CVE-2025-22094

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
17/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'

Commit 176cda0619b6 ("powerpc/perf: Add perf interface to expose vpa
counters") introduced 'vpa_pmu' to expose Book3s-HV nested APIv2 provided
L1<->L2 context switch latency counters to L1 user-space via
perf-events. However the newly introduced PMU named 'vpa_pmu' doesn't
assign ownership of the PMU to the module 'vpa_pmu'. Consequently the
module 'vpa_pmu' can be unloaded while one of the perf-events are still
active, which can lead to kernel oops and panic of the form below on a
Pseries-LPAR:

BUG: Kernel NULL pointer dereference on read at 0x00000058
<snip>
NIP [c000000000506cb8] event_sched_out+0x40/0x258
LR [c00000000050e8a4] __perf_remove_from_context+0x7c/0x2b0
Call Trace:
[c00000025fc3fc30] [c00000025f8457a8] 0xc00000025f8457a8 (unreliable)
[c00000025fc3fc80] [fffffffffffffee0] 0xfffffffffffffee0
[c00000025fc3fcd0] [c000000000501e70] event_function+0xa8/0x120
<snip>
Kernel panic - not syncing: Aiee, killing interrupt handler!

Fix this by adding the module ownership to 'vpa_pmu' so that the module
'vpa_pmu' is ref-counted and prevented from being unloaded when perf-events
are initialized.
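
The ownership rule described above, as an added example that is not part of this CVE record or of the kernel patch: a simplified userspace C model showing that an active event blocks module unload only when the PMU names its owning module. The struct layouts and the helper `unload_with_active_event` are constructed for illustration; `try_module_get` and `module_put` mirror the kernel helpers by name and behaviour only.

```c
/* Userspace model, constructed for illustration; not kernel source. */
#include <stdio.h>
#include <stddef.h>
#include <errno.h>

struct module     { const char *name; int refcnt; int live; };
struct pmu        { const char *name; struct module *module; /* owner, NULL = none */ };
struct perf_event { struct pmu *pmu; };

/* As in the kernel helper, a NULL owner "succeeds" but pins nothing. */
static int try_module_get(struct module *m) {
    if (!m) return 1;
    if (!m->live) return 0;
    m->refcnt++;
    return 1;
}
static void module_put(struct module *m) { if (m) m->refcnt--; }

/* Creating an event takes a reference on the PMU's owner, if it has one. */
static int event_init(struct perf_event *ev, struct pmu *pmu) {
    if (!try_module_get(pmu->module)) return -ENODEV;
    ev->pmu = pmu;
    return 0;
}
/* Freeing the event drops that reference again. */
static void event_free(struct perf_event *ev) { module_put(ev->pmu->module); ev->pmu = NULL; }

/* Unload is refused while any reference is held. */
static int module_unload(struct module *m) {
    if (m->refcnt > 0) return -EWOULDBLOCK;
    m->live = 0;
    return 0;
}

/* Try to unload while one event is active; returns module_unload()'s result. */
static int unload_with_active_event(int owner_set) {
    struct module mod = { "vpa_pmu", 0, 1 };
    struct pmu pmu = { "vpa_pmu", owner_set ? &mod : NULL };
    struct perf_event ev;
    if (event_init(&ev, &pmu)) return -ENODEV;
    int ret = module_unload(&mod);
    /* ret == 0 here means the module is gone while ev.pmu still points into it. */
    if (ret) event_free(&ev);
    return ret;
}

int main(void) {
    printf("owner unset: unload returns %d\n", unload_with_active_event(0));
    printf("owner set:   unload returns %d\n", unload_with_active_event(1));
    return 0;
}
```

In the unowned case the unload succeeds with an event still referencing the PMU, which is the state behind the oops quoted above; with the owner set, the unload is refused until the event is freed.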

Impact