{"id":"CVE-2024-40953","summary":"KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\n\nUse {READ,WRITE}_ONCE() to access kvm-\u003elast_boosted_vcpu to ensure the\nloads and stores are atomic.  In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\n\n  CPU0                              CPU1\n  last_boosted_vcpu = 0xff;\n\n                                    (last_boosted_vcpu = 0x100)\n                                    last_boosted_vcpu[15:8] = 0x01;\n  i = (last_boosted_vcpu = 0x1ff)\n                                    last_boosted_vcpu[7:0] = 0x00;\n\n  vcpu = kvm-\u003evcpu_array[0x1ff];\n\nAs detected by KCSAN:\n\n  BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\n\n  write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\n  kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\n  handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n  vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n  vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n  kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n  kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n  __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n  __x64_sys_ioctl (fs/ioctl.c:890)\n  x64_sys_call (arch/x86/entry/syscall_64.c:33)\n  do_syscall_64 (arch/x86/entry/common.c:?)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n  read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\n  kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\n  handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n  vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n  vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n  kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n  kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n  __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n  __x64_sys_ioctl (fs/ioctl.c:890)\n  x64_sys_call (arch/x86/entry/syscall_64.c:33)\n  do_syscall_64 (arch/x86/entry/common.c:?)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n  value changed: 0x00000012 -\u003e 0x00000000","modified":"2026-04-02T12:17:22.207863Z","published":"2024-07-12T12:31:56.832Z","related":["SUSE-SU-2024:2802-1","SUSE-SU-2024:2892-1","SUSE-SU-2024:2894-1","SUSE-SU-2024:2896-1","SUSE-SU-2024:2901-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2940-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40953.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17"},{"type":"WEB","url":"https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180"},{"type":"WEB","url":"https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84"},{"type":"WEB","url":"https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40953.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40953"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"217ece6129f2d3b4fdd18d9e79be9e43d8d14a42"},{"fixed":"11a772d5376aa6d3e2e69b5b5c585f79b60c0e17"},{"fixed":"4c141136a28421b78f34969b25a4fa32e06e2180"},{"fixed":"71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84"},{"fixed":"82bd728a06e55f5b5f93d10ce67f4fe7e689853a"},{"fixed":"92c77807d938145c7c3350c944ef9f39d7f6017c"},{"fixed":"a937ef951bba72f48d2402451419d725d70dba20"},{"fixed":"95c8dd79f3a14df96b3820b35b8399bd91b2be60"},{"fixed":"49f683b41f28918df3e51ddc0d928cb2e934ccdb"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40953.json"}}],"schema_version":"1.7.5"}