From ca6de4e91c7b86ff5dfa9b4026aee10d1aa07ef0 Mon Sep 17 00:00:00 2001
From: Michael Neuling
Date: Mon, 13 Apr 2026 05:44:39 +0000
Subject: [PATCH] riscv: KVM: Fix memory leak in vector context allocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the second kzalloc() for host_context vector data fails, the already-allocated guest_context vector data is not freed, causing a memory leak.

This is triggerable from userspace via:

ioctl(vm_fd, KVM_CREATE_VCPU) → kvm_vm_ioctl_create_vcpu() → kvm_arch_vcpu_create() → kvm_riscv_vcpu_alloc_vector_context()

Note also that kvm_vm_ioctl_create_vcpu() does not call kvm_arch_vcpu_destroy() on kvm_arch_vcpu_create() failure:

kvm_arch_vcpu_create() ← fails, returns error
goto vcpu_free_run_page; ← line 4209
...
arch_vcpu_destroy: ← SKIPPED
kvm_arch_vcpu_destroy(vcpu); ← which would call free_vector_context
vcpu_free_run_page: ← lands HERE, below arch_vcpu_destroy
free_page(vcpu->run);
vcpu_free:
kmem_cache_free(vcpu);

so kvm_riscv_vcpu_free_vector_context() is never called to clean up the partial allocation.

Fixes: 0f4b82579716 ("RISC-V: KVM: Add vector lazy save/restore support")
Assisted-By: Claude Opus 4.6 (1M context)
Signed-off-by: Michael Neuling
Signed-off-by: Linux RISC-V bot
---
 arch/riscv/kvm/vcpu_vector.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c
index 05f3cc2d8e311a..46fbf48f2503ef 100644
--- a/arch/riscv/kvm/vcpu_vector.c
+++ b/arch/riscv/kvm/vcpu_vector.c
@@ -80,8 +80,10 @@ int kvm_riscv_vcpu_alloc_vector_context(struct kvm_vcpu *vcpu)
 		return -ENOMEM;
 
 	vcpu->arch.host_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL);
-	if (!vcpu->arch.host_context.vector.datap)
+	if (!vcpu->arch.host_context.vector.datap) {
+		kfree(vcpu->arch.guest_context.vector.datap);
 		return -ENOMEM;
+	}
 
 	return 0;
 }
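Review bot: The added kfree() on the host_context failure path leaves vcpu->arch.guest_context.vector.datap dangling, so if any later teardown does reach kvm_riscv_vcpu_free_vector_context() (or the generic create path is ever changed to call kvm_arch_vcpu_destroy() on failure, which the description notes it currently skips) the same pointer would be freed twice. Clearing it after the free makes that second free a harmless no-op: `kfree(vcpu->arch.guest_context.vector.datap);` followed by `vcpu->arch.guest_context.vector.datap = NULL;`. A short comment on the new block would also help the next reader, since the reason for freeing here is non-local to this function, e.g. `/* the generic create path does not call kvm_arch_vcpu_destroy() on failure */`. The guest_context allocation that this path cleans up, and the start of kvm_riscv_vcpu_alloc_vector_context(), lie above the hunk.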