CVE-2024-41004 in Linux
Summary
by MITRE • 07/12/2024
In the Linux kernel, the following vulnerability has been resolved:
tracing: Build event generation tests only as modules
The kprobes and synth event generation test modules add events and lock (get a reference) those event file reference in module init function, and unlock and delete it in module exit function. This is because those are designed for playing as modules.
If we make those modules as built-in, those events are left locked in the kernel, and never be removed. This causes kprobe event self-test failure as below.
[ 97.349708] ------------[ cut here ]------------
[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.357106] Modules linked in:
[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14
[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90
[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286
[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000
[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68
[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000
[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000
[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000
[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0
[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 97.391196] Call Trace:
[ 97.391967]
[ 97.392647] ? __warn+0xcc/0x180
[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.395181] ? report_bug+0xbd/0x150
[ 97.396234] ? handle_bug+0x3e/0x60
[ 97.397311] ? exc_invalid_op+0x1a/0x50
[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20
[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20
[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90
[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.403773] ? init_kprobe_trace+0x50/0x50
[ 97.404972] do_one_initcall+0x112/0x240
[ 97.406113] do_initcall_level+0x95/0xb0
[ 97.407286] ? kernel_init+0x1a/0x1a0
[ 97.408401] do_initcalls+0x3f/0x70
[ 97.409452] kernel_init_freeable+0x16f/0x1e0
[ 97.410662] ? rest_init+0x1f0/0x1f0
[ 97.411738] kernel_init+0x1a/0x1a0
[ 97.412788] ret_from_fork+0x39/0x50
[ 97.413817] ? rest_init+0x1f0/0x1f0
[ 97.414844] ret_from_fork_asm+0x11/0x20
[ 97.416285]
[ 97.417134] irq event stamp: 13437323
[ 97.418376] hardirqs last enabled at (13437337): [] console_unlock+0x11c/0x150
[ 97.421285] hardirqs last disabled at (13437370): [] console_unlock+0x101/0x150
[ 97.423838] softirqs last enabled at (13437366): [] handle_softirqs+0x23f/0x2a0
[ 97.426450] softirqs last disabled at (13437393): [] __irq_exit_rcu+0x66/0xd0
[ 97.428850] ---[ end trace 0000000000000000 ]---
And also, since we can not cleanup dynamic_event file, ftracetest are failed too.
To avoid these issues, build these tests only as modules.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/07/2025
The vulnerability CVE-2024-41004 resides within the Linux kernel's tracing subsystem and specifically affects how kprobes and synthetic event generation tests are compiled and executed. These tests are designed to operate as loadable kernel modules, which allows them to properly acquire and release references to event files during their initialization and cleanup phases. When these modules are instead built directly into the kernel as built-in components, the expected lifecycle management is disrupted. During kernel initialization, the test modules lock event file references in their init functions, but since there is no corresponding exit function execution for built-in modules, these locks persist indefinitely. This leads to resource leaks and prevents proper cleanup of event files, ultimately causing kernel warnings and test failures.
The technical flaw manifests as a failure in the kprobe trace self-test initialization function, where the kernel generates a warning indicating that a reference to a kprobe event remains locked and unreleased. This occurs because the built-in modules do not execute their module exit handlers, which are responsible for unlocking and removing event file references. The error trace points to the function kprobe_trace_self_tests_init located in trace_kprobe.c at line 2133, where the kernel detects that an event is already locked and cannot be properly managed. This behavior violates fundamental kernel resource management principles and results in a persistent lock state that interferes with subsequent kernel operations. The issue is further compounded by the fact that dynamic event files cannot be cleaned up properly, which also breaks ftracetest functionality.
The operational impact of this vulnerability extends beyond simple test failures to potentially destabilize kernel operations and compromise system reliability. When these built-in tests fail to clean up properly, they leave behind locked resources that can interfere with other kernel subsystems that rely on similar event management mechanisms. The failure of kprobe event self-tests can mask underlying issues in kernel tracing capabilities and prevent proper validation of kernel debugging features. Additionally, the inability to properly clean up dynamic event files may lead to resource exhaustion over time, particularly in systems where kernel tracing is heavily utilized. This vulnerability effectively undermines the integrity of kernel tracing infrastructure and can cause cascading failures in systems that depend on kernel-level event monitoring and debugging capabilities.
The recommended mitigation for CVE-2024-41004 involves ensuring that the kprobes and synthetic event generation test modules are compiled as loadable kernel modules rather than being built directly into the kernel. This approach restores the proper module lifecycle management that includes both initialization and cleanup phases, allowing event file references to be properly acquired and released. This solution aligns with the principle of least privilege and proper resource management as outlined in the Common Weakness Enumeration (CWE) category CWE-404, which deals with improper resource release or unbalanced resource management. From an ATT&CK framework perspective, this vulnerability relates to privilege escalation and system stability compromise through improper kernel module handling. The fix essentially prevents the execution of code paths that violate kernel resource management protocols, thereby maintaining system integrity and preventing the accumulation of stale references that could lead to system instability or denial of service conditions.
This vulnerability demonstrates a classic case of improper module lifecycle handling in kernel space, where the assumptions made during module development do not translate properly when modules are compiled as built-ins. The issue highlights the importance of considering all possible compilation modes when developing kernel subsystems, particularly those that manage shared resources. The solution reinforces the principle that kernel subsystems should maintain consistent behavior regardless of whether they are loaded as modules or built-in components, which is a fundamental requirement for kernel stability and security. The fix also emphasizes the critical role of proper resource cleanup in preventing long-term system degradation and maintaining the reliability of kernel tracing mechanisms.