From: Michael Neuling
To: anup@brainfault.org
Cc: atish.patra@linux.dev, pjw@kernel.org, palmer@dabbelt.com, aou@eecs.berkeley.edu, alex@ghiti.fr, kvm@vger.kernel.org, vincent.chen@sifive.com, greentime.hu@sifive.com, andy.chiu@sifive.com, kvm-riscv@lists.infradead.org, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, Michael Neuling
Subject: [PATCH] riscv: KVM: Fix memory leak in vector context allocation
Date: Mon, 13 Apr 2026 05:44:39 +0000
Message-ID: <20260413054439.1715082-1-mikey@neuling.org>
X-Mailer: git-send-email 2.43.0

When the second kzalloc() for host_context vector data fails, the
already-allocated guest_context vector data is not freed, causing a
memory leak.

This is triggerable from userspace via:

  ioctl(vm_fd, KVM_CREATE_VCPU)
    → kvm_vm_ioctl_create_vcpu()
      → kvm_arch_vcpu_create()
        → kvm_riscv_vcpu_alloc_vector_context()

Note also that kvm_vm_ioctl_create_vcpu() does not call
kvm_arch_vcpu_destroy() on kvm_arch_vcpu_create() failure:

  kvm_arch_vcpu_create()            ← fails, returns error
  goto vcpu_free_run_page;          ← line 4209
  ...
  arch_vcpu_destroy:                ← SKIPPED
      kvm_arch_vcpu_destroy(vcpu);  ← which would call free_vector_context
  vcpu_free_run_page:               ← lands HERE, below arch_vcpu_destroy
      free_page(vcpu->run);
  vcpu_free:
      kmem_cache_free(vcpu);

so kvm_riscv_vcpu_free_vector_context() is never called to clean up the
partial allocation.

Fixes: 0f4b82579716 ("RISC-V: KVM: Add vector lazy save/restore support")
Assisted-By: Claude Opus 4.6 (1M context)
Signed-off-by: Michael Neuling
---
 arch/riscv/kvm/vcpu_vector.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c
index 05f3cc2d8e..46fbf48f25 100644
--- a/arch/riscv/kvm/vcpu_vector.c +++ b/arch/riscv/kvm/vcpu_vector.c @@ -80,8 +80,10 @@ int kvm_riscv_vcpu_alloc_vector_context(struct kvm_vcpu = *vcpu) return -ENOMEM; =20 vcpu->arch.host_context.vector.datap =3D kzalloc(riscv_v_vsize, GFP_KERNE= L); - if (!vcpu->arch.host_context.vector.datap) + if (!vcpu->arch.host_context.vector.datap) { + kfree(vcpu->arch.guest_context.vector.datap); return -ENOMEM; + } =20 return 0; } --=20 2.43.0
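Review bot: the kfree() added in the `if (!vcpu->arch.host_context.vector.datap)` branch closes the leak, but it leaves `vcpu->arch.guest_context.vector.datap` pointing at freed memory. The commit message notes that kvm_arch_vcpu_destroy() is skipped on this failure path today, so nothing frees the block a second time now; if that unwind in kvm_vm_ioctl_create_vcpu() is ever changed to reach kvm_arch_vcpu_destroy() (and thus kvm_riscv_vcpu_free_vector_context()), the stale pointer becomes a double free. Suggest adding `vcpu->arch.guest_context.vector.datap = NULL;` right after the kfree(), or moving the cleanup under a goto label so it has one home if further allocations are added to this function later.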
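To make the failure path described above observable outside a kernel, here is an added user-space model of the two-allocation sequence in kvm_riscv_vcpu_alloc_vector_context(), with a fault-injecting stand-in for kzalloc() so the second allocation can be made to fail on demand. It is example code, not the patch or kernel code; every name other than the two datap fields and riscv_v_vsize is assumed, and the size is constructed.

```c
/* Added example (not kernel code): model of the alloc path in
 * kvm_riscv_vcpu_alloc_vector_context(); helper names and size are assumed. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
static const size_t riscv_v_vsize = 256;  /* constructed size */
struct vcpu_arch { struct { void *datap; } guest_context, host_context; };

/* Stand-in for kzalloc(): fails on the Nth call and counts live blocks. */
static int live_allocs, calls_until_fail;  /* calls_until_fail 0 = never fail */
static void *kzalloc_model(size_t n)
{
	if (calls_until_fail && --calls_until_fail == 0)
		return NULL;
	live_allocs++;
	return calloc(1, n);
}
static void kfree_model(void *p) { if (p) { free(p); live_allocs--; } }

/* Before the patch: a host_context failure leaks the guest_context block. */
static int alloc_vector_ctx_leaky(struct vcpu_arch *a)
{
	a->guest_context.datap = kzalloc_model(riscv_v_vsize);
	if (!a->guest_context.datap)
		return -ENOMEM;
	a->host_context.datap = kzalloc_model(riscv_v_vsize);
	if (!a->host_context.datap)
		return -ENOMEM;
	return 0;
}

/* After the patch: unwind guest_context; NULLing it also guards a later free. */
static int alloc_vector_ctx_fixed(struct vcpu_arch *a)
{
	a->guest_context.datap = kzalloc_model(riscv_v_vsize);
	if (!a->guest_context.datap)
		return -ENOMEM;
	a->host_context.datap = kzalloc_model(riscv_v_vsize);
	if (!a->host_context.datap) {
		kfree_model(a->guest_context.datap);
		a->guest_context.datap = NULL;
		return -ENOMEM;
	}
	return 0;
}

/* Run one variant with the second kzalloc() failing; return blocks left alive. */
static int leaked_blocks(int (*fn)(struct vcpu_arch *))
{
	struct vcpu_arch a = { { NULL }, { NULL } };
	int rc, leaked;
	live_allocs = 0;
	calls_until_fail = 2;
	rc = fn(&a);
	leaked = live_allocs;
	kfree_model(a.guest_context.datap);  /* tidy the harness; in-kernel this pointer is lost */
	return rc == -ENOMEM ? leaked : -1;
}
```

With the second allocation forced to fail, the pre-patch variant leaves one block alive and the patched variant leaves none, which is exactly the leak the commit message describes.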