On Thu, Feb 06, 2025 at 03:24:06PM +0800, Xingrui Yi wrote:
[free] profiling_store() --> profile_init() --> free_cpumask_var(prof_cpu_mask) <-- freed
[use] tick_sched_timer() --> profile_tick() --> cpumask_available(prof_cpu_mask) <-- prof_cpu_mask is not NULL if cpumask offstack --> cpumask_test_cpu(smp_processor_id(), prof_cpu_mask) <-- use after free
When profile_init() fails because prof_buffer is not allocated, prof_cpu_mask will be kfreed by free_cpumask_var() but not set to NULL when CONFIG_CPUMASK_OFFSTACK=y, thus profile_tick() will use prof_cpu_mask after free.
Signed-off-by: Xingrui Yi <yixingrui@linux.alibaba.com>
kernel/profile.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/profile.c b/kernel/profile.c index 0db1122855c0..b5e85193cb02 100644 --- a/kernel/profile.c +++ b/kernel/profile.c @@ -137,6 +137,9 @@ int __ref profile_init(void) return 0; free_cpumask_var(prof_cpu_mask); +#ifdef CONFIG_CPUMASK_OFFSTACK
- prof_cpu_mask = NULL;
+#endif return -ENOMEM; } -- 2.43.5
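Review bot: the NULL store in this hunk comes after free_cpumask_var(prof_cpu_mask), so it narrows the window rather than closing it: profile_tick() runs from the tick on other CPUs with no synchronization against this path, and a reader that loaded the pointer and passed cpumask_available() before the store can still touch the freed mask. Clearing the global first and freeing a local copy (e.g. `tmp = prof_cpu_mask; prof_cpu_mask = NULL; free_cpumask_var(tmp);`) at least orders the publication before the free; whether a grace period is also needed before the free is worth stating in the changelog. The `#ifdef CONFIG_CPUMASK_OFFSTACK` guard deserves a one-line comment saying why it is there (without offstack masks, cpumask_var_t is an array and cannot be assigned), since the changelog only describes the offstack case. Also note the diffstat reports 3 insertions while the middle line of the hunk is shown with a `-` marker; please double-check the patch as mailed applies cleanly.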
<formletter>
This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
</formletter>