Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.4.0, < 6.4.0-rc0
A vulnerability exists in the Linux kernel's KVM (Kernel-based Virtual Machine) module for the arm64 architecture. There is no synchronization between the 'finalize_pkvm' function and the 'kvm_arm_init' initialization call, so 'finalize_pkvm' can proceed even if 'kvm_arm_init' has failed. This leads to a warning on all CPUs and eventually to a hypervisor panic. The fix makes 'finalize_pkvm' check that 'kvm_arm_init' completed successfully before proceeding.
The vulnerability can cause a kernel panic in the hypervisor, disrupting all running virtual machines and potentially leading to a denial of service on the host system.
The vulnerability can be reproduced by loading the KVM module for the arm64 architecture and then triggering the 'finalize_pkvm' function before the 'kvm_arm_init' function has successfully completed its initialization. This can be done by manipulating the initialization sequence, such as by forcing 'finalize_pkvm' to run prematurely.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.