Re: [BUG REPORT] USE_AFTER_FREE in complete_emulated_mmio found by KASAN/Syzkaller fuzz test (v5.10.0)

[Paolo Bonzini]

On 2/10/26 15:35, Sean Christopherson wrote:
> On Tue, Feb 10, 2026, Paolo Bonzini wrote:
> > > I've analyzed the Syzkaller output and the complete_emulated_mmio() code path.
> > > The buggy address is created in em_enter(), where it passes its local variable `ulong rbp` to emulate_push(), finally ends in emulator_read_write_onepage() putting the address into vcpu->mmio_fragments[].data .
> > > The bug happens when kvm guest executes an "enter" instruction, and top of the stack crosses the mem page.
> > > In that case, the em_enter() function cannot complete the instruction within itself, but leave the rest data (which is in the other page) to complete_emulated_mmio().
> > > When complete_emulated_mmio() starts, em_enter() has exited, so local variable `ulong rbp` is also released.
> > > Now complete_emulated_mmio() trys to access vcpu->mmio_fragments[].data , and the bug happened.
> > >
> > > any idea?
> >
> > Ouch, the bug is certainly legit.  The easiest way to fix it is something
> > like this:
> >
> > diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> > index c8e292e9a24d..1c8698139dd5 100644
> > --- a/arch/x86/kvm/emulate.c
> > +++ b/arch/x86/kvm/emulate.c
> > @@ -1905,7 +1905,7 @@ static int em_enter(struct x86_emulate_ctxt *ctxt)
> >   	rbp = reg_read(ctxt, VCPU_REGS_RBP);
> >   	rc = emulate_push(ctxt, &rbp, stack_size(ctxt));
> >   	if (rc != X86EMUL_CONTINUE)
> > -		return rc;
> > +		return X86EMUL_UNHANDLEABLE;
>
> This won't do anything, rc == X86EMUL_CONTINUE when MMIO is needed.

Yeah, I was thinking of X86EMUL_IO_NEEDED but that's only for reads.

Paolo