CVE-2025-39914 (GCVE-0-2025-39914)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-10-01 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Silence warning when chunk allocation fails in trace_pid_write
Syzkaller trigger a fault injection warning:
WARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0
Modules linked in:
CPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0
Tainted: [U]=USER
Hardware name: Google Compute Engine/Google Compute Engine
RIP: 0010:tracepoint_add_func+0xbfc/0xeb0 kernel/tracepoint.c:294
Code: 09 fe ff 90 0f 0b 90 0f b6 74 24 43 31 ff 41 bc ea ff ff ff
RSP: 0018:ffffc9000414fb48 EFLAGS: 00010283
RAX: 00000000000012a1 RBX: ffffffff8e240ae0 RCX: ffffc90014b78000
RDX: 0000000000080000 RSI: ffffffff81bbd78b RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffffffffffef
R13: 0000000000000000 R14: dffffc0000000000 R15: ffffffff81c264f0
FS: 00007f27217f66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e80dff8 CR3: 00000000268f8000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tracepoint_probe_register_prio+0xc0/0x110 kernel/tracepoint.c:464
register_trace_prio_sched_switch include/trace/events/sched.h:222 [inline]
register_pid_events kernel/trace/trace_events.c:2354 [inline]
event_pid_write.isra.0+0x439/0x7a0 kernel/trace/trace_events.c:2425
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
We can reproduce the warning by following the steps below:
1. echo 8 >> set_event_notrace_pid. Let tr->filtered_pids owns one pid
and register sched_switch tracepoint.
2. echo ' ' >> set_event_pid, and perform fault injection during chunk
allocation of trace_pid_list_alloc. Let pid_list with no pid and
assign to tr->filtered_pids.
3. echo ' ' >> set_event_pid. Let pid_list is NULL and assign to
tr->filtered_pids.
4. echo 9 >> set_event_pid, will trigger the double register
sched_switch tracepoint warning.
The reason is that syzkaller injects a fault into the chunk allocation
in trace_pid_list_alloc, causing a failure in trace_pid_list_set, which
may trigger double register of the same tracepoint. This only occurs
when the system is about to crash, but to suppress this warning, let's
add failure handling logic to trace_pid_list_set.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7583a73c53f1d1ae7a39b130eb7190a11f0a902f",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "1262bda871dace8c6efae25f3b6a2d34f6f06d54",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "88525accf16947ab459f8e91c27c8c53e1d612d7",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "793338906ff57d8c683f44fe48ca99d49c8782a7",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "cd4453c5e983cf1fd5757e9acb915adb1e4602b6",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Silence warning when chunk allocation fails in trace_pid_write\n\nSyzkaller trigger a fault injection warning:\n\nWARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0\nModules linked in:\nCPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0\nTainted: [U]=USER\nHardware name: Google Compute Engine/Google Compute Engine\nRIP: 0010:tracepoint_add_func+0xbfc/0xeb0 kernel/tracepoint.c:294\nCode: 09 fe ff 90 0f 0b 90 0f b6 74 24 43 31 ff 41 bc ea ff ff ff\nRSP: 0018:ffffc9000414fb48 EFLAGS: 00010283\nRAX: 00000000000012a1 RBX: ffffffff8e240ae0 RCX: ffffc90014b78000\nRDX: 0000000000080000 RSI: ffffffff81bbd78b RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffffffffffef\nR13: 0000000000000000 R14: dffffc0000000000 R15: ffffffff81c264f0\nFS: 00007f27217f66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2e80dff8 CR3: 00000000268f8000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tracepoint_probe_register_prio+0xc0/0x110 kernel/tracepoint.c:464\n register_trace_prio_sched_switch include/trace/events/sched.h:222 [inline]\n register_pid_events kernel/trace/trace_events.c:2354 [inline]\n event_pid_write.isra.0+0x439/0x7a0 kernel/trace/trace_events.c:2425\n vfs_write+0x24c/0x1150 fs/read_write.c:677\n ksys_write+0x12b/0x250 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe can reproduce the warning by following the steps below:\n1. echo 8 \u003e\u003e set_event_notrace_pid. Let tr-\u003efiltered_pids owns one pid\n and register sched_switch tracepoint.\n2. echo \u0027 \u0027 \u003e\u003e set_event_pid, and perform fault injection during chunk\n allocation of trace_pid_list_alloc. Let pid_list with no pid and\nassign to tr-\u003efiltered_pids.\n3. echo \u0027 \u0027 \u003e\u003e set_event_pid. Let pid_list is NULL and assign to\n tr-\u003efiltered_pids.\n4. echo 9 \u003e\u003e set_event_pid, will trigger the double register\n sched_switch tracepoint warning.\n\nThe reason is that syzkaller injects a fault into the chunk allocation\nin trace_pid_list_alloc, causing a failure in trace_pid_list_set, which\nmay trigger double register of the same tracepoint. This only occurs\nwhen the system is about to crash, but to suppress this warning, let\u0027s\nadd failure handling logic to trace_pid_list_set."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:37.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7583a73c53f1d1ae7a39b130eb7190a11f0a902f"
},
{
"url": "https://git.kernel.org/stable/c/1262bda871dace8c6efae25f3b6a2d34f6f06d54"
},
{
"url": "https://git.kernel.org/stable/c/88525accf16947ab459f8e91c27c8c53e1d612d7"
},
{
"url": "https://git.kernel.org/stable/c/793338906ff57d8c683f44fe48ca99d49c8782a7"
},
{
"url": "https://git.kernel.org/stable/c/cd4453c5e983cf1fd5757e9acb915adb1e4602b6"
}
],
"title": "tracing: Silence warning when chunk allocation fails in trace_pid_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39914",
"datePublished": "2025-10-01T07:44:37.018Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T07:44:37.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-39914\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-01T08:15:34.520\",\"lastModified\":\"2025-10-02T19:12:17.160\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Silence warning when chunk allocation fails in trace_pid_write\\n\\nSyzkaller trigger a fault injection warning:\\n\\nWARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0\\nModules linked in:\\nCPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0\\nTainted: [U]=USER\\nHardware name: Google Compute Engine/Google Compute Engine\\nRIP: 0010:tracepoint_add_func+0xbfc/0xeb0 kernel/tracepoint.c:294\\nCode: 09 fe ff 90 0f 0b 90 0f b6 74 24 43 31 ff 41 bc ea ff ff ff\\nRSP: 0018:ffffc9000414fb48 EFLAGS: 00010283\\nRAX: 00000000000012a1 RBX: ffffffff8e240ae0 RCX: ffffc90014b78000\\nRDX: 0000000000080000 RSI: ffffffff81bbd78b RDI: 0000000000000001\\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffffffffffef\\nR13: 0000000000000000 R14: dffffc0000000000 R15: ffffffff81c264f0\\nFS: 00007f27217f66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000001b2e80dff8 CR3: 00000000268f8000 CR4: 00000000003526f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \u003cTASK\u003e\\n tracepoint_probe_register_prio+0xc0/0x110 kernel/tracepoint.c:464\\n register_trace_prio_sched_switch include/trace/events/sched.h:222 [inline]\\n register_pid_events kernel/trace/trace_events.c:2354 [inline]\\n event_pid_write.isra.0+0x439/0x7a0 kernel/trace/trace_events.c:2425\\n vfs_write+0x24c/0x1150 fs/read_write.c:677\\n ksys_write+0x12b/0x250 fs/read_write.c:731\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nWe can reproduce the warning by following the steps below:\\n1. echo 8 \u003e\u003e set_event_notrace_pid. Let tr-\u003efiltered_pids owns one pid\\n and register sched_switch tracepoint.\\n2. echo \u0027 \u0027 \u003e\u003e set_event_pid, and perform fault injection during chunk\\n allocation of trace_pid_list_alloc. Let pid_list with no pid and\\nassign to tr-\u003efiltered_pids.\\n3. echo \u0027 \u0027 \u003e\u003e set_event_pid. Let pid_list is NULL and assign to\\n tr-\u003efiltered_pids.\\n4. echo 9 \u003e\u003e set_event_pid, will trigger the double register\\n sched_switch tracepoint warning.\\n\\nThe reason is that syzkaller injects a fault into the chunk allocation\\nin trace_pid_list_alloc, causing a failure in trace_pid_list_set, which\\nmay trigger double register of the same tracepoint. This only occurs\\nwhen the system is about to crash, but to suppress this warning, let\u0027s\\nadd failure handling logic to trace_pid_list_set.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1262bda871dace8c6efae25f3b6a2d34f6f06d54\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7583a73c53f1d1ae7a39b130eb7190a11f0a902f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/793338906ff57d8c683f44fe48ca99d49c8782a7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/88525accf16947ab459f8e91c27c8c53e1d612d7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cd4453c5e983cf1fd5757e9acb915adb1e4602b6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…