Summary:
In the Linux kernel, the following vulnerability has been resolved:

powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'

Commit 176cda0619b6 ("powerpc/perf: Add perf interface to expose vpa
counters") introduced 'vpa_pmu' to expose Book3s-HV nested APIv2 provided
L1<->L2 context switch latency counters to L1 user-space via
perf-events. However the newly introduced PMU named 'vpa_pmu' doesn't
assign ownership of the PMU to the module 'vpa_pmu'. Consequently the
module 'vpa_pmu' can be unloaded while one of the perf-events is still
active, which can lead to kernel oops and panic of the form below on a
Pseries-LPAR:

    BUG: Kernel NULL pointer dereference on read at 0x00000058
    <snip>
    NIP [c000000000506cb8] event_sched_out+0x40/0x258
    LR [c00000000050e8a4] __perf_remove_from_context+0x7c/0x2b0
    Call Trace:
    [c00000025fc3fc30] [c00000025f8457a8] 0xc00000025f8457a8 (unreliable)
    [c00000025fc3fc80] [fffffffffffffee0] 0xfffffffffffffee0
    [c00000025fc3fcd0] [c000000000501e70] event_function+0xa8/0x120
    <snip>
    Kernel panic - not syncing: Aiee, killing interrupt handler!

Fix this by adding the module ownership to 'vpa_pmu' so that the module
'vpa_pmu' is ref-counted and prevented from being unloaded when perf-events
are initialized.

Severity: Low
Advisory ID: KylinSec-SA-2025-2415
Release date: May 30, 2025
Related CVE: CVE-2025-22094
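Linux kernel vulnerability fix advisory:
Component: powerpc/perf subsystem (vpa_pmu performance monitoring unit)
Vulnerability description:
Commit 176cda0619b6 added the vpa_pmu module, which exposes the Book3s-HV nested APIv2 L1↔L2 context switch latency counters to user space via perf-events. The module has the following defects:
- Missing reference counting: ownership of the vpa_pmu PMU is not assigned to the module itself
- Module unload risk: the module can be unloaded while perf-events are still active
- Kernel crash: a NULL pointer dereference is triggered, leading to a kernel oops and a fatal panic on Pseries-LPAR systems (see the sample log in the summary above)
Fix:
Adding a reference-counting mechanism to the vpa_pmu module ensures the following two points:
- When perf-events are initialized, the module reference count is incremented
- The module is prevented from being unloaded while events are active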
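
The missing pin can be modelled in user space, as an added example that is not code from the kernel or from this advisory. `struct module`, `struct pmu`, `try_module_get()` and `module_put()` are simplified stand-ins named after their kernel counterparts, and `unload_with_active_event()` is a hypothetical helper.

```c
/* User-space model of perf's module pinning; constructed, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct module { int refcnt; bool live; };
struct pmu { const char *name; struct module *module; }; /* module: owner or NULL */
struct perf_event { struct pmu *pmu; };

/* As in the kernel, a NULL owner "succeeds" but pins nothing. */
static bool try_module_get(struct module *m)
{
    if (!m) return true;
    if (!m->live) return false;
    m->refcnt++;
    return true;
}
static void module_put(struct module *m) { if (m) m->refcnt--; }

/* Event creation takes a reference on the PMU's owning module. */
static bool event_init(struct perf_event *ev, struct pmu *pmu)
{
    if (!try_module_get(pmu->module)) return false;
    ev->pmu = pmu;
    return true;
}
static void event_free(struct perf_event *ev) { module_put(ev->pmu->module); ev->pmu = NULL; }

/* Non-forced unload: refused while any reference is held. */
static bool module_unload(struct module *m)
{
    if (m->refcnt > 0) return false;
    m->live = false;
    return true;
}

/* True if the module could be unloaded while an event was still active. */
bool unload_with_active_event(bool owner_set)
{
    struct module mod = { .refcnt = 0, .live = true };
    struct pmu vpa_pmu = { .name = "vpa_pmu", .module = owner_set ? &mod : NULL };
    struct perf_event ev = { NULL };
    if (!event_init(&ev, &vpa_pmu)) return false;
    bool unloaded = module_unload(&mod); /* event is still active here */
    event_free(&ev);
    return unloaded;
}

int main(void)
{
    printf("owner unset -> unloaded while active: %d\n", unload_with_active_event(false));
    printf("owner set   -> unloaded while active: %d\n", unload_with_active_event(true));
    return 0;
}
```

With the owner unset the unload succeeds while the event still points at the PMU, which is the state that precedes the oops in the advisory; with the owner set the unload is refused until the event is freed.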
CVE | Product | Component | Affected |
---|---|---|---|
CVE-2025-22094 | KY3.4-5A | kernel | Unaffected |
CVE-2025-22094 | V6 | kernel | Unaffected |