Re: [PATCH] profiling: prevent stale prof_cpu_mask access on init failure

Next message: Linus Torvalds: "Re: [PATCH v4 0/2] mm: improve folio refcount scalability"
Previous message: Marek Vasut: "Re: [PATCH v2 3/4] irqchip/gic-v3: Add Renesas R-Car Gen4 erratum workaround"
In reply to: Tristan Madani: "[PATCH] profiling: prevent stale prof_cpu_mask access on init failure"
Next in thread: Tristan Madani: " Re: [PATCH] profiling: prevent stale prof_cpu_mask access on init failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tetsuo Handa

Date: Sun Jun 21 2026 - 18:49:49 EST

On 2026/06/22 4:23, Tristan Madani wrote:
> diff --git a/kernel/profile.c b/kernel/profile.c
> index 984f819b701c9..a166ad9512714 100644
> --- a/kernel/profile.c
> +++ b/kernel/profile.c
> @@ -123,6 +123,7 @@ int __ref profile_init(void)
> if (prof_buffer)
> return 0;
>
> + prof_on = 0;
> free_cpumask_var(prof_cpu_mask);

Which tree are you talking about?

> return -ENOMEM;
> }
> @@ -325,7 +326,7 @@ void profile_tick(int type)
> {
> struct pt_regs *regs = get_irq_regs();
>
> - if (!user_mode(regs) && cpumask_available(prof_cpu_mask) &&
> + if (!user_mode(regs) && prof_on && cpumask_available(prof_cpu_mask) &&
> cpumask_test_cpu(smp_processor_id(), prof_cpu_mask))

NAK. This is a use-after-free read bug.

CPU0 CPU1

if (!user_mode(regs) && prof_on && cpumask_available(prof_cpu_mask) &&
prof_on = 0;
free_cpumask_var(prof_cpu_mask);
cpumask_test_cpu(smp_processor_id(), prof_cpu_mask)) // <= prof_cpu_mask was already freed.

Correct fix is to remove a commit which adds "free_cpumask_var(prof_cpu_mask);".

> profile_hit(type, (void *)profile_pc(regs));
> }