1.問題描述

宿主機使用麒麟V10操作系統(tǒng)作為hostos時，對虛擬機進行軟關機操作，會導致系統(tǒng)宕機，出問題時對應的調用棧如下：

[ 2188.225012] Process CPU 0/KVM (pid: 11384, stack limit = 0x000000005889c77d)

[ 2188.225671] CPU: 13 PID: 11384 Comm: CPU 0/KVM Kdump: loaded Tainted: G           OE     4.19.90-52.44.v2207.fortest.ky10.aarch64 #1

[ 2188.226744] Source Version: 9de2a08e7b57c09e80a10421b6798d000d26a533

[ 2188.227412] Hardware name: GreatWall \xe6\x93\x8e\xe5\xa4\xa9DF723/N/A, BIOS KunLun BIOS V4.0 03/17/2021

[ 2188.228157] pstate: 80000085 (Nzcv daIf -PAN -UAO)

[ 2188.228607] pc : queued_spin_lock_slowpath+0x190/0x308

[ 2188.229104] lr : update_lpi_config+0x160/0x168

[ 2188.229503] sp : ffffbeba9ff13790

[ 2188.229821] x29: ffffbeba9ff13790 x28: 0000000000000000

[ 2188.230267] x27: 0000000000000000 x26: ffffbeba9ff139c0

[ 2188.230736] x25: 0000000000000000 x24: 0000000000000000

[ 2188.231309] x23: 0000000000000001 x22: 0000000000000000

[ 2188.231791] x21: ffffc2b986a00000 x20: 00000000e87ab700

[ 2188.232309] x19: ffffc13ce87a9b80 x18: ffff8000c0024390

[ 2188.232834] x17: 0000fffe613ce498 x16: ffff00000811e570

[ 2188.233336] x15: 0000fffd00290007 x14: ffff8000cada6cf8

[ 2188.233862] x13: ffff8000cada6b38 x12: 0000000000000000

[ 2188.234363] x11: 0000000000000040 x10: ffff0000098ef8b0

[ 2188.234879] x9 : 000000000808008c x8 : 0000000000000000

[ 2188.235416] x7 : ffff4cf9f0373b48 x6 : 0000000000380000

[ 2188.235900] x5 : ffffc53d36082600 x4 : 000001a400000004

[ 2188.236359] x3 : ffff4cf9effd2620 x2 : ffffc53d36082600

[ 2188.236836] x1 : ffff4cf9effd2000 x0 : ffffc53d36082608

[ 2188.237311] Call trace:

[ 2188.237558]  queued_spin_lock_slowpath+0x190/0x308

[ 2188.237980]  update_lpi_config+0x160/0x168

[ 2188.238338]  vgic_its_process_commands.part.11+0x898/0x9b0

[ 2188.238819]  vgic_mmio_write_its_cwriter+0xa4/0xa8

[ 2188.239242]  dispatch_mmio_write+0x94/0x110

[ 2188.239624]  __kvm_io_bus_write.isra.27+0xa4/0x158

[ 2188.240062]  kvm_io_bus_write+0x68/0x90

[ 2188.240430]  io_mem_abort+0xd8/0x350

[ 2188.240758]  kvm_handle_guest_abort+0x2a8/0x478

[ 2188.241269]  handle_exit+0x184/0x368

[ 2188.241635]  kvm_arch_vcpu_ioctl_run+0x250/0x850

[ 2188.242044]  kvm_vcpu_ioctl+0x460/0x880

[ 2188.242401]  do_vfs_ioctl+0xb0/0x8e8

[ 2188.242733]  ksys_ioctl+0x8c/0xa0

[ 2188.243055]  sys_ioctl+0x34/0xa0

[ 2188.243373]  __sys_trace_return+0x0/0x4

2.受影響的軟件包

銀河麒麟高級服務器操作系統(tǒng) V10 SP3 2303 aarch64

4.19.90-52.44.v2207

銀河麒麟高級服務器操作系統(tǒng) V10 SP3 2403 aarch64

4.19.90-89.18.v2401~4.19.90-89.19.v2401

3.問題復現(xiàn)方法

在部署麒麟操作系統(tǒng)的主機上啟動虛擬機。在虛擬機中執(zhí)行電源->關機操作，或者使用virsh shutdown命令關閉虛擬機，會導致主機宕機。

4.問題分析結果

該問題是因為上游社區(qū)解決CVE-2024-26598的補丁ad362fe07fec ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache")所引入，該補丁對中斷變量irq進行了引用計數(shù)累加，但是在釋放的時候對irq進行了過早的釋放，從而導致系統(tǒng)訪問irq的時候是個非法地址。針對該問題，修復在正確的位置釋放變量irq，避免出現(xiàn)引用錯誤內存地址，導致系統(tǒng)宕機。

5.補丁及下載地址

通過新內核更新修復

6.修復和更新方法

yum update kernel（用root權限執(zhí)行以下命令）