returns the highest bit set instead (so equivalent of mp_maxid) and use that in place of _SC_NPROCESSORS_CONF in these tests.

"all CPUs" or "all of the CPUs" (I prefer the former).

Maybe s/on/in/ too? Not 100% sure.

Check I didn't change your intended meaning.

"all CPUs" or "all of the CPUs" (I prefer the former)

Maybe s/on/in/ here too? (See above.)

Again, checks it means what you intended.

whoops, I missed that (mp_maxid),
it turns out that the getaffinity() is wrong too. I'll try to fix it all, thank you!

Yep, this code can be optimized. However, the API does not require that cpusetsize should be a multiple of a word.
Therefore, a more sophisticated method is needed. I'll try))

we copyin at least cpusetsize, maximum sizeof(cpuset_t) bytes, it should be min().

I propose to agree with John's 'definition', it fully describes getaffinity behavior.

Still would go for the definite article here.

And here.