CVE-2025-38055
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
18/06/2025
Last modified:
14/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq

Currently, using PEBS-via-PT with a sample frequency instead of a sample
period, causes a segfault. For example:

BUG: kernel NULL pointer dereference, address: 0000000000000195

? __die_body.cold+0x19/0x27
? page_fault_oops+0xca/0x290
? exc_page_fault+0x7e/0x1b0
? asm_exc_page_fault+0x26/0x30
? intel_pmu_pebs_event_update_no_drain+0x40/0x60
? intel_pmu_pebs_event_update_no_drain+0x32/0x60
intel_pmu_drain_pebs_icl+0x333/0x350
handle_pmi_common+0x272/0x3c0
intel_pmu_handle_irq+0x10a/0x2e0
perf_event_nmi_handler+0x2a/0x50

That happens because intel_pmu_pebs_event_update_no_drain() assumes all the
pebs_enabled bits represent counter indexes, which is not always the case.
In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.

The behaviour of PEBS-via-PT with sample frequency is questionable because
although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not
adjusted anyway.

Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing
the mask of counter bits instead of 'size'. Note, prior to the Fixes
commit, 'size' would be limited to the maximum counter index, so the issue
was not hit.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.10.5 (including) | 6.12.31 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:* | | |