CVE-2025-39813
EUVD-2025-2960116.09.2025, 13:15
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
When calling ftrace_dump_one() concurrently with reading trace_pipe,
a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race
condition.
The issue occurs because:
CPU0 (ftrace_dump) CPU1 (reader)
echo z > /proc/sysrq-trigger
!trace_empty(&iter)
trace_iterator_reset(&iter) <- len = size = 0
cat /sys/kernel/tracing/trace_pipe
trace_find_next_entry_inc(&iter)
__find_next_entry
ring_buffer_empty_cpu <- all empty
return NULL
trace_printk_seq(&iter.seq)
WARN_ON_ONCE(s->seq.len >= s->seq.size)
In the context between trace_empty() and trace_find_next_entry_inc()
during ftrace_dump, the ring buffer data was consumed by other readers.
This caused trace_find_next_entry_inc to return NULL, failing to populate
`iter.seq`. At this point, due to the prior trace_iterator_reset, both
`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,
the WARN_ON_ONCE condition is triggered.
Move the trace_printk_seq() into the if block that checks to make sure the
return value of trace_find_next_entry_inc() is non-NULL in
ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before
subsequent operations.Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 2.6.28 ≤ 𝑥 < 5.4.298 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.242 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.191 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.150 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.104 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.45 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.16.5 |
| linux | linux_kernel | 6.17:rc1 |
| linux | linux_kernel | 6.17:rc2 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Debian Releases
References