arch/riscv/kvm/vcpu_vector.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
From: Yufan Chen <ericterminal@gmail.com>
When allocating vector context for a vCPU, guest_context.vector.datap is allocated before host_context.vector.datap. If the second allocation fails, the function returns -ENOMEM directly and leaks the guest buffer.
Switch the failure path to centralized cleanup. On host allocation failure, free guest_context.vector.datap, clear the pointer, and return -ENOMEM through a shared exit label.
Signed-off-by: Yufan Chen <ericterminal@gmail.com>
---
arch/riscv/kvm/vcpu_vector.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c
index 05f3cc2d8..4c2f92dce 100644
--- a/arch/riscv/kvm/vcpu_vector.c
+++ b/arch/riscv/kvm/vcpu_vector.c
@@ -75,15 +75,23 @@ void kvm_riscv_vcpu_host_vector_restore(struct kvm_cpu_context *cntx)
int kvm_riscv_vcpu_alloc_vector_context(struct kvm_vcpu *vcpu)
{
+ int rc = -ENOMEM;
+
vcpu->arch.guest_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL);
if (!vcpu->arch.guest_context.vector.datap)
- return -ENOMEM;
+ goto out;
vcpu->arch.host_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL);
if (!vcpu->arch.host_context.vector.datap)
- return -ENOMEM;
+ goto free_guest_vector_datap;
return 0;
+
+free_guest_vector_datap:
+ kfree(vcpu->arch.guest_context.vector.datap);
+ vcpu->arch.guest_context.vector.datap = NULL;
+out:
+ return rc;
}
void kvm_riscv_vcpu_free_vector_context(struct kvm_vcpu *vcpu)
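Review bot: The new `rc` local in kvm_riscv_vcpu_alloc_vector_context is initialised to -ENOMEM and never assigned again, so the `out:` label and `return rc;` are an indirection that resolves to the same constant on every path. The first failure check can stay as `return -ENOMEM;`, and the cleanup block can end with `return -ENOMEM;` after clearing the pointer, leaving `free_guest_vector_datap:` as the only label and dropping the `rc` declaration. The error path itself looks correct: the host pointer is already NULL from the failed kzalloc(), the guest buffer is freed and its pointer cleared, so a later kvm_riscv_vcpu_free_vector_context() cannot double-free it (that function's body lies outside the hunk, so whether it relies on the NULL is inferred). The same hunk is quoted again in the reply below; the remark applies there as well.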
--
2.47.3
On Sat, Mar 28, 2026 at 2:52 PM Yufan Chen <yufan.chen@linux.dev> wrote:
>
> From: Yufan Chen <ericterminal@gmail.com>
>
> When allocating vector context for a vCPU, guest_context.vector.datap is allocated before host_context.vector.datap. If the second allocation fails, the function returns -ENOMEM directly and leaks the guest buffer.
>
> Switch the failure path to centralized cleanup. On host allocation failure, free guest_context.vector.datap, clear the pointer, and return -ENOMEM through a shared exit label.
>
> Signed-off-by: Yufan Chen <ericterminal@gmail.com>
This is already fixed by patch "riscv: kvm: fix vector context allocation leak".
Regards,
Anup
> ---
> arch/riscv/kvm/vcpu_vector.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c
> index 05f3cc2d8..4c2f92dce 100644
> --- a/arch/riscv/kvm/vcpu_vector.c
> +++ b/arch/riscv/kvm/vcpu_vector.c
> @@ -75,15 +75,23 @@ void kvm_riscv_vcpu_host_vector_restore(struct kvm_cpu_context *cntx)
>
> int kvm_riscv_vcpu_alloc_vector_context(struct kvm_vcpu *vcpu)
> {
> + int rc = -ENOMEM;
> +
> vcpu->arch.guest_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL);
> if (!vcpu->arch.guest_context.vector.datap)
> - return -ENOMEM;
> + goto out;
>
> vcpu->arch.host_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL);
> if (!vcpu->arch.host_context.vector.datap)
> - return -ENOMEM;
> + goto free_guest_vector_datap;
>
> return 0;
> +
> +free_guest_vector_datap:
> + kfree(vcpu->arch.guest_context.vector.datap);
> + vcpu->arch.guest_context.vector.datap = NULL;
> +out:
> + return rc;
> }
>
> void kvm_riscv_vcpu_free_vector_context(struct kvm_vcpu *vcpu)
> --
> 2.47.3
>