Home

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() Add SRCU read-side protection when reading PDPTR registers in __get_sregs2(). Reading PDPTRs may trigger access to guest memory: kvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() -> kvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot() kvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(), which uses srcu_dereference_check() and requires either kvm->srcu or kvm->slots_lock to be held. Currently only vcpu->mutex is held, triggering lockdep warning: ============================= WARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot 6.12.59+ #3 Not tainted include/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz.5.1717/15100: #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824 __kvm_memslots include/linux/kvm_host.h:1062 [inline] __kvm_memslots include/linux/kvm_host.h:1059 [inline] kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline] kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617 kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302 load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065 svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688 kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline] __get_sregs2 arch/x86/kvm/x86.c:11784 [inline] kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279 kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

PUBLISHED Reserved 2026-05-01 | Published 2026-05-06 | Updated 2026-05-08 | Assigner Linux




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

6dba940352038b56db9b591b172fb2ec76a5fd5e (git) before f621ca24f9f489e226e22560761b04884984133b
affected

6dba940352038b56db9b591b172fb2ec76a5fd5e (git) before 708e20c66b2761d878a2bc3c7534e7f814e4dec5
affected

6dba940352038b56db9b591b172fb2ec76a5fd5e (git) before 9f2bfea51151dfbb24b52f452eb3d5f5fe0e506e
affected

6dba940352038b56db9b591b172fb2ec76a5fd5e (git) before 57536ff0a6bd69a5808d682925202babdb5ddc13
affected

6dba940352038b56db9b591b172fb2ec76a5fd5e (git) before b33f8d816950b10e7879cd8ffd7ae4b649ada4db
affected

6dba940352038b56db9b591b172fb2ec76a5fd5e (git) before 95d848dc7e639988dbb385a8cba9b484607cf98c
affected

Default status
affected

5.14
affected

Any version before 5.14
unaffected

6.1.165 (semver)
unaffected

6.6.128 (semver)
unaffected

6.12.75 (semver)
unaffected

6.18.16 (semver)
unaffected

6.19.6 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/f621ca24f9f489e226e22560761b04884984133b

git.kernel.org/...c/708e20c66b2761d878a2bc3c7534e7f814e4dec5

git.kernel.org/...c/9f2bfea51151dfbb24b52f452eb3d5f5fe0e506e

git.kernel.org/...c/57536ff0a6bd69a5808d682925202babdb5ddc13

git.kernel.org/...c/b33f8d816950b10e7879cd8ffd7ae4b649ada4db

git.kernel.org/...c/95d848dc7e639988dbb385a8cba9b484607cf98c

cve.org (CVE-2026-43214)

nvd.nist.gov (CVE-2026-43214)

Download JSON