CVE-2025-40038

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/10/2025
Last modified:
30/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid

Skip the WRMSR and HLT fastpaths in SVM's VM-Exit handler if the next RIP isn't valid, e.g. because KVM is running with nrips=false. SVM must decode and emulate to skip the instruction if the CPU doesn't provide the next RIP, and getting the instruction bytes to decode requires reading guest memory. Reading guest memory through the emulator can fault, i.e. can sleep, which is disallowed since the fastpath handlers run with IRQs disabled.

BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 32611, name: qemu
preempt_count: 1, expected: 0
INFO: lockdep is turned off.
irq event stamp: 30580
hardirqs last enabled at (30579): [] vcpu_run+0x1787/0x1db0 [kvm]
hardirqs last disabled at (30580): [] __schedule+0x1e2/0xed0
softirqs last enabled at (30570): [] fpu_swap_kvm_fpstate+0x44/0x210
softirqs last disabled at (30568): [] fpu_swap_kvm_fpstate+0x44/0x210
CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G U 6.16.0-smp--e6c618b51cfe-sleep #782 NONE
Tainted: [U]=USER
Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025
Call Trace:

dump_stack_lvl+0x7d/0xb0
__might_resched+0x271/0x290
__might_fault+0x28/0x80
kvm_vcpu_read_guest_page+0x8d/0xc0 [kvm]
kvm_fetch_guest_virt+0x92/0xc0 [kvm]
__do_insn_fetch_bytes+0xf3/0x1e0 [kvm]
x86_decode_insn+0xd1/0x1010 [kvm]
x86_emulate_instruction+0x105/0x810 [kvm]
__svm_skip_emulated_instruction+0xc4/0x140 [kvm_amd]
handle_fastpath_invd+0xc4/0x1a0 [kvm]
vcpu_run+0x11a1/0x1db0 [kvm]
kvm_arch_vcpu_ioctl_run+0x5cc/0x730 [kvm]
kvm_vcpu_ioctl+0x578/0x6a0 [kvm]
__se_sys_ioctl+0x6d/0xb0
do_syscall_64+0x8a/0x2c0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f479d57a94b

Note, this is essentially a reapply of commit 5c30e8101e8d ("KVM: SVM: Skip WRMSR fastpath on VM-Exit if next RIP isn't valid"), but with different justification (KVM now grabs SRCU when skipping the instruction for other reasons).

Impact