Re: [PATCH v2] profiling: don't free prof_cpu_mask on init failure

From: Tetsuo Handa

Date: Mon Jun 22 2026 - 07:37:04 EST


On 2026/06/22 9:00, Tristan Madani wrote:
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> When profiling is enabled at runtime via /sys/kernel/profiling,
> profile_setup() sets prof_on and profile_init() allocates prof_cpu_mask
> then attempts to allocate prof_buffer. If all prof_buffer allocations
> fail, the error path frees prof_cpu_mask but leaves prof_on set.
>
> Since profile_tick() runs from timer interrupt context and checks
> cpumask_available(prof_cpu_mask), it can access the freed cpumask
> between the free and the next reboot.
>
> Remove the free_cpumask_var() call from the error path. The cpumask
> allocation already succeeded and is small; keeping it on this rare
> failure path is harmless.
>
> Fixes: 22b8ce94708f ("profiling: dynamically enable readprofile at runtime")

Why 22b8ce94708f? That commit did not add free_cpumask_var().
Since free_cpumask_var() was removed by 7c51f7bbf057, your patch might want
an explanation of why you chose to only avoid the UAF read for stable kernels
instead of trying to apply 7c51f7bbf057.

> Cc: stable@xxxxxxxxxxxxxxx
> Suggested-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> Changes in v2:
> - Remove the free_cpumask_var() call instead of adding a prof_on
> guard in profile_tick(), which still raced with the free (Tetsuo Handa)
> kernel/profile.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/kernel/profile.c b/kernel/profile.c
> index 984f819b701c9..93180f9d21467 100644
> --- a/kernel/profile.c
> +++ b/kernel/profile.c
> @@ -123,7 +123,6 @@ int __ref profile_init(void)
> if (prof_buffer)
> return 0;
>
> - free_cpumask_var(prof_cpu_mask);
> return -ENOMEM;
> }
>
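Review bot: with free_cpumask_var() dropped, the `return -ENOMEM;` in this hunk now leaves prof_on set (as the changelog says) and prof_cpu_mask allocated while prof_buffer stays NULL, so the timer path keeps running against a half-initialised profiler; either state in the changelog why profile_tick() is safe with a NULL prof_buffer, or clear prof_on before `return -ENOMEM;` so a failed init leaves profiling off rather than enabled without a buffer. The changelog should also record that keeping the mask is deliberate, since a reader of this error path will otherwise take the missing free for a leak.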
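Added example, not part of this thread or of kernel/profile.c: a user-space model of the interleaving the v2 changelog describes, which shows why a prof_on guard inside profile_tick() does not close the window (the checks run before the free, the dereference after it) while leaving the mask allocated does. The globals prof_on, prof_cpu_mask and prof_buffer mirror the kernel names; struct tracked, tracked_alloc(), tracked_free(), init_alloc_mask(), init_finish(), tick_check(), tick_use() and scenario() are inventions of this model. Freed blocks are poisoned rather than returned to the allocator so that a read after free is observable instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Fake cpumask allocation (simulation only; the kernel uses
 * alloc_cpumask_var/free_cpumask_var). Freeing poisons the block instead of
 * returning it, so a later read is detectable rather than undefined. */
struct tracked {
    bool freed;
    unsigned long bits;     /* stands in for the cpumask contents */
};

static struct tracked *tracked_alloc(void)
{
    struct tracked *t = calloc(1, sizeof(*t));
    if (t)
        t->bits = ~0UL;     /* cpumask_copy(mask, cpu_possible_mask) */
    return t;
}

static void tracked_free(struct tracked *t)
{
    if (t)
        t->freed = true;    /* poison; memory deliberately kept for inspection */
}

/* Globals named as in kernel/profile.c */
static int prof_on;                     /* set by profile_setup() / sysfs */
static struct tracked *prof_cpu_mask;   /* allocated by profile_init() */
static void *prof_buffer;

static void reset_state(void)
{
    prof_on = 0;
    prof_cpu_mask = NULL;
    prof_buffer = NULL;
}

/* profile_init() split at the point where the interrupt can interleave:
 * the mask allocation succeeds, then every buffer allocation fails. */
static int init_alloc_mask(void)
{
    prof_cpu_mask = tracked_alloc();
    return prof_cpu_mask ? 0 : -12;     /* -ENOMEM */
}

static int init_finish(bool buffer_ok, bool free_mask_on_error)
{
    prof_buffer = buffer_ok ? malloc(64) : NULL;
    if (prof_buffer)
        return 0;
    if (free_mask_on_error)
        tracked_free(prof_cpu_mask);    /* the line the patch removes */
    return -12;                         /* prof_on stays set either way */
}

/* profile_tick() split the same way: the checks (including the prof_on guard
 * proposed in v1) run first, the dereference of the mask runs second. */
struct tick_ctx { bool armed; struct tracked *mask; };

static struct tick_ctx tick_check(void)
{
    struct tick_ctx c = { false, NULL };
    if (!prof_on)
        return c;
    if (prof_cpu_mask == NULL)          /* cpumask_available() */
        return c;
    c.armed = true;
    c.mask = prof_cpu_mask;
    return c;
}

/* -1 on a read of freed memory, 1 if cpu is in the mask, 0 if skipped */
static int tick_use(struct tick_ctx c, int cpu)
{
    if (!c.armed)
        return 0;
    if (c.mask->freed)
        return -1;
    return (int)((c.mask->bits >> cpu) & 1UL);
}

/* The interleaving from the report: the timer's checks pass, profile_init()'s
 * error path runs, then the timer dereferences what it checked.
 * free_mask_on_error=true is the pre-patch error path, false the patched one. */
static int scenario(bool buffer_ok, bool free_mask_on_error)
{
    reset_state();
    prof_on = 1;                        /* profile_setup() */
    if (init_alloc_mask())
        return 0;
    struct tick_ctx c = tick_check();   /* interrupt fires here */
    init_finish(buffer_ok, free_mask_on_error);
    return tick_use(c, 0);              /* interrupt resumes */
}

int main(void)
{
    /* pre-patch error path reads poisoned memory; patched path reads a live mask */
    return (scenario(false, true) == -1 && scenario(false, false) == 1) ? 0 : 1;
}
```

In this model the prof_on guard is evaluated in tick_check() before init_finish() runs, so it cannot prevent the read in tick_use(); only not freeing the mask does. The patched run ends with prof_on set, prof_cpu_mask allocated and prof_buffer NULL, which is the state the hunk leaves behind and the one a reviewer would want the changelog to justify.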