CVE-2025-68375

Summary

In the Linux kernel, the following vulnerability has been resolved:

perf/x86: Fix NULL event access and potential PEBS record loss

When intel_pmu_drain_pebs_icl() is called to drain PEBS records, the perf_event_overflow() could be called to process the last PEBS record.

While perf_event_overflow() could trigger the interrupt throttle and stop all events of the group, like what the below call-chain shows.

perf_event_overflow() -> __perf_event_overflow() ->__perf_event_account_interrupt() -> perf_event_throttle_group() -> perf_event_throttle() -> event->pmu->stop() -> x86_pmu_stop()

The side effect of stopping the events is that all corresponding event pointers in cpuc->events[] array are cleared to NULL.

Assume there are two PEBS events (event a and event b) in a group. When intel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the last PEBS record of PEBS event a, interrupt throttle is triggered and all pointers of event a and event b are cleared to NULL. Then intel_pmu_drain_pebs_icl() tries to process the last PEBS record of event b and encounters NULL pointer access.

To avoid this issue, move cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del(). It's safe since cpuc->active_mask or cpuc->pebs_enabled is always checked before access the event pointer from cpuc->events[].

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9734e25fbf5ae68eb04234b2cd14a4b36ab89141 < cf69b99805c263117305ac6dffbc85aaf9259d32affected
LinuxLinux9734e25fbf5ae68eb04234b2cd14a4b36ab89141 < 6b089028bff1f2ff9e0c62b8f1faca1a620e5d6eaffected
LinuxLinux9734e25fbf5ae68eb04234b2cd14a4b36ab89141 < 7e772a93eb61cb6265bdd1c5bde17d0f2718b452affected
LinuxLinux6.16affected
LinuxLinux0 < 6.16unaffected
LinuxLinux6.17.13 <= 6.17.*unaffected
LinuxLinux6.18.2 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References