CVE-2025-37936

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
20/05/2025
Last modified:
19/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value.

When generating the MSR_IA32_PEBS_ENABLE value that will be loaded on VM-Entry to a KVM guest, mask the value with the vCPU's desired PEBS_ENABLE value. Consulting only the host kernel's host vs. guest masks results in running the guest with PEBS enabled even when the guest doesn't want to use PEBS. Because KVM uses perf events to proxy the guest virtual PMU, simply looking at exclude_host can't differentiate between events created by host userspace, and events created by KVM on behalf of the guest.

Running the guest with PEBS unexpectedly enabled typically manifests as crashes due to a near-infinite stream of #PFs. E.g. if the guest hasn't written MSR_IA32_DS_AREA, the CPU will hit page faults on address '0' when trying to record PEBS events.

The issue is most easily reproduced by running `perf kvm top` from before commit 7b100989b4f6 ("perf evlist: Remove __evlist__add_default") (after which, `perf kvm top` effectively stopped using PEBS). The userspace side of perf creates a guest-only PEBS event, which intel_guest_get_msrs() misconstrues as a guest-*owned* PEBS event.

Arguably, this is a userspace bug, as enabling PEBS on guest-only events simply cannot work, and userspace can kill VMs in many other ways (there is no danger to the host). However, even if this is considered to be bad userspace behavior, there's zero downside to perf/KVM restricting PEBS to guest-owned events.

Note, commit 854250329c02 ("KVM: x86/pmu: Disable guest PEBS temporarily in two rare situations") fixed the case where host userspace is profiling KVM *and* userspace, but missed the case where userspace is profiling only KVM.
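As an added illustration, not the kernel's code and not part of this advisory: a simplified C model of how the guest-side MSR_IA32_PEBS_ENABLE value is derived from the per-CPU perf masks, with the pre-fix derivation beside the fixed one that additionally masks with the vCPU's own value. The struct and function names (pebs_event, cpuc_model, build_masks, guest_pebs_enable_old/fixed) are hypothetical stand-ins for cpu_hw_events and intel_guest_get_msrs(), and the event scenario is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
struct pebs_event {
	int idx;           /* hardware counter the event is scheduled on */
	bool exclude_host; /* guest-only event (perf_event_attr.exclude_host) */
};
/* Hypothetical stand-in for the cpu_hw_events fields the derivation reads. */
struct cpuc_model {
	uint64_t pebs_enabled;         /* counters with PEBS armed on this CPU */
	uint64_t intel_ctrl_host_mask; /* counters backing host-only events */
};

/* Only exclude_host is consulted here, so an event host userspace created
 * with exclude_host=1 looks exactly like one KVM created for the guest vPMU. */
static void build_masks(struct cpuc_model *c, const struct pebs_event *ev, int n)
{
	c->pebs_enabled = c->intel_ctrl_host_mask = 0;
	for (int i = 0; i < n; i++) {
		uint64_t bit = 1ULL << ev[i].idx;
		c->pebs_enabled |= bit;
		if (!ev[i].exclude_host)
			c->intel_ctrl_host_mask |= bit;
	}
}

/* Before the fix: every PEBS counter that is not host-only goes to the guest. */
static uint64_t guest_pebs_enable_old(const struct cpuc_model *c)
{
	return c->pebs_enabled & ~c->intel_ctrl_host_mask;
}

/* After the fix: also masked with the value the vCPU wrote to
 * MSR_IA32_PEBS_ENABLE, so only counters the guest itself armed survive. */
static uint64_t guest_pebs_enable_fixed(const struct cpuc_model *c, uint64_t vcpu_pebs_enable)
{
	return guest_pebs_enable_old(c) & vcpu_pebs_enable;
}

int main(void)
{
	/* Constructed scenario: host userspace (e.g. `perf kvm top`) created a
	 * guest-only PEBS event on counter 1; the guest never enabled PEBS (MSR = 0). */
	const struct pebs_event ev[] = { { 1, true }, { 2, false } };
	struct cpuc_model c;
	build_masks(&c, ev, 2);
	printf("old=%#llx fixed=%#llx\n", (unsigned long long)guest_pebs_enable_old(&c),
	       (unsigned long long)guest_pebs_enable_fixed(&c, 0)); /* old=0x2 fixed=0 */
	return 0;
}
```

With the old derivation the stray event leaves PEBS armed on counter 1 inside a guest that never set up MSR_IA32_DS_AREA, which is the #PF storm the description refers to; the fixed derivation yields 0.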

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.0 (including) 6.1.138 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.90 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.28 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.14.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*