CVE-2025-22094
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-22094
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22094.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-22094
- Downstream
- Related
- Published
- 2025-04-16T14:12:45Z
- Modified
- 2025-10-17T23:29:01.494280Z
- Summary
- powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'
Commit 176cda0619b6 ("powerpc/perf: Add perf interface to expose vpa counters") introduced 'vpapmu' to expose Book3s-HV nested APIv2 provided L1<->L2 context switch latency counters to L1 user-space via perf-events. However the newly introduced PMU named 'vpapmu' doesn't assign ownership of the PMU to the module 'vpapmu'. Consequently the module 'vpapmu' can be unloaded while one of the perf-events are still active, which can lead to kernel oops and panic of the form below on a Pseries-LPAR:
BUG: Kernel NULL pointer dereference on read at 0x00000058 <snip> NIP [c000000000506cb8] eventschedout+0x40/0x258 LR [c00000000050e8a4] _perfremovefromcontext+0x7c/0x2b0 Call Trace: [c00000025fc3fc30] [c00000025f8457a8] 0xc00000025f8457a8 (unreliable) [c00000025fc3fc80] [fffffffffffffee0] 0xfffffffffffffee0 [c00000025fc3fcd0] [c000000000501e70] event_function+0xa8/0x120 <snip> Kernel panic - not syncing: Aiee, killing interrupt handler!
Fix this by adding the module ownership to 'vpapmu' so that the module 'vpapmu' is ref-counted and prevented from being unloaded when perf-events are initialized.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced176cda0619b6c17a553625f6e2fcbc3981ad667dFixed70ea7c5189197c6f5acdcfd8a2651be2c41e2faa
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced176cda0619b6c17a553625f6e2fcbc3981ad667dFixed6cf045b51e2c5721db7e55305f09ee32741e00f9
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced176cda0619b6c17a553625f6e2fcbc3981ad667dFixedff99d5b6a246715f2257123cdf6c4a29cb33aa78
Affected versions
v6.*
Database specific
vanir_signatures
[
{
"id": "CVE-2025-22094-0da8d1ff",
"digest": {
"line_hashes": [
"249242719731175353159759540805168224829",
"319206473847239410764709895685993850328",
"127595810321825886432585173294128174696",
"299310484269493692734337481410160869073"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "arch/powerpc/perf/vpa-pmu.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ff99d5b6a246715f2257123cdf6c4a29cb33aa78",
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-22094-256da7c1",
"digest": {
"line_hashes": [
"249242719731175353159759540805168224829",
"319206473847239410764709895685993850328",
"127595810321825886432585173294128174696",
"299310484269493692734337481410160869073"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "arch/powerpc/perf/vpa-pmu.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@70ea7c5189197c6f5acdcfd8a2651be2c41e2faa",
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-22094-7a509a8f",
"digest": {
"line_hashes": [
"249242719731175353159759540805168224829",
"319206473847239410764709895685993850328",
"127595810321825886432585173294128174696",
"299310484269493692734337481410160869073"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "arch/powerpc/perf/vpa-pmu.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6cf045b51e2c5721db7e55305f09ee32741e00f9",
"signature_type": "Line",
"signature_version": "v1"
}
]