From: Sean Christopherson <seanjc@google.com>
To: Xinyu Zheng <zhengxinyu6@huawei.com>
Cc: Zhangjiaji <zhangjiaji1@huawei.com>,
Paolo Bonzini <pbonzini@redhat.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"Wangqinxiao (Tom)" <wangqinxiao@huawei.com>,
zhangyashu <zhangyashu2@h-partners.com>,
"wangyanan (Y)" <wangyanan55@huawei.com>,
zouyipeng <zouyipeng@huawei.com>
Subject: Re: [BUG REPORT] USE_AFTER_FREE in complete_emulated_mmio found by KASAN/Syzkaller fuzz test (v5.10.0)
Date: Fri, 8 May 2026 07:25:06 -0700
Message-ID: <af3yQrxgyC8YxAPt@google.com>
In-Reply-To: <41da263a-ca8e-4041-8214-b6b9f80edebb@huawei.com>
On Fri, May 08, 2026, Xinyu Zheng wrote:
> On 2/19/2026 4:56 AM, Sean Christopherson wrote:
> > On Tue, Feb 10, 2026, Sean Christopherson wrote:
> > diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
> > index 2c7d76262898..0bb2a34fb93d 100644
> > --- a/include/linux/kvm_host.h
> > +++ b/include/linux/kvm_host.h
> > @@ -320,7 +320,8 @@ static inline bool kvm_vcpu_can_poll(ktime_t cur, ktime_t stop)
> > struct kvm_mmio_fragment {
> > gpa_t gpa;
> > void *data;
> > - unsigned len;
> > + u64 val;
>
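Review bot: replacing `unsigned len` with `u64 val` in place, rather than adding `val` next to `len`, changes the member list of struct kvm_mmio_fragment, which is precisely what a KABI checker hashes; that is the consistency break reported below. The hunk is quoted without its callers, so every reader of `frag->len` has to be converted in the same patch or the tree will not build, and the commit message should say why `len` becomes unnecessary once the value is stashed inline instead of reached through `data`.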
> Hi, Jiayi and Sean,
>
> Since I met a KABI consistency break problem from this change, I am finding
> a way to avoid adding kvm_mmio_fragment.val.
I assume you're looking for a solution for a private/proprietary kernel? I.e.
not trying to figure out a solution for an upstream LTS kernel?
> Can I try to directly malloc a buffer of size 8 for kvm_mmio_fragment.data
> instead of using kvm_mmio_fragment.val, and free this buffer in
> complete_emulated_mmio when all fragments have been copied?
I highly doubt that will work, because you'd still need to stash the pointer
somewhere. And it pretty much would have to be somewhere in kvm_vcpu, which
would likely mean a change in KABI. FWIW, freeing the allocation in
complete_emulated_mmio() wouldn't suffice; you'd also need to free the memory
on vCPU destruction, because there's no guarantee userspace would complete
KVM_RUN.
You should be able to use the padding in the "kvm_run.s". Thanks to s390's
massive regs size, there's a huge amount of unused space in the union on x86.
Note, because there can be two fragments in-flight, you'd need to index the
array using the correct fragment number.
Userspace can scribble the value, but that's completely irrelevant from a host
safety perspective.
diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
index 6c8afa2047bf..29c7123d5467 100644
--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -515,7 +515,10 @@ struct kvm_run {
__u64 kvm_valid_regs;
__u64 kvm_dirty_regs;
union {
- struct kvm_sync_regs regs;
+ struct {
+ struct kvm_sync_regs regs;
+ u64 x86_mmio_val[2];
+ };
char padding[SYNC_REGS_SIZE_BYTES];
} s;
};
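Review bot: `u64 x86_mmio_val[2]` sits in a uapi header, where the neighbouring members use the exported `__u64` type (`__u64 kvm_valid_regs;` a few lines up); `u64` is not visible to userspace includers, so this needs to be `__u64`. The proposal also relies on the s390-driven `padding[SYNC_REGS_SIZE_BYTES]` absorbing the new array; pair it with a build-time check that `sizeof(struct kvm_sync_regs) + 2 * sizeof(__u64)` stays within `SYNC_REGS_SIZE_BYTES`, otherwise a later growth of the x86 kvm_sync_regs would silently enlarge the union and shift everything after it. A one-line comment that the array is x86-only would help readers of this generic union.

As an added illustration of the padding trick and the per-fragment indexing described in the reply (not code from this thread or from KVM), the following user-space model builds the union the same way, asserts at compile time that the union keeps its size, and stores and loads a value per fragment slot with an index check. `struct kvm_sync_regs` here is a constructed 128-byte stand-in, the real x86 one is larger, and the `mmio_frag_*` helpers are hypothetical names chosen for this example.

```c
/* Added illustration (not code from this thread or from KVM): a user-space
 * model of stashing the MMIO value in the kvm_run.s padding.  struct
 * kvm_sync_regs below is a constructed stand-in; the real x86 one is larger. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYNC_REGS_SIZE_BYTES 2048      /* same name as the uapi constant in the diff */
#define KVM_MAX_MMIO_FRAGMENTS 2       /* two fragments can be in flight at once */

struct kvm_sync_regs {                 /* constructed stand-in, 128 bytes */
	uint64_t gp[16];
};

struct kvm_run_s {
	union {
		struct {
			struct kvm_sync_regs regs;
			uint64_t x86_mmio_val[KVM_MAX_MMIO_FRAGMENTS];
		};
		char padding[SYNC_REGS_SIZE_BYTES];
	} s;
};

/* The invariant that keeps the UAPI layout intact: the new members fit inside
 * the existing padding, so the union (and everything after it) keeps its size. */
_Static_assert(sizeof(struct kvm_sync_regs) + sizeof(uint64_t) * KVM_MAX_MMIO_FRAGMENTS
	       <= SYNC_REGS_SIZE_BYTES, "x86_mmio_val does not fit in sync_regs padding");
_Static_assert(sizeof(struct kvm_run_s) == SYNC_REGS_SIZE_BYTES, "union size changed");

/* Byte offset of the stash slot for fragment @idx within the union. */
size_t mmio_frag_offset(unsigned idx)
{
	return offsetof(struct kvm_run_s, s.x86_mmio_val) + idx * sizeof(uint64_t);
}

/* Stash the value for fragment @idx.  With two fragments in flight each one
 * must use its own slot, so an out-of-range index is refused. */
int mmio_frag_store(struct kvm_run_s *run, unsigned idx, uint64_t val)
{
	if (idx >= KVM_MAX_MMIO_FRAGMENTS)
		return -1;
	run->s.x86_mmio_val[idx] = val;
	return 0;
}

int mmio_frag_load(const struct kvm_run_s *run, unsigned idx, uint64_t *out)
{
	if (idx >= KVM_MAX_MMIO_FRAGMENTS)
		return -1;
	*out = run->s.x86_mmio_val[idx];
	return 0;
}

/* Round trip through both slots and confirm the stash does not overlap regs.
 * Returns 1 when everything checks out, 0 otherwise. */
int mmio_frag_selftest(void)
{
	struct kvm_run_s run;
	uint64_t v0 = 0, v1 = 0;

	memset(&run, 0, sizeof(run));
	run.s.regs.gp[15] = 0xAAAAAAAAAAAAAAAAull;   /* sentinel in the last reg */

	if (mmio_frag_store(&run, 0, 0x1122334455667788ull) ||
	    mmio_frag_store(&run, 1, 0x99AABBCCDDEEFF00ull))
		return 0;
	if (mmio_frag_store(&run, 2, 1) != -1)       /* out of range must be refused */
		return 0;
	if (mmio_frag_load(&run, 0, &v0) || mmio_frag_load(&run, 1, &v1))
		return 0;
	if (v0 != 0x1122334455667788ull || v1 != 0x99AABBCCDDEEFF00ull)
		return 0;
	/* the stash lives past the end of regs and left the sentinel alone */
	if (mmio_frag_offset(0) < sizeof(struct kvm_sync_regs) ||
	    run.s.regs.gp[15] != 0xAAAAAAAAAAAAAAAAull)
		return 0;
	return 1;
}

int main(void)
{
	printf("sizeof(kvm_run_s)=%zu, slot0 at %zu, slot1 at %zu, selftest=%d\n",
	       sizeof(struct kvm_run_s), mmio_frag_offset(0), mmio_frag_offset(1),
	       mmio_frag_selftest());
	return 0;
}
```

The two `_Static_assert`s are the part worth carrying into a real patch: they turn "there's a huge amount of unused space in the union" from an observation into a build-time guarantee, so a later growth of the sync regs cannot silently change the UAPI layout.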