From: Ryosuke Yasuoka
To: pbonzini@redhat.com, vkuznets@redhat.com, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com
Cc: Ryosuke Yasuoka, x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] x86/kvm: Avoid freeing stack-allocated node in kvm_async_pf_queue_task
Date: Sat, 22 Nov 2025 18:08:24 +0900
Message-ID: <20251122090828.1416464-1-ryasuoka@redhat.com>
X-Mailer: git-send-email 2.51.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

kvm_async_pf_queue_task() can incorrectly remove a node allocated on the stack of kvm_async_pf_task_wait_schedule(). This occurs when a task requests a PF while another task's PF request with the same token is still pending.

Currently, kvm_async_pf_queue_task() assumes that any entry in the list is a dummy entry and tries to kfree().

To fix this, add a dummy flag to the node structure and the function should check this flag and kfree() only if it is a dummy entry.

Signed-off-by: Ryosuke Yasuoka
---
 arch/x86/kernel/kvm.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c index b67d7c59dca0..2c92ec528379 100644 --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -88,6 +88,7 @@ struct kvm_task_sleep_node { struct swait_queue_head wq; u32 token; int cpu; + bool dummy; }; =20 static struct kvm_task_sleep_head { 
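Review bot: the `bool dummy` field added to struct kvm_task_sleep_node here is only ever set to `true` in kvm_async_pf_task_wake(), and the stack node in kvm_async_pf_task_wait_schedule() that the commit message describes is not touched by this patch (the diffstat shows only the three hunks in kvm.c), so its `dummy` field is whatever happens to be on the stack unless that function already zero-initialises the whole struct. Please either initialise it explicitly (`n.dummy = false;` where the stack node's other fields are filled in) or say in the commit message that the existing initialiser covers it, because the decision to kfree() now hinges on this bit. A one-line comment on the field, e.g. `bool dummy; /* kmalloc'ed by kvm_async_pf_task_wake(), freed in kvm_async_pf_queue_task() */`, would also document the ownership rule the fix relies on.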
@@ -119,10 +120,17 @@ static bool kvm_async_pf_queue_task(u32 token, struct= kvm_task_sleep_node *n) raw_spin_lock(&b->lock); e =3D _find_apf_task(b, token); if (e) { + struct kvm_task_sleep_node *dummy =3D NULL; + /* dummy entry exist -> wake up was delivered ahead of PF */ - hlist_del(&e->link); + /* Otherwise it should not be freed here. */ + if (e->dummy) { + hlist_del(&e->link); + dummy =3D e; + } + raw_spin_unlock(&b->lock); - kfree(e); + kfree(dummy); return false; } =20 @@ -230,6 +238,7 @@ static void kvm_async_pf_task_wake(u32 token) } dummy->token =3D token; dummy->cpu =3D smp_processor_id(); + dummy->dummy =3D true; init_swait_queue_head(&dummy->wq); hlist_add_head(&dummy->link, &b->list); dummy =3D NULL; base-commit: 2eba5e05d9bcf4cdea995ed51b0f07ba0275794a --=20 2.51.0
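Review bot: in the new `if (e->dummy)` branch of kvm_async_pf_queue_task(), the non-dummy case (a real node with the same token still queued by another task) now leaves that node in the list and still returns false, which makes the caller skip waiting exactly as if a wakeup had already been delivered; that preserves the old return value but the surviving comment "dummy entry exist -> wake up was delivered ahead of PF" no longer describes this path, so please merge the two comment lines into one block, fix "exist" to "exists", and state what is intended for a genuine token collision (drop the duplicate PF, or `WARN_ON_ONCE(!e->dummy)` if it is never expected). Passing NULL to kfree() is a no-op, so using the `dummy` local to move the free outside `b->lock` is fine.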
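Review bot: `dummy->dummy = true` is assigned before `hlist_add_head()` publishes the node, and the only reader shown, the `e->dummy` test in kvm_async_pf_queue_task(), runs after `raw_spin_lock(&b->lock)`, so the flag is always observed consistently; the one nit in this hunk is naming, since `dummy->dummy` reads like a typo at a glance, and a field name such as `is_dummy` (or `kmalloced`, which says why it may be freed) would make the kfree() decision in the previous hunk read more naturally.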