CVE-2025-22094

Publication date

2025-04-16 14:12:45

Family

Linux

State

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Fix ref-counting on the PMU vpa_pmu Commit 176cda0619b6 ("powerpc/perf: Add perf interface to expose vpa counters") introduced vpa_pmu to expose Book3s-HV nested APIv2 provided L1<->L2 context switch latency counters to L1 user-space via perf-events. However the newly introduced PMU named vpa_pmu doesnt assign ownership of the PMU to the module vpa_pmu. Consequently the module vpa_pmu can be unloaded while one of the perf-events are still active, which can lead to kernel oops and panic of the form below on a Pseries-LPAR: BUG: Kernel NULL pointer dereference on read at 0x00000058 NIP [c000000000506cb8] event_sched_out+0x40/0x258 LR [c00000000050e8a4] __perf_remove_from_context+0x7c/0x2b0 Call Trace: [c00000025fc3fc30] [c00000025f8457a8] 0xc00000025f8457a8 (unreliable) [c00000025fc3fc80] [fffffffffffffee0] 0xfffffffffffffee0 [c00000025fc3fcd0] [c000000000501e70] event_function+0xa8/0x120 Kernel panic - not syncing: Aiee, killing interrupt handler! Fix this by adding the module ownership to vpa_pmu so that the module vpa_pmu is ref-counted and prevented from being unloaded when perf-events are initialized.