CVE-2025-22069 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler
Naresh Kamboju reported a "Bad frame pointer" kernel warning while running LTP trace ftrace_stress_test.sh in riscv. We can reproduce the same issue with the following command:
```
$ cd /sys/kernel/debug/tracing
$ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events
$ echo 1 > events/fprobes/enable
$ echo 1 > tracing_on
$ sleep 1
```
And we can get the following kernel warning:
[ 127.692888] ------------[ cut here ]------------
[ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000
[ 127.693755] from func do_nanosleep return to ffffffff800ccb16
[ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be
[ 127.699894] Modules linked in:
[ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32
[ 127.701453] Hardware name: riscv-virtio,qemu (DT)
[ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be
[ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be
[ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10
[ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000
[ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80
[ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20
[ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000
[ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038
[ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0
[ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068
[ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001
[ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e
[ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18
[ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
[ 127.703292] [<ffffffff8013b5e0>] ftrace_return_to_handler+0x1b2/0x1be
[ 127.703760] [<ffffffff80017bce>] return_to_handler+0x16/0x26
[ 127.704009] [<ffffffff80017bb8>] return_to_handler+0x0/0x26
[ 127.704057] [<ffffffff800d3352>] common_nsleep+0x42/0x54
[ 127.704117] [<ffffffff800d44a2>] __riscv_sys_clock_nanosleep+0xba/0x10a
[ 127.704176] [<ffffffff80901c56>] do_trap_ecall_u+0x188/0x218
[ 127.704295] [<ffffffff8090cc3e>] handle_exception+0x14a/0x156
[ 127.705436] ---[ end trace 0000000000000000 ]---
The reason is that the stack layout for constructing argument for the ftrace_return_to_handler in the return_to_handler does not match the __arch_ftrace_regs structure of riscv, leading to unexpected results.
Analysis
by VulDB Data Team • 02/15/2026
CVE-2025-22069 records a stack layout inconsistency in the Linux kernel's ftrace function-graph (fgraph) implementation on the RISC-V architecture. It surfaces as a "Bad frame pointer" kernel warning when a traced function returns, which signals that the stack frame the return trampoline hands to the C handler does not have the structure the handler expects. On RISC-V, return_to_handler must lay out the saved registers on the stack exactly as the __arch_ftrace_regs structure describes them, because ftrace_return_to_handler reads the frame through that structure. When the two disagree, the handler picks up the wrong saved register as the frame pointer, the frame-pointer sanity check fails, and the kernel warns and stops the graph tracer, leaving the tracing or profiling session unreliable.
The flaw is in how return_to_handler builds the argument it passes to ftrace_return_to_handler. The register save sequence in the RISC-V trampoline writes the saved registers to stack offsets that do not line up with the fields of __arch_ftrace_regs, so when the C handler reads the frame-pointer field it gets whatever the trampoline stored at that offset. The fgraph frame-pointer test then compares that value against the frame pointer recorded on the shadow return stack at function entry; here the expected ff2000000065be50 did not match the received ba34c141e9594000. The received value is exactly the contents of s2 in the register dump, which is consistent with the handler reading a stack slot that the trampoline filled with a different register than the structure expects. The report triggers the mismatch with a single fprobe return probe on do_nanosleep installed through dynamic_events, the path that LTP's ftrace_stress_test.sh exercises.
The practical impact is confined to RISC-V kernels on which the function-graph return path is used, that is, the function_graph tracer, fprobe return probes and the dynamic events built on them. Once the check fires, the kernel warns, the graph tracer is stopped, and trace data collected through that path cannot be trusted, so debugging, profiling and monitoring workloads that depend on return tracing are disrupted. Installing these probes requires write access to tracefs, which is limited to root by default, so this is a robustness defect in privileged tracing workflows rather than an unprivileged attack surface; no impact beyond the warning and the disrupted trace session is described in the report.
The fix adjusts the stack layout that return_to_handler constructs so that it matches __arch_ftrace_regs field for field, keeping the frame pointer and every other saved register at the offset the C handler reads. Kernels carrying the commit "riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler" are fixed; administrators of RISC-V systems that use ftrace for debugging, profiling or monitoring should update to such a kernel. A quick check on an updated kernel is to repeat the reproduction above and confirm that no "Bad frame pointer" warning appears in dmesg. On classification: the CWE-264 (Permissions, Privileges, and Access Controls) and ATT&CK T1059 (Command and Scripting Interpreter) labels attached to this entry describe neither the cause nor the effect. The defect is a layout mismatch between assembly and C in the tracing path and involves no permissions or command-execution component.
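As an added illustration (not kernel code and not the patch itself), the following C model shows why the layout mismatch described above produces the warning and what the fix has to guarantee. A trampoline that fills stack slots in an order that drifted from the struct hands the C handler a different saved register as the frame pointer, while a trampoline whose slot indices are derived from the struct (as the kernel does with asm-offsets) passes the check. The struct model_ftrace_regs, the register set and the trampolines are simplified stand-ins for RISC-V's __arch_ftrace_regs and return_to_handler; all register values are constructed, with s0 and s2 reusing the expected/received pair from the report.

```c
/*
 * Model of the fgraph return-path frame-pointer check and of the layout
 * contract between an assembly trampoline and the C handler that reads the
 * frame. Illustrative only: the register set, struct and trampolines are
 * simplified stand-ins for RISC-V's __arch_ftrace_regs and return_to_handler,
 * not kernel code. All register values below are constructed.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical register block; its field order is the contract the trampoline must honour. */
struct model_ftrace_regs {
    uint64_t epc;
    uint64_t ra;
    uint64_t sp;
    uint64_t s0;   /* frame pointer on RISC-V */
    uint64_t a0;   /* first argument / return value */
};

#define NSLOTS (sizeof(struct model_ftrace_regs) / sizeof(uint64_t))
/* Stack slot of a field, derived from the struct the way asm-offsets derives FREGS_* constants. */
#define SLOT(field) (offsetof(struct model_ftrace_regs, field) / sizeof(uint64_t))

/* Register values at the moment of return (constructed, patterned on the report's dump). */
struct cpu_state { uint64_t epc, ra, sp, s0, a0, s2; };

/* Entry pushed on the shadow return stack at function entry. */
struct ret_stack_entry { uint64_t ret; uint64_t fp; };

/* Buggy trampoline: hard-coded slot order that drifted from the struct.
 * The callee-saved s2 lands in the slot the C side reads as s0. */
void trampoline_mismatched(uint64_t frame[], const struct cpu_state *c)
{
    frame[0] = c->epc;
    frame[1] = c->ra;
    frame[2] = c->sp;
    frame[3] = c->s2;   /* wrong register where s0 belongs */
    frame[4] = c->s0;   /* s0 ends up where a0 belongs */
}

/* Fixed trampoline: every slot index comes from the struct definition. */
void trampoline_matched(uint64_t frame[], const struct cpu_state *c)
{
    frame[SLOT(epc)] = c->epc;
    frame[SLOT(ra)]  = c->ra;
    frame[SLOT(sp)]  = c->sp;
    frame[SLOT(s0)]  = c->s0;
    frame[SLOT(a0)]  = c->a0;
}

/* Model of the HAVE_FUNCTION_GRAPH_FP_TEST check in ftrace_return_to_handler:
 * returns the original return address when the frame pointer matches the one
 * recorded at entry, or 0 after printing the warning the kernel would emit. */
uint64_t return_to_handler_model(const uint64_t frame[], const struct ret_stack_entry *entry)
{
    struct model_ftrace_regs regs;
    memcpy(&regs, frame, sizeof(regs));   /* the C side interprets the frame via the struct */
    if (regs.s0 != entry->fp) {
        printf("Bad frame pointer: expected %" PRIx64 ", received %" PRIx64 "\n",
               entry->fp, regs.s0);
        return 0;
    }
    return entry->ret;
}

/* Drives one traced return through the given trampoline.
 * Returns 1 if the frame-pointer check passed, 0 if it fired. */
int simulate_return(void (*trampoline)(uint64_t[], const struct cpu_state *), uint64_t *ret_out)
{
    /* Constructed values: s0 and s2 copy the expected/received pair from the report. */
    const struct cpu_state c = {
        .epc = 0xffffffff8013b5e0ULL, .ra = 0xffffffff80017bceULL,
        .sp  = 0xff2000000065bd10ULL, .s0 = 0xff2000000065be50ULL,
        .a0  = 0,                     .s2 = 0xba34c141e9594000ULL,
    };
    /* At entry the tracer recorded the real return address and the frame pointer. */
    const struct ret_stack_entry entry = { .ret = 0xffffffff800ccb16ULL, .fp = c.s0 };
    uint64_t frame[NSLOTS];

    trampoline(frame, &c);
    *ret_out = return_to_handler_model(frame, &entry);
    return *ret_out != 0;
}

int main(void)
{
    uint64_t ret;
    printf("mismatched layout: check %s\n",
           simulate_return(trampoline_mismatched, &ret) ? "passed" : "FAILED");
    printf("matched layout:    check %s, return to %" PRIx64 "\n",
           simulate_return(trampoline_matched, &ret) ? "passed" : "FAILED", ret);
    return 0;
}
```

Save it as, for example, fgraph_layout.c, build with cc -std=c11 and run: the first line reproduces the "Bad frame pointer" message with the report's values, the second shows the matched layout returning to the recorded address. The design point is that deriving every slot index from offsetof() (or adding a _Static_assert per field) turns a drift between the assembly and the C structure into a build failure instead of a runtime warning in the tracing path.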