{"id":"CVE-2025-21899","summary":"tracing: Fix bad hist from corrupting named_triggers list","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix bad hist from corrupting named_triggers list\n\nThe following commands cause a crash:\n\n ~# cd /sys/kernel/tracing/events/rcu/rcu_callback\n ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' \u003e trigger\n bash: echo: write error: Invalid argument\n ~# echo 'hist:name=bad:keys=common_pid' \u003e trigger\n\nBecause the following occurs:\n\nevent_trigger_write() {\n  trigger_process_regex() {\n    event_hist_trigger_parse() {\n\n      data = event_trigger_alloc(..);\n\n      event_trigger_register(.., data) {\n        cmd_ops-\u003ereg(.., data, ..) [hist_register_trigger()] {\n          data-\u003eops-\u003einit() [event_hist_trigger_init()] {\n            save_named_trigger(name, data) {\n              list_add(&data-\u003enamed_list, &named_triggers);\n            }\n          }\n        }\n      }\n\n      ret = create_actions(); (return -EINVAL)\n      if (ret)\n        goto out_unreg;\n[..]\n      ret = hist_trigger_enable(data, ...) {\n        list_add_tail_rcu(&data-\u003elist, &file-\u003etriggers); \u003c\u003c\u003c---- SKIPPED!!! (this is important!)\n[..]\n out_unreg:\n      event_hist_unregister(.., data) {\n        cmd_ops-\u003eunreg(.., data, ..) 
[hist_unregister_trigger()] {\n          list_for_each_entry(iter, &file-\u003etriggers, list) {\n            if (!hist_trigger_match(data, iter, named_data, false))   \u003c- never matches\n                continue;\n            [..]\n            test = iter;\n          }\n          if (test && test-\u003eops-\u003efree) \u003c\u003c\u003c-- test is NULL\n\n            test-\u003eops-\u003efree(test) [event_hist_trigger_free()] {\n              [..]\n              if (data-\u003ename)\n                del_named_trigger(data) {\n                  list_del(&data-\u003enamed_list);  \u003c\u003c\u003c\u003c-- NEVER gets removed!\n                }\n              }\n           }\n         }\n\n         [..]\n         kfree(data); \u003c\u003c\u003c-- frees item but it is still on list\n\nThe next time a hist with name is registered, it causes a u-a-f bug and\nthe kernel can crash.\n\nMove the code around such that if event_trigger_register() succeeds, the\nnext thing called is hist_trigger_enable() which adds it to the list.\n\nA bunch of actions is called if get_named_trigger_data() returns false.\nBut that doesn't need to be called after event_trigger_register(), so it\ncan be moved up, allowing event_trigger_register() to be called just\nbefore hist_trigger_enable() keeping them together and allowing the\nfile-\u003etriggers to be properly 
populated.","modified":"2026-04-02T12:45:16.420236Z","published":"2025-04-01T15:26:50.791Z","related":["SUSE-SU-2025:02249-1","SUSE-SU-2025:02254-1","SUSE-SU-2025:02307-1","SUSE-SU-2025:02333-1","SUSE-SU-2025:02335-1","SUSE-SU-2025:02538-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:20475-1","SUSE-SU-2025:20483-1","SUSE-SU-2025:20493-1","SUSE-SU-2025:20498-1","USN-7521-2"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21899.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/435d2964af815aae456db554c62963b4515f19d0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/43b254d46c740bf9dbe65709afa021dd726dfa99"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5ae1b18f05ee2b849dc03b6c15d7da0c1c6efa77"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6f86bdeab633a56d5c6dccf1a2c5989b6a5e323e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f1ae50cfb818ce1ac7a674406dfadb7653e2552d"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21899.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21899"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"067fe038e70f6e64960d26a79c4df5f1413d0f13"},{"fixed":"5ae1b18f05ee2b849dc03b6c15d7da0c1c6efa77"},{"fixed":"43b254d46c740bf9dbe65709afa021dd726dfa99"},{"fixed":"435d2964af815aae456db554c62963b4515f19d0"},{"fixed":"f1ae50cfb818ce1ac7a674406dfadb7653e2552d"},{"fixed":"6f86bdeab633a56d5c6dccf1a2c5989b6a5e323e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21899.json"}}],"schema_version":"1.7.5"}