From: Michael Bommarito
To: Marc Zyngier, Oliver Upton
Cc: Joey Gouly, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH] KVM: arm64: vgic: free private_irqs when init fails after allocation
Date: Sun, 17 May 2026 14:13:31 -0400
Message-ID: <20260517181331.367676-1-michael.bommarito@gmail.com>

Companion to commit 250f25367b58 ("KVM: arm64: Tear down vGIC on failed vCPU creation"), which added the missing kvm_vgic_vcpu_destroy() call to the kvm_share_hyp() failure path in kvm_arch_vcpu_create(). The kvm_vgic_vcpu_init() failure path immediately above it has the same shape and still needs the same cleanup.

If kvm_vgic_vcpu_init() allocates per-vCPU private IRQs via vgic_allocate_private_irqs_locked() and then vgic_register_redist_iodev() fails (for example when kvm_io_bus_register_dev() runs out of MMIO-bus slots, or vgic_v3_check_base() rejects the configuration), the function returns the error without freeing the private-IRQ allocation. The caller kvm_arch_vcpu_create() returns this error directly, and kvm_vm_ioctl_create_vcpu() jumps to vcpu_free_run_page on kvm_arch_vcpu_create() failure, which does not invoke kvm_arch_vcpu_destroy(). The vCPU struct is then released via kmem_cache_free(kvm_vcpu_cache, ...), dropping the only reference to the leaked allocation.

The comment block above __kvm_vgic_vcpu_destroy() explicitly anticipates this case ("vCPUs that failed creation are torn down outside of the kvm->arch.config_lock ... it is both safe and necessary to do so here"), but the caller never actually invokes the destroy primitive on the kvm_vgic_vcpu_init() error path.
Call it now, mirroring the shape of the kvm_share_hyp() cleanup added by 250f25367b58.

Per-failure leak is VGIC_NR_PRIVATE_IRQS * sizeof(struct vgic_irq), roughly 3.8 KiB rounded up to 4 KiB by the kmalloc-cg-4k slab. On systems whose /dev/kvm policy lets unprivileged users open the device this is reachable to any local user; reach is policy-dependent and varies by distro and packager.

Confirmed with kmemleak on v7.1-rc1+: 50 failed KVM_CREATE_VCPU attempts (run with the per-VM MMIO bus pre-filled to NR_IOBUS_DEVS so vgic_register_redist_iodev() returns -ENOSPC) leave 49 unreferenced 4096-byte blocks whose allocation backtrace is

  __kmalloc_noprof+0x390/0x4d0
  vgic_allocate_private_irqs_locked+0x68/0x1c8
  kvm_vgic_vcpu_init+0x78/0xd8

With this patch applied to the same tree, kmemleak reports zero unreferenced objects under the identical workload.

Cc: stable@vger.kernel.org
Cc: Will Deacon
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
Reviewed-by: Yuan Yao
---
 arch/arm64/kvm/arm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c index 176cbe8baad30..5d5e2f81b9c94 100644 --- a/arch/arm64/kvm/arm.c +++ b/arch/arm64/kvm/arm.c @@ -554,8 +554,10 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu) kvm_destroy_mpidr_data(vcpu->kvm); =20 err =3D kvm_vgic_vcpu_init(vcpu); - if (err) + if (err) { + kvm_vgic_vcpu_destroy(vcpu); return err; + } =20 err =3D kvm_share_hyp(vcpu, vcpu + 1); if (err) --=20 2.53.0
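Review bot: The new kvm_vgic_vcpu_destroy(vcpu) call in the `if (err) {` block runs on every non-zero return from kvm_vgic_vcpu_init(), not only on the post-allocation vgic_register_redist_iodev() failure the commit message describes; the message should state (or a reviewer should confirm) that the destroy path tolerates a vCPU whose private IRQs were never allocated, for instance when vgic_allocate_private_irqs_locked() itself fails, since the quoted comment above __kvm_vgic_vcpu_destroy() only speaks to lock safety for failed vCPUs, not to a partially initialised one. The patch is tagged Cc: stable@vger.kernel.org but carries no Fixes: tag; naming the commit that introduced the unfreed allocation would let the stable maintainers pick the right branches. Otherwise the shape matches the kvm_share_hyp() cleanup visible in the trailing context, and bracing the two-statement error block follows kernel style.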