CVE-2025-38285

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix WARN() in get_bpf_raw_tp_regs<br /> <br /> syzkaller reported an issue:<br /> <br /> WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861<br /> Modules linked in:<br /> CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861<br /> RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c<br /> RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005<br /> RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003<br /> R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004<br /> R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900<br /> FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]<br /> bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931<br /> bpf_prog_ec3b2eefa702d8d3+0x43/0x47<br /> bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]<br /> __bpf_prog_run include/linux/filter.h:718 [inline]<br /> bpf_prog_run include/linux/filter.h:725 [inline]<br /> __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]<br /> bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405<br /> __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47<br /> __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47<br /> __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]<br /> trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]<br /> __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35<br /> __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]<br /> mmap_read_trylock include/linux/mmap_lock.h:204 [inline]<br /> stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157<br /> __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483<br /> ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]<br /> bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496<br /> ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]<br /> bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931<br /> bpf_prog_ec3b2eefa702d8d3+0x43/0x47<br /> <br /> Tracepoint like trace_mmap_lock_acquire_returned may cause nested call<br /> as the corner case show above, which will be resolved with more general<br /> method in the future. As a result, WARN_ON_ONCE will be triggered. As<br /> Alexei suggested, remove the WARN_ON_ONCE first.