[PATCH v2 0/3] KVM: SVM: Fix a (very) unlikely UAF for GA Log IRQs
From: Sean Christopherson
Date: Tue Jun 30 2026 - 17:05:26 EST
Fix a potential UAF due to freeing vCPUs while they're still reachable through
the global hashed list used to handle GA Log notifications.
v2:
- Defer adding the VM to the GA Log list until a vCPU is created (KVM only
needs GA Log notifications to wake blocking vCPUs), so that removing the
VM from the list can be done during pre-destroy without having to handle
the scenario where VM creation fails at a later stage. [Sashiko, Xiao]
- Drop the stable@ tag, as it's not clear to me that the bug can actually
occur in the wild, whereas the changes themselves are somewhat risky.
v1: https://lore.kernel.org/all/20260625220933.3357733-1-seanjc@xxxxxxxxxx
Sean Christopherson (3):
KVM: SVM: Make kvm_x86_ops.vcpu_precreate() hook fully AVIC specific
KVM: SVM: Do all per-VM AVIC initialization during vCPU precreation phase
KVM: SVM: Remove VM from the GA Log notifier list before VM destruction
arch/x86/kvm/svm/avic.c | 96 +++++++++++++++++++++++++++--------------
arch/x86/kvm/svm/svm.c | 16 ++-----
arch/x86/kvm/svm/svm.h | 3 +-
3 files changed, 69 insertions(+), 46 deletions(-)
base-commit: a204badd8432f93b7e862e7dac6db0fe3d65f370
--
2.55.0.rc0.799.gd6f94ed593-goog
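As an added illustration that is not part of the series and not KVM code, the following self-contained C model shows the ordering the cover letter describes: a global notifier registry holds pointers to VM objects so that a notification handler can look them up by ID; registration is deferred until the first vCPU exists, and the VM is removed from the registry before its memory is freed, so a late notification can never dereference a freed object. All names (`ga_log_list`, `vm_create_vcpu`, `ga_log_notify`, the fixed-size array standing in for the kernel's hashed list) are assumptions made for this example.

```c
/* Added illustration (not kernel code): a tiny model of the ordering the
 * series establishes. A global "notifier list" holds pointers to VM objects
 * so that a notification handler can look them up by ID. Unlisting happens
 * before free, so a lookup after destruction finds nothing. */
#include <stddef.h>
#include <stdlib.h>

#define MAX_VMS 8

struct vm {
    int id;
    int nr_vcpus;
};

/* Hypothetical global registry standing in for the GA Log hashed list. */
static struct vm *ga_log_list[MAX_VMS];

/* Add the VM to the registry; returns 0 on success, -1 if full. */
static int ga_log_register(struct vm *vm)
{
    for (int i = 0; i < MAX_VMS; i++) {
        if (ga_log_list[i] == NULL) {
            ga_log_list[i] = vm;
            return 0;
        }
    }
    return -1;
}

/* Drop every reference to the VM from the registry (no-op if unlisted). */
static void ga_log_unregister(struct vm *vm)
{
    for (int i = 0; i < MAX_VMS; i++)
        if (ga_log_list[i] == vm)
            ga_log_list[i] = NULL;
}

/* Lookup by ID, as a notification handler would do. */
static struct vm *ga_log_lookup(int id)
{
    for (int i = 0; i < MAX_VMS; i++)
        if (ga_log_list[i] && ga_log_list[i]->id == id)
            return ga_log_list[i];
    return NULL;
}

static struct vm *vm_create(int id)
{
    struct vm *vm = calloc(1, sizeof(*vm));
    if (vm)
        vm->id = id;
    return vm;
}

/* v2 ordering: registration is deferred until the first vCPU is created,
 * since notifications only matter once there are vCPUs to wake. */
static int vm_create_vcpu(struct vm *vm)
{
    if (vm->nr_vcpus == 0 && ga_log_register(vm))
        return -1;
    vm->nr_vcpus++;
    return 0;
}

/* Pre-destroy: unlist before the object is freed, so a late notification
 * cannot find a dangling pointer. */
static void vm_destroy(struct vm *vm)
{
    ga_log_unregister(vm);
    free(vm);
}

/* Simulated notification: returns 1 if a listed VM was found, else 0. */
static int ga_log_notify(int id)
{
    return ga_log_lookup(id) != NULL;
}

/* Scenario: notify before and after destruction. Returns before*10 + after,
 * i.e. 10 when the VM is reachable only while it is alive. */
static int demo_after_destroy_lookup(void)
{
    struct vm *vm = vm_create(7);
    vm_create_vcpu(vm);
    int before = ga_log_notify(7);
    vm_destroy(vm);
    int after = ga_log_notify(7);
    return before * 10 + after;
}

/* Scenario: a VM with no vCPUs is never listed, so notify finds nothing. */
static int demo_no_vcpu_not_listed(void)
{
    struct vm *vm = vm_create(3);
    int found = ga_log_notify(3);
    vm_destroy(vm);
    return found;
}
```

The model is deliberately simple; the point it exercises is purely the order of operations (list only when needed, unlist before free), which is what moves the bug from "reachable after free" to "unreachable before free".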