CVE-2025-40026

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace, KVM will treat the access as being intercepted despite already having emulated the I/O access.

Pivot on EMULTYPENODECODE to detect that KVM is completing emulation. Of the three users of EMULTYPENODECODE, only completeemulatedio() (the intended "recipient") can reach the code in question. gpinterception()'s use is mutually exclusive with isguestmode(), and completeemulatedinsngp() unconditionally pairs EMULTYPENODECODE with EMULTYPE_SKIP.

The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM no completing emulation of the I/O instruction.

WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulatorpioinout+0x154/0x170 [kvm] Modules linked in: kvmintel kvm irqbypass CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:emulatorpioinout+0x154/0x170 [kvm] PKRU: 55555554 Call Trace: <TASK> kvmfastpio+0xd6/0x1d0 [kvm] vmxhandleexit+0x149/0x610 [kvmintel] kvmarchvcpuioctlrun+0xda8/0x1ac0 [kvm] kvmvcpuioctl+0x244/0x8c0 [kvm] __x64sysioctl+0x8a/0xd0 dosyscall64+0x5d/0xc60 entrySYSCALL64afterhwframe+0x4b/0x53 </TASK>