In the latest Linux kernel, a vulnerability has been resolved that could cause a deadlock in the KVM (Kernel-based Virtual Machine) subsystem on x86 architectures. The fix uses a dedicated mutex to protect kvm_usage_count, which avoids the deadlock scenario. The patch can be seen as a crucial step towards ensuring stable and deadlock-free virtual machines on Linux systems.
The vulnerability exists due to a chain of locks and SRCU (sleepable read-copy-update) synchronizations involving multiple CPU cores. In the deadlock scenario, different CPU cores try to acquire locks in a circular dependency, causing the system to stall. The dedicated mutex introduced by this patch breaks that lock dependency and ensures stable operation.
Below is the lock sequence, step by step and per CPU, that highlights the issue:
     CPU0                       CPU1                       CPU2
1    lock(&kvm->slots_lock);
2                                                          lock(&vcpu->mutex);
3                                                          lock(&kvm->srcu);
4                               lock(cpu_hotplug_lock);
5                               lock(kvm_lock);
6                               lock(&kvm->slots_lock);
7                                                          lock(cpu_hotplug_lock);
8    sync(&kvm->srcu);
It's important to note that there might be other potential deadlocks in KVM x86 due to the combination of dependencies and timings involved. However, triggering such deadlocks has been quite rare and difficult to reproduce.
The most robust solution for the general cpu_hotplug_lock issue is likely to switch the vm_list to be an RCU-protected list, which would help eliminate the need to take kvm_lock in certain scenarios. However, since this would be a more involved change, the current patch settles for fixing what is considered the most blatant deadlock.
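The circular wait in the sequence above can be checked mechanically as a cycle in a lock-ordering graph. The following C program is an added example, not code from the kernel patch: it turns each pair of steps into a "held, then wanted" edge and searches for a cycle, first with kvm_lock guarding kvm_usage_count and then with a dedicated mutex. The name KVM_USAGE_LOCK, the edge list, and treating an SRCU read section as a held lock are assumptions of this model, and it covers only the usage-count path, not the other cpu_hotplug_lock cases mentioned above.

```c
#include <stdio.h>

/* Lock classes from the page's scenario. KVM_USAGE_LOCK stands for the
 * dedicated mutex; that name is an assumption of this model. */
enum { SLOTS_LOCK, VCPU_MUTEX, KVM_SRCU, CPU_HOTPLUG_LOCK, KVM_LOCK,
       KVM_USAGE_LOCK, NLOCKS };
struct edge { int held, wanted; };  /* "wanted" is acquired while "held" is held */
#define NEDGES 5

/* DFS colours: 0 = unvisited, 1 = on the current path, 2 = finished. */
static int dfs(const struct edge *e, int node, int *colour)
{
    colour[node] = 1;
    for (int i = 0; i < NEDGES; i++) {
        int next = e[i].wanted;
        if (e[i].held != node)
            continue;
        if (colour[next] == 1 || (colour[next] == 0 && dfs(e, next, colour)))
            return 1;               /* back edge: circular wait */
    }
    colour[node] = 2;
    return 0;
}

/* Returns 1 if the ordering graph has a cycle, i.e. a possible deadlock.
 * usage_lock is whichever lock guards kvm_usage_count under cpu_hotplug_lock. */
int has_lock_cycle(int usage_lock)
{
    /* Edges read off the 8-step scenario (constructed model). */
    const struct edge e[NEDGES] = {
        { VCPU_MUTEX,       KVM_SRCU         },  /* CPU2: step 2 -> 3 */
        { KVM_SRCU,         CPU_HOTPLUG_LOCK },  /* CPU2: step 3 -> 7 */
        { CPU_HOTPLUG_LOCK, usage_lock       },  /* CPU1: step 4 -> 5 */
        { KVM_LOCK,         SLOTS_LOCK       },  /* CPU1: step 5 -> 6 */
        { SLOTS_LOCK,       KVM_SRCU         },  /* CPU0: step 1 -> 8, sync waits for readers */
    };
    int colour[NLOCKS] = { 0 };
    for (int v = 0; v < NLOCKS; v++)
        if (colour[v] == 0 && dfs(e, v, colour))
            return 1;
    return 0;
}

int main(void)
{
    printf("kvm_lock: cycle=%d, dedicated mutex: cycle=%d\n",
           has_lock_cycle(KVM_LOCK), has_lock_cycle(KVM_USAGE_LOCK));
    return 0;
}
```

With kvm_lock in step 5 the graph closes the loop slots_lock, srcu, cpu_hotplug_lock, kvm_lock, slots_lock; with the dedicated mutex the chain from cpu_hotplug_lock ends at a lock that has no outgoing edge.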
The original patch can be found in the following link: KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock
This patch is essential for anyone running KVM-based virtual machines on Linux systems using the x86 architecture, as it resolves a potential deadlock condition. System administrators and users are encouraged to update their Linux kernel to include this patch to ensure the stability and reliability of their virtual machines.
In summary, the CVE-2024-47744 vulnerability in the Linux kernel involving a potential deadlock in the KVM subsystem on x86 architectures has been addressed using a dedicated mutex to protect the kvm_usage_count. This patch is an important step towards maintaining a secure and stable virtualization environment on Linux systems.
Timeline
Published on: 10/21/2024 13:15:04 UTC
Last modified on: 12/19/2024 09:27:15 UTC