{"id":"AZL-69527","summary":"CVE-2025-21899 affecting package kernel 5.15.200.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix bad hist from corrupting named_triggers list\n\nThe following commands causes a crash:\n\n ~# cd /sys/kernel/tracing/events/rcu/rcu_callback\n ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' \u003e trigger\n bash: echo: write error: Invalid argument\n ~# echo 'hist:name=bad:keys=common_pid' \u003e trigger\n\nBecause the following occurs:\n\nevent_trigger_write() {\n  trigger_process_regex() {\n    event_hist_trigger_parse() {\n\n      data = event_trigger_alloc(..);\n\n      event_trigger_register(.., data) {\n        cmd_ops-\u003ereg(.., data, ..) [hist_register_trigger()] {\n          data-\u003eops-\u003einit() [event_hist_trigger_init()] {\n            save_named_trigger(name, data) {\n              list_add(&data-\u003enamed_list, &named_triggers);\n            }\n          }\n        }\n      }\n\n      ret = create_actions(); (return -EINVAL)\n      if (ret)\n        goto out_unreg;\n[..]\n      ret = hist_trigger_enable(data, ...) {\n        list_add_tail_rcu(&data-\u003elist, &file-\u003etriggers); \u003c\u003c\u003c---- SKIPPED!!! (this is important!)\n[..]\n out_unreg:\n      event_hist_unregister(.., data) {\n        cmd_ops-\u003eunreg(.., data, ..) [hist_unregister_trigger()] {\n          list_for_each_entry(iter, &file-\u003etriggers, list) {\n            if (!hist_trigger_match(data, iter, named_data, false))   \u003c- never matches\n                continue;\n            [..]\n            test = iter;\n          }\n          if (test && test-\u003eops-\u003efree) \u003c\u003c\u003c-- test is NULL\n\n            test-\u003eops-\u003efree(test) [event_hist_trigger_free()] {\n              [..]\n              if (data-\u003ename)\n                del_named_trigger(data) {\n                  list_del(&data-\u003enamed_list);  \u003c\u003c\u003c\u003c-- NEVER gets removed!\n                }\n              }\n           }\n         }\n\n         [..]\n         kfree(data); \u003c\u003c\u003c-- frees item but it is still on list\n\nThe next time a hist with name is registered, it causes an u-a-f bug and\nthe kernel can crash.\n\nMove the code around such that if event_trigger_register() succeeds, the\nnext thing called is hist_trigger_enable() which adds it to the list.\n\nA bunch of actions is called if get_named_trigger_data() returns false.\nBut that doesn't need to be called after event_trigger_register(), so it\ncan be moved up, allowing event_trigger_register() to be called just\nbefore hist_trigger_enable() keeping them together and allowing the\nfile-\u003etriggers to be properly populated.","modified":"2026-04-01T05:21:35.530589Z","published":"2025-04-01T16:15:20Z","upstream":["CVE-2025-21899"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21899"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"5.15.200.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69527.json"}}],"schema_version":"1.7.5"}