ACK: [SRU][J][PATCH v2 0/2] CVE-2025-37849

Austin Rhodes austin.rhodes at canonical.com
Thu Feb 26 16:10:50 UTC 2026


On 2/10/26 09:02, Massimiliano Pellizzer wrote:

> [ Impact ]
>
> KVM: arm64: Tear down vGIC on failed vCPU creation
>
> If kvm_arch_vcpu_create() fails to share the vCPU page with the
> hypervisor, we propagate the error back to the ioctl but leave the
> vGIC vCPU data initialised. Not only does this leak the corresponding
> memory when the vCPU is destroyed but it can also lead to use-after-free
> if the redistributor device handling tries to walk into the vCPU.
>
> Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the
> vGIC vCPU structures are destroyed on error.
>
> [ Fix ]
>
> Backport the fix commit and a dependency from mainline:
> - d26b9cb33c2d1 KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy()
> - 250f25367b58d KVM: arm64: Tear down vGIC on failed vCPU creation
>
> [ Test Plan ]
>
> Compile tested.
> Tested on a bare metal arm64 server using:
> * kvm kselftest
> ```
> $ uname -a
> Linux puniper 5.15.0-172-generic #182 SMP Tue Feb 10 13:13:39 UTC 2026 aarch64 aarch64 aarch64 GNU/Linux
> $ sudo make summary=1 TARGETS="kvm" kselftest
> TAP version 13
> 1..13
> # selftests: kvm: debug-exceptions
> ok 1 selftests: kvm: debug-exceptions
> # selftests: kvm: get-reg-list
> ok 2 selftests: kvm: get-reg-list
> # selftests: kvm: psci_cpu_on_test
> ok 3 selftests: kvm: psci_cpu_on_test
> # selftests: kvm: vgic_init
> ok 4 selftests: kvm: vgic_init
> # selftests: kvm: demand_paging_test
> ok 5 selftests: kvm: demand_paging_test
> # selftests: kvm: dirty_log_test
> ok 6 selftests: kvm: dirty_log_test
> # selftests: kvm: dirty_log_perf_test
> ok 7 selftests: kvm: dirty_log_perf_test
> # selftests: kvm: kvm_create_max_vcpus
> ok 8 selftests: kvm: kvm_create_max_vcpus
> # selftests: kvm: kvm_page_table_test
> ok 9 selftests: kvm: kvm_page_table_test
> # selftests: kvm: rseq_test
> not ok 10 selftests: kvm: rseq_test # exit=254
> # selftests: kvm: set_memory_region_test
> ok 11 selftests: kvm: set_memory_region_test
> # selftests: kvm: steal_time
> ok 12 selftests: kvm: steal_time
> # selftests: kvm: kvm_binary_stats_test
> ok 13 selftests: kvm: kvm_binary_stats_test
> ```
> * kvm unit test
> ```
> $ uname -a
> Linux puniper 5.15.0-172-generic #182 SMP Tue Feb 10 13:13:39 UTC 2026 aarch64 aarch64 aarch64 GNU/Linux
> $ sudo ./run_tests.sh
> PASS selftest-setup (2 tests)
> PASS selftest-vectors-kernel (3 tests)
> PASS selftest-vectors-user (2 tests)
> PASS selftest-smp (1 tests)
> PASS pci-test (1 tests)
> PASS pmu-cycle-counter (2 tests)
> PASS pmu-event-introspection (1 tests)
> PASS pmu-event-counter-config (3 tests)
> FAIL pmu-basic-event-count (11 tests, 1 unexpected failures, 1 skipped)
> FAIL pmu-mem-access (3 tests, 2 unexpected failures, 1 skipped)
> PASS pmu-mem-access-reliability (2 tests, 1 skipped)
> PASS pmu-sw-incr (5 tests, 1 skipped)
> FAIL pmu-chained-counters (6 tests, 6 unexpected failures)
> FAIL pmu-chained-sw-incr (2 tests, 2 unexpected failures)
> FAIL pmu-chain-promotion (7 tests, 5 unexpected failures)
> FAIL pmu-overflow-interrupt (7 tests, 3 unexpected failures, 1 skipped)
> SKIP gicv2-ipi (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
> SKIP gicv2-mmio (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
> SKIP gicv2-mmio-up (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
> SKIP gicv2-mmio-3p (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
> PASS gicv3-ipi (3 tests)
> SKIP gicv2-active (qemu-system-aarch64: host does not support in-kernel GICv2 emulation)
> PASS gicv3-active (1 tests)
> PASS its-introspection (5 tests)
> PASS its-trigger (6 tests)
> PASS its-migration (2 tests)
> PASS its-pending-migration (1 tests)
> PASS its-migrate-unmapped-collection (3 tests)
> PASS psci (5 tests)
> PASS timer (18 tests)
> SKIP micro-bench (test marked as manual run only)
> PASS cache (1 tests)
> PASS debug-bp (16 tests)
> PASS debug-bp-migration (17 tests)
> PASS debug-wp (8 tests)
> PASS debug-wp-migration (9 tests)
> PASS debug-sstep (1 tests)
> PASS debug-sstep-migration (1 tests)
> SKIP fpu-context (test marked as manual run only)
> ```
>
> Both KASAN and PROVE_LOCKING were enabled during the test.
> Notice that all tests failing were failing even before the patchset.
>
> [ Regression Potential ]
>
> The regression potential is minimal. The patch affects only arm64
> error path when create_hyp_mappings() fails during vCPU creation.
>
> [ Changes between v1 and v2 ]
>
> Backported also the dependency d26b9cb33c2d1.
>
>
> Marc Zyngier (1):
>    KVM: arm64: vgic: Add a non-locking primitive for
>      kvm_vgic_vcpu_destroy()
>
> Will Deacon (1):
>    KVM: arm64: Tear down vGIC on failed vCPU creation
>
>   arch/arm64/kvm/arm.c            |  6 +++++-
>   arch/arm64/kvm/vgic/vgic-init.c | 13 +++++++++++--
>   2 files changed, 16 insertions(+), 3 deletions(-)
>
Acked-by: Austin Rhodes <austin.rhodes at canonical.com>
