VYPR
Unrated severity · NVD Advisory · Published Oct 22, 2025 · Updated Apr 15, 2026

CVE-2022-50579


Description

In the Linux kernel, the following vulnerability has been resolved:

arm64: ftrace: fix module PLTs with mcount

Li Huafei reports that mcount-based ftrace with module PLTs was broken by commit:

a6253579977e4c6f ("arm64: ftrace: consistently handle PLTs.")

When module PLTs are used and a module is loaded sufficiently far away from the kernel, we'll create PLTs for any branches which are out-of-range. These are separate from the special ftrace trampoline PLTs, which the module PLT code doesn't directly manipulate.

When mcount is in use this is a problem, as each mcount callsite in a module will be initialized to point to a module PLT, but since commit a6253579977e4c6f ftrace_make_nop() will assume that the callsite has been initialized to point to the special ftrace trampoline PLT, and ftrace_find_callable_addr() rejects other cases.

This means that when ftrace tries to initialize a callsite via ftrace_make_nop(), the call to ftrace_find_callable_addr() will find that the _mcount stub is out-of-range and is not handled by the ftrace PLT, resulting in a splat:

| ftrace_test: loading out-of-tree module taints kernel.
| ftrace: no module PLT for _mcount
| ------------[ ftrace bug ]------------
| ftrace failed to modify
| [] 0xffff800029180014
| actual: 44:00:00:94
| Initializing ftrace call sites
| ftrace record flags: 2000000
| (0)
| expected tramp: ffff80000802eb3c
| ------------[ cut here ]------------
| WARNING: CPU: 3 PID: 157 at kernel/trace/ftrace.c:2120 ftrace_bug+0x94/0x270
| Modules linked in:
| CPU: 3 PID: 157 Comm: insmod Tainted: G O 6.0.0-rc6-00151-gcd722513a189-dirty #22
| Hardware name: linux,dummy-virt (DT)
| pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : ftrace_bug+0x94/0x270
| lr : ftrace_bug+0x21c/0x270
| sp : ffff80000b2bbaf0
| x29: ffff80000b2bbaf0 x28: 0000000000000000 x27: ffff0000c4d38000
| x26: 0000000000000001 x25: ffff800009d7e000 x24: ffff0000c4d86e00
| x23: 0000000002000000 x22: ffff80000a62b000 x21: ffff8000098ebea8
| x20: ffff0000c4d38000 x19: ffff80000aa24158 x18: ffffffffffffffff
| x17: 0000000000000000 x16: 0a0d2d2d2d2d2d2d x15: ffff800009aa9118
| x14: 0000000000000000 x13: 6333626532303830 x12: 3030303866666666
| x11: 203a706d61727420 x10: 6465746365707865 x9 : 3362653230383030
| x8 : c0000000ffffefff x7 : 0000000000017fe8 x6 : 000000000000bff4
| x5 : 0000000000057fa8 x4 : 0000000000000000 x3 : 0000000000000001
| x2 : ad2cb14bb5438900 x1 : 0000000000000000 x0 : 0000000000000022
| Call trace:
| ftrace_bug+0x94/0x270
| ftrace_process_locs+0x308/0x430
| ftrace_module_init+0x44/0x60
| load_module+0x15b4/0x1ce8
| __do_sys_init_module+0x1ec/0x238
| __arm64_sys_init_module+0x24/0x30
| invoke_syscall+0x54/0x118
| el0_svc_common.constprop.4+0x84/0x100
| do_el0_svc+0x3c/0xd0
| el0_svc+0x1c/0x50
| el0t_64_sync_handler+0x90/0xb8
| el0t_64_sync+0x15c/0x160
| ---[ end trace 0000000000000000 ]---
| ---------test_init-----------

Fix this by reverting to the old behaviour of ignoring the old instruction when initialising an mcount callsite in a module, which was the behaviour prior to commit a6253579977e4c6f.
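To make the mismatch concrete, here is an added model in C of the checks the description names (an illustration written for this page, not the kernel's code): it decodes the "actual" BL bytes from the splat, applies a simplified ftrace_find_callable_addr(), and shows why the pre-fix ftrace_make_nop() fails on an mcount callsite while the post-fix path ignores the old module-PLT branch. The BL reach, the module PLT address and the ftrace trampoline address are assumptions; the callsite pc, the instruction bytes and the expected _mcount address come from the splat.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of the arm64 ftrace callsite checks (added example, not kernel code). */
#define BL_OPCODE 0x94000000u
#define BL_RANGE  (128u * 1024u * 1024u)      /* an arm64 BL reaches +/-128 MiB of pc */

/* Decode the BL at pc into its absolute target; 0 if insn is not a BL. */
static uint64_t bl_target(uint64_t pc, uint32_t insn) {
    if ((insn & 0xfc000000u) != BL_OPCODE)
        return 0;
    int64_t imm26 = insn & 0x03ffffffu;
    if (imm26 & 0x02000000)                   /* sign-extend the 26-bit immediate */
        imm26 -= 0x04000000;
    return pc + (uint64_t)(imm26 * 4);
}

static bool in_bl_range(uint64_t pc, uint64_t addr) {
    int64_t delta = (int64_t)(addr - pc);
    return delta >= -(int64_t)BL_RANGE && delta < (int64_t)BL_RANGE;
}

/* Model of ftrace_find_callable_addr(): direct BL if in range, else the module's ftrace
 * trampoline PLT, but only when that PLT leads to addr ("no module PLT for _mcount"). */
static uint64_t find_callable(uint64_t pc, uint64_t addr, uint64_t plt, uint64_t plt_target) {
    if (in_bl_range(pc, addr))
        return addr;
    if (plt && addr == plt_target && in_bl_range(pc, plt))
        return plt;
    return 0;
}

/* Pre-fix ftrace_make_nop(): the old instruction must branch where ftrace expects.
 * Post-fix (init_module_mcount): ignore the old module-PLT branch and just write the NOP. */
static int make_nop(uint64_t pc, uint32_t old, uint64_t addr,
                    uint64_t plt, uint64_t plt_target, bool init_module_mcount) {
    if (init_module_mcount)
        return 0;
    uint64_t expect = find_callable(pc, addr, plt, plt_target);
    if (!expect || bl_target(pc, old) != expect)
        return -1;                            /* ftrace_bug(): "ftrace failed to modify" */
    return 0;
}

/* Replay the splat above: callsite pc, "actual" bytes 44:00:00:94 (a BL into the module's
 * own PLT) and "expected tramp" are taken from the page; plt/ftrace_addr are constructed. */
static int replay_splat(bool fixed) {
    const uint64_t pc = 0xffff800029180014ull, mcount = 0xffff80000802eb3cull;
    const uint64_t plt = 0xffff800029181000ull, ftrace_addr = 0xffff800008030000ull;
    return make_nop(pc, 0x94000044u, mcount, plt, ftrace_addr, fixed);
}
```

The decoded BL lands 0x110 bytes past the callsite, inside the module's own PLT, roughly 529 MiB from the _mcount stub, which is why the pre-fix check can neither call _mcount directly nor match the branch against the ftrace trampoline PLT.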

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A bug in arm64 ftrace with mcount and module PLTs causes ftrace to fail when modules are loaded far from the kernel, leading to a kernel splat.

Vulnerability

In the Linux kernel, a flaw was introduced by commit a6253579977e4c6f ("arm64: ftrace: consistently handle PLTs.") that affects mcount-based ftrace when module PLTs are in use. When a kernel module is loaded sufficiently far from the kernel image, the kernel creates PLTs for any out-of-range branches. However, the ftrace code, specifically ftrace_make_nop(), incorrectly assumes that each mcount callsite in a module has been initialized to point to the special ftrace trampoline PLT, rather than the module PLT. Because of this mismatch, ftrace_find_callable_addr() rejects the module PLT case and the callsite initialization fails [1].

Exploitation

An attacker with the ability to load a kernel module (requiring root privileges or a signed module) can trigger this bug by loading a module that is placed far from the kernel in memory. The ftrace initialization for that module will then fail, leading to a kernel warning and splat. No special network access or user interaction is needed beyond loading the module.

Impact

The primary impact is a denial of service: the kernel triggers a WARNING and prints a splat, which can disrupt system stability. The ftrace subsystem becomes unable to modify the module's callsites, which may prevent proper tracing or dynamic patching. The bug does not directly allow arbitrary code execution or privilege escalation, but it can be used to crash the system or cause instability.

Mitigation

The fix is included in Linux kernel stable releases. Patches are available in commits 0f77b6b2ba70 and 985432303cf7 [1][2]. Users should update their kernel to a version containing the fix. No workaround is provided; the issue is resolved by applying the kernel patch.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
