GHSA-76hj-mcwf-qj3w
Vulnerability from GitHub
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/amd: Fix crash due to race between amd_pmu_enable_all, perf NMI and throttling
amd_pmu_enable_all() does:

    if (!test_bit(idx, cpuc->active_mask))
        continue;

    amd_pmu_enable_event(cpuc->events[idx]);
A perf NMI of another event can come between these two steps. The perf NMI handler internally disables and enables _all_ events, including the one which the NMI-interrupted amd_pmu_enable_all() was in the process of enabling. If that unintentionally enabled event has a very low sampling period and causes an immediate successive NMI, causing the event to be throttled, cpuc->events[idx] and cpuc->active_mask get cleared by x86_pmu_stop(). This will result in amd_pmu_enable_event() getting called with event=NULL when amd_pmu_enable_all() resumes after handling the NMIs. This causes a kernel crash:
    BUG: kernel NULL pointer dereference, address: 0000000000000198
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    [...]
    Call Trace:
     <TASK>
     amd_pmu_enable_all+0x68/0xb0
     ctx_resched+0xd9/0x150
     event_function+0xb8/0x130
     ? hrtimer_start_range_ns+0x141/0x4a0
     ? perf_duration_warn+0x30/0x30
     remote_function+0x4d/0x60
     __flush_smp_call_function_queue+0xc4/0x500
     flush_smp_call_function_queue+0x11d/0x1b0
     do_idle+0x18f/0x2d0
     cpu_startup_entry+0x19/0x20
     start_secondary+0x121/0x160
     secondary_startup_64_no_verify+0xe5/0xeb
     </TASK>
amd_pmu_disable_all()/amd_pmu_enable_all() calls inside the perf NMI handler were recently added as part of BRS enablement, but I'm not sure whether we really need them. We can just disable BRS in the beginning and enable it back while returning from the NMI. This will solve the issue by not enabling those events whose active_masks are set but are not yet enabled in the hw pmu.
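The race described above, modelled as a userland C program. This is an added illustration, not the kernel's code and not the patch referenced by the advisory: the structs, the THROTTLE_PERIOD constant, the injected-NMI hook on slot 0 and the two handler variants are constructed for the example. It shows the pre-fix NMI handler re-enabling every active event, including the low-period one that the interrupted amd_pmu_enable_all() had not yet programmed, which throttles it and NULLs its slot, and the post-fix handler that only pauses and resumes BRS so the slot survives.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_COUNTERS 2
#define THROTTLE_PERIOD 100UL /* constructed: a period below this storms NMIs */

struct perf_event {
    const char *name;
    unsigned long sample_period;
    bool hw_enabled; /* programmed into the hardware counter */
};

struct cpu_hw_events {
    unsigned long active_mask;               /* bit idx set: slot idx in use */
    struct perf_event *events[NUM_COUNTERS];
    bool brs_active;
};

typedef void (*nmi_handler_t)(struct cpu_hw_events *cpuc);

static bool test_bit(int idx, unsigned long mask)
{
    return (mask >> idx) & 1UL;
}

/* The kernel dereferences the event here; with event == NULL that is the
 * fault in the trace. The model reports it instead of faulting. */
static bool amd_pmu_enable_event(struct perf_event *event)
{
    if (!event)
        return false;
    event->hw_enabled = true;
    return true;
}

/* x86_pmu_stop(): throttling clears both the slot and its active bit. */
static void x86_pmu_stop(struct cpu_hw_events *cpuc, int idx)
{
    cpuc->events[idx]->hw_enabled = false;
    cpuc->events[idx] = NULL;
    cpuc->active_mask &= ~(1UL << idx);
}

static void amd_pmu_disable_all(struct cpu_hw_events *cpuc)
{
    for (int i = 0; i < NUM_COUNTERS; i++)
        if (cpuc->events[i])
            cpuc->events[i]->hw_enabled = false;
}

/* enable-all as run from inside the NMI handler: every slot whose active bit
 * is set gets programmed; a too-short period fires again at once, throttled. */
static void enable_all_from_nmi(struct cpu_hw_events *cpuc)
{
    for (int i = 0; i < NUM_COUNTERS; i++) {
        if (!test_bit(i, cpuc->active_mask) || !cpuc->events[i])
            continue;
        amd_pmu_enable_event(cpuc->events[i]);
        if (cpuc->events[i]->sample_period < THROTTLE_PERIOD)
            x86_pmu_stop(cpuc, i); /* immediate successive NMI -> throttled */
    }
}

/* Pre-fix handler: disables and re-enables _all_ events. */
static void nmi_handler_old(struct cpu_hw_events *cpuc)
{
    amd_pmu_disable_all(cpuc);
    /* ... samples handled here ... */
    enable_all_from_nmi(cpuc);
}

/* Post-fix handler: only pauses BRS and resumes it on the way out. */
static void nmi_handler_new(struct cpu_hw_events *cpuc)
{
    bool brs_was_active = cpuc->brs_active;
    cpuc->brs_active = false;
    /* ... samples handled here ... */
    cpuc->brs_active = brs_was_active;
}

/* amd_pmu_enable_all() with an NMI for another event injected on slot 0
 * between the active_mask test and the enable call. Returns the number of
 * events enabled, or -1 when the resumed loop meets a NULL event. */
static int amd_pmu_enable_all(struct cpu_hw_events *cpuc, nmi_handler_t nmi)
{
    int enabled = 0;
    for (int idx = 0; idx < NUM_COUNTERS; idx++) {
        if (!test_bit(idx, cpuc->active_mask))
            continue;
        if (idx == 0 && nmi)
            nmi(cpuc); /* the race window */
        if (!amd_pmu_enable_event(cpuc->events[idx]))
            return -1;
        enabled++;
    }
    return enabled;
}

/* Constructed scenario: slot 0 holds an active but not-yet-enabled event with
 * a very low period, slot 1 a normal one. */
static int run_scenario(nmi_handler_t nmi)
{
    struct perf_event low_period = { "low-period", 1, false };
    struct perf_event normal = { "normal", 100000, false };
    struct cpu_hw_events cpuc = {
        .active_mask = 0x3,
        .events = { &low_period, &normal },
        .brs_active = true,
    };
    return amd_pmu_enable_all(&cpuc, nmi);
}

int main(void)
{
    printf("old NMI handler: %d  (-1: NULL event, the kernel would crash)\n",
           run_scenario(nmi_handler_old));
    printf("new NMI handler: %d events enabled\n", run_scenario(nmi_handler_new));
    return 0;
}
```

With the old handler the resumed loop finds cpuc->events[0] == NULL while its own iteration is still mid-way, which is exactly the state the check-then-use pair in amd_pmu_enable_all() cannot tolerate; with the new handler nothing is re-programmed from NMI context, so the active bit and the slot stay consistent until the interrupted enable finishes.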
{
  "affected": [],
  "aliases": [
    "CVE-2022-49781"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:01Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: Fix crash due to race between amd_pmu_enable_all, perf NMI and throttling\n\namd_pmu_enable_all() does:\n\n if (!test_bit(idx, cpuc->active_mask))\n continue;\n\n amd_pmu_enable_event(cpuc->events[idx]);\n\nA perf NMI of another event can come between these two steps. Perf NMI\nhandler internally disables and enables _all_ events, including the one\nwhich nmi-intercepted amd_pmu_enable_all() was in process of enabling.\nIf that unintentionally enabled event has very low sampling period and\ncauses immediate successive NMI, causing the event to be throttled,\ncpuc->events[idx] and cpuc->active_mask gets cleared by x86_pmu_stop().\nThis will result in amd_pmu_enable_event() getting called with event=NULL\nwhen amd_pmu_enable_all() resumes after handling the NMIs. This causes a\nkernel crash:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000198\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n [...]\n Call Trace:\n <TASK>\n amd_pmu_enable_all+0x68/0xb0\n ctx_resched+0xd9/0x150\n event_function+0xb8/0x130\n ? hrtimer_start_range_ns+0x141/0x4a0\n ? perf_duration_warn+0x30/0x30\n remote_function+0x4d/0x60\n __flush_smp_call_function_queue+0xc4/0x500\n flush_smp_call_function_queue+0x11d/0x1b0\n do_idle+0x18f/0x2d0\n cpu_startup_entry+0x19/0x20\n start_secondary+0x121/0x160\n secondary_startup_64_no_verify+0xe5/0xeb\n </TASK>\n\namd_pmu_disable_all()/amd_pmu_enable_all() calls inside perf NMI handler\nwere recently added as part of BRS enablement but I'm not sure whether\nwe really need them. We can just disable BRS in the beginning and enable\nit back while returning from NMI. This will solve the issue by not\nenabling those events whose active_masks are set but are not yet enabled\nin hw pmu.",
  "id": "GHSA-76hj-mcwf-qj3w",
  "modified": "2025-05-01T15:31:46Z",
  "published": "2025-05-01T15:31:46Z",
  "references": [
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49781" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/baa014b9543c8e5e94f5d15b66abfe60750b8284" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/fd5e454b856ed86b090336e269695d9908609b71" }
  ],
  "schema_version": "1.4.0",
  "severity": []
}