{"id":"CVE-2025-38055","summary":"perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\n\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\nperiod, causes a segfault.  For example:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000195\n    \u003cNMI\u003e\n    ? __die_body.cold+0x19/0x27\n    ? page_fault_oops+0xca/0x290\n    ? exc_page_fault+0x7e/0x1b0\n    ? asm_exc_page_fault+0x26/0x30\n    ? intel_pmu_pebs_event_update_no_drain+0x40/0x60\n    ? intel_pmu_pebs_event_update_no_drain+0x32/0x60\n    intel_pmu_drain_pebs_icl+0x333/0x350\n    handle_pmi_common+0x272/0x3c0\n    intel_pmu_handle_irq+0x10a/0x2e0\n    perf_event_nmi_handler+0x2a/0x50\n\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\npebs_enabled bits represent counter indexes, which is not always the case.\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\n\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\nadjusted anyway.\n\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\nthe mask of counter bits instead of 'size'.  Note, prior to the Fixes\ncommit, 'size' would be limited to the maximum counter index, so the issue\nwas not hit.","modified":"2026-04-02T12:47:46.042501Z","published":"2025-06-18T09:33:35.556Z","related":["SUSE-SU-2025:02254-1","SUSE-SU-2025:02307-1","SUSE-SU-2025:02333-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38055.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0b1874a5b1173fbcb2185ab828f4c33d067e551e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/99bcd91fabada0dbb1d5f0de44532d8008db93c6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ca51db23166767a8445deb8331c9b8d5205d9287"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38055.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38055"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"722e42e45c2f1c6d1adec7813651dba5139f52f4"},{"fixed":"ca51db23166767a8445deb8331c9b8d5205d9287"},{"fixed":"0b1874a5b1173fbcb2185ab828f4c33d067e551e"},{"fixed":"99bcd91fabada0dbb1d5f0de44532d8008db93c6"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"a9d6d466bcf0621a872e1052bc40e4c6f0541b8d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38055.json"}}],"schema_version":"1.7.5"}