{"id":"AZL-68303","summary":"CVE-2024-53195 affecting package kernel 5.15.200.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Get rid of userspace_irqchip_in_use\n\nImproper use of userspace_irqchip_in_use led to syzbot hitting the\nfollowing WARN_ON() in kvm_timer_update_irq():\n\nWARNING: CPU: 0 PID: 3281 at arch/arm64/kvm/arch_timer.c:459\nkvm_timer_update_irq+0x21c/0x394\nCall trace:\n  kvm_timer_update_irq+0x21c/0x394 arch/arm64/kvm/arch_timer.c:459\n  kvm_timer_vcpu_reset+0x158/0x684 arch/arm64/kvm/arch_timer.c:968\n  kvm_reset_vcpu+0x3b4/0x560 arch/arm64/kvm/reset.c:264\n  kvm_vcpu_set_target arch/arm64/kvm/arm.c:1553 [inline]\n  kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1573 [inline]\n  kvm_arch_vcpu_ioctl+0x112c/0x1b3c arch/arm64/kvm/arm.c:1695\n  kvm_vcpu_ioctl+0x4ec/0xf74 virt/kvm/kvm_main.c:4658\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __arm64_sys_ioctl+0x108/0x184 fs/ioctl.c:893\n  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n  invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49\n  el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132\n  do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151\n  el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:712\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nThe following sequence led to the scenario:\n - Userspace creates a VM and a vCPU.\n - The vCPU is initialized with KVM_ARM_VCPU_PMU_V3 during\n   KVM_ARM_VCPU_INIT.\n - Without any other setup, such as vGIC or vPMU, userspace issues\n   KVM_RUN on the vCPU. Since the vPMU is requested, but not setup,\n   kvm_arm_pmu_v3_enable() fails in kvm_arch_vcpu_run_pid_change().\n   As a result, KVM_RUN returns after enabling the timer, but before\n   incrementing 'userspace_irqchip_in_use':\n   kvm_arch_vcpu_run_pid_change()\n       ret = kvm_arm_pmu_v3_enable()\n           if (!vcpu-\u003earch.pmu.created)\n               return -EINVAL;\n       if (ret)\n           return ret;\n       [...]\n       if (!irqchip_in_kernel(kvm))\n           static_branch_inc(&userspace_irqchip_in_use);\n - Userspace ignores the error and issues KVM_ARM_VCPU_INIT again.\n   Since the timer is already enabled, control moves through the\n   following flow, ultimately hitting the WARN_ON():\n   kvm_timer_vcpu_reset()\n       if (timer-\u003eenabled)\n          kvm_timer_update_irq()\n              if (!userspace_irqchip())\n                  ret = kvm_vgic_inject_irq()\n                      ret = vgic_lazy_init()\n                          if (unlikely(!vgic_initialized(kvm)))\n                              if (kvm-\u003earch.vgic.vgic_model !=\n                                  KVM_DEV_TYPE_ARM_VGIC_V2)\n                                      return -EBUSY;\n                  WARN_ON(ret);\n\nTheoretically, since userspace_irqchip_in_use's functionality can be\nsimply replaced by '!irqchip_in_kernel()', get rid of the static key\nto avoid the mismanagement, which also helps with the syzbot issue.","modified":"2026-04-01T05:21:23.921721Z","published":"2024-12-27T14:15:27Z","upstream":["CVE-2024-53195"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53195"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"5.15.200.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68303.json"}}],"schema_version":"1.7.5"}