[free] profiling_store() --> profile_init() --> free_cpumask_var(prof_cpu_mask) <-- freed [use] tick_sched_timer() --> profile_tick() --> cpumask_available(prof_cpu_mask) <-- prof_cpu_mask is not NULL if cpumask offstack --> cpumask_test_cpu(smp_processor_id(), prof_cpu_mask) <-- use after free When profile_init() failed if prof_buffer is not allocated, prof_cpu_mask will be kfreed by free_cpumask_var() but not set to NULL when CONFIG_CPUMASK_OFFSTACK=y, thus profile_tick() will use prof_cpu_mask after free. Signed-off-by: Xingrui Yi <yixingrui@xxxxxxxxxxxxxxxxx> --- kernel/profile.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/profile.c b/kernel/profile.c index 0db1122855c0..b5e85193cb02 100644 --- a/kernel/profile.c +++ b/kernel/profile.c @@ -137,6 +137,9 @@ int __ref profile_init(void) return 0; free_cpumask_var(prof_cpu_mask); +#ifdef CONFIG_CPUMASK_OFFSTACK + prof_cpu_mask = NULL; +#endif return -ENOMEM; } -- 2.43.5
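Review bot: the `prof_cpu_mask = NULL` store in the `@@ -137,6 +137,9 @@` hunk comes after `free_cpumask_var(prof_cpu_mask)` and nothing orders it against `profile_tick()`, so the window the commit message describes is narrowed, not closed: a tick on another CPU can still load the pointer between the free and the NULL store, pass `cpumask_available()` and touch freed memory. Consider clearing the global before the memory is released, e.g. inside the existing `#ifdef CONFIG_CPUMASK_OFFSTACK` block take a local `struct cpumask *tmp = prof_cpu_mask;`, then `WRITE_ONCE(prof_cpu_mask, NULL);`, then `free_cpumask_var(tmp);`, and keep the plain `free_cpumask_var(prof_cpu_mask);` only in the `#else` branch; a reader that has already loaded the pointer can still race the free, so the cover letter should say whether the tick path is otherwise quiesced on this error path or whether that residual race is accepted. A one-line comment on the `#ifdef` would also help: the guard is needed because without CONFIG_CPUMASK_OFFSTACK `cpumask_var_t` is an array and cannot be assigned NULL, and `cpumask_available()` is only a NULL check in the offstack build, which is exactly why the use-after-free is confined to that configuration.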