CVE-2022-48765

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: LAPIC: Also cancel preemption timer during SET_LAPIC<br /> <br /> The below warning is splatting during guest reboot.<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]<br /> CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5<br /> RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]<br /> Call Trace:<br /> <br /> kvm_vcpu_ioctl+0x279/0x710 [kvm]<br /> __x64_sys_ioctl+0x83/0xb0<br /> do_syscall_64+0x3b/0xc0<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7fd39797350b<br /> <br /> This can be triggered by not exposing tsc-deadline mode and doing a reboot in<br /> the guest. The lapic_shutdown() function which is called in sys_reboot path<br /> will not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears<br /> APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode<br /> switch between tsc-deadline and oneshot/periodic, which can result in preemption<br /> timer be cancelled in apic_update_lvtt(). However, We can&amp;#39;t depend on this when<br /> not exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption<br /> timer. Qemu will synchronise states around reset, let&amp;#39;s cancel preemption timer<br /> under KVM_SET_LAPIC.