[SRU][J][PATCH v2 0/2] CVE-2025-37849
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Tue Feb 10 14:02:43 UTC 2026
[ Impact ]
KVM: arm64: Tear down vGIC on failed vCPU creation
If kvm_arch_vcpu_create() fails to share the vCPU page with the
hypervisor, we propagate the error back to the ioctl but leave the
vGIC vCPU data initialised. Not only does this leak the corresponding
memory when the vCPU is destroyed but it can also lead to use-after-free
if the redistributor device handling tries to walk into the vCPU.
Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the
vGIC vCPU structures are destroyed on error.
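An added C illustration of the error-path defect and its fix; this is not the kernel patch and not part of this submission. The struct, the live-allocation counter and every model_* function are constructed stand-ins, and only the control flow mirrors kvm_arch_vcpu_create() before and after the fix (vGIC init, then the hypervisor page share that can fail).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* Constructed stand-in for the per-vCPU state; not the kernel's real struct. */
struct vcpu { int *vgic_irqs; bool vgic_initialised; };
static int live_vgic_allocs;         /* outstanding vGIC allocations (leak detector) */
static bool share_page_should_fail;  /* test knob: make the hyp page share fail */

/* The vGIC part of vCPU init that the buggy error path left behind. */
static int model_vgic_vcpu_init(struct vcpu *v)
{
    v->vgic_irqs = calloc(16, sizeof(int));
    if (!v->vgic_irqs) return -ENOMEM;
    v->vgic_initialised = true;
    live_vgic_allocs++;
    return 0;
}

/* Stands in for kvm_vgic_vcpu_destroy(): undo what init did, safe to call twice. */
static void model_vgic_vcpu_destroy(struct vcpu *v)
{
    if (!v->vgic_initialised) return;
    free(v->vgic_irqs);
    v->vgic_irqs = NULL;
    v->vgic_initialised = false;
    live_vgic_allocs--;
}

/* Stands in for create_hyp_mappings() sharing the vCPU page with the hypervisor. */
static int model_share_vcpu_page(void) { return share_page_should_fail ? -EINVAL : 0; }

/* Before the fix: the share error is propagated with the vGIC state still live. */
static int vcpu_create_before_fix(struct vcpu *v)
{
    int err = model_vgic_vcpu_init(v);
    if (err) return err;
    err = model_share_vcpu_page();
    if (err) return err;   /* BUG: vgic_irqs stays allocated; a later walk can reach it */
    return 0;
}

/* After the fix: the error path tears the vGIC vCPU state down before returning. */
static int vcpu_create_after_fix(struct vcpu *v)
{
    int err = model_vgic_vcpu_init(v);
    if (err) return err;
    err = model_share_vcpu_page();
    if (err) { model_vgic_vcpu_destroy(v); return err; }
    return 0;
}
```

The leak detector counts what the buggy path leaves behind after a failed create; the fixed path leaves the counter at zero.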
[ Fix ]
Backport the fix commit and a dependency from mainline:
- d26b9cb33c2d1 KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy()
- 250f25367b58d KVM: arm64: Tear down vGIC on failed vCPU creation
[ Test Plan ]
Compile tested.
Tested on a bare metal arm64 server using:
* kvm kselftest
```
$ uname -a
Linux puniper 5.15.0-172-generic #182 SMP Tue Feb 10 13:13:39 UTC 2026 aarch64 aarch64 aarch64 GNU/Linux
$ sudo make summary=1 TARGETS="kvm" kselftest
TAP version 13
1..13
# selftests: kvm: debug-exceptions
ok 1 selftests: kvm: debug-exceptions
# selftests: kvm: get-reg-list
ok 2 selftests: kvm: get-reg-list
# selftests: kvm: psci_cpu_on_test
ok 3 selftests: kvm: psci_cpu_on_test
# selftests: kvm: vgic_init
ok 4 selftests: kvm: vgic_init
# selftests: kvm: demand_paging_test
ok 5 selftests: kvm: demand_paging_test
# selftests: kvm: dirty_log_test
ok 6 selftests: kvm: dirty_log_test
# selftests: kvm: dirty_log_perf_test
ok 7 selftests: kvm: dirty_log_perf_test
# selftests: kvm: kvm_create_max_vcpus
ok 8 selftests: kvm: kvm_create_max_vcpus
# selftests: kvm: kvm_page_table_test
ok 9 selftests: kvm: kvm_page_table_test
# selftests: kvm: rseq_test
not ok 10 selftests: kvm: rseq_test # exit=254
# selftests: kvm: set_memory_region_test
ok 11 selftests: kvm: set_memory_region_test
# selftests: kvm: steal_time
ok 12 selftests: kvm: steal_time
# selftests: kvm: kvm_binary_stats_test
ok 13 selftests: kvm: kvm_binary_stats_test
```
* kvm unit test
```
$ uname -a
Linux puniper 5.15.0-172-generic #182 SMP Tue Feb 10 13:13:39 UTC 2026 aarch64 aarch64 aarch64 GNU/Linux
$ sudo ./run_tests.sh
PASS selftest-setup (2 tests)
PASS selftest-vectors-kernel (3 tests)
PASS selftest-vectors-user (2 tests)
PASS selftest-smp (1 tests)
PASS pci-test (1 tests)
PASS pmu-cycle-counter (2 tests)
PASS pmu-event-introspection (1 tests)
PASS pmu-event-counter-config (3 tests)
FAIL pmu-basic-event-count (11 tests, 1 unexpected failures, 1 skipped)
FAIL pmu-mem-access (3 tests, 2 unexpected failures, 1 skipped)
PASS pmu-mem-access-reliability (2 tests, 1 skipped)
PASS pmu-sw-incr (5 tests, 1 skipped)
FAIL pmu-chained-counters (6 tests, 6 unexpected failures)
FAIL pmu-chained-sw-incr (2 tests, 2 unexpected failures)
FAIL pmu-chain-promotion (7 tests, 5 unexpected failures)
FAIL pmu-overflow-interrupt (7 tests, 3 unexpected failures, 1 skipped)
SKIP gicv2-ipi (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
SKIP gicv2-mmio (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
SKIP gicv2-mmio-up (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
SKIP gicv2-mmio-3p (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
PASS gicv3-ipi (3 tests)
SKIP gicv2-active (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
PASS gicv3-active (1 tests)
PASS its-introspection (5 tests)
PASS its-trigger (6 tests)
PASS its-migration (2 tests)
PASS its-pending-migration (1 tests)
PASS its-migrate-unmapped-collection (3 tests)
PASS psci (5 tests)
PASS timer (18 tests)
SKIP micro-bench (test marked as manual run only)
PASS cache (1 tests)
PASS debug-bp (16 tests)
PASS debug-bp-migration (17 tests)
PASS debug-wp (8 tests)
PASS debug-wp-migration (9 tests)
PASS debug-sstep (1 tests)
PASS debug-sstep-migration (1 tests)
SKIP fpu-context (test marked as manual run only)
```
Both KASAN and PROVE_LOCKING were enabled during the test.
Note that all the failing tests were already failing before the patchset.
[ Regression Potential ]
The regression potential is minimal. The patch affects only the arm64
error path taken when create_hyp_mappings() fails during vCPU creation.
[ Changes between v1 and v2 ]
Also backported the dependency d26b9cb33c2d1.
Marc Zyngier (1):
KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy()
Will Deacon (1):
KVM: arm64: Tear down vGIC on failed vCPU creation
arch/arm64/kvm/arm.c | 6 +++++-
arch/arm64/kvm/vgic/vgic-init.c | 13 +++++++++++--
2 files changed, 16 insertions(+), 3 deletions(-)
--
2.51.0