Re: [BUG REPORT] USE_AFTER_FREE in complete_emulated_mmio found by KASAN/Syzkaller fuzz test (v5.10.0)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sean Christopherson <seanjc@google.com>
To: Xinyu Zheng <zhengxinyu6@huawei.com>
Cc: Zhangjiaji <zhangjiaji1@huawei.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	 "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	 "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"Wangqinxiao (Tom)" <wangqinxiao@huawei.com>,
	 zhangyashu <zhangyashu2@h-partners.com>,
	"wangyanan (Y)" <wangyanan55@huawei.com>,
	 zouyipeng <zouyipeng@huawei.com>
Subject: Re: [BUG REPORT] USE_AFTER_FREE in complete_emulated_mmio found by KASAN/Syzkaller fuzz test (v5.10.0)
Date: Fri, 8 May 2026 07:25:06 -0700	[thread overview]
Message-ID: <af3yQrxgyC8YxAPt@google.com> (raw)
In-Reply-To: <41da263a-ca8e-4041-8214-b6b9f80edebb@huawei.com>

On Fri, May 08, 2026, Xinyu Zheng wrote:
> On 2/19/2026 4:56 AM, Sean Christopherson wrote:
> > On Tue, Feb 10, 2026, Sean Christopherson wrote:
> > diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
> > index 2c7d76262898..0bb2a34fb93d 100644
> > --- a/include/linux/kvm_host.h
> > +++ b/include/linux/kvm_host.h
> > @@ -320,7 +320,8 @@ static inline bool kvm_vcpu_can_poll(ktime_t cur, ktime_t stop)
> >   struct kvm_mmio_fragment {
> >   	gpa_t gpa;
> >   	void *data;
> > -	unsigned len;
> > +	u64 val;
> 
> Hi, Jiayi and Sean,
> 
> Since I met a KABI consistence break problem from this change, I am finding
> a way to avoid add including kvm_mmio_fragment.val.

I assume you're looking for a solution for a private/proprietary kernel?  I.e.
not trying to figure out a solution for an upstream LTS kernel?

> Can I try to directly malloc a 8 size buffer for kvm_mmio_fragment.data
> instead of using kvm_mmio_fragment.val, and free this buffer in
> complete_emulated_mmio when all fragments is been copied?

I highly doubt that will work, because you'd still need to stash the pointer
somewhere.  And it pretty much would have to be somewhere in kvm_vcpu, which
would likely mean a change in KABI.  FWIW, freeing the allocation in
complete_emulated_mmio() wouldn't suffice; you'd also need to free the memory
on vCPU destruction, because there's no guarantee userspace would complete
KVM_RUN.

You should be able to use the padding in the "kvm_run.s".  Thanks to s390's
massive regs size, there's a huge amount of unused space in the union on x86.
Note, because there can be two fragments in-flight, you'd need to index the
array using the correct fragment number.

Userspace can scribble the value, but that's completely irrelevant from a host
safety perspective.

diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
index 6c8afa2047bf..29c7123d5467 100644
--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -515,7 +515,10 @@ struct kvm_run {
        __u64 kvm_valid_regs;
        __u64 kvm_dirty_regs;
        union {
-               struct kvm_sync_regs regs;
+               struct {
+                       struct kvm_sync_regs regs;
+                       u64 x86_mmio_val[2];
+               };
                char padding[SYNC_REGS_SIZE_BYTES];
        } s;
 };

next prev parent reply	other threads:[~2026-05-08 14:25 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-10 11:56 Re: [BUG REPORT] USE_AFTER_FREE in complete_emulated_mmio found by KASAN/Syzkaller fuzz test (v5.10.0) Zhangjiaji
2026-02-10 19:11 ` Sean Christopherson
2026-02-18 20:56   ` Sean Christopherson
2026-05-08  7:57     ` Xinyu Zheng
2026-05-08 14:25       ` Sean Christopherson [this message]
2026-05-09  1:55         ` Xinyu
  -- strict thread matches above, loose matches on Subject: below --
2026-02-02  1:24 Zhangjiaji
2026-02-06 23:30 ` Sean Christopherson
2026-02-09 20:21   ` Sean Christopherson
2026-02-10  6:26 ` Paolo Bonzini
2026-02-10 14:35   ` Sean Christopherson
2026-02-10 17:41     ` Paolo Bonzini

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:6c8afa2047b dfblob:29c7123d546 )
 OR (
bs:"Re: [BUG REPORT] USE_AFTER_FREE in complete_emulated_mmio found by KASAN/Syzkaller fuzz test (v5.10.0)" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=af3yQrxgyC8YxAPt@google.com \
    --to=seanjc@google.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=wangqinxiao@huawei.com \
    --cc=wangyanan55@huawei.com \
    --cc=zhangjiaji1@huawei.com \
    --cc=zhangyashu2@h-partners.com \
    --cc=zhengxinyu6@huawei.com \
    --cc=zouyipeng@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.