CVE-2026-23088

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/02/2026
Last modified: 04/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix crash on synthetic stacktrace field usage

When creating a synthetic event based on an existing synthetic event that had a stacktrace field, and the new synthetic event used that field, a kernel crash occurred:

~# cd /sys/kernel/tracing
~# echo 's:stack unsigned long stack[];' > dynamic_events
~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger
~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger

The above creates a synthetic event that takes a stacktrace when a task schedules out in a non-running state and passes that stacktrace to the sched_switch event when that task schedules back in. It triggers the "stack" synthetic event that has a stacktrace as its field (called "stack").

~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events
~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger
~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger

The above makes another synthetic event called "syscall_stack" that attaches the first synthetic event (stack) to the sys_exit trace event and records the stacktrace from the stack event with the id of the system call that is exiting.

When enabling this event (or using it in a histogram):

~# echo 1 > events/synthetic/syscall_stack/enable

Produces a kernel crash!

BUG: unable to handle page fault for address: 0000000000400010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:trace_event_raw_event_synth+0x90/0x380
Call Trace:
 ? __tracing_map_insert+0x208/0x3a0
 action_trace+0x67/0x70
 event_hist_trigger+0x633/0x6d0
 event_triggers_call+0x82/0x130
 trace_event_buffer_commit+0x19d/0x250
 trace_event_raw_event_sys_exit+0x62/0xb0
 syscall_exit_work+0x9d/0x140
 do_syscall_64+0x20a/0x2f0
 ? trace_event_raw_event_sched_switch+0x12b/0x170
 ? save_fpregs_to_fpstate+0x3e/0x90
 ? _raw_spin_unlock+0xe/0x30
 ? finish_task_switch.isra.0+0x97/0x2c0
 ? __rseq_handle_notify_resume+0xad/0x4c0
 ? __schedule+0x4b8/0xd00
 ? restore_fpregs_from_fpstate+0x3c/0x90
 ? switch_fpu_return+0x5b/0xe0
 ? do_syscall_64+0x1ef/0x2f0
 ? do_fault+0x2e9/0x540
 ? __handle_mm_fault+0x7d1/0xf70
 ? count_memcg_events+0x167/0x1d0
 ? handle_mm_fault+0x1d7/0x2e0
 ? do_user_addr_fault+0x2c3/0x7f0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The reason is that the stacktrace field is not labeled as such, and is treated as a normal field and not as the dynamic event that it is.

In trace_event_raw_event_synth() the event's field is still treated as a dynamic array, but the retrieval of the data is considered a normal field, and the reference is just the meta data:

// Meta data is retrieved instead of a dynamic array
---truncated---
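As an added defender-side example (not part of the advisory or of the kernel's own code), the following Python parser reads the dynamic_events and hist-trigger syntax shown above, inventories synthetic events that declare a stacktrace field, and flags triggers that feed one such event into another, which is the configuration the advisory says crashes an unpatched kernel once enabled. The sample definitions and triggers are constructed, and the rule that a field declared as `unsigned long <name>[]` is a stacktrace field is assumed from the advisory's definitions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of dynamic_events content: the first two lines mirror the
# advisory's definitions, the third is a synthetic event with no stacktrace field.
SAMPLE_DYNAMIC_EVENTS = """\
s:stack unsigned long stack[];
s:syscall_stack s64 id; unsigned long stack[];
s:latency u64 lat; pid_t pid;
"""
# Constructed hist triggers as read back from events/<system>/<event>/trigger files.
SAMPLE_TRIGGERS = [
    "hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)",
    "hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)",
]
# Matches 'onmatch(synthetic.<source>).trace(<target>' in a hist trigger.
CHAIN_RE = re.compile(r"onmatch\(synthetic\.(\w+)\)\.trace\((\w+)")


def parse_synthetic_events(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each synthetic event ('s:' line) to its ordered (type, name) fields."""
    events: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("s:"):
            continue  # kprobe/uprobe/eprobe definitions are not synthetic events
        name, _, body = line[2:].partition(" ")
        decls = [d.strip() for d in body.split(";") if d.strip()]
        # 'unsigned long stack[]'.rpartition(' ') -> ('unsigned long', ' ', 'stack[]')
        events[name] = [tuple(d.rpartition(" ")[::2]) for d in decls]
    return events


def stacktrace_fields(events: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Keep only events declaring 'unsigned long <name>[]' (assumed stacktrace) fields."""
    out: Dict[str, List[str]] = {}
    for name, fields in events.items():
        stacks = [f[:-2] for t, f in fields if t == "unsigned long" and f.endswith("[]")]
        if stacks:
            out[name] = stacks
    return out


def risky_chains(events, triggers: List[str]) -> List[Tuple[str, str]]:
    """Return (source, target) pairs where a trigger passes a stacktrace-carrying
    synthetic event into another one, the pattern described in the advisory."""
    with_stack = stacktrace_fields(events)
    chains: List[Tuple[str, str]] = []
    for trig in triggers:
        m = CHAIN_RE.search(trig)
        if m and m.group(1) in with_stack and m.group(2) in with_stack:
            chains.append((m.group(1), m.group(2)))
    return chains
```

On a live system, read /sys/kernel/tracing/dynamic_events and the trigger files under events/ in place of the constructed samples to see whether this configuration is present before enabling such an event on a kernel that does not carry the fix.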

Impact