[PATCH] profiling: prevent stale prof_cpu_mask access on init failure

From: Tristan Madani

Date: Sun Jun 21 2026 - 15:23:39 EST


From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

When profiling is enabled at runtime via /sys/kernel/profiling,
profile_setup() sets prof_on and profile_init() allocates prof_cpu_mask
and attempts to allocate prof_buffer. If all prof_buffer allocations
fail, the error path frees prof_cpu_mask but leaves prof_on set.

Since profile_tick() runs from timer interrupt context and checks
cpumask_available(prof_cpu_mask) without first checking prof_on, it can
dereference the freed cpumask between the free and the next reboot.

Clear prof_on before freeing prof_cpu_mask so the profiling state remains
consistent on allocation failure. Also gate the cpumask access in
profile_tick() on prof_on to prevent accessing stale state during the
teardown window.

Fixes: 22b8ce94708f ("profiling: dynamically enable readprofile at runtime")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
kernel/profile.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/profile.c b/kernel/profile.c
index 984f819b701c9..a166ad9512714 100644
--- a/kernel/profile.c
+++ b/kernel/profile.c
@@ -123,6 +123,7 @@ int __ref profile_init(void)
if (prof_buffer)
return 0;

+ prof_on = 0;
free_cpumask_var(prof_cpu_mask);
return -ENOMEM;
}
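Review bot: Nothing in the profile_init() error path orders the new `prof_on = 0` store against a profile_tick() that is already past its check on another CPU, so `free_cpumask_var(prof_cpu_mask)` on the very next line can still free the mask under a running reader. The commit message itself says profile_tick() runs from timer interrupt context, so the store should at least be a WRITE_ONCE(), and the free should either wait until in-flight ticks have finished or the changelog should explain why no waiting is needed here.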
@@ -325,7 +326,7 @@ void profile_tick(int type)
{
struct pt_regs *regs = get_irq_regs();

- if (!user_mode(regs) && cpumask_available(prof_cpu_mask) &&
+ if (!user_mode(regs) && prof_on && cpumask_available(prof_cpu_mask) &&
cpumask_test_cpu(smp_processor_id(), prof_cpu_mask))
profile_hit(type, (void *)profile_pc(regs));
}
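Review bot: The added `prof_on` test in profile_tick() is a plain read followed by a separate `cpumask_test_cpu(smp_processor_id(), prof_cpu_mask)`, so it is a check-then-use that narrows the teardown window rather than closing it: prof_on can be cleared and the mask freed between the two. Consider READ_ONCE(prof_on) to pair with the store in profile_init(), and either document that the remaining window is accepted or rely on real synchronization on the free side. The changelog wording "prevent accessing stale state" is stronger than what this condition alone provides.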
--
2.47.3