| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2025-21733: tracing/osnoise: Fix resetting of tracepoints |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| tracing/osnoise: Fix resetting of tracepoints |
| |
| If a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD |
| disabled, but then that option is enabled and timerlat is removed, the |
| tracepoints that were enabled on timerlat registration do not get |
| disabled. If the option is disabled again and timelat is started, then it |
| triggers a warning in the tracepoint code due to registering the |
| tracepoint again without ever disabling it. |
| |
| Do not use the same user space defined options to know to disable the |
| tracepoints when timerlat is removed. Instead, set a global flag when it |
| is enabled and use that flag to know to disable the events. |
| |
| ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options |
| ~# echo timerlat > /sys/kernel/tracing/current_tracer |
| ~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options |
| ~# echo nop > /sys/kernel/tracing/current_tracer |
| ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options |
| ~# echo timerlat > /sys/kernel/tracing/current_tracer |
| |
| Triggers: |
| |
| ------------[ cut here ]------------ |
| WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0 |
| Modules linked in: |
| CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73 |
| Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 |
| RIP: 0010:tracepoint_add_func+0x3b6/0x3f0 |
| Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b |
| RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202 |
| RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000 |
| RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410 |
| RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002 |
| R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001 |
| R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008 |
| FS: 00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000 |
| CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 |
| CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0 |
| Call Trace: |
| <TASK> |
| ? __warn.cold+0xb7/0x14d |
| ? tracepoint_add_func+0x3b6/0x3f0 |
| ? report_bug+0xea/0x170 |
| ? handle_bug+0x58/0x90 |
| ? exc_invalid_op+0x17/0x70 |
| ? asm_exc_invalid_op+0x1a/0x20 |
| ? __pfx_trace_sched_migrate_callback+0x10/0x10 |
| ? tracepoint_add_func+0x3b6/0x3f0 |
| ? __pfx_trace_sched_migrate_callback+0x10/0x10 |
| ? __pfx_trace_sched_migrate_callback+0x10/0x10 |
| tracepoint_probe_register+0x78/0xb0 |
| ? __pfx_trace_sched_migrate_callback+0x10/0x10 |
| osnoise_workload_start+0x2b5/0x370 |
| timerlat_tracer_init+0x76/0x1b0 |
| tracing_set_tracer+0x244/0x400 |
| tracing_set_trace_write+0xa0/0xe0 |
| vfs_write+0xfc/0x570 |
| ? do_sys_openat2+0x9c/0xe0 |
| ksys_write+0x72/0xf0 |
| do_syscall_64+0x79/0x1c0 |
| entry_SYSCALL_64_after_hwframe+0x76/0x7e |
| |
| The Linux kernel CVE team has assigned CVE-2025-21733 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.6.78 with commit ee8c4c39a8f97467d63adfe03bcd45139d8c8b53 |
| Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.12.14 with commit b45707c3c0671d9c49fa7b94c197a508aa55d16f |
| Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.13.3 with commit e482cecd2305be1e3e6a8ee70c9b86c511484f7b |
| Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.14 with commit e3ff4245928f948f3eb2e852aa350b870421c358 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2025-21733 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| kernel/trace/trace_osnoise.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/ee8c4c39a8f97467d63adfe03bcd45139d8c8b53 |
| https://git.kernel.org/stable/c/b45707c3c0671d9c49fa7b94c197a508aa55d16f |
| https://git.kernel.org/stable/c/e482cecd2305be1e3e6a8ee70c9b86c511484f7b |
| https://git.kernel.org/stable/c/e3ff4245928f948f3eb2e852aa350b870421c358 |
