
[PW_SID:1068546] RISC-V: KVM: Fix double-free of sdata in kvm_pmu_clear_snapshot_area()#1634

Open

linux-riscv-bot wants to merge 1 commit into workflow__riscv__fixes from pw1068546

Conversation

@linux-riscv-bot

PR for series 1068546 applied to workflow__riscv__fixes

Name: RISC-V: KVM: Fix double-free of sdata in kvm_pmu_clear_snapshot_area()
URL: https://patchwork.kernel.org/project/linux-riscv/list/?series=1068546
Version: 1

In kvm_riscv_vcpu_pmu_snapshot_set_shmem(), when kvm_vcpu_write_guest()
fails, kvpmu->sdata is freed but not set to NULL. This leaves a dangling
pointer that will be freed again when kvm_pmu_clear_snapshot_area() is
called during vcpu teardown, triggering a KASAN double-free report.

First free occurs in kvm_riscv_vcpu_pmu_snapshot_set_shmem():
 kvm_riscv_vcpu_pmu_snapshot_set_shmem arch/riscv/kvm/vcpu_pmu.c:443
 kvm_sbi_ext_pmu_handler arch/riscv/kvm/vcpu_sbi_pmu.c:74
 kvm_riscv_vcpu_sbi_ecall arch/riscv/kvm/vcpu_sbi.c:608
 kvm_riscv_vcpu_exit arch/riscv/kvm/vcpu_exit.c:240
 kvm_arch_vcpu_ioctl_run arch/riscv/kvm/vcpu.c:1008
 kvm_vcpu_ioctl virt/kvm/kvm_main.c:4476

Second free (double-free) occurs in kvm_pmu_clear_snapshot_area():
 kvm_pmu_clear_snapshot_area arch/riscv/kvm/vcpu_pmu.c:403 [inline]
 kvm_riscv_vcpu_pmu_deinit.part arch/riscv/kvm/vcpu_pmu.c:905
 kvm_riscv_vcpu_pmu_deinit arch/riscv/kvm/vcpu_pmu.c:893
 kvm_arch_vcpu_destroy arch/riscv/kvm/vcpu.c:199
 kvm_vcpu_destroy virt/kvm/kvm_main.c:469 [inline]
 kvm_destroy_vcpus virt/kvm/kvm_main.c:489
 kvm_arch_destroy_vm arch/riscv/kvm/vm.c:54
 kvm_destroy_vm virt/kvm/kvm_main.c:1301 [inline]
 kvm_put_kvm virt/kvm/kvm_main.c:1338
 kvm_vm_release virt/kvm/kvm_main.c:1361

Fix it by setting kvpmu->sdata to NULL after kfree() in
kvm_riscv_vcpu_pmu_snapshot_set_shmem(), so that the subsequent
kfree(NULL) in kvm_pmu_clear_snapshot_area() becomes a safe no-op.

This bug was found by fuzzing the KVM RISC-V PMU interface.

Fixes: c2f41dd ("RISC-V: KVM: Implement SBI PMU Snapshot feature")
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Linux RISC-V bot <linux.riscv.bot@gmail.com>
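The bug described in the commit message, modelled in user-space C as an added illustration. This is not the kernel's code and not the author's patch: a toy allocator that remembers released blocks stands in for KASAN's double-free detection, and `pmu_state`, `snapshot_set_shmem_buggy`/`snapshot_set_shmem_fixed`, `clear_snapshot_area` and `write_guest` are hypothetical stand-ins for `kvpmu->sdata`, `kvm_riscv_vcpu_pmu_snapshot_set_shmem()`, `kvm_pmu_clear_snapshot_area()` and `kvm_vcpu_write_guest()`. It drives the failing guest-write path followed by teardown for both the dangling-pointer shape and the NULL-after-free shape.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy allocator standing in for kzalloc()/kfree() under KASAN: it remembers
 * every block it handed out and counts attempts to release a block twice
 * instead of corrupting the heap. Hypothetical test scaffolding only. */
#define MAX_BLOCKS 32
struct toy_block { void *ptr; bool released; };
static struct toy_block blocks[MAX_BLOCKS];
static int nblocks;
static int double_free_reports;

static void *toy_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p && nblocks < MAX_BLOCKS)
        blocks[nblocks++] = (struct toy_block){ p, false };
    return p;
}

static void toy_free(void *p)
{
    if (!p)
        return;                       /* kfree(NULL) is a safe no-op */
    /* Search newest-first: a released address may have been handed out again. */
    for (int i = nblocks - 1; i >= 0; i--) {
        if (blocks[i].ptr != p)
            continue;
        if (blocks[i].released) {
            double_free_reports++;    /* what KASAN would report */
            return;
        }
        blocks[i].released = true;
        free(p);
        return;
    }
}

/* Hypothetical stand-in for the kvpmu structure's sdata snapshot buffer. */
struct pmu_state { void *sdata; };

/* Stand-in for kvm_vcpu_write_guest(): 0 on success, -1 on failure. */
static int write_guest(bool fail) { return fail ? -1 : 0; }

/* Buggy shape: the error path frees sdata but leaves the pointer dangling. */
static int snapshot_set_shmem_buggy(struct pmu_state *pmu, bool write_fails)
{
    pmu->sdata = toy_alloc(64);
    if (!pmu->sdata)
        return -1;
    if (write_guest(write_fails)) {
        toy_free(pmu->sdata);         /* first free; pmu->sdata still set */
        return -1;
    }
    return 0;
}

/* Fixed shape: clear the pointer so teardown's free becomes a no-op. */
static int snapshot_set_shmem_fixed(struct pmu_state *pmu, bool write_fails)
{
    pmu->sdata = toy_alloc(64);
    if (!pmu->sdata)
        return -1;
    if (write_guest(write_fails)) {
        toy_free(pmu->sdata);
        pmu->sdata = NULL;            /* the one-line fix */
        return -1;
    }
    return 0;
}

/* Stand-in for kvm_pmu_clear_snapshot_area(): run at vcpu teardown,
 * it frees whatever sdata points at. */
static void clear_snapshot_area(struct pmu_state *pmu)
{
    toy_free(pmu->sdata);
    pmu->sdata = NULL;
}

/* Drive the failing guest write, then teardown; return the double-free count. */
int double_frees_after_teardown(int (*set_shmem)(struct pmu_state *, bool))
{
    struct pmu_state pmu = { NULL };
    double_free_reports = 0;
    set_shmem(&pmu, true);            /* simulate kvm_vcpu_write_guest() failing */
    clear_snapshot_area(&pmu);
    return double_free_reports;
}

int run_buggy(void) { return double_frees_after_teardown(snapshot_set_shmem_buggy); }
int run_fixed(void) { return double_frees_after_teardown(snapshot_set_shmem_fixed); }

int main(void)
{
    printf("buggy error path: %d double-free report(s)\n", run_buggy());
    printf("fixed error path: %d double-free report(s)\n", run_fixed());
    return 0;
}
```

The teardown helper frees unconditionally and relies on the invariant that a non-NULL `sdata` is always a live allocation; the fix restores that invariant on the error path rather than adding a second flag, which is why a single `= NULL` is sufficient and why the later `kfree(NULL)` is safe.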
@linux-riscv-bot (Author) reported the following CI results for Patch 1: "RISC-V: KVM: Fix double-free of sdata in kvm_pmu_clear_snapshot_area()"

| Check | Description | Duration (s) | Result |
|---|---|---|---|
| build-rv32-defconfig | Builds riscv32 defconfig | 138.76 | PASS |
| build-rv64-clang-allmodconfig | Builds riscv64 allmodconfig with Clang, and checks for errors and added warnings | 1031.48 | PASS |
| build-rv64-gcc-allmodconfig | Builds riscv64 allmodconfig with GCC, and checks for errors and added warnings | 1382.64 | PASS |
| build-rv64-nommu-k210-defconfig | Builds riscv64 defconfig with NOMMU for K210 | 26.88 | PASS |
| build-rv64-nommu-k210-virt | Builds riscv64 defconfig with NOMMU for the virt platform | 28.00 | PASS |
| checkpatch | Runs checkpatch.pl on the patch | 0.74 | PASS |
| dtb-warn-rv64 | Checks for Device Tree warnings/errors | 82.39 | PASS |
| header-inline | Detects static functions without inline keyword in header files | 0.22 | PASS |
| kdoc | Detects kdoc errors | 0.88 | PASS |
| module-param | Detects module_param changes | 0.24 | PASS |
| verify-fixes | Verifies that the Fixes: tags exist | 0.26 | PASS |
| verify-signedoff | Verifies that Signed-off-by: tags are correct | 0.29 | PASS |
