Reply-To: Sean Christopherson
Date: Tue, 19 Mar 2024 17:15:40 -0700
In-Reply-To:
<20240320001542.3203871-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20240320001542.3203871-1-seanjc@google.com>
X-Mailer: git-send-email 2.44.0.291.gc1ea87d7ee-goog
Message-ID: <20240320001542.3203871-2-seanjc@google.com>
Subject: [PATCH 1/3] KVM: Add helpers to consolidate gfn_to_pfn_cache's page split check
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Christopherson, syzbot+106a4f72b0474e1d1b33@syzkaller.appspotmail.com, David Woodhouse, Paul Durrant
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add a helper to check that the incoming length for a gfn_to_pfn_cache is valid with respect to the cache's GPA and/or HVA. To avoid activating a cache with a bogus GPA, a future fix will fork the page split check in the inner refresh path into activate() and the public refresh() APIs, at which point KVM will check the length in three separate places.

Deliberately keep the "page offset" logic open coded, as the only other path that consumes the offset, __kvm_gpc_refresh(), already needs to differentiate between GPA-based and HVA-based caches, and it's not obvious that using a helper is a net positive in overall code readability.

Note, for GPA-based caches, this has a subtle side effect of using the GPA instead of the resolved HVA in the check() path, but that should be a nop as the HVA offset is derived from the GPA, i.e. the two offsets are identical, barring a KVM bug.

Signed-off-by: Sean Christopherson
Reviewed-by: David Woodhouse
Reviewed-by: Paul Durrant
---
 virt/kvm/pfncache.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
index 4e07112a24c2..8f2121b5f2a0 100644
--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -57,6 +57,19 @@ void gfn_to_pfn_cache_invalidate_start(struct kvm *kvm, = unsigned long start, spin_unlock(&kvm->gpc_lock); } =20 +static bool kvm_gpc_is_valid_len(gpa_t gpa, unsigned long uhva, + unsigned long len) +{ + unsigned long offset =3D kvm_is_error_gpa(gpa) ? offset_in_page(uhva) : + offset_in_page(gpa); + + /* + * The cached access must fit within a single page. The 'len' argument + * to activate() and refresh() exists only to enforce that. + */ + return offset + len <=3D PAGE_SIZE; +} + bool kvm_gpc_check(struct gfn_to_pfn_cache *gpc, unsigned long len) { struct kvm_memslots *slots =3D kvm_memslots(gpc->kvm); @@ -74,7 +87,7 @@ bool kvm_gpc_check(struct gfn_to_pfn_cache *gpc, unsigned= long len) if (kvm_is_error_hva(gpc->uhva)) return false; =20 - if (offset_in_page(gpc->uhva) + len > PAGE_SIZE) + if (!kvm_gpc_is_valid_len(gpc->gpa, gpc->uhva, len)) return false; =20 if (!gpc->valid) @@ -247,13 +260,7 @@ static int __kvm_gpc_refresh(struct gfn_to_pfn_cache *= gpc, gpa_t gpa, unsigned l if (WARN_ON_ONCE(kvm_is_error_gpa(gpa) =3D=3D kvm_is_error_hva(uhva))) return -EINVAL; =20 - /* - * The cached acces must fit within a single page. The 'len' argument - * exists only to enforce that. - */ - page_offset =3D kvm_is_error_gpa(gpa) ? offset_in_page(uhva) : - offset_in_page(gpa); - if (page_offset + len > PAGE_SIZE) + if (!kvm_gpc_is_valid_len(gpa, uhva, len)) return -EINVAL; =20 lockdep_assert_held(&gpc->refresh_lock); @@ -270,6 +277,8 @@ static int __kvm_gpc_refresh(struct gfn_to_pfn_cache *g= pc, gpa_t gpa, unsigned l old_uhva =3D PAGE_ALIGN_DOWN(gpc->uhva); =20 if (kvm_is_error_gpa(gpa)) { + page_offset =3D offset_in_page(uhva); + gpc->gpa =3D INVALID_GPA; gpc->memslot =3D NULL; gpc->uhva =3D PAGE_ALIGN_DOWN(uhva); 
@@ -279,6 +288,8 @@ static int __kvm_gpc_refresh(struct gfn_to_pfn_cache *g= pc, gpa_t gpa, unsigned l } else { struct kvm_memslots *slots =3D kvm_memslots(gpc->kvm); =20 + page_offset =3D offset_in_page(gpa); + if (gpc->gpa !=3D gpa || gpc->generation !=3D slots->generation || kvm_is_error_hva(gpc->uhva)) { gfn_t gfn =3D gpa_to_gfn(gpa); --=20 2.44.0.291.gc1ea87d7ee-goog
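Review bot: in the hunk that adds kvm_gpc_is_valid_len(), `return offset + len <=3D PAGE_SIZE;` is evaluated in unsigned long arithmetic, so a `len` large enough to wrap the sum past zero would pass the check. The open-coded checks it replaces (`if (offset_in_page(gpc->uhva) + len > PAGE_SIZE)` and `if (page_offset + len > PAGE_SIZE)`) had the same shape, so this is not a regression, but since the helper now gates three paths a form such as `len <= PAGE_SIZE && offset <= PAGE_SIZE - len` would make it robust to any future caller that does not pass a compile-time structure size.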
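Review bot: in the kvm_gpc_check() hunk, the removed line checked offset_in_page(gpc->uhva) while the helper checks the GPA offset whenever gpc->gpa is valid, so the check() path now depends on the HVA and GPA page offsets agreeing for GPA-based caches. The commit message argues this holds barring a KVM bug, but nothing in the hunk records the assumption; a one-line comment at the call site, or a WARN_ON_ONCE comparing the two offsets when the GPA is valid, would make it visible to the next reader.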
Reply-To: Sean Christopherson
Date: Tue, 19 Mar 2024 17:15:41 -0700
In-Reply-To: <20240320001542.3203871-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20240320001542.3203871-1-seanjc@google.com>
X-Mailer: git-send-email 2.44.0.291.gc1ea87d7ee-goog
Message-ID: <20240320001542.3203871-3-seanjc@google.com>
Subject: [PATCH 2/3] KVM: Check validity of offset+length of gfn_to_pfn_cache prior to activation
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Christopherson, syzbot+106a4f72b0474e1d1b33@syzkaller.appspotmail.com, David Woodhouse, Paul Durrant
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

When activating a gfn_to_pfn_cache, verify that the offset+length is sane and usable before marking the cache active. Letting __kvm_gpc_refresh() detect the problem results in a cache being marked active without setting the GPA (or any other fields), which in turn results in KVM trying to refresh a cache with INVALID_GPA.

Attempting to refresh a cache with INVALID_GPA isn't functionally problematic, but it runs afoul of the sanity check that exactly one of GPA or userspace HVA is valid, i.e. that a cache is either GPA-based or HVA-based.

Reported-by: syzbot+106a4f72b0474e1d1b33@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/0000000000005fa5cc0613f1cebd@google.com
Fixes: 721f5b0dda78 ("KVM: pfncache: allow a cache to be activated with a fixed (userspace) HVA")
Cc: David Woodhouse
Cc: Paul Durrant
Signed-off-by: Sean Christopherson Reviewed-by: David Woodhouse Reviewed-by: Paul Durrant --- virt/kvm/pfncache.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c index 8f2121b5f2a0..91b0e329006b 100644 --- a/virt/kvm/pfncache.c +++ b/virt/kvm/pfncache.c @@ -245,8 +245,7 @@ static kvm_pfn_t hva_to_pfn_retry(struct gfn_to_pfn_cac= he *gpc) return -EFAULT; } =20 -static int __kvm_gpc_refresh(struct gfn_to_pfn_cache *gpc, gpa_t gpa, unsi= gned long uhva, - unsigned long len) +static int __kvm_gpc_refresh(struct gfn_to_pfn_cache *gpc, gpa_t gpa, unsi= gned long uhva) { unsigned long page_offset; bool unmap_old =3D false; @@ -260,9 +259,6 @@ static int __kvm_gpc_refresh(struct gfn_to_pfn_cache *g= pc, gpa_t gpa, unsigned l if (WARN_ON_ONCE(kvm_is_error_gpa(gpa) =3D=3D kvm_is_error_hva(uhva))) return -EINVAL; =20 - if (!kvm_gpc_is_valid_len(gpa, uhva, len)) - return -EINVAL; - lockdep_assert_held(&gpc->refresh_lock); =20 write_lock_irq(&gpc->lock); @@ -365,6 +361,9 @@ int kvm_gpc_refresh(struct gfn_to_pfn_cache *gpc, unsig= ned long len) =20 guard(mutex)(&gpc->refresh_lock); =20 + if (!kvm_gpc_is_valid_len(gpc->gpa, gpc->uhva, len)) + return -EINVAL; + /* * If the GPA is valid then ignore the HVA, as a cache can be GPA-based * or HVA-based, not both. For GPA-based caches, the HVA will be @@ -372,7 +371,7 @@ int kvm_gpc_refresh(struct gfn_to_pfn_cache *gpc, unsig= ned long len) */ uhva =3D kvm_is_error_gpa(gpc->gpa) ? gpc->uhva : KVM_HVA_ERR_BAD; =20 - return __kvm_gpc_refresh(gpc, gpc->gpa, uhva, len); + return __kvm_gpc_refresh(gpc, gpc->gpa, uhva); } =20 void kvm_gpc_init(struct gfn_to_pfn_cache *gpc, struct kvm *kvm) @@ -392,6 +391,9 @@ static int __kvm_gpc_activate(struct gfn_to_pfn_cache *= gpc, gpa_t gpa, unsigned { struct kvm *kvm =3D gpc->kvm; =20 + if (!kvm_gpc_is_valid_len(gpa, uhva, len)) + return -EINVAL; + guard(mutex)(&gpc->refresh_lock); =20 if (!gpc->active) { 
@@ -411,7 +413,7 @@ static int __kvm_gpc_activate(struct gfn_to_pfn_cache *= gpc, gpa_t gpa, unsigned gpc->active =3D true; write_unlock_irq(&gpc->lock); } - return __kvm_gpc_refresh(gpc, gpa, uhva, len); + return __kvm_gpc_refresh(gpc, gpa, uhva); } =20 int kvm_gpc_activate(struct gfn_to_pfn_cache *gpc, gpa_t gpa, unsigned lon= g len) --=20 2.44.0.291.gc1ea87d7ee-goog
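Review bot: in the __kvm_gpc_activate() hunk the new `if (!kvm_gpc_is_valid_len(gpa, uhva, len))` sits before `guard(mutex)(&gpc->refresh_lock);`, whereas the kvm_gpc_refresh() hunk places its check after the guard. That is consistent, since activate() only reads its own gpa/uhva/len arguments while refresh() reads gpc->gpa and gpc->uhva, which need the lock, but a short comment on the unlocked check would save the next reader from asking why the two call sites differ.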
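Review bot: with the length check removed from __kvm_gpc_refresh() in the @@ -260 hunk, the only validation left in the inner path is the WARN_ON_ONCE that exactly one of gpa/uhva is valid, so correctness now relies on every caller validating len first; both callers visible in this patch do, and dropping the `len` parameter from the signature is the right way to enforce that at compile time rather than by convention.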
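The activation-ordering bug this patch fixes, modelled in plain userspace C as an added example (not KVM code): `gpc_is_valid_len()` mirrors patch 1's helper, `activate_before_fix()` reproduces the old order (mark the cache active, then let the inner refresh reject the length) and `activate_after_fix()` the new one. PAGE_SIZE, INVALID_GPA and HVA_ERR_BAD are constructed stand-ins for the kernel's constants, and the GPA fed to `leaves_stale_active()` is made up.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
/* Constructed stand-ins for the kernel's constants and magic values; not KVM code. */
#define PAGE_SIZE   4096UL
#define INVALID_GPA (~(uint64_t)0)
#define HVA_ERR_BAD (~0UL)

struct gpc_model { bool active; uint64_t gpa; unsigned long uhva; };
static unsigned long offset_in_page(unsigned long x) { return x & (PAGE_SIZE - 1); }
static bool is_error_gpa(uint64_t gpa) { return gpa == INVALID_GPA; }
static bool is_error_hva(unsigned long hva) { return hva == HVA_ERR_BAD; }

/* Patch 1's helper: take the GPA or HVA page offset and require offset+len to fit in one page. */
static bool gpc_is_valid_len(uint64_t gpa, unsigned long uhva, unsigned long len)
{
	unsigned long offset = is_error_gpa(gpa) ? offset_in_page(uhva) : offset_in_page(gpa);
	return offset + len <= PAGE_SIZE;
}

/* Inner refresh: exactly one of GPA/HVA may be valid (a WARN_ON_ONCE in KVM); before
 * the fix the length check also lived here, i.e. it ran only after activation. */
static int inner_refresh(struct gpc_model *gpc, uint64_t gpa, unsigned long uhva,
			 unsigned long len, bool check_len_here)
{
	if (is_error_gpa(gpa) == is_error_hva(uhva))
		return -EINVAL;
	if (check_len_here && !gpc_is_valid_len(gpa, uhva, len))
		return -EINVAL;
	gpc->gpa = gpa;
	gpc->uhva = uhva;
	return 0;
}

/* Activation marks the cache active; its address fields are only filled in by the refresh. */
static void mark_active(struct gpc_model *gpc)
{
	if (!gpc->active) {
		gpc->gpa = INVALID_GPA;
		gpc->uhva = HVA_ERR_BAD;
		gpc->active = true;
	}
}

/* Pre-fix ordering: mark active first, then let the inner refresh reject the length. */
static int activate_before_fix(struct gpc_model *gpc, uint64_t gpa, unsigned long len)
{
	mark_active(gpc);
	return inner_refresh(gpc, gpa, HVA_ERR_BAD, len, true);
}

/* Post-fix ordering (patch 2): reject the length before touching any cache state. */
static int activate_after_fix(struct gpc_model *gpc, uint64_t gpa, unsigned long len)
{
	if (!gpc_is_valid_len(gpa, HVA_ERR_BAD, len))
		return -EINVAL;
	mark_active(gpc);
	return inner_refresh(gpc, gpa, HVA_ERR_BAD, len, false);
}

/* True if a rejected activation left the cache active with INVALID_GPA, the state in
 * which a later refresh trips the GPA/HVA sanity check described in the commit message. */
static bool leaves_stale_active(int (*activate)(struct gpc_model *, uint64_t, unsigned long))
{
	struct gpc_model gpc = { false, INVALID_GPA, HVA_ERR_BAD };
	/* Constructed input: page offset 0xff8 plus 16 bytes crosses into the next page. */
	int rc = activate(&gpc, 0x1000ff8ULL, 16);
	return rc == -EINVAL && gpc.active && is_error_gpa(gpc.gpa);
}
```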
Reply-To: Sean Christopherson
Date: Tue, 19 Mar 2024 17:15:42 -0700
In-Reply-To: <20240320001542.3203871-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20240320001542.3203871-1-seanjc@google.com>
X-Mailer: git-send-email 2.44.0.291.gc1ea87d7ee-goog
Message-ID: <20240320001542.3203871-4-seanjc@google.com>
Subject: [PATCH 3/3] KVM: Explicitly disallow activating a gfn_to_pfn_cache with INVALID_GPA
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Christopherson, syzbot+106a4f72b0474e1d1b33@syzkaller.appspotmail.com, David Woodhouse, Paul Durrant
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Explicitly disallow activating a gfn_to_pfn_cache with an error gpa, i.e. INVALID_GPA, to ensure that KVM doesn't mistake a GPA-based cache for an HVA-based cache (KVM uses INVALID_GPA as a magic value to differentiate between GPA-based and HVA-based caches).

WARN if KVM attempts to activate a cache with INVALID_GPA, purely so that new caches need to at least consider what to do with a "bad" GPA, as all existing usage of kvm_gpc_activate() guarantees gpa != INVALID_GPA. I.e. removing the WARN in the future is completely reasonable if doing so would yield cleaner/better code overall.

Signed-off-by: Sean Christopherson
Reviewed-by: David Woodhouse
Reviewed-by: Paul Durrant
---
 virt/kvm/pfncache.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
index 91b0e329006b..f618719644e0 100644
--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -418,6 +418,13 @@ static int __kvm_gpc_activate(struct gfn_to_pfn_cache = *gpc, gpa_t gpa, unsigned =20 int kvm_gpc_activate(struct gfn_to_pfn_cache *gpc, gpa_t gpa, unsigned lon= g len) { + /* + * Explicitly disallow INVALID_GPA so that the magic value can be used + * by KVM to differentiate between GPA-based and HVA-based caches. + */ + if (WARN_ON_ONCE(kvm_is_error_gpa(gpa))) + return -EINVAL; + return __kvm_gpc_activate(gpc, gpa, KVM_HVA_ERR_BAD, len); } =20 --=20 2.44.0.291.gc1ea87d7ee-goog
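Review bot: the new `if (WARN_ON_ONCE(kvm_is_error_gpa(gpa)))` in kvm_gpc_activate() fires on a caller-supplied argument; the commit message states that all existing callers guarantee gpa != INVALID_GPA, so today it is a developer aid rather than a user-reachable splat. If a future caller ever passes a guest- or userspace-controlled GPA through here the WARN becomes user-triggerable, so the `return -EINVAL;` should be treated as the load-bearing part and the WARN dropped at that point, as the message itself already allows.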