CVE-2025-37878 (GCVE-0-2025-37878)
Vulnerability from cvelistv5
Published
2025-05-09 06:45
Modified
2025-05-26 05:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init Move the get_ctx(child_ctx) call and the child_event->ctx assignment to occur immediately after the child event is allocated. Ensure that child_event->ctx is non-NULL before any subsequent error path within inherit_event calls free_event(), satisfying the assumptions of the cleanup code. Details: There's no clear Fixes tag, because this bug is a side-effect of multiple interacting commits over time (up to 15 years old), not a single regression. The code initially incremented refcount then assigned context immediately after the child_event was created. Later, an early validity check for child_event was added before the refcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was added, assuming event->ctx is valid if the pmu_ctx is valid. The problem is that the WARN_ON_ONCE() could trigger after the initial check passed but before child_event->ctx was assigned, violating its precondition. The solution is to assign child_event->ctx right after its initial validation. This ensures the context exists for any subsequent checks or cleanup routines, resolving the WARN_ON_ONCE(). To resolve it, defer the refcount update and child_event->ctx assignment directly after child_event->pmu_ctx is set but before checking if the parent event is orphaned. The cleanup routine depends on event->pmu_ctx being non-NULL before it verifies event->ctx is non-NULL. This also maintains the author's original intent of passing in child_ctx to find_get_pmu_context before its refcount/assignment. [ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]
References
Impacted products
Vendor Product Version
Linux Linux Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1fe9b92eede32574dbe05b5bdb6ad666b350bed0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "90dc6c1e3b200812da8d0aa030e1b7fda8226d0e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cb56cd11feabf99e08bc18960700a53322ffcea7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0ba3a4ab76fd3367b9cb680cad70182c896c795c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix WARN_ON(!ctx) in __free_event() for partial init\n\nMove the get_ctx(child_ctx) call and the child_event-\u003ectx assignment to\noccur immediately after the child event is allocated. Ensure that\nchild_event-\u003ectx is non-NULL before any subsequent error path within\ninherit_event calls free_event(), satisfying the assumptions of the\ncleanup code.\n\nDetails:\n\nThere\u0027s no clear Fixes tag, because this bug is a side-effect of\nmultiple interacting commits over time (up to 15 years old), not\na single regression.\n\nThe code initially incremented refcount then assigned context\nimmediately after the child_event was created. Later, an early\nvalidity check for child_event was added before the\nrefcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was\nadded, assuming event-\u003ectx is valid if the pmu_ctx is valid.\nThe problem is that the WARN_ON_ONCE() could trigger after the initial\ncheck passed but before child_event-\u003ectx was assigned, violating its\nprecondition. The solution is to assign child_event-\u003ectx right after\nits initial validation. This ensures the context exists for any\nsubsequent checks or cleanup routines, resolving the WARN_ON_ONCE().\n\nTo resolve it, defer the refcount update and child_event-\u003ectx assignment\ndirectly after child_event-\u003epmu_ctx is set but before checking if the\nparent event is orphaned. The cleanup routine depends on\nevent-\u003epmu_ctx being non-NULL before it verifies event-\u003ectx is\nnon-NULL. This also maintains the author\u0027s original intent of passing\nin child_ctx to find_get_pmu_context before its refcount/assignment.\n\n[ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:52.562Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1fe9b92eede32574dbe05b5bdb6ad666b350bed0"
        },
        {
          "url": "https://git.kernel.org/stable/c/90dc6c1e3b200812da8d0aa030e1b7fda8226d0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb56cd11feabf99e08bc18960700a53322ffcea7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ba3a4ab76fd3367b9cb680cad70182c896c795c"
        }
      ],
      "title": "perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37878",
    "datePublished": "2025-05-09T06:45:42.459Z",
    "dateReserved": "2025-04-16T04:51:23.960Z",
    "dateUpdated": "2025-05-26T05:22:52.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-37878\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-09T07:16:09.020\",\"lastModified\":\"2025-05-12T17:32:32.760\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf/core: Fix WARN_ON(!ctx) in __free_event() for partial init\\n\\nMove the get_ctx(child_ctx) call and the child_event-\u003ectx assignment to\\noccur immediately after the child event is allocated. Ensure that\\nchild_event-\u003ectx is non-NULL before any subsequent error path within\\ninherit_event calls free_event(), satisfying the assumptions of the\\ncleanup code.\\n\\nDetails:\\n\\nThere\u0027s no clear Fixes tag, because this bug is a side-effect of\\nmultiple interacting commits over time (up to 15 years old), not\\na single regression.\\n\\nThe code initially incremented refcount then assigned context\\nimmediately after the child_event was created. Later, an early\\nvalidity check for child_event was added before the\\nrefcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was\\nadded, assuming event-\u003ectx is valid if the pmu_ctx is valid.\\nThe problem is that the WARN_ON_ONCE() could trigger after the initial\\ncheck passed but before child_event-\u003ectx was assigned, violating its\\nprecondition. The solution is to assign child_event-\u003ectx right after\\nits initial validation. This ensures the context exists for any\\nsubsequent checks or cleanup routines, resolving the WARN_ON_ONCE().\\n\\nTo resolve it, defer the refcount update and child_event-\u003ectx assignment\\ndirectly after child_event-\u003epmu_ctx is set but before checking if the\\nparent event is orphaned. The cleanup routine depends on\\nevent-\u003epmu_ctx being non-NULL before it verifies event-\u003ectx is\\nnon-NULL. This also maintains the author\u0027s original intent of passing\\nin child_ctx to find_get_pmu_context before its refcount/assignment.\\n\\n[ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/core: Arregla WARN_ON(!ctx) en __free_event() para init parcial Mueve la llamada get_ctx(child_ctx) y la asignaci\u00f3n child_event-\u0026gt;ctx para que ocurran inmediatamente despu\u00e9s de que se asigne el evento secundario. Aseg\u00farate de que child_event-\u0026gt;ctx no sea NULL antes de cualquier ruta de error posterior dentro de las llamadas heritage_event a free_event(), satisfaciendo las suposiciones del c\u00f3digo de limpieza. Detalles: No hay una etiqueta Fixes clara, porque este error es un efecto secundario de m\u00faltiples confirmaciones interactivas a lo largo del tiempo (hasta 15 a\u00f1os de antig\u00fcedad), no una sola regresi\u00f3n. El c\u00f3digo inicialmente increment\u00f3 refcount y luego asign\u00f3 contexto inmediatamente despu\u00e9s de que se creara child_event. M\u00e1s tarde, se agreg\u00f3 una comprobaci\u00f3n de validez temprana para child_event antes de refcount/assignment. Incluso m\u00e1s tarde, se agreg\u00f3 una comprobaci\u00f3n de limpieza WARN_ON_ONCE(), asumiendo que event-\u0026gt;ctx es v\u00e1lido si pmu_ctx es v\u00e1lido. El problema radica en que WARN_ON_ONCE() podr\u00eda activarse despu\u00e9s de que se supere la comprobaci\u00f3n inicial, pero antes de que se asignara child_event-\u0026gt;ctx, incumpliendo su precondici\u00f3n. La soluci\u00f3n es asignar child_event-\u0026gt;ctx justo despu\u00e9s de su validaci\u00f3n inicial. Esto garantiza la existencia del contexto para cualquier comprobaci\u00f3n o rutina de limpieza posterior, resolviendo WARN_ON_ONCE(). Para solucionarlo, posponga la actualizaci\u00f3n del recuento de referencias y la asignaci\u00f3n de child_event-\u0026gt;ctx justo despu\u00e9s de que se configure child_event-\u0026gt;pmu_ctx, pero antes de comprobar si el evento principal est\u00e1 hu\u00e9rfano. La rutina de limpieza depende de que event-\u0026gt;pmu_ctx no sea NULL antes de verificar que event-\u0026gt;ctx no sea NULL. Esto tambi\u00e9n mantiene la intenci\u00f3n original del autor de pasar child_ctx a find_get_pmu_context antes de su recuento de referencias/asignaci\u00f3n. [mingo: Registro de cambios ampliado de otro correo electr\u00f3nico de Gabriel Shahrouzi].\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0ba3a4ab76fd3367b9cb680cad70182c896c795c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1fe9b92eede32574dbe05b5bdb6ad666b350bed0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/90dc6c1e3b200812da8d0aa030e1b7fda8226d0e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cb56cd11feabf99e08bc18960700a53322ffcea7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.