{"id":"CVE-2021-47639","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU\n\nZap both valid and invalid roots when zapping/unmapping a gfn range, as\nKVM must ensure it holds no references to the freed page after returning\nfrom the unmap operation.  Most notably, the TDP MMU doesn't zap invalid\nroots in mmu_notifier callbacks.  This leads to use-after-free and other\nissues if the mmu_notifier runs to completion while an invalid root\nzapper yields as KVM fails to honor the requirement that there must be\n_no_ references to the page after the mmu_notifier returns.\n\nThe bug is most easily reproduced by hacking KVM to cause a collision\nbetween set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug\nexists between kvm_mmu_notifier_invalidate_range_start() and memslot\nupdates as well.  Invalidating a root ensures pages aren't accessible by\nthe guest, and KVM won't read or write page data itself, but KVM will\ntrigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing\na zap of an invalid root _after_ the mmu_notifier returns is fatal.\n\n  WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]\n  RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]\n  Call Trace:\n   \u003cTASK\u003e\n   kvm_set_pfn_dirty+0xa8/0xe0 [kvm]\n   __handle_changed_spte+0x2ab/0x5e0 [kvm]\n   __handle_changed_spte+0x2ab/0x5e0 [kvm]\n   __handle_changed_spte+0x2ab/0x5e0 [kvm]\n   zap_gfn_range+0x1f3/0x310 [kvm]\n   kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]\n   kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]\n   set_nx_huge_pages+0xb4/0x190 [kvm]\n   param_attr_store+0x70/0x100\n   module_attr_store+0x19/0x30\n   kernfs_fop_write_iter+0x119/0x1b0\n   new_sync_write+0x11c/0x1b0\n   vfs_write+0x1cc/0x270\n   ksys_write+0x5f/0xe0\n   do_syscall_64+0x38/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   \u003c/TASK\u003e","modified":"2026-02-04T03:22:05.347235Z","published":"2025-02-26T06:37:05Z","related":["SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1241-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/0c8a8da182d4333d9bbb9131d765145568c847b2"},{"type":"FIX","url":"https://git.kernel.org/stable/c/8cf6f98ab1d16d5e607635a0c21c4231eb15367e"},{"type":"FIX","url":"https://git.kernel.org/stable/c/af47248407c0c5ae52a752af1ab5ce5b0db91502"},{"type":"FIX","url":"https://git.kernel.org/stable/c/d62007edf01f5c11f75d0f4b1e538fc52a5b1982"}],"schema_version":"1.7.3"}