In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix use-after-free in print_graph_function_flags during tracer switching
Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced by putting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script:

  $ echo function_graph > current_tracer
  $ cat trace > /dev/null &
  $ sleep 5  # Ensure the 'cat' reaches the 'mdelay(10)' point
  $ echo timerlat > current_tracer
The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show():

  * One through 'iter->trace->print_line()';
  * Another through 'event->funcs->trace()', reached before print_trace_line returns.

Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags.
Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'.
To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers.
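The following is an added userspace model of the bug pattern and its fix; it is not kernel code and not part of the original advisory. It assumes a simplified 'trace_iterator' with a 'trace' pointer and a 'private' pointer, a stand-in for the unrebound 'event->funcs->trace()' path (named graph_event_trace here), and a poisoning pool allocator in place of kmalloc/kfree so that a stale read is reported deterministically instead of being undefined behaviour. The buggy close frees 'iter->private' and leaves the dangling pointer; the fixed close clears it, which lets the existing NULL check in the event path skip safely after a tracer switch.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the tracer-switch UAF; names and layout are assumptions. */

#define LIVE_MAGIC  0x4c495645u
#define FREED_MAGIC 0xdeadbeefu   /* poison written on release so stale reads are detectable */
#define POOL_SIZE   8

struct fgraph_data {
    unsigned int magic;
    int depth;
};

struct trace_iterator;

struct tracer {
    const char *name;
    int  (*print_line)(struct trace_iterator *iter);
    void (*close)(struct trace_iterator *iter);
};

struct trace_iterator {
    struct tracer *trace;   /* rebound on tracer switch */
    void *private;          /* owned by the tracer that opened the iterator */
};

/* Tiny fixed pool standing in for kmalloc/kfree: freeing poisons the block
 * instead of releasing it, so the model flags stale access without UB. */
static struct fgraph_data pool[POOL_SIZE];
static int pool_next;

static struct fgraph_data *pool_alloc(void)
{
    if (pool_next >= POOL_SIZE)
        return NULL;
    struct fgraph_data *d = &pool[pool_next++];
    d->magic = LIVE_MAGIC;
    d->depth = 0;
    return d;
}

static void pool_free(struct fgraph_data *d)
{
    d->magic = FREED_MAGIC;
}

/* Stand-in for the event->funcs->trace() path: it is not rebound on tracer
 * switch, so it keeps interpreting iter->private as function_graph data.
 * Returns 1 on a live read, 0 when it correctly skips a NULL private,
 * and -1 when it observes poisoned (already freed) memory. */
static int graph_event_trace(struct trace_iterator *iter)
{
    struct fgraph_data *data = iter->private;
    if (!data)
        return 0;                       /* NULL check protects this path */
    if (data->magic != LIVE_MAGIC)
        return -1;                      /* use-after-free observed */
    data->depth++;
    return 1;
}

static int graph_print_line(struct trace_iterator *iter) { return graph_event_trace(iter); }
static int timerlat_print_line(struct trace_iterator *iter) { (void)iter; return 1; }

/* Before the fix: free the private data but leave the dangling pointer behind. */
static void graph_close_buggy(struct trace_iterator *iter)
{
    pool_free(iter->private);
}

/* After the fix: clear the pointer immediately after freeing it. */
static void graph_close_fixed(struct trace_iterator *iter)
{
    pool_free(iter->private);
    iter->private = NULL;
}

static struct tracer timerlat = { "timerlat", timerlat_print_line, NULL };

/* Open an iterator under function_graph, switch to timerlat (s_start calls the
 * old tracer's close), then run the next s_show() through both print paths.
 * Returns the result of the unrebound event path: -1 = UAF, 0 = safely skipped. */
static int simulate_switch(void (*graph_close)(struct trace_iterator *))
{
    struct tracer graph = { "function_graph", graph_print_line, graph_close };
    struct trace_iterator iter = { &graph, pool_alloc() };

    graph.print_line(&iter);            /* a normal s_show() while function_graph is active */

    iter.trace->close(&iter);           /* tracer switch: old tracer releases iter->private */
    iter.trace = &timerlat;             /* only iter->trace is rebound... */

    iter.trace->print_line(&iter);      /* the new tracer's print_line is fine */
    return graph_event_trace(&iter);    /* ...the event path still treats private as graph data */
}

int main(void)
{
    printf("buggy close: %d\n", simulate_switch(graph_close_buggy));   /* -1: stale read */
    printf("fixed close: %d\n", simulate_switch(graph_close_fixed));   /*  0: skipped safely */
    return 0;
}
```

The point the model makes is that nulling after free is not cosmetic here: the second consumer already guards against a NULL 'iter->private', so clearing the pointer converts a dangling read into the existing skip path, whereas the freed-but-dangling pointer satisfies the check and is dereferenced.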
[1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/