ghsa-pp9f-hhc8-x68x
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error
When running perf_fuzzer on PTL, sometimes the below "unchecked MSR access error" is seen when accessing IA32_PMC_x_CFG_B MSRs.
```
[ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30)
[ 55.611280] Call Trace:
[ 55.611282]  <TASK>
[ 55.611284]  ? intel_pmu_config_acr+0x87/0x160
[ 55.611289]  intel_pmu_enable_acr+0x6d/0x80
[ 55.611291]  intel_pmu_enable_event+0xce/0x460
[ 55.611293]  x86_pmu_start+0x78/0xb0
[ 55.611297]  x86_pmu_enable+0x218/0x3a0
[ 55.611300]  ? x86_pmu_enable+0x121/0x3a0
[ 55.611302]  perf_pmu_enable+0x40/0x50
[ 55.611307]  ctx_resched+0x19d/0x220
[ 55.611309]  __perf_install_in_context+0x284/0x2f0
[ 55.611311]  ? __pfx_remote_function+0x10/0x10
[ 55.611314]  remote_function+0x52/0x70
[ 55.611317]  ? __pfx_remote_function+0x10/0x10
[ 55.611319]  generic_exec_single+0x84/0x150
[ 55.611323]  smp_call_function_single+0xc5/0x1a0
[ 55.611326]  ? __pfx_remote_function+0x10/0x10
[ 55.611329]  perf_install_in_context+0xd1/0x1e0
[ 55.611331]  ? __pfx___perf_install_in_context+0x10/0x10
[ 55.611333]  __do_sys_perf_event_open+0xa76/0x1040
[ 55.611336]  __x64_sys_perf_event_open+0x26/0x30
[ 55.611337]  x64_sys_call+0x1d8e/0x20c0
[ 55.611339]  do_syscall_64+0x4f/0x120
[ 55.611343]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
```
On PTL, GP counters 0 and 1 don't support the auto counter reload feature, thus it would trigger a #GP when trying to write 1 to bit 0 of the CFG_B MSR, which requests enabling auto counter reload on GP counter 0.
The root cause of this issue is that the check of the auto counter reload (ACR) counter mask from user space is incorrect in the intel_pmu_acr_late_setup() helper. It lets an invalid ACR counter mask from user space be set into hw.config1 and then written into the CFG_B MSRs, triggering the MSR access warning.
e.g., a user may create a perf event with an ACR counter mask (config2=0xcb), and there is only 1 event created, so "cpuc->n_events" is 1.
The correct check condition should be "i + idx >= cpuc->n_events" instead of "i + idx > cpuc->n_events" (it looks like a typo). Otherwise, the counter mask would be traversed twice and an invalid "cpuc->assign[1]" bit (bit 0) is set into hw.config1 and causes the MSR access error.
Besides, also check whether the events corresponding to the ACR counter mask are ACR events. If not, filter out those counter mask bits. If an event is not an ACR event, it could be scheduled to a HW counter which doesn't support ACR. It's invalid to add its counter index to the ACR counter mask.
Furthermore, remove the WARN_ON_ONCE() since it's easily triggered, as a user could set any invalid ACR counter mask, and the warning message could mislead users.
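To make the off-by-one concrete, the following is an added userspace model of the late-setup loop, written for this page; it is not the kernel's intel_pmu_acr_late_setup() and not code from the fix. The struct layout, the assign[] table, the per-event is_acr flag, the "counters 2..7 support ACR" capability mask standing in for PTL and the model_write_cfg_b() stand-in for WRMSR are all assumptions; only the two check conditions and the config2=0xcb / n_events=1 scenario come from the commit text. The second scenario goes beyond the commit's example to show why the extra "is this an ACR event" filter is needed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model, not kernel code: enough state to run the ACR mask loop. */
#define MAX_EVENTS      8
#define X86_PMC_IDX_MAX 64

struct model_event {
	uint64_t config2; /* user-supplied ACR counter mask (attr.config2) */
	uint64_t config1; /* resolved mask of hw counters (hw.config1) */
	bool     is_acr;  /* is this an ACR event at all? */
	int      group;   /* group id; an ACR group's events are contiguous */
};

struct model_cpuc {
	int n_events;
	struct model_event events[MAX_EVENTS]; /* event_list[] */
	int assign[MAX_EVENTS];               /* hw counter assigned to event i */
};

/* Assumption modelling PTL: GP counters 0 and 1 do not support ACR. */
#define ACR_CAPABLE_COUNTERS 0xfcULL /* counters 2..7 */

/* Stand-in for WRMSR to IA32_PMC_x_CFG_B: -1 where hardware would #GP. */
static int model_write_cfg_b(uint64_t cfg_b)
{
	return (cfg_b & ~ACR_CAPABLE_COUNTERS) ? -1 : 0;
}

/*
 * Resolve each event's config2 (index relative to the ACR group leader)
 * to hw counter indices.  'fixed' selects the corrected check ('>=' plus
 * the ACR-event filter, no WARN) versus the original '>' check.
 */
static void model_acr_late_setup(struct model_cpuc *cpuc, bool fixed)
{
	for (int i = 0; i < cpuc->n_events; i++) {
		struct model_event *leader = &cpuc->events[i];
		int j;

		if (!leader->is_acr)
			continue;
		for (j = i; j < cpuc->n_events; j++) {
			struct model_event *ev = &cpuc->events[j];

			if (ev->group != leader->group)
				break;
			ev->config1 = 0;
			for (int idx = 0; idx < X86_PMC_IDX_MAX; idx++) {
				if (!(ev->config2 & (1ULL << idx)))
					continue;
				if (fixed) {
					if (i + idx >= cpuc->n_events ||
					    !cpuc->events[i + idx].is_acr)
						continue; /* drop bit silently */
				} else if (i + idx > cpuc->n_events) {
					return; /* original: WARN_ON_ONCE() and give up */
				}
				/* With '>', i + idx == n_events reads a stale assign[] slot. */
				ev->config1 |= 1ULL << cpuc->assign[i + idx];
			}
		}
		i = j - 1;
	}
}

/* Advisory scenario: one ACR event, config2 = 0xcb, n_events = 1. */
static uint64_t single_event_mask(bool fixed)
{
	struct model_cpuc cpuc = {0};

	cpuc.n_events = 1;
	cpuc.events[0] = (struct model_event){ .config2 = 0xcb, .is_acr = true };
	cpuc.assign[0] = 2; /* scheduled on GP counter 2 (ACR capable) */
	cpuc.assign[1] = 0; /* stale slot: nothing assigned here this run */
	model_acr_late_setup(&cpuc, fixed);
	return cpuc.events[0].config1;
}

/* Mask bit 1 points past the ACR group at a non-ACR event on counter 0. */
static uint64_t neighbour_non_acr_mask(bool fixed)
{
	struct model_cpuc cpuc = {0};

	cpuc.n_events = 2;
	cpuc.events[0] = (struct model_event){ .config2 = 0x3, .is_acr = true, .group = 0 };
	cpuc.events[1] = (struct model_event){ .config2 = 0, .is_acr = false, .group = 1 };
	cpuc.assign[0] = 3;
	cpuc.assign[1] = 0; /* a non-ACR event may legitimately use GP counter 0 */
	model_acr_late_setup(&cpuc, fixed);
	return cpuc.events[0].config1;
}

int main(void)
{
	for (int f = 0; f <= 1; f++) {
		uint64_t m1 = single_event_mask(f), m2 = neighbour_non_acr_mask(f);

		printf("%s: single mask=%#llx write=%d, neighbour mask=%#llx write=%d\n",
		       f ? "fixed" : "buggy", (unsigned long long)m1,
		       model_write_cfg_b(m1), (unsigned long long)m2, model_write_cfg_b(m2));
	}
	return 0;
}
```

With the original check the single-event case resolves bits 0 and 1 of config2 to counters 2 and 0 (the stale assign[1]), and the modelled write to CFG_B fails exactly as the #GP does on PTL; with the corrected check only counter 2 remains. The second case passes the bound check in both versions, so only the ACR-event filter keeps counter 0 out of the mask.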
```json
{
  "affected": [],
  "aliases": [
    "CVE-2025-40122"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T11:15:41Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error\n\nWhen running perf_fuzzer on PTL, sometimes the below \"unchecked MSR\n access error\" is seen when accessing IA32_PMC_x_CFG_B MSRs.\n\n[ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30)\n[ 55.611280] Call Trace:\n[ 55.611282] \u003cTASK\u003e\n[ 55.611284] ? intel_pmu_config_acr+0x87/0x160\n[ 55.611289] intel_pmu_enable_acr+0x6d/0x80\n[ 55.611291] intel_pmu_enable_event+0xce/0x460\n[ 55.611293] x86_pmu_start+0x78/0xb0\n[ 55.611297] x86_pmu_enable+0x218/0x3a0\n[ 55.611300] ? x86_pmu_enable+0x121/0x3a0\n[ 55.611302] perf_pmu_enable+0x40/0x50\n[ 55.611307] ctx_resched+0x19d/0x220\n[ 55.611309] __perf_install_in_context+0x284/0x2f0\n[ 55.611311] ? __pfx_remote_function+0x10/0x10\n[ 55.611314] remote_function+0x52/0x70\n[ 55.611317] ? __pfx_remote_function+0x10/0x10\n[ 55.611319] generic_exec_single+0x84/0x150\n[ 55.611323] smp_call_function_single+0xc5/0x1a0\n[ 55.611326] ? __pfx_remote_function+0x10/0x10\n[ 55.611329] perf_install_in_context+0xd1/0x1e0\n[ 55.611331] ? __pfx___perf_install_in_context+0x10/0x10\n[ 55.611333] __do_sys_perf_event_open+0xa76/0x1040\n[ 55.611336] __x64_sys_perf_event_open+0x26/0x30\n[ 55.611337] x64_sys_call+0x1d8e/0x20c0\n[ 55.611339] do_syscall_64+0x4f/0x120\n[ 55.611343] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nOn PTL, GP counter 0 and 1 doesn\u0027t support auto counter reload feature,\nthus it would trigger a #GP when trying to write 1 on bit 0 of CFG_B MSR\nwhich requires to enable auto counter reload on GP counter 0.\n\nThe root cause of causing this issue is the check for auto counter\nreload (ACR) counter mask from user space is incorrect in\nintel_pmu_acr_late_setup() helper. It leads to an invalid ACR counter\nmask from user space could be set into hw.config1 and then written into\nCFG_B MSRs and trigger the MSR access warning.\n\ne.g., User may create a perf event with ACR counter mask (config2=0xcb),\nand there is only 1 event created, so \"cpuc-\u003en_events\" is 1.\n\nThe correct check condition should be \"i + idx \u003e= cpuc-\u003en_events\"\ninstead of \"i + idx \u003e cpuc-\u003en_events\" (it looks a typo). Otherwise,\nthe counter mask would traverse twice and an invalid \"cpuc-\u003eassign[1]\"\nbit (bit 0) is set into hw.config1 and cause MSR accessing error.\n\nBesides, also check if the ACR counter mask corresponding events are\nACR events. If not, filter out these counter mask. If a event is not a\nACR event, it could be scheduled to an HW counter which doesn\u0027t support\nACR. It\u0027s invalid to add their counter index in ACR counter mask.\n\nFurthermore, remove the WARN_ON_ONCE() since it\u0027s easily triggered as\nuser could set any invalid ACR counter mask and the warning message\ncould mislead users.",
  "id": "GHSA-pp9f-hhc8-x68x",
  "modified": "2025-11-12T12:30:27Z",
  "published": "2025-11-12T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40122"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/43796f30507802d93ead2dc44fc9637f34671a89"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c6cca4213b618c92e4972919ee568f0fb87313b1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.