CVE-2024-47744

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.58

Description A potential deadlock issue has been identified in the Linux kernel's KVM (Kernel-based Virtual Machine) component, specifically on x86 systems. This issue arises due to a chain of locks and SRCU synchronizations, which can lead to a circular locking dependency. The problem occurs when the kvm->slots lock is acquired while already holding the kvm lock, and another CPU is waiting on the cpu hotplug lock which is also held by the first CPU, resulting in a deadlock. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited.

Technical details about the issue include the involvement of the cpu hotplug lock, kvm lock, and kvm->srcu locks, as well as the kvm->slots lock. The kvmclock cpufreq notifier() function is also mentioned as potentially contributing to the deadlock. The issue is considered rare due to the specific combination of dependencies and timings required to trigger it.

Recommendations To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the kvm module until a patch is available. Restrict access to the cpu hotplug lock and kvm lock to minimize the risk of exploitation. Avoid using the kvm->slots lock and kvm->srcu locks simultaneously until the issue is resolved.