CVE-2026-23374

In the Linux kernel, the following vulnerability has been resolved:

blktrace: fix this cpu read/write in preemptible context

tracing record cmdline() internally uses this cpu read() and this cpu write() on the per-CPU variable trace cmdline save, and trace save cmdline() explicitly asserts preemption is disabled via lockdep assert preemption disabled(). These operations are only safe when preemption is off, as they were designed to be called from the scheduler context (probe wakeup sched switch() / probe wakeup()).

blk add trace() was calling tracing record cmdline(current) early in the blk tracer path, before ring buffer reservation, from process context where preemption is fully enabled. This triggers the following using blktests/blktrace/002:

blktrace/002 (blktrace ftrace corruption with sysfs trace) [failed] runtime 0.367s ... 0.437s something found in dmesg: [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33 [ 81.239580] null blk: disk nullb1 created [ 81.357294] BUG: using this cpu read() in preemptible [00000000] code: dd/2516 [ 81.362842] caller is tracing record cmdline+0x10/0x40 [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full) [ 81.362877] Tainted: [N]=TEST [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 81.362881] Call Trace: [ 81.362884] [ 81.362886] dump stack lvl+0x8d/0xb0 ... (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message)

[ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33 [ 81.239580] null blk: disk nullb1 created [ 81.357294] BUG: using this cpu read() in preemptible [00000000] code: dd/2516 [ 81.362842] caller is tracing record cmdline+0x10/0x40 [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full) [ 81.362877] Tainted: [N]=TEST [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 81.362881] Call Trace: [ 81.362884] [ 81.362886] dump stack lvl+0x8d/0xb0 [ 81.362895] check preemption disabled+0xce/0xe0 [ 81.362902] tracing record cmdline+0x10/0x40 [ 81.362923] blk add trace+0x307/0x5d0 [ 81.362934] ? lock acquire+0xe0/0x300 [ 81.362940] ? iov iter extract pages+0x101/0xa30 [ 81.362959] blk add trace bio+0x106/0x1e0 [ 81.362968] submit bio noacct nocheck+0x24b/0x3a0 [ 81.362979] ? lockdep init map type+0x58/0x260 [ 81.362988] submit bio wait+0x56/0x90 [ 81.363009] blkdev direct IO simple+0x16c/0x250 [ 81.363026] ? pfx submit bio wait endio+0x10/0x10 [ 81.363038] ? rcu read lock any held+0x73/0xa0 [ 81.363051] blkdev read iter+0xc1/0x140 [ 81.363059] vfs read+0x20b/0x330 [ 81.363083] ksys read+0x67/0xe0 [ 81.363090] do syscall 64+0xbf/0xf00 [ 81.363102] entry SYSCALL 64 after hwframe+0x76/0x7e [ 81.363106] RIP: 0033:0x7f281906029d [ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec [ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG RAX: 0000000000000000 [ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d [ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000 [ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000 [ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000 [ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a [ 81.363142]

The same BUG fires from blk add trace plug(), blk add trace unplug(), and blk add trace rq() paths as well.

The purpose of tracin ---truncated---