CVE-2025-40122

In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Fix IA32PMCxCFGB MSRs access error

When running perffuzzer on PTL, sometimes the below "unchecked MSR access error" is seen when accessing IA32PMCxCFG_B MSRs.

[ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (nativewritemsr+0x8/0x30) [ 55.611280] Call Trace: [ 55.611282] <TASK> [ 55.611284] ? intelpmuconfigacr+0x87/0x160 [ 55.611289] intelpmuenableacr+0x6d/0x80 [ 55.611291] intelpmuenableevent+0xce/0x460 [ 55.611293] x86pmustart+0x78/0xb0 [ 55.611297] x86pmuenable+0x218/0x3a0 [ 55.611300] ? x86pmuenable+0x121/0x3a0 [ 55.611302] perfpmuenable+0x40/0x50 [ 55.611307] ctxresched+0x19d/0x220 [ 55.611309] perfinstallincontext+0x284/0x2f0 [ 55.611311] ? _pfxremotefunction+0x10/0x10 [ 55.611314] remotefunction+0x52/0x70 [ 55.611317] ? _pfxremotefunction+0x10/0x10 [ 55.611319] genericexecsingle+0x84/0x150 [ 55.611323] smpcallfunctionsingle+0xc5/0x1a0 [ 55.611326] ? _pfxremotefunction+0x10/0x10 [ 55.611329] perfinstallincontext+0xd1/0x1e0 [ 55.611331] ? _pfxperfinstallincontext+0x10/0x10 [ 55.611333] _dosysperfeventopen+0xa76/0x1040 [ 55.611336] _x64sysperfeventopen+0x26/0x30 [ 55.611337] x64syscall+0x1d8e/0x20c0 [ 55.611339] dosyscall64+0x4f/0x120 [ 55.611343] entrySYSCALL64afterhwframe+0x76/0x7e

On PTL, GP counter 0 and 1 doesn't support auto counter reload feature, thus it would trigger a #GP when trying to write 1 on bit 0 of CFG_B MSR which requires to enable auto counter reload on GP counter 0.

The root cause of causing this issue is the check for auto counter reload (ACR) counter mask from user space is incorrect in intelpmuacrlatesetup() helper. It leads to an invalid ACR counter mask from user space could be set into hw.config1 and then written into CFG_B MSRs and trigger the MSR access warning.

e.g., User may create a perf event with ACR counter mask (config2=0xcb), and there is only 1 event created, so "cpuc->n_events" is 1.

The correct check condition should be "i + idx >= cpuc->nevents" instead of "i + idx > cpuc->nevents" (it looks a typo). Otherwise, the counter mask would traverse twice and an invalid "cpuc->assign[1]" bit (bit 0) is set into hw.config1 and cause MSR accessing error.

Besides, also check if the ACR counter mask corresponding events are ACR events. If not, filter out these counter mask. If a event is not a ACR event, it could be scheduled to an HW counter which doesn't support ACR. It's invalid to add their counter index in ACR counter mask.

Furthermore, remove the WARNONONCE() since it's easily triggered as user could set any invalid ACR counter mask and the warning message could mislead users.