National Cybersecurity Institute (INCIBE). INCIBE-CERT section

CVE-2025-40122

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
12/11/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error

When running perf_fuzzer on PTL, the "unchecked MSR access error" below is sometimes seen when accessing the IA32_PMC_x_CFG_B MSRs.

[ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30)
[ 55.611280] Call Trace:
[ 55.611282]
[ 55.611284] ? intel_pmu_config_acr+0x87/0x160
[ 55.611289] intel_pmu_enable_acr+0x6d/0x80
[ 55.611291] intel_pmu_enable_event+0xce/0x460
[ 55.611293] x86_pmu_start+0x78/0xb0
[ 55.611297] x86_pmu_enable+0x218/0x3a0
[ 55.611300] ? x86_pmu_enable+0x121/0x3a0
[ 55.611302] perf_pmu_enable+0x40/0x50
[ 55.611307] ctx_resched+0x19d/0x220
[ 55.611309] __perf_install_in_context+0x284/0x2f0
[ 55.611311] ? __pfx_remote_function+0x10/0x10
[ 55.611314] remote_function+0x52/0x70
[ 55.611317] ? __pfx_remote_function+0x10/0x10
[ 55.611319] generic_exec_single+0x84/0x150
[ 55.611323] smp_call_function_single+0xc5/0x1a0
[ 55.611326] ? __pfx_remote_function+0x10/0x10
[ 55.611329] perf_install_in_context+0xd1/0x1e0
[ 55.611331] ? __pfx___perf_install_in_context+0x10/0x10
[ 55.611333] __do_sys_perf_event_open+0xa76/0x1040
[ 55.611336] __x64_sys_perf_event_open+0x26/0x30
[ 55.611337] x64_sys_call+0x1d8e/0x20c0
[ 55.611339] do_syscall_64+0x4f/0x120
[ 55.611343] entry_SYSCALL_64_after_hwframe+0x76/0x7e

On PTL, GP counters 0 and 1 do not support the auto counter reload feature, so writing 1 to bit 0 of the CFG_B MSR, which requests auto counter reload on GP counter 0, triggers a #GP.

The root cause is that the check of the auto counter reload (ACR) counter mask supplied from user space in the intel_pmu_acr_late_setup() helper is incorrect. As a result, an invalid ACR counter mask from user space can be set into hw.config1, written into the CFG_B MSRs, and trigger the MSR access warning.

For example, a user may create a perf event with an ACR counter mask (config2=0xcb); with only one event created, "cpuc->n_events" is 1.

The correct check condition is "i + idx >= cpuc->n_events" rather than "i + idx > cpuc->n_events" (it looks like a typo). Otherwise the counter mask is traversed twice and the invalid "cpuc->assign[1]" bit (bit 0) is set into hw.config1, causing the MSR access error.

In addition, check whether the events corresponding to the ACR counter mask are ACR events, and filter out the counter-mask bits of those that are not. An event that is not an ACR event could be scheduled on a hardware counter that does not support ACR, so adding its counter index to the ACR counter mask is invalid.

Furthermore, remove the WARN_ON_ONCE(), since it is easily triggered (a user can set any invalid ACR counter mask) and the warning message could mislead users.
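The off-by-one bound check and the missing ACR-capability filter described above, modelled in an added C example. This is constructed code, not the kernel's intel_pmu_acr_late_setup(); the structure and function names (model_cpuc, model_acr_mask, scenario) and the sample counter assignment (counter 3 for the scheduled event) are assumptions chosen to reproduce the config2=0xcb, n_events=1 case from the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the ACR counter-mask traversal.
 * Not the kernel's data structures: only what the advisory describes. */
#define MODEL_MAX_EVENTS 8

struct model_cpuc {
    int n_events;                   /* events actually scheduled */
    int assign[MODEL_MAX_EVENTS];   /* hardware counter index per event slot */
    bool is_acr[MODEL_MAX_EVENTS];  /* event really uses auto counter reload */
};

/*
 * Translate the user-supplied ACR counter mask (config2) of the event in
 * slot `i` into a hardware counter mask (config1). Bit `idx` of config2
 * refers to the event in slot i + idx.
 *
 * fixed == false reproduces the original "i + idx > n_events" check and
 * performs no ACR-capability filtering; fixed == true applies the ">="
 * bound and drops bits whose event is not an ACR event.
 */
static uint64_t model_acr_mask(const struct model_cpuc *cpuc, int i,
                               uint64_t config2, bool fixed)
{
    uint64_t config1 = 0;

    for (int idx = 0; idx < 64; idx++) {
        if (!(config2 & (1ULL << idx)))
            continue;

        /* Stop once the mask points past the last scheduled event. */
        if (fixed ? (i + idx >= cpuc->n_events) : (i + idx > cpuc->n_events))
            break;

        /* Only events that really use ACR may contribute a counter index. */
        if (fixed && !cpuc->is_acr[i + idx])
            continue;

        config1 |= 1ULL << cpuc->assign[i + idx];
    }
    return config1;
}

/* Scenario from the description: one event, config2 = 0xcb, n_events = 1.
 * Slot 1 is never scheduled, so assign[1] stays 0: the "invalid bit 0". */
static uint64_t scenario(bool fixed)
{
    struct model_cpuc cpuc = { .n_events = 1 };
    cpuc.assign[0] = 3;        /* constructed: event scheduled on counter 3 */
    cpuc.is_acr[0] = true;
    return model_acr_mask(&cpuc, 0, 0xcb, fixed);
}

/* Second constructed scenario: two events, but the second one is not an
 * ACR event and sits on counter 0, so its bit must be filtered out. */
static uint64_t scenario_non_acr(bool fixed)
{
    struct model_cpuc cpuc = { .n_events = 2 };
    cpuc.assign[0] = 3;  cpuc.is_acr[0] = true;
    cpuc.assign[1] = 0;  cpuc.is_acr[1] = false;
    return model_acr_mask(&cpuc, 0, 0x3, fixed);
}

int main(void)
{
    printf("off-by-one : config1 = 0x%llx\n", (unsigned long long)scenario(false));
    printf("corrected  : config1 = 0x%llx\n", (unsigned long long)scenario(true));
    printf("non-ACR evt: config1 = 0x%llx (unfiltered) / 0x%llx (filtered)\n",
           (unsigned long long)scenario_non_acr(false),
           (unsigned long long)scenario_non_acr(true));
    return 0;
}
```

In both scenarios the uncorrected path leaves bit 0 set in config1, which on a part whose GP counter 0 lacks ACR support is the write that faults; the corrected path returns only the counter that the scheduled ACR event really occupies.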

Impact