On Thu, Feb 06, 2025 at 03:24:06PM +0800, Xingrui Yi wrote:
> [free]
> profiling_store()
>   --> profile_init()
>     --> free_cpumask_var(prof_cpu_mask) <-- freed
>
> [use]
> tick_sched_timer()
>   --> profile_tick()
>     --> cpumask_available(prof_cpu_mask) <-- prof_cpu_mask is not NULL
>                                              if cpumask offstack
>       --> cpumask_test_cpu(smp_processor_id(), prof_cpu_mask) <-- use after free
>
> When profile_init() fails because prof_buffer is not allocated,
> prof_cpu_mask will be kfreed by free_cpumask_var() but not set
> to NULL when CONFIG_CPUMASK_OFFSTACK=y, thus profile_tick() will
> use prof_cpu_mask after free.
>
> Signed-off-by: Xingrui Yi <yixingrui@xxxxxxxxxxxxxxxxx>
> ---
>  kernel/profile.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/kernel/profile.c b/kernel/profile.c
> index 0db1122855c0..b5e85193cb02 100644
> --- a/kernel/profile.c
> +++ b/kernel/profile.c
> @@ -137,6 +137,9 @@ int __ref profile_init(void)
>  		return 0;
>  
>  	free_cpumask_var(prof_cpu_mask);
> +#ifdef CONFIG_CPUMASK_OFFSTACK
> +	prof_cpu_mask = NULL;
> +#endif
>  	return -ENOMEM;
>  }
>
> --
> 2.43.5
>

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>
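Review bot: in the @@ -137,6 +137,9 @@ hunk the pointer is cleared only after free_cpumask_var() has already released it, so the timer path named in the description (tick_sched_timer() -> profile_tick() -> cpumask_available()) can still load the dangling pointer in the window between the free and the NULL store. Clearing prof_cpu_mask first and freeing a saved copy inside the same CONFIG_CPUMASK_OFFSTACK guard narrows that window, and a one-line comment on the #ifdef explaining why the assignment has to be guarded (the description says the pointer form only exists when CONFIG_CPUMASK_OFFSTACK=y) would keep the next reader from treating the guard as gratuitous.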