Linux Kernel KVM IRR Scan Vulnerability in APIC Update

Vulnerability

A vulnerability in the Linux kernel's KVM module for x86 architecture has been addressed. The issue arose because the Interrupt Request Register (IRR) scan was not performed in the '__kvm_apic_update_irr' function when the Pending Interrupt Register (PIR) was empty. This oversight could lead to incorrect reporting of the highest pending interrupt, causing a spurious warning and unnecessary overhead during virtual machine operations. The vulnerability was triggered by a race condition between synchronizing the PIR to the IRR on the target virtual CPU and delivering posted interrupts from a sender virtual CPU, particularly under nested virtual machine stress tests.
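The following C model is an added example, not the kernel's own code: it mimics the PIR-to-IRR merge with a `skip_empty` flag that reproduces the defect described above (an empty PIR word causes the matching IRR word to go unscanned), next to the corrected behaviour, and shows how the reported highest pending vector differs. The 8 x 32-bit word layout of the IRR and PIR is real; the scenario vectors and helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Userspace model of the LAPIC IRR/PIR sync (added example, not kernel code):
 * 8 x 32-bit words cover the 256 interrupt vectors of both registers. */
#define APIC_WORDS 8
/* Bit index of the highest set bit, or -1 when the word is empty. */
static int fls32(uint32_t v)
{
    int n = -1;
    while (v) { v >>= 1; n++; }
    return n;
}

/* Merge pending PIR bits into the IRR and report the highest pending vector.
 * skip_empty models the defect: when a PIR word is empty the IRR word is
 * not scanned, so a vector already pending in the IRR is never considered. */
static bool update_irr(const uint32_t *pir, uint32_t *irr, int *max_irr, bool skip_empty)
{
    int max_updated_irr = -1;
    *max_irr = -1;
    for (int i = 0; i < APIC_WORDS; i++) {
        int vec = i * 32;
        uint32_t pir_val = pir[i];
        if (skip_empty && !pir_val)
            continue;                 /* defect: IRR word never examined */
        uint32_t prev = irr[i];
        uint32_t cur = prev | pir_val;
        irr[i] = cur;
        if (prev != cur)
            max_updated_irr = fls32(cur ^ prev) + vec;
        if (cur)
            *max_irr = fls32(cur) + vec;
    }
    /* true when the highest pending vector was added by this sync */
    return max_updated_irr != -1 && max_updated_irr == *max_irr;
}

/* Constructed scenario: vector 0xE0 is already pending in the IRR while a
 * sender has posted vector 0x31 in the PIR. Returns the reported max_irr. */
static int run_scenario(bool skip_empty)
{
    uint32_t pir[APIC_WORDS] = {0}, irr[APIC_WORDS] = {0};
    int max_irr;
    irr[0xE0 / 32] = 1u << (0xE0 % 32);
    pir[0x31 / 32] = 1u << (0x31 % 32);
    update_irr(pir, irr, &max_irr, skip_empty);
    return max_irr;
}
```

With the corrected scan the scenario reports vector 224 as highest pending; the defective variant reports 49 and therefore wrongly claims the newly posted vector is the top pending interrupt.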

Impact

The vulnerability could cause a spurious warning about pending interrupts and disrupt the normal execution cycle of nested virtual machines, leading to performance degradation.

Reproduction

The vulnerability can be reproduced in a nested virtual machine environment by sending an Inter-Processor Interrupt (IPI) to a target virtual CPU while it is in the process of synchronizing its PIR to its IRR. This interleaving of operations creates a race condition that triggers the vulnerability.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Jun 8, 2026, 5:50 PM
Updated: Jun 8, 2026, 5:50 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 1.3
exploitability: 3.9
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.