CVE-2024-53195

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Get rid of userspaceirqchipin_use

Improper use of userspaceirqchipinuse led to syzbot hitting the following WARNON() in kvmtimerupdate_irq():

WARNING: CPU: 0 PID: 3281 at arch/arm64/kvm/archtimer.c:459 kvmtimerupdateirq+0x21c/0x394 Call trace: kvmtimerupdateirq+0x21c/0x394 arch/arm64/kvm/archtimer.c:459 kvmtimervcpureset+0x158/0x684 arch/arm64/kvm/archtimer.c:968 kvmresetvcpu+0x3b4/0x560 arch/arm64/kvm/reset.c:264 kvmvcpusettarget arch/arm64/kvm/arm.c:1553 [inline] kvmarchvcpuioctlvcpuinit arch/arm64/kvm/arm.c:1573 [inline] kvmarchvcpuioctl+0x112c/0x1b3c arch/arm64/kvm/arm.c:1695 kvmvcpuioctl+0x4ec/0xf74 virt/kvm/kvmmain.c:4658 vfs_ioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:907 [inline] __sesysioctl fs/ioctl.c:893 [inline] __arm64sysioctl+0x108/0x184 fs/ioctl.c:893 __invokesyscall arch/arm64/kernel/syscall.c:35 [inline] invokesyscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49 el0svccommon+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132 doel0svc+0x40/0x50 arch/arm64/kernel/syscall.c:151 el0svc+0x54/0x14c arch/arm64/kernel/entry-common.c:712 el0t64synchandler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t64sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The following sequence led to the scenario: - Userspace creates a VM and a vCPU. - The vCPU is initialized with KVMARMVCPUPMUV3 during KVMARMVCPUINIT. - Without any other setup, such as vGIC or vPMU, userspace issues KVMRUN on the vCPU. Since the vPMU is requested, but not setup, kvmarmpmuv3enable() fails in kvmarchvcpurunpidchange(). As a result, KVMRUN returns after enabling the timer, but before incrementing 'userspaceirqchipinuse': kvmarchvcpurunpidchange() ret = kvmarmpmuv3enable() if (!vcpu->arch.pmu.created) return -EINVAL; if (ret) return ret; [...] if (!irqchipinkernel(kvm)) staticbranchinc(&userspaceirqchipinuse); - Userspace ignores the error and issues KVMARMVCPUINIT again. Since the timer is already enabled, control moves through the following flow, ultimately hitting the WARNON(): kvmtimervcpureset() if (timer->enabled) kvmtimerupdateirq() if (!userspaceirqchip()) ret = kvmvgicinjectirq() ret = vgiclazyinit() if (unlikely(!vgicinitialized(kvm))) if (kvm->arch.vgic.vgicmodel != KVMDEVTYPEARMVGICV2) return -EBUSY; WARN_ON(ret);

Theoretically, since userspaceirqchipinuse's functionality can be simply replaced by '!irqchipin_kernel()', get rid of the static key to avoid the mismanagement, which also helps with the syzbot issue.