Reply-To: Sean Christopherson
Date: Fri, 21 Jul 2023 18:23:49 -0700
In-Reply-To: <20230722012350.2371049-1-seanjc@google.com>
References: <20230722012350.2371049-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.487.g6d72f3e995-goog
Message-ID: <20230722012350.2371049-5-seanjc@google.com>
Subject: [PATCH 4/5] KVM: x86/mmu: Disallow guest from using !visible slots for page tables
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Reima Ishii
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Explicitly inject a page fault if guest attempts to use a !visible gfn as a page table. kvm_vcpu_gfn_to_hva_prot() will naturally handle the case where there is no memslot, but doesn't catch the scenario where the gfn points at a KVM-internal memslot.

Letting the guest backdoor its way into accessing KVM-internal memslots isn't dangerous on its own, e.g. at worst the guest can crash itself, but disallowing the behavior will simplify fixing how KVM handles !visible guest root gfns (immediately synthesizing a triple fault when loading the root is architecturally wrong).

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/mmu/paging_tmpl.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h index 0662e0278e70..122bfc0124d3 100644 --- a/arch/x86/kvm/mmu/paging_tmpl.h +++ b/arch/x86/kvm/mmu/paging_tmpl.h @@ -351,6 +351,7 @@ static int FNAME(walk_addr_generic)(struct guest_walker= *walker, ++walker->level; =20 do { + struct kvm_memory_slot *slot; unsigned long host_addr; =20 pt_access =3D pte_access; @@ -381,7 +382,11 @@ static int FNAME(walk_addr_generic)(struct guest_walke= r *walker, if (unlikely(real_gpa =3D=3D INVALID_GPA)) return 0; =20 - host_addr =3D kvm_vcpu_gfn_to_hva_prot(vcpu, gpa_to_gfn(real_gpa), + slot =3D kvm_vcpu_gfn_to_memslot(vcpu, gpa_to_gfn(real_gpa)); + if (!kvm_is_visible_memslot(slot)) + goto error; + + host_addr =3D gfn_to_hva_memslot_prot(slot, gpa_to_gfn(real_gpa), &walker->pte_writable[walker->level - 1]); if (unlikely(kvm_is_error_hva(host_addr))) goto error; --=20 2.41.0.487.g6d72f3e995-goog
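Review bot: in the second hunk, the new `if (!kvm_is_visible_memslot(slot)) goto error;` now carries the no-memslot case that kvm_vcpu_gfn_to_hva_prot() used to handle, which only works because kvm_is_visible_memslot() must treat the NULL slot returned by kvm_vcpu_gfn_to_memslot() as not visible; a one-line comment above the check saying it intentionally rejects both "no slot" and "KVM-internal slot" would spare the next reader from re-deriving that. The same hunk evaluates gpa_to_gfn(real_gpa) twice (once for the memslot lookup, once for gfn_to_hva_memslot_prot()); hoisting it into a local `gfn_t gfn` next to the new `slot` declaration from the first hunk keeps the two lookups obviously consistent. It would also help the commit message to note that the "explicitly inject a page fault" wording is realised by reusing the existing `error:` path, the same one taken when kvm_is_error_hva(host_addr) fires, rather than by a new fault-injection site.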