Wind River Support Network

Acknowledged

LIN1022-19164 : Security Advisory - linux - CVE-2025-40042

Created: Oct 29, 2025    Updated: Oct 30, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix race condition in kprobe initialization causing NULL pointer dereference

There is a critical race condition in kprobe initialization that can lead to
NULL pointer dereference and kernel crash.

[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000
...
[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)
[1135630.269239] pc : kprobe_perf_func+0x30/0x260
[1135630.277643] lr : kprobe_dispatcher+0x44/0x60
[1135630.286041] sp : ffffaeff4977fa40
[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400
[1135630.302837] x27: 0000000000000000 x26: 0000000000000000
[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528
[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50
[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50
[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000
[1135630.349985] x17: 0000000000000000 x16: 0000000000000000
[1135630.359285] x15: 0000000000000000 x14: 0000000000000000
[1135630.368445] x13: 0000000000000000 x12: 0000000000000000
[1135630.377473] x11: 0000000000000000 x10: 0000000000000000
[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000
[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000
[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000
[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006
[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000
[1135630.429410] Call trace:
[1135630.434828]  kprobe_perf_func+0x30/0x260
[1135630.441661]  kprobe_dispatcher+0x44/0x60
[1135630.448396]  aggr_pre_handler+0x70/0xc8
[1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0
[1135630.462435]  brk_handler+0xbc/0xd8
[1135630.468437]  do_debug_exception+0x84/0x138
[1135630.475074]  el1_dbg+0x18/0x8c
[1135630.480582]  security_file_permission+0x0/0xd0
[1135630.487426]  vfs_write+0x70/0x1c0
[1135630.493059]  ksys_write+0x5c/0xc8
[1135630.498638]  __arm64_sys_write+0x24/0x30
[1135630.504821]  el0_svc_common+0x78/0x130
[1135630.510838]  el0_svc_handler+0x38/0x78
[1135630.516834]  el0_svc+0x8/0x1b0

kernel/trace/trace_kprobe.c: 1308
0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120]
include/linux/compiler.h: 294
0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]

kernel/trace/trace_kprobe.c
1308: head = this_cpu_ptr(call->perf_events);
1309: if (hlist_empty(head))
1310: 	return 0;

crash> struct trace_event_call -o
struct trace_event_call {
  ...
  [120] struct hlist_head *perf_events;  //(call->perf_event)
  ...
}

crash> struct trace_event_call ffffaf015340e528
struct trace_event_call {
  ...
  perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0
  ...
}

Race Condition Analysis:

The race occurs between kprobe activation and perf_events initialization:

  CPU0                                    CPU1
  ====                                    ====
  perf_kprobe_init
    perf_trace_event_init
      tp_event->perf_events = list;(1)
      tp_event->class->reg (2)← KPROBE ACTIVE
                                          Debug exception triggers
                                          ...
                                          kprobe_dispatcher
                                            kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)
                                              head = this_cpu_ptr(call->perf_events)(3)
                                              (perf_events is still NULL)

Problem:
1. CPU0 executes (1) assigning tp_event->perf_events = list
2. CPU0 executes (2) enabling kprobe functionality via class->reg()
3. CPU1 triggers and reaches kprobe_dispatcher
4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)
5. CPU1 calls kprobe_perf_func() and crashes at (3) because
   call->perf_events is still NULL

CPU1 sees that kprobe functionality is enabled but does not see that
perf_events has been assigned.

Add pairing read an
---truncated---
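The ordering bug in the CPU0/CPU1 diagram above, modelled in userspace as an added example. This is not the kernel's code and not the upstream fix; tp_model, cpu0_publish, cpu1_dispatch and run_race are hypothetical stand-ins for the kernel functions named in the trace. The publisher stores the perf_events pointer and then sets TP_FLAG_PROFILE, the (1)/(2) order from the commit message; the consumer spins until it sees the flag and then loads the pointer, as kprobe_perf_func does at (3). With paired set to false both sides use relaxed atomics, so a weakly ordered CPU such as the arm64 machine in the dump may make the flag visible before the pointer. With paired set to true the flag is published with a release store and read with an acquire load, the kind of read/write pairing the truncated last line of the commit message points at: a consumer that observes the flag is then guaranteed to also observe the pointer. Two things a practitioner should take from the register dump: the unpaired run only exposes the bug on hardware that actually reorders the two stores, and not deterministically, so a zero count from it proves nothing; and the faulting address (x0 = x3 = 0000710a04630000 with x21 = 0) is consistent with the per-CPU offset applied to a NULL base, so this_cpu_ptr(NULL) is not NULL and a NULL check on head after line 1308 would not have caught it either.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for kernel names; a userspace model, not
 * kernel/trace/trace_kprobe.c. */
#define TP_FLAG_PROFILE 0x2

struct hlist_head { void *first; };

struct tp_model {
    _Atomic(struct hlist_head *) perf_events; /* models tp_event->perf_events */
    atomic_uint flags;                          /* models tk->tp.flags */
    bool paired;                                /* use release/acquire pairing */
    bool saw_null;                              /* consumer reached (3) with NULL */
};

static struct hlist_head g_list; /* constructed stand-in for the per-CPU list */

/* CPU0 side: perf_trace_event_init does (1) assign perf_events, then
 * (2) class->reg(), which is what makes the probe look active. */
static void *cpu0_publish(void *arg)
{
    struct tp_model *tp = arg;
    atomic_store_explicit(&tp->perf_events, &g_list, memory_order_relaxed); /* (1) */
    /* Unpaired: (1) and (2) may become visible to the other CPU in either
     * order. Paired: the release store orders (1) before (2). */
    atomic_fetch_or_explicit(&tp->flags, TP_FLAG_PROFILE,
                             tp->paired ? memory_order_release
                                        : memory_order_relaxed);              /* (2) */
    return NULL;
}

/* CPU1 side: kprobe_dispatcher -> kprobe_perf_func once TP_FLAG_PROFILE is seen. */
static void *cpu1_dispatch(void *arg)
{
    struct tp_model *tp = arg;
    memory_order mo = tp->paired ? memory_order_acquire : memory_order_relaxed;
    while (!(atomic_load_explicit(&tp->flags, mo) & TP_FLAG_PROFILE))
        ; /* wait for "probe enabled", like the breakpoint firing after (2) */
    struct hlist_head *head =
        atomic_load_explicit(&tp->perf_events, memory_order_relaxed);        /* (3) */
    if (head == NULL)
        tp->saw_null = true; /* the kernel would fault on this_cpu_ptr(NULL) here */
    return NULL;
}

/* Runs the two sides `rounds` times and returns how many rounds reached (3)
 * with perf_events still NULL; with paired == true this must be 0.
 * Returns -1 if a thread could not be created. */
int run_race(int rounds, bool paired)
{
    int nulls = 0;
    for (int i = 0; i < rounds; i++) {
        struct tp_model tp = { .paired = paired, .saw_null = false };
        atomic_init(&tp.perf_events, NULL);
        atomic_init(&tp.flags, 0);
        pthread_t t0, t1;
        if (pthread_create(&t1, NULL, cpu1_dispatch, &tp) != 0)
            return -1;
        if (pthread_create(&t0, NULL, cpu0_publish, &tp) != 0) {
            /* let the consumer finish so the stack frame stays valid */
            atomic_fetch_or_explicit(&tp.flags, TP_FLAG_PROFILE, memory_order_release);
            pthread_join(t1, NULL);
            return -1;
        }
        pthread_join(t0, NULL);
        pthread_join(t1, NULL);
        if (tp.saw_null)
            nulls++;
    }
    return nulls;
}

int main(void)
{
    printf("unpaired: %d rounds saw perf_events == NULL\n", run_race(2000, false));
    printf("paired:   %d rounds saw perf_events == NULL\n", run_race(2000, true));
    return 0;
}
```

The model keeps the consumer's own pointer load relaxed on purpose: the acquire on the flag load is what orders it, which matches where the pairing belongs in the kernel (on the flag/perf_events handoff, not on every read inside kprobe_perf_func). Build with a C11 compiler; on glibc 2.34 or newer no -lpthread is needed, older toolchains want it.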