2414489 – (CVE-2025-40160) CVE-2025-40160 kernel: xen/events: Return -EEXIST for bound VIRQs

Bug 2414489 (CVE-2025-40160) - CVE-2025-40160 kernel: xen/events: Return -EEXIST for bound VIRQs

Summary: CVE-2025-40160 kernel: xen/events: Return -EEXIST for bound VIRQs

Keywords:
Status:	NEW
Alias:	CVE-2025-40160
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-12 11:03 UTC by OSIDB Bzimport
Modified:	2025-11-13 15:18 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-12 11:03:01 UTC

In the Linux kernel, the following vulnerability has been resolved:

xen/events: Return -EEXIST for bound VIRQs

Change find_virq() to return -EEXIST when a VIRQ is bound to a
different CPU than the one passed in.  With that, remove the BUG_ON()
from bind_virq_to_irq() to propogate the error upwards.

Some VIRQs are per-cpu, but others are per-domain or global.  Those must
be bound to CPU0 and can then migrate elsewhere.  The lookup for
per-domain and global will probably fail when migrated off CPU 0,
especially when the current CPU is tracked.  This now returns -EEXIST
instead of BUG_ON().

A second call to bind a per-domain or global VIRQ is not expected, but
make it non-fatal to avoid trying to look up the irq, since we don't
know which per_cpu(virq_to_irq) it will be in.

Comment 1 Alexander B 2025-11-13 15:15:55 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025111239-CVE-2025-40160-b13a@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.