CVE-2025-38424

Summary

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix sample vs do_exit()

Baisheng Gao reported an ARM64 crash, which Mark decoded as being a synchronous external abort – most likely due to trying to access MMIO in bad ways.

The crash further shows perf trying to do a user stack sample while in exit_mmap()'s tlb_finish_mmu() – i.e. while tearing down the address space it is trying to access.

It turns out that we stop perf after we tear down the userspace mm; a receipie for disaster, since perf likes to access userspace for various reasons.

Flip this order by moving up where we stop perf in do_exit().

Additionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER to abort when the current task does not have an mm (exit_mm() makes sure to set current->mm = NULL; before commencing with the actual teardown). Such that CPU wide events don't trip on this same problem.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc5ebcedb566ef17bda7b02686e0d658a7bb42ee7 < 7b8f3c72175c6a63a95cf2e219f8b78e2baad34eaffected
LinuxLinuxc5ebcedb566ef17bda7b02686e0d658a7bb42ee7 < 507c9a595bad3abd107c6a8857d7fd125d89f386affected
LinuxLinuxc5ebcedb566ef17bda7b02686e0d658a7bb42ee7 < a9f6aab7910a0ef2895797f15c947f6d1053160faffected
LinuxLinuxc5ebcedb566ef17bda7b02686e0d658a7bb42ee7 < 975ffddfa2e19823c719459d2364fcaa17673964affected
LinuxLinuxc5ebcedb566ef17bda7b02686e0d658a7bb42ee7 < 2ee6044a693735396bb47eeaba1ac3ae26c1c99baffected
LinuxLinuxc5ebcedb566ef17bda7b02686e0d658a7bb42ee7 < 456019adaa2f5366b89c868dea9b483179bece54affected
LinuxLinuxc5ebcedb566ef17bda7b02686e0d658a7bb42ee7 < 7311970d07c4606362081250da95f2c7901fc0dbaffected
LinuxLinuxc5ebcedb566ef17bda7b02686e0d658a7bb42ee7 < 4f6fc782128355931527cefe3eb45338abd8ab39affected
LinuxLinux3.7affected
LinuxLinux0 < 3.7unaffected
LinuxLinux5.4.295 <= 5.4.*unaffected
LinuxLinux5.10.239 <= 5.10.*unaffected
LinuxLinux5.15.186 <= 5.15.*unaffected
LinuxLinux6.1.142 <= 6.1.*unaffected
LinuxLinux6.6.95 <= 6.6.*unaffected
LinuxLinux6.12.35 <= 6.12.*unaffected
LinuxLinux6.15.4 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References