CVE-2025-38424

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix sample vs do_exit()

Baisheng Gao reported an ARM64 crash, which Mark decoded as being a
synchronous external abort -- most likely due to trying to access
MMIO in bad ways.

The crash further shows perf trying to do a user stack sample while in
exit_mmap()'s tlb_finish_mmu() -- i.e. while tearing down the address
space it is trying to access.

It turns out that we stop perf after we tear down the userspace mm; a
receipie for disaster, since perf likes to access userspace for
various reasons.

Flip this order by moving up where we stop perf in do_exit().

Additionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER
to abort when the current task does not have an mm (exit_mm() makes
sure to set current->mm = NULL; before commencing with the actual
teardown). Such that CPU wide events don't trip on this same problem.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
LinuxCNA
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
vulnerable
bullseye (security)
5.10.244-1
fixed
bookworm
6.1.148-1
fixed
bookworm (security)
6.1.153-1
fixed
trixie
6.12.43-1
fixed
trixie (security)
6.12.48-1
fixed
forky
6.16.12-2
fixed
sid
6.16.12-2
fixed
linux-6.1
bullseye (security)
6.1.153-1~deb11u1
fixed
References
https://git.kernel.org/stable/c/2ee6044a693735396bb47eeaba1ac3ae26c1c99b
https://git.kernel.org/stable/c/456019adaa2f5366b89c868dea9b483179bece54
https://git.kernel.org/stable/c/4f6fc782128355931527cefe3eb45338abd8ab39
https://git.kernel.org/stable/c/507c9a595bad3abd107c6a8857d7fd125d89f386
https://git.kernel.org/stable/c/7311970d07c4606362081250da95f2c7901fc0db
https://git.kernel.org/stable/c/7b8f3c72175c6a63a95cf2e219f8b78e2baad34e
https://git.kernel.org/stable/c/975ffddfa2e19823c719459d2364fcaa17673964
https://git.kernel.org/stable/c/a9f6aab7910a0ef2895797f15c947f6d1053160f