From: Xinyu <zhengxinyu6@huawei.com>
To: Sean Christopherson <seanjc@google.com>
Cc: Zhangjiaji <zhangjiaji1@huawei.com>,
Paolo Bonzini <pbonzini@redhat.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"Wangqinxiao (Tom)" <wangqinxiao@huawei.com>,
zhangyashu <zhangyashu2@h-partners.com>,
"wangyanan (Y)" <wangyanan55@huawei.com>,
zouyipeng <zouyipeng@huawei.com>, <zhengxinyu6@huawei.com>
Subject: Re: [BUG REPORT] USE_AFTER_FREE in complete_emulated_mmio found by KASAN/Syzkaller fuzz test (v5.10.0)
Date: Sat, 9 May 2026 09:55:51 +0800 [thread overview]
Message-ID: <2715ea19-5480-4266-b581-0428494013ed@huawei.com> (raw)
In-Reply-To: <af3yQrxgyC8YxAPt@google.com>
On 5/8/2026 10:25 PM, Sean Christopherson wrote:
> On Fri, May 08, 2026, Xinyu Zheng wrote:
>> On 2/19/2026 4:56 AM, Sean Christopherson wrote:
>>> On Tue, Feb 10, 2026, Sean Christopherson wrote:
>>> diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
>>> index 2c7d76262898..0bb2a34fb93d 100644
>>> --- a/include/linux/kvm_host.h
>>> +++ b/include/linux/kvm_host.h
>>> @@ -320,7 +320,8 @@ static inline bool kvm_vcpu_can_poll(ktime_t cur, ktime_t stop)
>>> struct kvm_mmio_fragment {
>>> gpa_t gpa;
>>> void *data;
>>> - unsigned len;
>>> + u64 val;
>>
>> Hi, Jiayi and Sean,
>>
>> Since I met a KABI consistence break problem from this change, I am finding
>> a way to avoid add including kvm_mmio_fragment.val.
>
> I assume you're looking for a solution for a private/proprietary kernel? I.e.
> not trying to figure out a solution for an upstream LTS kernel?
Yes.
>
>> Can I try to directly malloc a 8 size buffer for kvm_mmio_fragment.data
>> instead of using kvm_mmio_fragment.val, and free this buffer in
>> complete_emulated_mmio when all fragments is been copied?
>
> I highly doubt that will work, because you'd still need to stash the pointer
> somewhere. And it pretty much would have to be somewhere in kvm_vcpu, which
> would likely mean a change in KABI. FWIW, freeing the allocation in
> complete_emulated_mmio() wouldn't suffice; you'd also need to free the memory
> on vCPU destruction, because there's no guarantee userspace would complete
> KVM_RUN.
Thanks for your correction and patient reply!
>
> You should be able to use the padding in the "kvm_run.s". Thanks to s390's
> massive regs size, there's a huge amount of unused space in the union on x86.
> Note, because there can be two fragments in-flight, you'd need to index the
> array using the correct fragment number.
>
> Userspace can scribble the value, but that's completely irrelevant from a host
> safety perspective.
>
> diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
> index 6c8afa2047bf..29c7123d5467 100644
> --- a/include/uapi/linux/kvm.h
> +++ b/include/uapi/linux/kvm.h
> @@ -515,7 +515,10 @@ struct kvm_run {
> __u64 kvm_valid_regs;
> __u64 kvm_dirty_regs;
> union {
> - struct kvm_sync_regs regs;
> + struct {
> + struct kvm_sync_regs regs;
> + u64 x86_mmio_val[2];
> + };
> char padding[SYNC_REGS_SIZE_BYTES];
> } s;
> };
I will take this suggestion.
--
Xinyu Zheng
next prev parent reply other threads:[~2026-05-09 1:55 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-10 11:56 Re: [BUG REPORT] USE_AFTER_FREE in complete_emulated_mmio found by KASAN/Syzkaller fuzz test (v5.10.0) Zhangjiaji
2026-02-10 19:11 ` Sean Christopherson
2026-02-18 20:56 ` Sean Christopherson
2026-05-08 7:57 ` Xinyu Zheng
2026-05-08 14:25 ` Sean Christopherson
2026-05-09 1:55 ` Xinyu [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-02-02 1:24 Zhangjiaji
2026-02-06 23:30 ` Sean Christopherson
2026-02-09 20:21 ` Sean Christopherson
2026-02-10 6:26 ` Paolo Bonzini
2026-02-10 14:35 ` Sean Christopherson
2026-02-10 17:41 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2715ea19-5480-4266-b581-0428494013ed@huawei.com \
--to=zhengxinyu6@huawei.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=wangqinxiao@huawei.com \
--cc=wangyanan55@huawei.com \
--cc=zhangjiaji1@huawei.com \
--cc=zhangyashu2@h-partners.com \
--cc=zouyipeng@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox